Gentlemen Ransomware "Double Extortion"
Targeted Sectors:
· Manufacturing
· Construction
· Healthcare
· Insurance
Other Impacted Sectors
· Aviation
· Consumer services
· Chemicals
· Pharmaceuticals
· Engineering
Countries
· South Korea
· Germany
· USA
BLUF
The Gentlemen ransomware group has expanded its campaign, operating a "double extortion" model that combines data exfiltration with file encryption, and using Bring Your Own Vulnerable Driver (BYOVD) tactics to disable endpoint security before deployment.
Date of First Reported Activity
· Early December 2025
Date of Last Reported Update
· December 16, 2025
APT Names
· Not linked to specific APT; operates as a cybercriminal group.
Criminal Organization Names
· Gentlemen Ransomware Group
IOCs
· Renamed files with random character strings
· Presence of vulnerable third-party drivers used for EDR bypass.
Tools Used
· GPO manipulation tools
· Vulnerable hardware drivers (BYOVD)
TTPs
· T1484.001 Domain Policy Modification (GPO manipulation).
· T1068 Exploitation for Privilege Escalation (BYOVD).
Malware Names
· Gentlemen Ransomware
Malware Sample
Sha256
4e46867650327f0e3419be229e9dd1c67528bd00df72f505ef08e8d6a40f6760
URL Link to sample
· hxxps://www.virustotal.com/gui/file/4e46867650327f0e3419be229e9dd1c67528bd00df72f505ef08e8d6a40f6760
CVE-2025-40818
(Siemens SSL/TLS vulnerability often targeted in industrial pivots)
CVSS 3.1
· 3.3 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Nessus ID(s)
· There is currently no Nessus plugin ID for this vulnerability
Is this on the KEV list?
· No
CISA patch by date
· No
Patching/Mitigation Data
Patch Release Date
December 9, 2025
URL to patch
· hxxps://cert-portal.siemens.com/productcert/html/ssa-626856.html
Impacted versions
· SINEMA Remote Connect Server prior to V3.2 SP4
Suggested rules / potential hunts
These rules are indicator rules and are likely to be noisy. For best hunt results, use a data model to review for and identify anomalous activity.
Suricata Rules
SFTP Exfiltration via WinSCP
Detect non-standard SFTP transfers to external IPs, especially those made by WinSCP (the client name is visible in the cleartext SSH version banner exchanged before the session is encrypted).
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET POLICY Gentlemen Ransomware WinSCP SFTP Exfiltration Attempt"; flow:established,to_server; content:"WinSCP"; nocase; sid:2025101; rev:1;)
Tor Gateway/Leak Site Access
Detect traffic directed at the "Gentlemen" Tor-based leak portal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gentlemen Ransomware Onion Leak Site Access"; content:".onion"; http_uri; sid:2025102; rev:1;)
Tox Messenger Traffic
The group uses Tox for victim negotiation.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Tox Messenger Protocol Detected (Potential Ransomware Negotiation)"; dsize:>50; content:"|27 10 02 00|"; offset:0; depth:4; sid:2025103; rev:1;)
SentinelOne STAR Rules
Vulnerable Driver Load (BYOVD)
Detect the loading of ThrottleStop.sys (often renamed to ThrottleBlood.sys) used to disable EDR.
Indicator Type = "Driver Load" AND (File Name = "ThrottleStop.sys" OR File Name = "ThrottleBlood.sys" OR File Hash SHA256 = "81dfb857a4d54f1949df3511b06f342d8d3232d5cec504533eddcae8d16ec49b")
Registry-Based Persistence
Detect the group's use of modified registry settings for persistence.
Registry Key Path Contains "Software\Microsoft\Windows\CurrentVersion\Run" AND Process Name = "AnyDesk.exe"
Mass Process Termination
Detect attempts to neutralize security products (anti-AV utilities).
Process Name = "taskkill.exe" AND Command Line Contains "/F" AND (Command Line Contains "Sentinel" OR Command Line Contains "Defender" OR Command Line Contains "CrowdStrike")
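The three STAR-style conditions above, expressed as plain matching logic that can be run over endpoint telemetry. This is an added example, not SentinelOne's rule engine or syntax: the event field names and the sample events are constructed for illustration; only the driver file names, the SHA256 and the process/command-line strings come from the rules above.

```python
"""Endpoint-telemetry matcher for the three STAR-style rules above.

Constructed example: events are plain dicts with the field names used
below (an assumption, not a vendor schema). The driver SHA256 is the one
listed in the rule; all sample events are made up.
"""
from typing import Dict, List, Tuple

# SHA256 of the vulnerable ThrottleStop driver as listed in the rule above.
THROTTLESTOP_SHA256 = "81dfb857a4d54f1949df3511b06f342d8d3232d5cec504533eddcae8d16ec49b"
DRIVER_NAMES = {"throttlestop.sys", "throttleblood.sys"}
RUN_KEY_FRAGMENT = r"software\microsoft\windows\currentversion\run"
SECURITY_PRODUCTS = ("sentinel", "defender", "crowdstrike")


def rule_byovd_driver_load(ev: Dict[str, str]) -> bool:
    """Vulnerable driver load: match on a known file name OR the SHA256,
    so a renamed copy of the driver is still caught by its hash."""
    if ev.get("indicator_type") != "Driver Load":
        return False
    name = ev.get("file_name", "").lower()
    sha = ev.get("sha256", "").lower()
    return name in DRIVER_NAMES or sha == THROTTLESTOP_SHA256


def rule_run_key_persistence(ev: Dict[str, str]) -> bool:
    """Registry Run-key modification performed by AnyDesk.exe."""
    if ev.get("indicator_type") != "Registry Value Modified":
        return False
    key = ev.get("registry_key", "").lower()
    proc = ev.get("process_name", "").lower()
    return RUN_KEY_FRAGMENT in key and proc == "anydesk.exe"


def rule_mass_process_kill(ev: Dict[str, str]) -> bool:
    """taskkill with /F whose command line names a security product."""
    if ev.get("process_name", "").lower() != "taskkill.exe":
        return False
    cmd = ev.get("command_line", "").lower()
    return "/f" in cmd.split() and any(p in cmd for p in SECURITY_PRODUCTS)


RULES = {
    "Vulnerable Driver Load (BYOVD)": rule_byovd_driver_load,
    "Registry-Based Persistence": rule_run_key_persistence,
    "Mass Process Termination": rule_mass_process_kill,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, event id) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev):
                hits.append((name, ev["id"]))
    return hits


# Constructed sample telemetry: e1, e2, e4 and e5 should fire; e3 and e6 should not.
SAMPLE_EVENTS = [
    {"id": "e1", "indicator_type": "Driver Load", "file_name": "ThrottleBlood.sys",
     "sha256": "0" * 64},
    {"id": "e2", "indicator_type": "Driver Load", "file_name": "renamed.sys",
     "sha256": THROTTLESTOP_SHA256},  # renamed driver, caught by hash only
    {"id": "e3", "indicator_type": "Driver Load", "file_name": "e1000.sys",
     "sha256": "1" * 64},
    {"id": "e4", "indicator_type": "Registry Value Modified",
     "registry_key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AnyDesk",
     "process_name": "AnyDesk.exe"},
    {"id": "e5", "process_name": "taskkill.exe",
     "command_line": "taskkill.exe /F /IM SentinelAgent.exe"},
    {"id": "e6", "process_name": "taskkill.exe",
     "command_line": "taskkill.exe /IM notepad.exe"},
]

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {event_id}")
```

Matching on the hash as well as the file name is the point of the first rule: the driver is frequently renamed, and a name-only rule misses that case.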
Splunk Hunts
Hunt for GPO Propagation
Find unauthorized changes to Group Policy Objects used for domain-wide ransomware deployment.
index=windows sourcetype=WinEventLog:Security EventCode=5136
| search "GPO" AND "Value: *GENTLEMEN*"
| stats count by _time, ComputerName, ObjectName, AttributeValue
Hunt for Lateral Movement (PsExec/AnyDesk)
The group heavily utilizes legitimate tools for lateral movement.
index=windows sourcetype=WinEventLog:Security EventCode=4688
| search New_Process_Name IN ("*psexec.exe", "*anydesk.exe", "*powerrun.exe")
| stats count by _time, ComputerName, New_Process_Name, Process_Command_Line
Hunt for Data Staging (Staging for Exfiltration)
Identify rapid file compression or staging in common directories (Temp, Downloads); the events are binned into 10-minute windows so the count threshold applies per host and process rather than per individual file.
index=windows sourcetype=WinEventLog:Security EventCode=4663
| search (Process_Name="*7z.exe" OR Process_Name="*winrar.exe") AND Access_Mask="0x2"
| bin _time span=10m
| stats count dc(Object_Name) as files by _time, ComputerName, Process_Name
| where count > 100
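The data-staging hunt above, reimplemented in Python so its logic (filter archiver write events, bin into 10-minute windows, threshold per host and process) can be checked against sample data offline. This is an added example, not the page's own query or a Splunk feature: the `key=value|key=value` line format, field names and all sample events are constructed; the 0x2 write mask, the archiver names and the 100-event threshold follow the search.

```python
"""Data-staging hunt over constructed Windows 4663 events.

Added example. Assumptions: events arrive as 'key=value|key=value' lines
with the field names used below; timestamps are ISO 8601. The 0x2 access
mask (WriteData/AddFile), archiver names and 100-event threshold are taken
from the hunt above.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

ARCHIVERS = ("7z.exe", "winrar.exe")
WRITE_MASK = "0x2"        # 4663 access mask for WriteData / AddFile
WINDOW_MINUTES = 10       # same as "bin _time span=10m"
THRESHOLD = 100           # same as "where count > 100"

Key = Tuple[datetime, str, str]  # (window start, ComputerName, process)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def bucket(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its WINDOW_MINUTES-wide bin."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES,
                      second=0, microsecond=0)


def hunt(lines: Iterable[str]) -> List[Tuple[datetime, str, str, int, int]]:
    """Count archiver write events per (window, host, process) and return
    (window, host, process, count, distinct files) for groups over THRESHOLD."""
    counts: Dict[Key, int] = defaultdict(int)
    files: Dict[Key, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") != "4663" or ev.get("Access_Mask") != WRITE_MASK:
            continue
        # Compare on the image name only, like the "*7z.exe" wildcard in the search.
        proc = ev.get("Process_Name", "").lower().rsplit("\\", 1)[-1]
        if proc not in ARCHIVERS:
            continue
        key = (bucket(datetime.fromisoformat(ev["_time"])), ev["ComputerName"], proc)
        counts[key] += 1
        files[key].add(ev["Object_Name"])
    return sorted((w, host, proc, n, len(files[(w, host, proc)]))
                  for (w, host, proc), n in counts.items() if n > THRESHOLD)


def constructed_events() -> List[str]:
    """Sample telemetry: FS01 stages 150 files with 7z in five minutes,
    WS07 makes five ordinary WinRAR writes, plus one non-archiver write."""
    start = datetime(2025, 12, 10, 3, 0, 0)
    lines = []
    for i in range(150):
        t = start + timedelta(seconds=2 * i)
        lines.append(f"_time={t.isoformat()}|EventCode=4663|ComputerName=FS01"
                     f"|Process_Name=C:\\Program Files\\7-Zip\\7z.exe|Access_Mask=0x2"
                     f"|Object_Name=C:\\Users\\svc\\AppData\\Local\\Temp\\stage\\doc{i}.pdf")
    for i in range(5):
        t = start + timedelta(minutes=i)
        lines.append(f"_time={t.isoformat()}|EventCode=4663|ComputerName=WS07"
                     f"|Process_Name=C:\\Program Files\\WinRAR\\winrar.exe|Access_Mask=0x2"
                     f"|Object_Name=C:\\Users\\alice\\Downloads\\report{i}.rar")
    lines.append(f"_time={start.isoformat()}|EventCode=4663|ComputerName=FS01"
                 f"|Process_Name=C:\\Windows\\explorer.exe|Access_Mask=0x2"
                 f"|Object_Name=C:\\Users\\svc\\Desktop\\notes.txt")
    return lines


if __name__ == "__main__":
    for window, host, proc, n, distinct in hunt(constructed_events()):
        print(f"{window:%Y-%m-%d %H:%M} {host} {proc}: {n} writes, {distinct} files")
```

Only the FS01 7z burst crosses the threshold; the five WinRAR writes on WS07 fall in the same window but stay far below 100, which is the behaviour the tuned Splunk search should show as well.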
Delivery Method
· Compromised corporate networks via initial phishing or unpatched web-facing servers
References
Virustotal
· hxxps://www.virustotal.com/gui/file/4e46867650327f0e3419be229e9dd1c67528bd00df72f505ef08e8d6a40f6760
Siemens
· hxxps://cert-portal.siemens.com/productcert/html/ssa-626856.html
AhnLab
· hxxps://asec.ahnlab.com/en/91545/
Trend Micro
· hxxps://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
Assets KPMG
· hxxps://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2025/11/kpmg-ctip-gentlemen-ransomware-11-nov-2025.pdf.coredownload.inline.pdf
Dark Reading
· hxxps://www.darkreading.com/vulnerabilities-threats/gentlemen-ransomware-vulnerable-driver-security-gear