The Gentlemen RaaS Operation: Defending Against Worm-Like Propagation and Double Extortion

A new and concerning threat has emerged in the ransomware landscape: "The Gentlemen." Recent analysis reveals this financially motivated operation has already claimed 478 victims. Unlike traditional single-vector attacks, The Gentlemen operates as a sophisticated affiliate, leveraging the destructive capabilities of major RaaS ecosystems—specifically LockBit (Tenacious Mantis), Qilin (Pestilent Mantis), and Medusa (Venomous Mantis).

The critical differentiator here is the operation's worm-like propagation capabilities. This suggests that once an initial foothold is established, the malware can spread laterally across the network without manual intervention, significantly accelerating the encryption timeline and increasing the blast radius. For defenders, this demands immediate action to identify initial access vectors and contain lateral movement before the double-extortion phase—encryption and data exfiltration—completes.

Technical Analysis

Threat Actor Profile: The Gentlemen Motivation: Financial (Double Extortion) Infection Vector: Initial access typically follows standard affiliate patterns: compromised credentials, valid accounts, or exploitation of external services.

Attack Mechanics:

The Gentlemen operation is unique in its modular approach. The core affiliate utilizes a loader that deploys payloads from established RaaS families. This polymorphic strategy creates detection challenges, as IOCs shift between the distinct signatures of LockBit, Qilin, and Medusa.

Initial Compromise: The affiliate gains access, often via phishing or exposed RDP.
Payload Deployment: A dropper executes, fetching the encryption binary. This binary may be a variant of LockBit 4.0, Qilin, or Medusa depending on the target's architecture or the affiliate's preference.
Worm-Like Propagation: The malware contains capabilities to copy itself to accessible admin shares (ADMIN$, C$) or use remote execution tools (like PsExec or WMI) to run on neighboring hosts. This automates the spread, mimicking worm behavior rather than manual hands-on-keyboard lateral movement.
Double Extortion: Prior to encryption, the group exfiltrates sensitive data to leverage for ransom demands.

Exploitation Status: Confirmed active exploitation with 478 identified victims. The threat is currently active and spreading in the wild.

Detection & Response

Given the lack of a specific CVE in this report, detection relies heavily on identifying the behaviors common to the underlying RaaS families (LockBit, Qilin, Medusa) and the "worm-like" propagation methods employed by The Gentlemen.

SIGMA Rules

Detecting the activities of The Gentlemen requires monitoring for the common TTPs of the RaaS tools they utilize and the lateral movement indicative of a worm.

YAML

---
title: Potential The Gentlemen Activity - RaaS Shadow Copy Deletion
id: 8a4b2c9d-1e5f-4a3b-9c6d-1e5f4a3b9c6d
status: experimental
description: Detects attempts to delete shadow copies using vssadmin or wbadmin, a common step across LockBit, Qilin, and Medusa payloads used by The Gentlemen affiliate.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wbadmin.exe'
      - '\wmic.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'delete catalog'
      - 'shadowcopy delete'
  condition: selection
falsepositives:
  - System administration (rare)
level: high
---
title: The Gentlemen Worm Propagation via Remote Services
id: 9b5c3d0e-2f6a-5b4c-0d7e-2f6a5b4c0d7e
status: experimental
description: Detects the creation of remote services or scheduled tasks, a technique often used by worm-like ransomware to propagate across the network.
references:
  - https://attack.mitre.org/techniques/T1021/
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc:
    Image|endswith:
      - '\sc.exe'
      - '\schtasks.exe'
    CommandLine|contains:
      - '\\'
      - 'create'
  selection_psexec:
    Image|contains:
      - 'psexec'
      - 'psexec64'
  condition: 1 of selection*
falsepositives:
  - Legitimate remote administration by IT staff
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for the combination of process execution (common to the listed RaaS families) and network volume indicative of exfiltration or worm propagation.

KQL — Microsoft Sentinel / Defender

// Hunt for RaaS processes and unusual network connections
let RaaSProcesses = dynamic(["lockbit", "qilin", "medusa", "gentlemen"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoOriginalFileName in ("vssadmin.exe", "powershell.exe", "cmd.exe", "wmic.exe") 
   or ProcessCommandLine has_any ("delete shadows", "enc", "-iex")
| join kind=inner (
    DeviceNetworkEvents 
    | where Timestamp > ago(7d) 
    | where RemotePort in (445, 135, 3389) or SentBytes > 10000000 
    | summarize TotalSentBytes=sum(SentBytes), RemoteIPCount=dcount(RemoteIP) by DeviceId, Timestamp 
) on DeviceId, Timestamp
| project Timestamp, DeviceName, FileName, ProcessCommandLine, TotalSentBytes, RemoteIPCount
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of common ransomware note extensions or processes running from suspicious locations often used by these RaaS variants.

VQL — Velociraptor

-- Hunt for The Gentlemen/RaaS indicators
SELECT * FROM foreach(
    glob(globs='/*/.txt'), 
    {
        SELECT Mtime, Size, FullPath
        FROM stat(filename=_)
        WHERE Mtime > now() - 24h 
          AND Size < 10000 
          AND FullPath =~ '(C:\\|/)(README|RECOVER|info|HOW_TO).*'
    }
)
UNION ALL
-- Hunt for suspicious processes running from temp or public folders
SELECT Pid, Name, Exe, CommandLine, StartTime
FROM pslist()
WHERE Exe =~ '(C:\\Users\\Public\\|C:\\Windows\\Temp\\|/tmp/|/var/tmp/).*'
  AND Name !~ 'explorer.exe'

Remediation Script (PowerShell)

Use this script to isolate potentially infected endpoints by disabling common worm propagation vectors and checking for persistence mechanisms associated with these RaaS families.

PowerShell

# The Gentlemen RaaS - Isolation and Hardening Script
# Requires Administrator Privileges

Write-Host "[+] Initiating The Gentlemen Containment Protocols..." -ForegroundColor Cyan

# 1. Disable Administrative Shares (Stops Worm propagation via C$ / ADMIN$)
Write-Host "[*] Restricting Administrative Shares..."
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
if (!(Test-Path $regPath)) { New-Item -Path $regPath -Force }
Set-ItemProperty -Path $regPath -Name "AutoShareWks" -Value 0 -Type DWord -Force
Set-ItemProperty -Path $regPath -Name "AutoShareServer" -Value 0 -Type DWord -Force

# 2. Disable Remote Desktop (Common initial vector)
Write-Host "[*] Disabling RDP if not strictly required..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1 -Type DWord -Force

# 3. Block WinRM (Used heavily in modern ransomware lateral movement)
Write-Host "[*] Disabling WinRM Service..."
Stop-Service -Name WinRM -Force -ErrorAction SilentlyContinue
Set-Service -Name WinRM -StartupType Disabled -ErrorAction SilentlyContinue

# 4. Check for Scheduled Task Persistence (Common in LockBit/Qilin)
Write-Host "[*] Scanning for suspicious Scheduled Tasks created in the last 24h..."
$suspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Date -gt (Get-Date).AddHours(-24) -and 
    $_.Author -eq '' -or 
    $_.TaskName -match 'Update|Chrome|Flash' 
}

if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Found suspicious tasks:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author
    # Uncomment to disable automatically (Use with caution)
    # $suspiciousTasks | Disable-ScheduledTask -ErrorAction SilentlyContinue
} else {
    Write-Host "[+] No suspicious tasks found."
}

Write-Host "[+] Hardening complete. Please verify backup integrity immediately." -ForegroundColor Green

Remediation

Immediate Isolation: If a system is suspected of infection, immediately disconnect it from the network (physical disconnect or NIC disable) to prevent the worm-like propagation to neighboring hosts.
Credential Reset: Assume that credentials have been compromised. Force a reset of all local administrator passwords and domain administrator credentials, particularly for accounts used in the last 90 days.
Network Segmentation: Ensure VLANs are strictly enforced. The Gentlemen relies on lateral movement; segmenting critical servers from user workstations limits the "blast radius."
Audit RDP and SMB: Since The Gentlemen affiliates often exploit exposed services, ensure RDP is behind a VPN or Zero-Trust Gateway and disable SMBv1 across the environment.
Backup Verification: Validate that offline backups are immutable and have not been encrypted. Test a restoration of critical data in an isolated environment.
Vendor Advisory Review: While no single CVE is responsible for this campaign, review recent advisories for LockBit, Qilin, and Medusa to ensure your EDR signatures are up to date for their specific encryption behaviors.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub