Back to Intelligence

The Gentlemen RaaS: Defending Against High-Volume Affiliate Encryption Attacks

SA
Security Arsenal Team
June 11, 2026
6 min read

The cybersecurity landscape in 2026 has been dominated by the meteoric rise of 'The Gentlemen,' a cybercrime group that has rapidly become the second most active encryption-based threat actor by victim count. Their ascent is fueled not by a novel zero-day exploit, but by a disruptive economic model: an aggressive recruitment strategy offering affiliates 90% of the ransom payments. This high-revenue incentive has attracted a significant pool of talent, increasing the attack volume and velocity against organizations across all sectors.

As reported by KrebsOnSecurity, intelligence points to a specific real-world identity behind the group's administration. However, for defenders, the identity of the administrator is secondary to the operational reality: we are facing a surge of highly motivated, financially incentivized affiliates leveraging成熟 ransomware binaries to maximize their "earnings." Defenders must shift focus from单纯的 attribution to active detection of the preparation and execution stages common to these affiliate operations.

Technical Analysis

Threat Overview: The Gentlemen operates as a Ransomware-as-a-Service (RaaS) platform. The group provides the encryption payload, negotiation infrastructure, and leak site, while affiliates handle initial access and lateral movement. The 90/10 revenue split is an outlier in the market (standard is often 70/30 or 80/20), designed to flood the ecosystem with attackers.

Attack Vector & Mechanism: While the specific CVE exploited for initial access in the latest campaigns varies by affiliate (often exploiting unpatched VPN appliances or compromised credentials), the post-exploitation behavior remains consistent with modern encryption-based incidents. Affiliates typically move laterally using remote management tools (e.g., RDP, AnyDesk, ScreenConnect) and deploy the payload.

The core threat is the encryption of files, but the operational security (OpSec) of The Gentlemen suggests the use of custom tooling to disable defenses. Preliminary telemetry suggests affiliates utilize scripts to delete Volume Shadow Copies to prevent recovery, a hallmark of aggressive ransomware operations seeking to force payment.

Exploitation Status: Active exploitation is confirmed globally. There is currently no specific CVE attached to the ransomware payload itself in the provided intelligence; rather, the threat is the human-operated ransomware service leveraging a variety of initial access vectors. The urgency for defenders lies in detecting the behaviors that precede encryption—specifically the mass deletion of shadow copies and unusual process execution patterns from user directories.

Detection & Response

Given the aggressive nature of The Gentlemen affiliates, detection must focus on the actions taken immediately prior to encryption. We cannot rely solely on signature-based detection of the payload, as affiliates frequently modify binaries. Instead, we hunt for the behaviors that facilitate data destruction.

Sigma Rules

These rules target the preparatory steps for encryption (Shadow Copy deletion) and the execution of payloads from suspicious user-land locations common in affiliate operations.

YAML
---
title: Potential Ransomware Activity - Shadow Copy Deletion
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects attempts to delete Volume Shadow Copies, often used by ransomware affiliates to prevent recovery. This is a critical precursor to encryption.
references:
 - https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
author: Security Arsenal
date: 2026/06/18
tags:
 - attack.impact
 - attack.t1490
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|endswith:
     - '\vssadmin.exe'
     - '\wmic.exe'
   CommandLine|contains:
     - 'delete shadows'
     - 'shadowcopy delete'
 condition: selection
falsepositives:
  - System administrators managing disk space (rare in production envs)
level: high
---
title: Suspicious Execution from User AppData
id: b2c3d4e5-6789-01bc-def2-345678901234
status: experimental
description: Detects execution of binaries from the AppData/Roaming or AppData/Local directories, a common persistence and execution method for ransomware droppers.
references:
 - https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
author: Security Arsenal
date: 2026/06/18
tags:
 - attack.execution
 - attack.t1204
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|contains:
     - '\AppData\Roaming\'
     - '\AppData\Local\'
   Image|endswith:
     - '.exe'
     - '.dll'
 filter:
   Image|contains:
     - '\Microsoft\'
     - '\Google\'
     - '\Local Programs\'
 condition: selection and not filter
falsepositives:
  - Legitimate software updates/installers (Chrome, Edge, etc.)
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for the correlation of process execution and file system events indicative of ransomware preparation or execution.

KQL — Microsoft Sentinel / Defender
// Hunt for Shadow Copy Deletion commands
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("vssadmin.exe", "wmic.exe")
| where ProcessCommandLine contains "delete" and (ProcessCommandLine contains "shadow" or ProcessCommandLine contains "shadowcopy")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend AlertDetails = "Potential Ransomware Preparation: Shadow Copy Deletion detected."

Velociraptor VQL

This artifact hunts for processes that indicate the system is being prepared for encryption or is currently under attack by scanning for specific command-line arguments used by ransomware affiliates.

VQL — Velociraptor
-- Hunt for ransomware precursor activity
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ 'delete.*shadow'
   OR CommandLine =~ 'shadowcopy.*delete'
   OR Name =~ 'vssadmin.exe'
   OR Name =~ 'wmic.exe'

Remediation Script (PowerShell)

In the absence of a specific CVE patch for the payload (since it is a human-operated threat), remediation focuses on hardening the environment against the common vectors used by The Gentlemen affiliates. This script disables common lateral movement pathways and ensures critical recovery mechanisms are active.

PowerShell
# Hardening Script: Mitigating RaaS Affiliate Access Vectors
# Run as Administrator

Write-Host "[+] Starting Ransomware Hardening Procedures..." -ForegroundColor Cyan

# 1. Disable Remote Desktop Protocol (RDP) if not strictly required
# Affiliates frequently exploit RDP for lateral movement.
$RDPStatus = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server").fDenyTSConnections
if ($RDPStatus -eq 0) {
    Write-Host "[!] WARNING: RDP is Enabled. Disabling RDP to prevent lateral movement." -ForegroundColor Yellow
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
    Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
} else {
    Write-Host "[*] RDP is already disabled." -ForegroundColor Green
}

# 2. Stop and Disable vulnerable services (e.g., Print Spooler if not needed)
# Often used for Local Privilege Escalation.
$SpoolerService = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($SpoolerService.Status -eq 'Running') {
    Write-Host "[!] WARNING: Print Spooler is running. Stopping service to reduce LPE risk." -ForegroundColor Yellow
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
} else {
    Write-Host "[*] Print Spooler is not running or disabled." -ForegroundColor Green
}

# 3. Enable PowerShell Script Block Logging and Module Logging
# Critical for detecting malicious scripts used by affiliates.
Write-Host "[*] Enabling Enhanced PowerShell Logging..." -ForegroundColor Cyan
$basePath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
if (-not (Test-Path $basePath)) { New-Item -Path $basePath -Force | Out-Null }
Set-ItemProperty -Path "$basePath\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 -Force
Set-ItemProperty -Path "$basePath\ScriptBlockLogging" -Name "EnableScriptBlockInvocationLogging" -Value 1 -Force
Set-ItemProperty -Path "$basePath\ModuleLogging" -Name "EnableModuleLogging" -Value 1 -Force
Set-ItemProperty -Path "$basePath\ModuleLogging" -Name "ModuleNames" -Value "*" -Force

Write-Host "[+] Hardening Complete." -ForegroundColor Green

Remediation

Since The Gentlemen is an operationally mature RaaS group relying on affiliates, remediation requires a layered defense strategy:

  1. Verify Backups: Ensure offline or immutable backups are available and tested. The 90% cut model incentivizes affiliates to be thorough in encryption; backups are your only guaranteed recovery method.
  2. Access Control Review: Audit accounts with privileged access immediately. affiliates often purchase initial access via valid credentials. Enforce MFA aggressively, particularly on VPNs and remote access tools.
  3. Network Segmentation: Limit lateral movement. If an affiliate compromises a workstation, they should not be able to reach the backup server or domain controller.
  4. Vendor Advisory: While there is no specific CVE in this alert, monitor updates from CISA (CISA KEV catalog) regarding any new exploits associated with RaaS initial access vectors.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirthe-gentlemenraasthreat-intel

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action