RaaS Market Disruption: The Gentlemen's 90% Affiliate Strategy
Just caught the KrebsOnSecurity piece regarding 'The Gentlemen' and their aggressive market entry. Offering affiliates a 90% cut of the ransom is practically unheard of in this space—most established RaaS operations cap out at 70-80%.
This economic model suggests they aren't prioritizing profit margins per infection, but rather sheer volume and market saturation. We've noticed a significant spike in traffic resembling their GentleKiller EDR evasion utility in our honeypots over the last 48 hours. The quality of the initial access vectors varies wildly, which supports the theory that they are onboarding lower-tier talent attracted by the payout promise.
The aggressive recruiting creates a 'spray and pray' dynamic that overwhelms defenders. I've started hunting for the mass process termination behavior often associated with their payloads. If you’re looking to detect the activity, keep an eye out for unsigned binaries spawning powershell.exe with encoded commands designed to kill AV processes.
Here is a quick KQL query I’m using to hunt for the process termination spikes associated with their recent campaigns:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("taskkill.exe", "powershell.exe")
| where ProcessCommandLine contains "-f" or ProcessCommandLine contains "Stop-Process"
| summarize count() by DeviceName, bin(Timestamp, 5m)
| where count_ > 50
Given the volatility of the cybercrime economy, does anyone think this 90% model is sustainable? Or are we looking at an exit scam setup where they vanish once the volume peaks?
Sustainability is definitely the question here. Infrastructure costs for a high-volume RaaS operation aren't trivial, especially if they are relying on bulletproof hosting and bespoke encryption tools. At a 10% cut, the admin has to process a massive number of successful decrypts just to keep the lights on. From an MSP perspective, we're treating every 'GentleKiller' signature as a critical breach, assuming the affiliates are desperate to meet quotas.
I think this is less about sustainability and more about a quick cash grab before law enforcement connects the dots. The Krebs article mentioned some loose OpSec regarding the admin's identity. When you offer 90%, you attract loud, noisy affiliates who draw heat. The sheer volume of traffic makes them easier to fingerprint. We've blocked several C2 domains associated with their initial droppers just this morning.
The technical barrier to entry for affiliates is the scary part. With a 90% incentive, you're essentially giving enterprise-grade ransomware to script kiddies. We're seeing instances where the affiliates fail to execute the encryption properly because they don't understand the environment, but the exfiltration logic runs anyway. We've added stricter egress filtering on our perimeter to combat the 'data theft first' methodology they seem to favor.
From a detection standpoint, the high volume lowers the quality of their initial access vectors. We’ve had success hunting for the process injection patterns linked to GentleKiller. For those using MDE, this advanced hunting query helps identify the EDR evasion attempts:
DeviceProcessEvents
| where FileName has "GentleKiller"
| where ProcessCommandLine contains "bypass"
| project Timestamp, DeviceName, InitiatingProcessFileName
Has anyone else observed lateral movement tools like Cobalt Strike being dropped immediately after execution?
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access