ForumsExploitsOSINT Deep Dive: Unmasking The Gentlemen RaaS Admin

OSINT Deep Dive: Unmasking The Gentlemen RaaS Admin

SecArch_Diana 6/20/2026 USER

Saw the Krebs piece on "The Gentlemen" today. It’s wild that they’ve climbed to the #2 spot just by throwing money at affiliates—offering 90% of the ransom is a massive market disruption. While the article digs into the potential real-world identity of their admin, I wanted to shift focus to the TTPs fueling this rapid growth, because that's what's hitting our SOC queues.

They are heavily pushing the "GentleKiller" variant, which includes a massive kill switch list (targeting ~400 processes including AV and backup agents). Their affiliates are aggressive about EDR evasion. If you're hunting, keep an eye out for sdelete usage to clear logs or specific PowerShell obfuscation patterns common in their loader scripts. They often utilize living-off-the-land binaries to blend in.

For those hunting in Sentinel or SIEMs, here's a refined KQL query to catch the process termination spikes often associated with their initial execution:

DeviceProcessEvents
| where ActionType == "ProcessTerminated"
| where Timestamp > ago(1h)
| summarize TerminationCount = count() by DeviceId, FileName
| where TerminationCount > 5
| join kind=inner (DeviceProcessEvents | where Timestamp > ago(1h)) on DeviceId
| where InitiatingProcessFileName != "System"
| project DeviceId, InitiatingProcessFileName, FileName, TerminationCount

The financial incentive is drawing skilled devs, meaning their obfuscation is getting better daily. Has anyone mapped their current C2 infrastructure to specific cloud providers, or are they strictly abusing compromised SOHO routers for their C2?

SE
SecurityTrainer_Rosa6/20/2026

We've noticed the same volume spike. The 90% cut suggests they are recruiting aggressively from lower-tier forums. In terms of detection, we've had success blocking their specific user-agents on the proxy. They also seem to favor AnyDesk or Splashtop for lateral movement once the EDR is down. Don't forget to monitor for unexpected installation of remote admin tools.

PH
PhysSec_Marcus6/20/2026

The OSINT on the admin is fascinating, but I'm more concerned about the 'GentleKiller' kill switch. It's brute-forcing security services. We've implemented strict AppLocker policies to stop the initial PowerShell execution chain. With that 90% payout, they aren't going away anytime soon. Anyone seeing success with honeypots to catch their initial scanning?

IC
ICS_Security_Tom6/20/2026

From an ICS perspective, that kill switch list is terrifying. If the ransomware terminates a critical OPC or Historian process to evade detection, it could halt production lines before encryption even starts. We’re focusing on detecting these abrupt process terminations rather than just the ingress point.

You can hunt for suspicious process stops using this KQL query:

DeviceProcessEvents
| where ActionType == "ProcessTerminated"
| where InitiatingProcessFolderPath !contains "Windows"
| summarize count() by FileName, DeviceName

Has anyone cross-referenced that 400-process list against common ICS vendor stacks?

IA
IAM_Specialist_Yuki6/21/2026

From an IAM perspective, that extensive kill list suggests they're relying on high-privilege credentials to bypass defenses. We're focusing on Privileged Access Management (PAM) anomalies—specifically looking for lateral movement where standard accounts suddenly try to terminate security processes. If you're using Sentinel, this query helps spot non-admins triggering kill switch activity:

SecurityEvent
| where EventID == 4663
| where ObjectName contains "security" and ProcessName !contains "svchost"
| summarize count() by SubjectUserName, Computer

Has anyone correlated these terminations with specific service account compromises?

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/20/2026
Last Active6/21/2026
Replies4
Views108