Threat Hunt: Detecting The Gentlemen RaaS Activity Amidst Volume Surge
Team,
Krebs dropped an interesting update on 'The Gentlemen' today. They've surged to the #2 spot for victim counts, largely fueled by that aggressive 90% affiliate cut. While the business model is notable (and the admin doxxing is being discussed elsewhere), I want to shift focus to the detection challenges this volume creates.
With the influx of new affiliates attracted by the high payouts, we're seeing a rise in 'noisy' attacks. The core 'GentleKiller' utility remains consistent, but the delivery methods are varying wildly. We are focusing on detecting the process termination behavior that precedes encryption.
I've been using this KQL query to spot the rapid termination of security processes, which seems to be a hallmark of their newer variants:
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessCreated"
| where FileName in~ ("taskkill.exe", "powershell.exe")
| extend ProcessCmd = parse_command_line(ProcessCommandLine, "windows")
| where ProcessCmd has "/F" or ProcessCmd has "/IM"
| summarize count() by DeviceName, bin(Timestamp, 2m)
| where count_ > 50 // High threshold to catch bulk kills
| project DeviceName, Timestamp, TotalKills = count_
Has anyone else noticed a shift in their TTPs recently? I'm curious if the new affiliates are sticking to the script or getting creative with the initial access vector.
We've definitely noticed the drop in OpSec with the new affiliates. Instead of the manual cleanup we saw from the core team last year, we're catching automated scripts running taskkill /F /IM loops that fail basic privilege checks. Your KQL query is solid; we added a correlation for cmd.exe spawning directly from svchost.exe to catch the odd parent-child relationships we're seeing.
The 90% cut explains the sheer volume we're seeing in our honeypots. Most are still relying on unpatched VPN appliances for initial access rather than zero-days. I'd recommend checking your VPN logs for excessive failed auth attempts followed by a successful one from a different geo-ip—that's been their entry point in 3 of our incident responses this month.
Good post. We've moved away from process termination hunting because of the noise from legimate admin tools. Instead, we're monitoring for the specific ransom note file extensions they drop. Even if affiliates change the note content, they often forget to rename the extension in the builder config. Looking for *.gentlemen or *.gent in FileCreated events has been high-fidelity for us.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access