The Gentlemen Ransomware: 90% Affiliate Cuts & OpSec Leaks?
Just caught the KrebsOnSecurity deep dive on 'The Gentlemen.' It’s wild to see them shoot up to the #2 spot for victim count so fast. That 90% affiliate commission model is practically begging for lower-tier actors to jump ship from the bigger cartels like LockBit.
While the affiliate payout is the headline, the real story might be the opsec failures Krebs highlights regarding the admin's identity. But from a defensive standpoint, I'm more interested in the delivery vector. We're seeing a shift where these high-commission groups rely heavily on known, unpatched vulnerabilities to keep margins thin.
I've been hunting for indicators related to their initial access. It looks like they might be leveraging a specific PowerShell obfuscation pattern to disable defenses before encryption. I threw together a quick KQL query for our Sentinel environment to flag suspicious script blocks:
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has "Enc" and ProcessCommandLine has "IEX"
| where ProcessCommandLine contains "-NoP" and ProcessCommandLine contains "-NonI"
| where InitiatingProcessFileName in ("explorer.exe", "cmd.exe", "winword.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
It captures the common 'NoProfile -NonInteractive -ExecutionPolicy Bypass' flags combined with encoded commands, which seems to be their playbook for executing the ransomware binary.
Given the aggressive recruitment, I'm betting we'll see a spike in low-quality encryption implementations. Has anyone else started seeing artifacts from this group in their telemetry? I’m curious if their aggressive recruitment is leading to sloppier TTPs that we can exploit for detection.
We picked up an infection last week fitting this MO. Entry was via compromised VPN credentials, not an exploit. Your KQL query caught the obfuscation, but they also aggressively used vssadmin to wipe shadow copies. I added this simple PowerShell filter to our EDR watchlist to catch the delete command:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | Where-Object {$_.Message -like '*vssadmin*' -and $_.Message -like '*delete*'}
High payouts are definitely attracting lower-tier affiliates who skip lateral movement.
The 90% model suggests they either have zero infrastructure costs or they're selling the victim data on the side. I suspect the latter. In my recent engagements, groups with these affiliate models often fail to disable EDR properly because the affiliates lack sophistication. I wrote a quick Python script to scan for their specific process fork pattern, if anyone wants to collaborate on the signature:
import psutil
for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
if proc.info['cmdline'] and any('gentlemen' in c.lower() for c in proc.info['cmdline']):
print(f"Suspicious process found: {proc.info}")
Sloppiness usually breeds detection opportunities.
Regarding that delivery shift, we’ve noticed a pivot towards ISO-based phishing lures. Instead of macros, they're using disk images to drop the loader directly. It’s a classic tactic that effectively bypasses Mark of the Web (MotW) defenses if not handled correctly. I’d recommend blocking .iso attachments at the perimeter. You can hunt for suspicious mounting activity with this KQL:
DeviceProcessEvents | where FileName contains 'PowerShell' and ProcessCommandLine contains 'Mount-DiskImage'
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access