SOC Prime

03 Jun 2026 16:38 UTC

Gentlemen Ransomware Emulation Explained

SOC Prime Team


Summary

The Gentlemen ransomware group has been active since July 2025 and follows a double-extortion model, combining file encryption with data theft and leak-site extortion. The malware is written in Go, supports Windows, Linux, and ESXi environments, and uses a hard-coded password argument during the encryption process. Operators also rely on broad reconnaissance, abuse of Group Policy Objects, and legitimate tools such as WinSCP to move and exfiltrate data in encrypted form.

Investigation

AttackIQ published an emulation that recreates the tactics, techniques, and procedures described by multiple security vendors, spanning initial access, persistence, defense evasion, discovery, lateral movement, and impact. The emulation includes behaviors such as creation of scheduled tasks, registry Run keys, malicious services, firewall rule changes, and deletion of volume shadow copies.

Mitigation

Defenders should watch for suspicious PowerShell activity, unexpected scheduled task creation, registry changes related to null sessions and Microsoft Defender exclusions, and attempts to enable SMBv1. Network segmentation and least-privilege access controls can help limit the group’s ability to move laterally through shared resources.

Response

If Gentlemen-related activity is detected, isolate the affected system immediately, collect volatile evidence, preserve the ransomware sample and associated registry artifacts, and begin incident response procedures to recover shadow copies and event logs from backups where possible. A full forensic investigation should also be performed to identify credential theft and any lateral movement across the environment.

Attack Flow

graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef builtin fill:#dddddd

    %% Action nodes
    act_system_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>Collect OS version, hostname and other host details"]
    class act_system_info action
    act_persistence["<b>Action</b> – Persistence Setup"]
    class act_persistence action
    act_scheduled_task["<b>Action</b> – <b>T1053.005 Scheduled Task</b><br/>Create task that runs at startup"]
    class act_scheduled_task action
    act_registry_run["<b>Action</b> – <b>T1547.001 Registry Run Keys / Startup Folder</b><br/>Add Run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]
    class act_registry_run action
    act_windows_service["<b>Action</b> – <b>T1543.003 Windows Service</b><br/>Create new service via sc.exe"]
    class act_windows_service action
    act_defense_evasion["<b>Action</b> – Defense Evasion"]
    class act_defense_evasion action
    act_disable_defender["<b>Action</b> – <b>T1562.001 Disable or Modify Tools</b><br/>Disable Windows Defender real-time monitoring"]
    class act_disable_defender action
    act_add_exclusions["<b>Action</b> – <b>T1562.001 Disable or Modify Tools</b><br/>Add process and directory exclusions via Set-MpPreference"]
    class act_add_exclusions action
    act_enable_firewall["<b>Action</b> – Enable unrestricted network discovery"]
    class act_enable_firewall action
    act_discovery["<b>Action</b> – Discovery Phase"]
    class act_discovery action
    act_ad_domain["<b>Action</b> – <b>T1482 Domain Trust Discovery</b><br/>Query AD domain information with Get-ADDomain"]
    class act_ad_domain action
    act_ad_computers["<b>Action</b> – <b>T1018 Remote System Discovery</b><br/>Enumerate domain-joined computers with Get-ADComputer"]
    class act_ad_computers action
    act_wmi_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>Collect system data via WMI"]
    class act_wmi_info action
    act_file_enum["<b>Action</b> – <b>T1083 File and Directory Discovery</b><br/>Enumerate files and directories using FindFirstFileW/FindNextFileW"]
    class act_file_enum action
    act_volume_disc["<b>Action</b> – <b>T1680 Local Storage Discovery</b><br/>Enumerate volumes with Win32_Volume and Get-PSDrive"]
    class act_volume_disc action
    act_network_share["<b>Action</b> – <b>T1049 Network Share Discovery</b><br/>Discover network shares via WNetOpenEnum/WNetEnumResource"]
    class act_network_share action
    act_lateral_movement["<b>Action</b> – Lateral Movement"]
    class act_lateral_movement action
    act_create_share["<b>Action</b> – <b>T1021 Remote Services</b><br/>Create hidden SMB share with full access using net share"]
    class act_create_share action
    act_modify_acls["<b>Action</b> – <b>T1222.001 Permission Groups Discovery</b><br/>Grant anonymous full rights with icacls"]
    class act_modify_acls action
    act_null_session["<b>Action</b> – <b>T1556.009 Access Token Manipulation</b><br/>Alter NullSessionShares, EveryoneIncludesAnonymous, RestrictAnonymous registry keys"]
    class act_null_session action
    act_copy_payload["<b>Action</b> – Copy ransomware payload to remote host"]
    class act_copy_payload action
    act_execute_wmi["<b>Action</b> – <b>T1047 Windows Management Instrumentation</b><br/>Execute payload on remote hosts via WMI/WMIC"]
    class act_execute_wmi action
    act_impact["<b>Action</b> – Impact Phase"]
    class act_impact action
    act_delete_shadow["<b>Action</b> – <b>T1490 Inhibit System Recovery</b><br/>Delete Volume Shadow Copies with wmic and vssadmin"]
    class act_delete_shadow action
    act_clear_logs["<b>Action</b> – <b>T1070.001 Clear Windows Event Logs</b><br/>Clear logs using wevtutil.exe"]
    class act_clear_logs action
    act_encrypt_files["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/>Encrypt files in place with XChaCha20 and protect keys with Curve25519"]
    class act_encrypt_files action

    %% Connections illustrating flow
    act_system_info -->|leads_to| act_persistence
    act_persistence -->|creates| act_scheduled_task
    act_persistence -->|creates| act_registry_run
    act_persistence -->|creates| act_windows_service
    act_persistence -->|leads_to| act_defense_evasion
    act_defense_evasion -->|uses| act_disable_defender
    act_defense_evasion -->|uses| act_add_exclusions
    act_defense_evasion -->|uses| act_enable_firewall
    act_defense_evasion -->|leads_to| act_discovery
    act_discovery -->|includes| act_ad_domain
    act_discovery -->|includes| act_ad_computers
    act_discovery -->|includes| act_wmi_info
    act_discovery -->|includes| act_file_enum
    act_discovery -->|includes| act_volume_disc
    act_discovery -->|includes| act_network_share
    act_discovery -->|leads_to| act_lateral_movement
    act_lateral_movement -->|creates| act_create_share
    act_lateral_movement -->|modifies| act_modify_acls
    act_lateral_movement -->|modifies| act_null_session
    act_lateral_movement -->|copies| act_copy_payload
    act_lateral_movement -->|executes| act_execute_wmi
    act_execute_wmi -->|leads_to| act_impact
    act_impact -->|includes| act_delete_shadow
    act_impact -->|includes| act_clear_logs
    act_impact -->|includes| act_encrypt_files

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

Attack Narrative & Commands

An adversary who has gained low‑privilege execution on a domain‑joined Windows server wishes to prepare the environment for ransomware deployment. They use native PowerShell cmdlets to:

  1. Disable real‑time protection (Set-MpPreference).
  2. Open firewall ports (Enable-NetFirewallRule).
  3. Enable additional Windows features (Import-Module ServerManager + Enable-WindowsOptionalFeature).
  4. Harvest domain information (Get-ADDomain, Get-ADComputer).
  5. Enumerate system details (Get-WmiObject Win32_ComputerSystem, Get-PSDrive).
  6. Copy malicious payloads to a remote share (Copy-Item).

Each step is executed in a separate PowerShell process to ensure that the command line of each process contains one of the strings the Sigma rule watches for, thereby generating the required telemetry.
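To make the detection side of this narrative concrete, here is an added example (not code from SOC Prime, AttackIQ, or the Sigma rule the page refers to): a minimal Sigma-style matcher that evaluates rules for the cmdlet strings listed in the steps above and for the indicators named under Mitigation (the null-session registry values, Defender exclusions, SMBv1 enablement) over constructed Sysmon-shaped sample events. The rule titles, the field names, and the reduction to Event ID 1 (process creation) and Event ID 13 (registry value set) are assumptions; the registry paths used are the well-known locations for those settings.

```python
"""Sigma-style matcher for the page's emulation indicators, run over constructed sample telemetry.

Added example: the rules below are modeled on Sysmon Event ID 1 (process creation) and
Event ID 13 (registry value set) fields; they are not the Sigma rule the page refers to.
"""
from dataclasses import dataclass

# Cmdlet strings the narrative says each emulation step leaves on a PowerShell command line.
POWERSHELL_CMDLETS = (
    "Set-MpPreference", "Enable-NetFirewallRule", "Import-Module ServerManager",
    "Enable-WindowsOptionalFeature", "Get-ADDomain", "Get-ADComputer",
    "Get-WmiObject Win32_ComputerSystem", "Get-PSDrive", "Copy-Item",
)


@dataclass(frozen=True)
class Rule:
    title: str
    event_id: int      # Sysmon event the rule applies to: 1 = process create, 13 = registry set
    selection: tuple   # (field, modifier, values) triples; all triples must hold, values are OR-ed


RULES = (
    Rule("Emulation cmdlet on PowerShell command line", 1, (
        ("Image", "endswith", ("\\powershell.exe", "\\pwsh.exe")),
        ("CommandLine", "contains", POWERSHELL_CMDLETS),
    )),
    # Registry values named under Mitigation (null-session hardening), at their well-known paths.
    Rule("Null-session hardening values modified", 13, (
        ("TargetObject", "endswith", (
            "\\LanmanServer\\Parameters\\NullSessionShares",
            "\\Control\\Lsa\\EveryoneIncludesAnonymous",
            "\\Control\\Lsa\\RestrictAnonymous",
        )),
    )),
    Rule("Microsoft Defender exclusion written", 13, (
        ("TargetObject", "contains", ("\\Windows Defender\\Exclusions\\",)),
    )),
    # 'all' turns the OR over values into an AND, so both strings must sit on one command line.
    Rule("SMBv1 enablement attempt", 1, (
        ("CommandLine", "contains|all", ("Enable-WindowsOptionalFeature", "SMB1Protocol")),
    )),
)


def _field_matches(actual: str, modifier: str, values) -> bool:
    """Sigma string modifiers compare case-insensitively."""
    a = actual.lower()
    vals = [v.lower() for v in values]
    if modifier == "contains":
        return any(v in a for v in vals)
    if modifier == "contains|all":
        return all(v in a for v in vals)
    if modifier == "endswith":
        return any(a.endswith(v) for v in vals)
    raise ValueError(f"unsupported modifier {modifier!r}")


def matches(rule: Rule, event: dict) -> bool:
    """True when the event is of the rule's type and every selection triple holds."""
    if event.get("EventID") != rule.event_id:
        return False
    return all(_field_matches(str(event.get(f, "")), mod, vals) for f, mod, vals in rule.selection)


def run_rules(events, rules=RULES):
    """Return (event index, rule title) pairs for every hit, in event order then rule order."""
    return [(i, r.title) for i, e in enumerate(events) for r in rules if matches(r, e)]


# Constructed sample events (not real captures), reduced to the fields the rules read.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": _PS,
     "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 1, "Image": _PS,  # read-only query: must not fire
     "CommandLine": 'powershell.exe -Command "Get-MpPreference | Out-Null"'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": 'pwsh.exe -Command "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"'},
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Staging",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Staging\\updater.exe"},  # persistence, outside these rules: must not fire
    {"EventID": 1, "Image": _PS,  # the page's cleanup step also carries a watched string
     "CommandLine": 'powershell.exe -command "set-mppreference -disablerealtimemonitoring $false"'},
]

if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Two points the sample set is built to show: the benign Get-MpPreference query does not fire while the case-folded Set-MpPreference does, so the rule is keyed on the mutating cmdlet and not on its noun; and the cleanup command that re-enables real-time monitoring carries the same watched string, so analysts validating the rule should expect an alert from the cleanup phase as well as from the simulation.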

Regression Test Script

# -------------------------------------------------
# Simulation script – triggers The Gentlemen ransomware detection rule
# -------------------------------------------------
# NOTE: Run this on a non‑production, isolated Windows host.

# 1. Disable Windows Defender Real‑Time Monitoring
powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

# 2. Enable a firewall rule (e.g., allow inbound SMB)
powershell.exe -Command "Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'"

# 3. Import the ServerManager module and enable a Windows feature
powershell.exe -Command "Import-Module ServerManager; Enable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart"

# 4. Enumerate AD domain information
powershell.exe -Command "Get-ADDomain | Out-Null"

# 5. List AD computers (discovery)
powershell.exe -Command "Get-ADComputer -Filter * | Select-Object Name | Out-Null"

# 6. Query WMI for system details
powershell.exe -Command "Get-WmiObject Win32_ComputerSystem | Out-Null"

# 7. Show current PS drives
powershell.exe -Command "Get-PSDrive | Out-Null"

# 8. Copy a dummy file to a remote share to simulate lateral movement
#    (Replace \\REMOTE-SERVER\Share with a reachable SMB share in your lab)
$dummy = "$env:TEMP\dummy.txt"
"test" | Out-File -FilePath $dummy -Encoding ASCII
powershell.exe -Command "Copy-Item -Path '$dummy' -Destination '\\REMOTE-SERVER\Share\dummy.txt'"

# Cleanup dummy file locally
Remove-Item $dummy -Force

Cleanup Commands

# -------------------------------------------------
# Cleanup script – restores the host to its pre‑test state
# -------------------------------------------------
# Re‑enable Windows Defender real‑time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Disable the firewall rule enabled above (if still present)
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# Turn the Windows feature enabled above back off
Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart

# Remove the dummy file from the remote share (requires write permission)
Remove-Item -Path '\\REMOTE-SERVER\Share\dummy.txt' -Force -ErrorAction SilentlyContinue