New Gentlemen Ransomware Leverages Legitimate Drivers, Group Policies to Infiltrate Organizations

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

In recent months, security researchers have observed a surge in activity by a previously undocumented ransomware group known as The Gentlemen.

This threat actor has rapidly distinguished itself through the deployment of highly specialized tools and meticulous reconnaissance tactics, targeting critical infrastructure across multiple sectors and regions.

Leveraging legitimate Windows drivers and nuanced Group Policy Object (GPO) manipulation, The Gentlemen are capable of evading traditional defenses and achieving domain-wide compromise.

The initial intrusion techniques of this group remain partially obscured; however, forensic evidence suggests that compromised credentials or exposed internet-facing services served as the primary infection vectors.

Following foothold establishment, The Gentlemen deploy a dual-component defense evasion suite consisting of All.exe and ThrottleBlood.sys—a legitimate signed driver abused to terminate protected security processes.

The Gentlemen ransomware group blog site (Source – Trend Micro)

This kernel-level manipulation enables the threat actors to neutralize endpoint protections without triggering standard alerts.

Trend Micro analysts noted that subsequent iterations of this suite include a dynamically modified binary, Allpatch2.exe, which specifically targets the unique security agent components present in the compromised network.

By adapting their tools mid-campaign, the group has demonstrated both flexibility and a deep understanding of the enterprise security landscape.

This approach has facilitated widespread deployment of their encryption payload via the NETLOGON share, ensuring rapid and comprehensive file encryption across domain-joined systems.

The impact of The Gentlemen’s operations has been severe: key sectors such as manufacturing, healthcare, and construction have suffered service disruptions and extensive data encryption.

Victims have reported loss of critical backups and unauthorized exfiltration of sensitive information via WinSCP, confirming the adoption of a double-extortion strategy.

Victim distribution by industry, region, and country (as of August 2025) (Source – Trend Micro)

The attack chain diagram depicts each stage of the operation, from initial access through data exfiltration.

Infection Mechanism and Kernel-Level Evasion

A defining characteristic of The Gentlemen’s methodology is its exploitation of a legitimate Windows driver to achieve kernel-level execution.

Upon execution, the ransomware drops a pair of files into the %USERPROFILE%\Downloads directory:

copy All.exe %USERPROFILE%\Downloads\All.exe
copy ThrottleBlood.sys %USERPROFILE%\Downloads\ThrottleBlood.sys

The attacker then invokes the driver to terminate targeted security services; the following command-line sequence illustrates this abuse of signed-driver functionality:

%USERPROFILE%\Downloads\All.exe install ThrottleBlood.sys
taskkill /IM avagent.exe /F
taskkill /IM VeeamNFSSvc.exe /F

By leveraging this technique, The Gentlemen escape the limitations of user-mode bypasses.

Once kernel execution is secured, the ransomware escalates privileges using PowerRun.exe, a legitimate utility frequently abused for elevated command execution.

This allows the malware to modify critical registry keys—such as enabling RDP access via reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v SecurityLayer /t REG_DWORD /d 1 /f—and deploy persistence mechanisms through GPO objects.
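As an added defender-side example (not code from the article or from Trend Micro), the following Python script correlates the three stages described above over constructed, simplified process-creation log lines: a driver loader run from the Downloads folder, forced termination of the named security processes, and the Terminal Server SecurityLayer registry change. The log line format, host names and timestamps are assumptions made for this demonstration.

```python
import re
from collections import defaultdict

# Constructed, simplified process-creation events (one per line), not real logs:
# "<timestamp> host=<name> user=<name> cmd=<command line>".
SAMPLE_EVENTS = r"""
2025-08-10T02:14:05 host=WS-07 user=jdoe cmd=C:\Windows\System32\notepad.exe
2025-08-10T02:15:11 host=WS-07 user=jdoe cmd=C:\Users\jdoe\Downloads\All.exe install ThrottleBlood.sys
2025-08-10T02:15:13 host=WS-07 user=jdoe cmd=taskkill /IM avagent.exe /F
2025-08-10T02:15:14 host=WS-07 user=jdoe cmd=taskkill /IM VeeamNFSSvc.exe /F
2025-08-10T02:16:40 host=WS-07 user=jdoe cmd=reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v SecurityLayer /t REG_DWORD /d 1 /f
2025-08-10T03:01:00 host=WS-12 user=admin cmd=taskkill /IM notepad.exe /F
""".strip().splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Security/backup agent processes the report names as taskkill targets.
PROTECTED_PROCS = {"avagent.exe", "veeamnfssvc.exe"}


def classify(cmd: str):
    """Return a stage tag for one command line, or None if it matches no stage."""
    low = cmd.lower()
    # Stage 1: an executable under a Downloads folder installing a .sys driver.
    if re.search(r"\\downloads\\[^\s]+\.exe\s+install\s+\S+\.sys", low):
        return "driver_install_from_downloads"
    # Stage 2: forced taskkill of a protected security or backup process.
    m = re.search(r"taskkill\s+.*?/im\s+(\S+).*?/f", low)
    if m and m.group(1) in PROTECTED_PROCS:
        return "security_process_kill"
    # Stage 3: change to the Terminal Server SecurityLayer registry value.
    if "reg add" in low and "terminal server" in low and "securitylayer" in low:
        return "rdp_securitylayer_change"
    return None


def hunt(lines):
    """Map host -> {stage: first timestamp}; report hosts with 2+ distinct stages."""
    stages = defaultdict(dict)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        tag = classify(m["cmd"])
        if tag and tag not in stages[m["host"]]:
            stages[m["host"]][tag] = m["ts"]
    return {host: seen for host, seen in stages.items() if len(seen) >= 2}


if __name__ == "__main__":
    for host, seen in hunt(SAMPLE_EVENTS).items():
        print(host, seen)
```

A single stage on its own (for instance a lone taskkill) is only noise; the correlation across stages per host is what makes the hit worth an analyst's time.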

The Gentlemen ransomware attack chain (Source – Trend Micro)

While this attack chain shows the code-driven stages of driver-based process termination, the combination of legitimate tools with custom binaries exemplifies a mature adversary who balances stealth, adaptability, and impact.

As organizations struggle with conventional endpoint defenses, the emergence of such advanced tactics underscores the urgent need for proactive threat hunting and implementation of Zero Trust principles.
