The Gentlemen

The malware uses WMI via wmic.exe to create remote processes... The first command executes the defense evasion blob, the second runs the payload from the infected host’s SMB share, and the third runs the pre-staged copy from the target’s local C:\Temp directory.

When the -- system argument is provided... the malware creates a scheduled task to re-execute itself as SYSTEM... The encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.

This is complemented by the use of Cobalt Strike, Mimikatz, and domain-wide propagation via GPO, indicating a tightly coordinated, human-operated attack workflow...

Before attempting to run the payload on a remote system, the malware executes the following PowerShell command on the remote target to weaken local defenses... disables Microsoft Defender real-time monitoring, adds broad Defender exclusions, turns off Windows Firewall across all profiles...

To relaunch itself as SYSTEM, it issues the following sequence of commands... It first deletes any existing task named gentlemen_system... creates a new one-time task... and finally triggers that task.

When the -- system argument is provided... the malware creates a scheduled task to re-execute itself as SYSTEM... The encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.

For establishing persistence with the registry... The GupdateS value under HKEY_LOCAL_MACHINE (HKLM) provides device-wide persistence... while the GupdateU value under HKEY_CURRENT_USER (HKCU) provides user-scoped persistence.

When the -- system argument is provided... the malware creates a scheduled task to re-execute itself as SYSTEM... The encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.

For deployment and impact, the group has been observed using domain-level mechanisms such as Group Policy and NETLOGON-based staging to push ransomware across compromised environments.

Ransomware components use generic names (r.exe, g.exe, o.exe) and common locations (C:\ProgramData\, C:\Temp\, admin shares) to blend with normal tools and admin activity.

Every time the payload ran it stopped services, added Microsoft Defender process and path exclusions, deleted shadow copies with vssadmin and wmic, killed wbadmin to block recovery, cleared the Security event log, encrypted the host, and dropped a ransom note named README-GENTLEMEN.txt.

These commands remove a variety of forensic artifacts, including prefetch files that track program execution, Defender diagnostic and support logs, and Remote Desktop Protocol (RDP) logs... If the -- keep flag is not provided, the malware attempts to remove its executable from disk after completing encryption.

The malware binary carries an embedded copy of PsExec and drops it to C:\Temp\psexec.exe... If the embedded PsExec payload cannot be extracted successfully, the malware falls back to downloading PsExec directly from Microsoft’s Sysinternals Live service.

For establishing persistence with the registry... The GupdateS value under HKEY_LOCAL_MACHINE (HKLM) provides device-wide persistence... while the GupdateU value under HKEY_CURRENT_USER (HKCU) provides user-scoped persistence.

For deployment and impact, the group has been observed using domain-level mechanisms such as Group Policy and NETLOGON-based staging to push ransomware across compromised environments.

This is complemented by the use of Cobalt Strike, Mimikatz...

In addition to terminating processes, the malware disables and stops a list of Windows services using the commands...

After dropping PsExec, the malware attempts to enumerate and discover remote systems on the network, including workstations, servers, and domain controllers. Each discovered host becomes a candidate target for propagation.

The -- spread argument accepts either explicit credentials in domain/user:password format for authenticated lateral movement, or an empty string to reuse the current session’s authentication token.

The malware stops a list of running processes using the command... The table below summarizes the different categories and processes being targeted.

The malware can only perform this task if it’s executed from an account with administrator privilege.

To enumerate all available volumes on the system, the malware executes the following PowerShell command sequence... performs a secondary enumeration routine by iterating through drive letters A through Z...

When the command-line argument -- shares is provided, the malware initiates network share discovery and enumeration. It begins by probing all drive letters A through Z to identify mapped network drives...

Before encryption, the malware attempts to stop services and processes associated with databases, backup software, virtualization platforms, remote access tools, and enterprise applications.

The commands copy the malware executable into C:\Temp, creates a hidden Server Message Block (SMB) share named share$ pointing to that directory... other systems on the network can retrieve the payload from \\<self>\share$. | The malware executes the following command sequence to create three Windows services on the target host... These services run as SYSTEM by default, which provides another high-privilege execution path for the ransomware payload on the remote system.

Using PowerShell remoting, the malware executes commands directly on the target using Invoke-Command. This method leverages Windows Remote Management (WinRM)...

The malware first stages its payload on the remote system by copying the encryptor binary over the administrative C$ share.

The adoption of SystemBC proxy malware, a SOCKS5-based botnet with over 1,570 infected corporate hosts, marks a transition from isolated intrusions to botnet-assisted, covert payload delivery at scale.

The group also steals data before locking systems, using that stolen information as additional lever to pressure victims into paying.

The operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims through the threat of public release if the ransom is not paid.

The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, claimed responsibility for the attack and added Mackay Sugar to its Tor-based data leak site on June 15.

In addition to terminating processes, the malware disables and stops a list of Windows services... backup, storage, and recovery software... EDR... Microsoft Exchange...

Every time the payload ran it stopped services, added Microsoft Defender process and path exclusions, deleted shadow copies with vssadmin and wmic, killed wbadmin to block recovery, cleared the Security event log, encrypted the host...

The Gentlemen ransomware group, tracked by Microsoft as Storm-2697, claimed responsibility for the attack and added Mackay Sugar to its Tor-based data leak site on June 15. At this time, no data has been leaked yet, which usually means negotiations are still ongoing.

Defense evasion: Microsoft Defender disabled, exclusions added, Security event log cleared ... On the backup server they disabled Microsoft Defender real time protection at 20:51 UTC ... Every time the payload ran it ... added Microsoft Defender process and path exclusions.

Before starting file encryption, the malware executes a sequence of commands to disable defensive controls... disable Microsoft Defender real-time monitoring... adds its own executable to the Defender exclusion list... excludes the entire C:\ volume from scanning.