Trend Micro researchers have revealed a new ransomware campaign orchestrated by The Gentlemen, an emerging threat group that combines legitimate driver abuse, Group Policy manipulation, and custom anti-security tools to bypass enterprise defenses. The campaign, observed since August 2025, highlights the increasing sophistication of ransomware operators who tailor their attacks to specific enterprise environments.
According to Trend Micro, “The Gentlemen ransomware group launched a campaign involving advanced, highly tailored tools specifically designed to bypass enterprise endpoint protections.” The group systematically studied the defenses deployed in each victim environment, adapting its malware from generic anti-AV utilities into custom variants crafted to neutralize the specific security solutions it encountered.
Among their methods: exploiting legitimate signed drivers, abusing Group Policy Objects (GPO) for domain-wide compromise, and deploying Allpatch2.exe, a specialized anti-security tool. These techniques allowed the attackers to stealthily disable protections before launching their ransomware payloads.

The Gentlemen demonstrated skill in lateral movement and persistence. Trend Micro notes, “The group also engineered ransomware deployment via privileged domain accounts and created evasion methods to persist against security controls.” By compromising domain administrators and enterprise accounts, they gained the highest level of access.
Persistence was maintained through tools like AnyDesk for covert remote access and through registry modifications that weakened authentication and remote desktop protocols, so that the attackers kept a foothold even while incident response was under way.
Like many modern ransomware operators, The Gentlemen pursued double extortion. They staged sensitive files in hidden directories and exfiltrated them through encrypted channels. Trend Micro explains, “The group demonstrated operational security practices by utilizing encrypted channels for data exfiltration via WinSCP and establishing redundant persistence mechanisms.”
This approach not only guaranteed leverage during ransom negotiations but also minimized the chance of detection during exfiltration.
The campaign impacted multiple industries worldwide. “The group targeted multiple industries and regions, focusing heavily on a range of industries such as manufacturing, construction, healthcare, and insurance, with attacks spanning at least 17 countries.”
Healthcare and insurance targets are particularly concerning, as disruptions in these sectors can have direct consequences on public safety.
The Gentlemen ransomware campaign underscores the rapid evolution of ransomware tactics — from indiscriminate mass attacks to sophisticated, highly customized operations. By combining legitimate tool abuse, encrypted exfiltration, and custom-built utilities, the group has demonstrated both adaptability and persistence.
As Trend Micro concludes, “The Gentlemen show advanced capabilities by systematically compromising enterprise environments, using versatile tools from generic anti-AV utilities to targeted variants, highlighting a serious threat to organizations despite security measures.”
Organizations are urged to strengthen monitoring of administrative activity, enforce strict account controls, and proactively hunt for signs of ransomware staging before attackers can deliver their final payload.
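The behaviours described above (registry changes that weaken RDP and authentication, AnyDesk and WinSCP appearing on hosts, hidden-directory staging, and GPO edits) are all visible in ordinary endpoint and domain-controller telemetry, which is what the hunting advice in the last paragraph comes down to in practice. The script below is an added example written for this article, not code from Trend Micro or from the report; the event records are constructed, the simplified field layout is an assumption of the script, the registry keys are real Windows settings but their pairing with "weak" values is the script's own choice, and the tool names are the two the article mentions.

```python
"""
Hunt over endpoint / AD telemetry for the behaviours this article describes:
registry changes that weaken RDP or authentication, remote-access and
file-transfer tools appearing on hosts, hidden-directory staging, and GPO edits.

Every event below is CONSTRUCTED for this example.  The field names follow a
simplified Sysmon / Windows-security-log shape and are an assumption of this
script; nothing here is an IoC list from the Trend Micro report.
"""
import re

# Registry values whose change weakens remote-desktop or authentication controls.
# The key paths are real Windows settings; pairing each with a "weak" value is
# this script's assumption about what "weakened RDP/authentication" looks like.
WEAKENING_REG_VALUES = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections": "0",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication": "0",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy": "1",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": "0",
}

# Legitimate tools the article names as abused; unexpected appearances get reviewed.
WATCHED_IMAGES = {"anydesk.exe", "winscp.exe"}

# attrib.exe marking a directory hidden and/or system is a common staging trick.
HIDDEN_ATTRIB_RE = re.compile(r"\battrib(\.exe)?\b.*\+[hs]", re.IGNORECASE)


def hunt(events, allowed_admin_hosts=frozenset()):
    """Return (rule, host, detail) tuples for events matching the hunt rules."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        host = ev.get("host", "?")
        if kind == "registry_set":
            # Sysmon event 13 (RegistryEvent, value set), simplified to a plain value.
            want = WEAKENING_REG_VALUES.get(ev.get("target", ""))
            if want is not None and str(ev.get("value")) == want:
                findings.append(("weakened_rdp_or_auth", host, ev["target"]))
        elif kind == "process_create":
            # Sysmon event 1 / Windows 4688, simplified to image path and command line.
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("cmdline", "")
            if image in WATCHED_IMAGES and host not in allowed_admin_hosts:
                findings.append(("watched_tool_started", host, image))
            if HIDDEN_ATTRIB_RE.search(cmd):
                findings.append(("hidden_dir_staging", host, cmd))
        elif kind == "ds_object_modified":
            # Windows security event 5136 carries the class of the modified object;
            # groupPolicyContainer objects are the GPOs themselves.
            if ev.get("object_class", "").lower() == "grouppolicycontainer":
                findings.append(("gpo_modified", host, ev.get("subject", "?")))
    return findings


# Constructed sample telemetry: a mix of benign and suspicious records.
SAMPLE_EVENTS = [
    {"kind": "registry_set", "host": "WS01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "value": "0"},
    {"kind": "registry_set", "host": "WS01",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication", "value": "0"},
    {"kind": "registry_set", "host": "WS02",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", "value": "1"},
    {"kind": "process_create", "host": "WS01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "cmdline": "AnyDesk.exe --silent"},
    {"kind": "process_create", "host": "ADMIN01",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe"},
    {"kind": "process_create", "host": "FS01",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c attrib +s +h C:\ProgramData\stage"},
    {"kind": "ds_object_modified", "host": "DC01",
     "object_class": "groupPolicyContainer", "subject": "CORP\\svc_backup"},
    {"kind": "ds_object_modified", "host": "DC01",
     "object_class": "user", "subject": "CORP\\helpdesk"},
]


def run_sample():
    """Run the hunt over the constructed sample; ADMIN01 is an approved admin jump host."""
    return hunt(SAMPLE_EVENTS, allowed_admin_hosts={"ADMIN01"})


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:24} {host:8} {detail}")
```

The point of the allow-list parameter is that WinSCP and AnyDesk are legitimate software: the signal is not the tool itself but its appearance on a workstation or file server where it has no business. The registry rule fires only when a value moves to its weak setting, so routine hardening changes (for example setting `fDenyTSConnections` back to 1) stay quiet. In a real deployment the same rules would be expressed in the SIEM's query language and run against live Sysmon and security-log feeds rather than over an inline list.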