Trend Micro Reveals TTPs of The Gentlemen Ransomware Group Targeting Critical Industries
Trend Micro research details the tactics, techniques, and procedures of The Gentlemen ransomware group, which has targeted manufacturing, healthcare, and other critical sectors across 17 countries since August 2025.

Trend Micro researchers have published a detailed analysis of The Gentlemen ransomware group, an emerging threat actor that has been targeting organizations across multiple critical industries since August 2025. The group's campaign has affected at least 17 countries, with a heavy focus on the Asia-Pacific region, particularly Thailand and the United States. The manufacturing sector has been the hardest hit, followed by construction, healthcare, and insurance, raising concerns about the group's disregard for critical infrastructure and public safety.
The attack chain begins with initial access likely achieved through compromised credentials or exploitation of internet-facing services. Once inside, the attackers deploy network reconnaissance tools such as Advanced IP Scanner to map the network and identify valuable targets. During the discovery phase, they examine Active Directory structures, focusing on privileged accounts like domain administrators and enterprise administrators. A batch script named 1.bat was observed performing mass account enumeration, querying over 60 user accounts across the domain.
A key aspect of The Gentlemen's operations is their sophisticated defense evasion techniques. The group deploys a legitimate signed driver (ThrottleBlood.sys) in conjunction with a custom executable (All.exe) to perform kernel-level manipulation, effectively terminating security software processes. This technique, previously documented by other researchers, allows the attackers to bypass enterprise endpoint protections. The group also abuses Group Policy Objects (GPO) to facilitate domain-wide compromise and uses custom anti-AV utilities tailored to specific security vendors.
Lateral movement is achieved through Cobalt Strike, a legitimate penetration testing tool that has been widely adopted by cybercriminals. The attackers establish persistence via AnyDesk remote access software and modified registry settings. Data exfiltration is performed over encrypted channels using WinSCP, a legitimate file transfer tool. Before encryption, the group exfiltrates sensitive data, a common double-extortion tactic.
The ransomware payload itself employs advanced encryption and multi-stage execution to evade detection. The group's ability to adapt their tools mid-campaign—shifting from generic anti-AV utilities to highly targeted variants—demonstrates their versatility and determination. Trend Micro notes that the group's substantial victim count and lack of prior threat intelligence suggest either a rebranding by experienced operators or the emergence of a well-funded new entrant in the ransomware ecosystem.
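To make the attack chain above concrete from a defender's side, here is an added example (not code from Trend Micro or its report) of simple hunting logic that flags the phases described: the reconnaissance and mass account enumeration, the signed-driver-plus-companion-executable pairing used to kill security software, AnyDesk persistence, and WinSCP transfers. The log format, the hosts, the file paths and the enumeration threshold are all constructed for the example; the only values taken from the report are the tool and file names it cites.

```python
import re
from collections import Counter

# Constructed sample telemetry, not from the report: "type=<process|driver> host=<name> image=<path> cmd=<command line>".
SAMPLE_LOG = [
    "type=process host=WS01 image=C:\\Tools\\Advanced_IP_Scanner.exe cmd=Advanced_IP_Scanner.exe",
    "type=driver host=WS01 image=C:\\Windows\\Temp\\ThrottleBlood.sys cmd=",
    "type=process host=WS01 image=C:\\Windows\\Temp\\All.exe cmd=All.exe",
    "type=process host=WS01 image=C:\\Windows\\System32\\cmd.exe cmd=cmd.exe /c 1.bat",
    "type=process host=WS02 image=C:\\Program Files\\AnyDesk\\AnyDesk.exe cmd=AnyDesk.exe --install",
    "type=process host=WS02 image=C:\\Program Files\\WinSCP\\WinSCP.exe cmd=WinSCP.exe /upload",
    "type=process host=WS03 image=C:\\Windows\\System32\\net.exe cmd=net user alice /domain",
] + [f"type=process host=WS01 image=C:\\Windows\\System32\\net.exe cmd=net user u{i} /domain" for i in range(12)]

EVENT_RE = re.compile(r"type=(\S+) host=(\S+) image=(.*?) cmd=(.*)$")
# Single-event rules keyed to the tools and files named in the report: (phase, label, regex on image or cmd).
RULES = [
    ("discovery", "Advanced IP Scanner executed", re.compile(r"advanced_ip_scanner\.exe$", re.I)),
    ("discovery", "1.bat enumeration script executed", re.compile(r"\b1\.bat\b", re.I)),
    ("defense-evasion", "ThrottleBlood.sys driver loaded", re.compile(r"throttleblood\.sys$", re.I)),
    ("defense-evasion", "All.exe executed", re.compile(r"\\all\.exe$", re.I)),
    ("persistence", "AnyDesk installed", re.compile(r"anydesk\.exe$", re.I)),
    ("exfiltration", "WinSCP transfer", re.compile(r"winscp\.exe$", re.I)),
]
NET_USER_RE = re.compile(r"^net(?:\.exe)?\s+user\s+\S+\s+/domain", re.I)


def detect(lines, enum_threshold=10):
    """Return sorted (host, phase, label) findings; the threshold is a constructed value (the report saw 60+ queries)."""
    findings, net_user_hosts = set(), Counter()
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        _etype, host, image, cmd = m.groups()
        for phase, label, rx in RULES:
            if rx.search(image) or rx.search(cmd):
                findings.add((host, phase, label))
        if NET_USER_RE.match(cmd):  # one "net user <name> /domain" query per event
            net_user_hosts[host] += 1
    for host, n in net_user_hosts.items():
        if n >= enum_threshold:
            findings.add((host, "discovery", f"mass account enumeration ({n} net user /domain queries)"))
    # Correlate the signed driver with its companion executable on the same host: that pairing, not
    # either file alone, is the kernel-level process-killing technique described in the report.
    for host in {h for h, _, _ in findings}:
        labels = {lbl for h, _, lbl in findings if h == host}
        if {"ThrottleBlood.sys driver loaded", "All.exe executed"} <= labels:
            findings.add((host, "defense-evasion", "BYOVD pair: ThrottleBlood.sys + All.exe"))
    return sorted(findings)
```

The file-name matches are the brittle part, since an operator can rename a script or executable; the per-host counting of domain account queries and the driver-plus-executable correlation are the rules worth keeping when adapting this to real endpoint telemetry.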
Trend Micro's Vision One platform detects and blocks the indicators of compromise (IOCs) associated with this campaign. The company has provided hunting queries, threat intelligence, and mitigation recommendations to help organizations defend against The Gentlemen. The report underscores the evolving sophistication of ransomware operations, where attackers conduct extensive reconnaissance to tailor their attacks to specific environments, moving beyond opportunistic exploitation to targeted, systematic compromise.