
Ransomware Toolkit Exposed: TheGentlemen Affiliate's Operations Uncovered

Severity: High (Score: 72.5)

Sources: Cybersecuritynews, Socprime, Gbhackers

Summary

Researchers found an exposed server on a Russian bulletproof hosting provider holding a complete ransomware toolkit linked to a TheGentlemen affiliate. The 126 cataloged files include utilities for credential dumping, remote access, privilege escalation and defense evasion, scripts for disabling security controls, plaintext ngrok tokens and victim credentials. TheGentlemen operates as Ransomware-as-a-Service (RaaS): the core group supplies shared tooling and infrastructure, and affiliates carry out the intrusions. Analysts mapped the toolkit components to MITRE ATT&CK techniques (listed under Key Entities) so that defenders can alert on the behaviors those tools produce, such as LSASS memory access, remote access tool execution and outbound tunneling, rather than on particular file names. Recommendations include blocking outbound connections to the identified IP (176.120.22.127) and enforcing application whitelisting. Detection of the toolkit in use warrants immediate incident response.

Key Points

  • An exposed server has revealed a complete ransomware toolkit used by TheGentlemen affiliates.
  • The toolkit includes tools for credential dumping, remote access, and defense evasion, plus plaintext ngrok tokens and victim credentials.
  • Defenders are advised to monitor for the mapped ATT&CK behaviors and block outbound connections to the identified IP.

Key Entities

  • Ransomware (attack_type)
  • 176.120.22.127 (ipv4)
  • T1003.001 - LSASS Memory (mitre_attack)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1219 - Remote Access Tools (mitre_attack)
  • T1572 - Protocol Tunneling (mitre_attack)
  • Windows (platform)
  • TheGentlemen (ransomware_group)
  • Mimikatz (tool)
  • Ngrok (tool)
  • RustDesk (tool)
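The behavioral monitoring the summary recommends, as an added example that is not code from the report or any of its sources: a small Python detector that maps Windows Sysmon-style telemetry to the techniques listed above (T1003.001 LSASS access, T1219 remote access tools, T1572 tunneling) and to the identified IP. The events are constructed for the example; the tool file names, the lsass.exe allowlist and the ngrok domain list are assumptions, not indicators from the report.

```python
"""Behavioral checks for the toolkit components named above.

Added example; not code from the report or any of its sources. The events are
constructed to resemble Windows Sysmon records (EventID 1 process creation,
3 network connection, 10 process access) and the field names follow Sysmon's
schema. Tool file names, the lsass.exe allowlist and the ngrok domain list are
assumptions made for the example.
"""
import os

C2_IP = "176.120.22.127"                # IP listed under Key Entities
NGROK_SUFFIXES = (".ngrok.com", ".ngrok.io", ".ngrok-free.app")  # assumed ngrok domains
REMOTE_ACCESS_TOOLS = {"rustdesk.exe"}  # T1219
TUNNELING_TOOLS = {"ngrok.exe"}         # T1572
CRED_DUMP_TOOLS = {"mimikatz.exe"}      # T1003
PROCESS_VM_READ = 0x10                  # access right needed to read another process's memory
# Assumption: system/security processes that legitimately open lsass.exe with read rights
LSASS_READ_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe", "lsass.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_lsass_access(event):
    """T1003.001: a non-allowlisted process opens lsass.exe with VM_READ (Sysmon EventID 10)."""
    if event.get("EventID") != 10 or image_name(event["TargetImage"]) != "lsass.exe":
        return None
    source = image_name(event["SourceImage"])
    granted = int(event["GrantedAccess"], 16)
    if granted & PROCESS_VM_READ and source not in LSASS_READ_ALLOWLIST:
        return ("T1003.001", f"{source} opened lsass.exe with GrantedAccess 0x{granted:x}")
    return None


def check_network(event):
    """IOC match on the listed IP, or T1572 for ngrok traffic (Sysmon EventID 3)."""
    if event.get("EventID") != 3:
        return None
    image = image_name(event["Image"])
    host = event.get("DestinationHostname", "").lower()
    if event.get("DestinationIp") == C2_IP:
        return ("IOC", f"{image} connected to {C2_IP}:{event.get('DestinationPort')}")
    if image in TUNNELING_TOOLS or host.endswith(NGROK_SUFFIXES):
        return ("T1572", f"{image} tunnelled to {host or event.get('DestinationIp')}")
    return None


def check_process(event):
    """Execution of the named tools (Sysmon EventID 1)."""
    if event.get("EventID") != 1:
        return None
    image = image_name(event["Image"])
    if image in REMOTE_ACCESS_TOOLS:
        return ("T1219", f"remote access tool started: {event.get('CommandLine')}")
    if image in CRED_DUMP_TOOLS:
        return ("T1003", f"credential dumper started: {event.get('CommandLine')}")
    if image in TUNNELING_TOOLS:
        return ("T1572", f"tunneling tool started: {event.get('CommandLine')}")
    return None


CHECKS = (check_lsass_access, check_network, check_process)


def detect(events):
    """Run every check over every event; the first matching check wins per event."""
    alerts = []
    for event in events:
        for check in CHECKS:
            hit = check(event)
            if hit:
                alerts.append({"tag": hit[0], "reason": hit[1], "event": event})
                break
    return alerts


# Constructed sample telemetry for the example (not data from the exposed server)
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\svc\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Users\svc\mimikatz.exe", "CommandLine": "mimikatz.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\ngrok.exe", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "DestinationHostname": "tunnel.ngrok.com"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": C2_IP,
     "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Users\svc\AppData\Local\rustdesk.exe",
     "CommandLine": "rustdesk.exe --service"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['tag']}] {alert['reason']}")
```

The LSASS check keys on the requested access right rather than on a specific dumper's file name, because the summary notes the affiliates could rename or swap any of the 126 utilities; the csrss.exe event shows why an allowlist of legitimate LSASS readers is needed to keep the rule from firing constantly. The IP match is kept separate from the technique tags so that a hit on the listed indicator is reported even when the process making the connection is something unremarkable like explorer.exe.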