TheGentlemen Ransomware - Exposed Toolkit and Victim Data

In short: a leaked server revealed how a ransomware affiliate operates and exposed the victim information it had stolen.
A misconfigured server has exposed TheGentlemen ransomware's toolkit, including victim credentials and Ngrok tokens. This breach poses significant risks to organizations globally. Security teams must act quickly to mitigate potential impacts.
What Happened
A misconfigured server hosted on a Russian bulletproof hosting provider has revealed the complete operational toolkit of a TheGentlemen ransomware affiliate. This exposure includes harvested victim credentials and plaintext authentication tokens used for establishing hidden remote access tunnels. TheGentlemen operates as a Ransomware-as-a-Service (RaaS), allowing affiliates to carry out attacks using shared tools and infrastructure. This particular incident sheds light on their rapid attack capabilities, which can encrypt files within hours of initial access.
The exposed server was identified at IP address 176.120.22[.]127 and was found to be active for at least 24 days before discovery. Analysts from Hunt.io discovered the open directory while investigating indicators of compromise linked to prior reports on TheGentlemen group. The directory contained 126 files across 18 subdirectories, totaling around 140 megabytes of operational material, indicating that these tools had already been deployed against real victims.
Who's Being Targeted
TheGentlemen ransomware group has been known to target organizations across various regions, including the Americas, Europe, and the Middle East. Their operations span multiple environments, including Windows, Linux, and ESXi. The group's swift attack methodology compresses the time between initial access and full encryption, making them a significant threat to organizations that may not be prepared for such rapid assaults.
This exposure is particularly alarming as it not only reveals the tools available to the affiliates but also the operational readiness of these tools. The scripts found on the server are designed for immediate deployment, showcasing the group's ability to execute attacks efficiently and effectively.
Signs of Infection
One of the most revealing files on the server is z1.bat, a batch script that consolidates nearly every pre-encryption preparation step. This script disables security services from multiple vendors, including Kaspersky, McAfee, and Trend Micro. It also creates open SMB shares on every drive, allowing ransomware to access shared drives across the network easily.
Security teams should be vigilant for several behaviors associated with this toolkit. Indicators of compromise include mass changes to Windows Defender service states, unauthorized access to LSASS memory, and patterns of event log clearing. Additionally, monitoring for ngrok tunnel activity and blocking connections to the exposed server's IP address is crucial for preventing further exploitation.
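As an added example (not part of the Hunt.io report), the following Python hunt turns the indicators above into detection logic over a handful of constructed Windows event records. The Windows event IDs are real; the record layout, the host names and every service name other than WinDefend are assumptions to be adapted to your own telemetry.

```python
"""Flag hosts showing z1.bat-style pre-encryption staging.
Event IDs: 7040 service start type changed, 5142 network share created,
1102 audit log cleared, Sysmon 10 process access, Sysmon 3 network connection."""
import re
from collections import defaultdict

# WinDefend is real; add the service names of your own AV/EDR vendors here (assumed list).
SECURITY_SERVICES = {"WinDefend", "Sense"}
LEAKED_SERVER = "176.120.22.127"              # exposed server named in the report
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")    # share whose local path is a whole drive

def classify(ev):
    """Return the indicator category an event matches, or None."""
    eid, log, d = ev["id"], ev["log"], ev["data"]
    if eid == 7040 and d.get("service") in SECURITY_SERVICES and "disabled" in d.get("new_start", "").lower():
        return "security_service_disabled"
    if eid == 5142 and DRIVE_ROOT.match(d.get("local_path", "")):
        return "drive_root_shared"                 # net share of an entire drive
    if eid == 1102 or (eid == 104 and log == "System"):
        return "event_log_cleared"
    if log == "Sysmon" and eid == 10 and d.get("target", "").lower().endswith("\\lsass.exe"):
        return "lsass_access"
    if log == "Sysmon" and eid == 3 and (d.get("dest_ip") == LEAKED_SERVER or "ngrok" in d.get("image", "").lower()):
        return "ngrok_or_leaked_server"
    return None

def staging_hosts(events, min_categories=3):
    """Hosts with >= min_categories distinct indicators; one hit alone is noisy, several together are not."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["host"]].add(cat)
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_categories}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "FS01", "log": "System", "id": 7040, "data": {"service": "WinDefend", "new_start": "disabled"}},
    {"host": "FS01", "log": "Security", "id": 5142, "data": {"share": "\\\\*\\D", "local_path": "D:\\"}},
    {"host": "FS01", "log": "Sysmon", "id": 10, "data": {"source": "C:\\Windows\\Temp\\p.exe", "target": "C:\\Windows\\System32\\lsass.exe"}},
    {"host": "FS01", "log": "Security", "id": 1102, "data": {}},
    {"host": "FS01", "log": "Sysmon", "id": 3, "data": {"image": "C:\\Users\\Public\\ngrok.exe", "dest_ip": "203.0.113.5"}},
    {"host": "WS22", "log": "Security", "id": 5142, "data": {"share": "\\\\*\\Reports", "local_path": "D:\\Reports"}},
    {"host": "WS22", "log": "System", "id": 7040, "data": {"service": "Spooler", "new_start": "disabled"}},
]

if __name__ == "__main__":
    for host, cats in staging_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```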
How to Protect Yourself
Organizations should take immediate actions to mitigate risks associated with this exposure. Implementing Credential Guard, maintaining offline backups, and enabling endpoint tamper protection are essential steps. Regular audits of Group Policy Objects for unauthorized changes and application whitelisting in user-writable directories can help fortify defenses against such ransomware operations.
Furthermore, educating employees about the signs of ransomware attacks and ensuring robust incident response plans are in place can significantly reduce the risk of falling victim to similar attacks in the future. As the threat landscape continues to evolve, staying informed and prepared is key to maintaining cybersecurity resilience.