Rapid growth and a new ransomware variant
The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. The group exploits vulnerabilities in internet-facing devices like VPNs and firewalls, potentially collaborating with initial access brokers. They employ comprehensive reconnaissance using tools like SharpADWS, NetScan, and Advanced IP Scanner, capturing network traffic with netsh. The attackers disable security products through BYOVD techniques using vulnerable drivers, and deploy custom Go-based backdoors and ransomware variants. They spread laterally via GPO deployment and PsExec, encrypt files using Curve25519 and XChaCha20, and recently developed a C-based ransomware variant using AES256-GCM and RSA. The group targets multiple industries worldwide, particularly in Brazil, China, Indonesia, Taiwan, and Thailand, with attacks focusing on manufacturing, IT services, healthcare, and financial sectors.
AI Analysis
Technical Summary
The Gentlemen ransomware-as-a-service group emerged as a top-10 threat actor in the first half of 2026. They exploit vulnerabilities in internet-facing devices like VPNs and firewalls, potentially in collaboration with initial access brokers. Their attack methodology includes comprehensive reconnaissance using tools such as SharpADWS, NetScan, and Advanced IP Scanner, and capturing network traffic with netsh. They disable security products through Bring Your Own Vulnerable Driver (BYOVD) techniques, leveraging vulnerable drivers to evade detection. The group deploys custom backdoors written in Go and ransomware variants that encrypt files using Curve25519 and XChaCha20. Recently, they developed a C-based ransomware variant employing AES256-GCM and RSA encryption. Lateral movement is achieved via Group Policy Object deployment and PsExec. The group targets multiple industries worldwide, with a focus on Brazil, China, Indonesia, Taiwan, and Thailand, especially in manufacturing, IT services, healthcare, and financial sectors.
Potential Impact
The threat actor's activities result in network compromise through exploitation of vulnerable internet-facing devices, disabling of security controls, and deployment of ransomware that encrypts files with strong cryptographic algorithms. This leads to potential operational disruption and data loss across multiple critical industries globally. The use of advanced lateral movement techniques increases the scope and impact of infections within targeted networks.
Mitigation Recommendations
No official patch or remediation is specified for this threat actor or their ransomware variants, and patch status is not yet confirmed; organizations should monitor vendor advisories for vulnerabilities in internet-facing devices such as VPNs and firewalls and apply security updates promptly. Mitigation should focus on hardening perimeter devices, detecting and blocking the loading of known-vulnerable drivers (the BYOVD step that precedes the tampering with security products), and monitoring for indicators of lateral movement such as unusual Group Policy Object deployments and PsExec usage. Because this is a ransomware-as-a-service operation, incident response plans should include ransomware-specific containment and recovery procedures.
Affected Countries
Brazil, China, Indonesia, Taiwan, Thailand
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/the-gentlemen-raas/120447/
- Adversary: The Gentlemen
- Pulse Id: 6a42506c95cc259404196a5b
- Threat Score: null
Threat ID: 6a43677227e9c79719412a92
Added to database: 06/30/2026, 06:51:30 UTC
Last enriched: 06/30/2026, 07:06:18 UTC
Last updated: 07/01/2026, 00:00:37 UTC