Inside 'The Gentlemen' Ransomware: TTPs, AI, and Network Hardening
Understand the technical tactics of this rapidly expanding RaaS group to defend your edge devices and Active Directory.
In the landscape of Ransomware-as-a-Service (RaaS), a highly aggressive group known as "The Gentlemen" (previously tracked as the affiliate group Phantom Mantis) has rapidly ascended to become one of the most active threat actors. According to data from Ransomware.Live, the group has claimed at least 478 victims since its inception in early 2025.
What makes the group particularly notable for enterprise security teams is its combination of a highly lucrative 90/10 affiliate revenue split—significantly higher than the industry-standard 80/20 split—and a sophisticated, multi-platform technical stack. Led by a Russian-speaking operator identified as Alexander Andreevich Yapaev (who operates under aliases such as LARVA-368, Hastalamuerte, and Zeta88), the group leverages artificial intelligence for malware development and employs a devastating array of post-exploitation tools.
To defend against this threat, developers and system administrators must understand the group's specific Tactics, Techniques, and Procedures (TTPs) to harden their infrastructure.
Initial Access: Targeting the Edge
The Gentlemen do not rely on complex phishing campaigns for initial entry. Instead, they focus on internet-facing edge devices, specifically targeting vulnerable VPN appliances, firewalls, and gateway systems. Security analyses indicate a particular focus on platforms from vendors like Cisco and Fortinet.
Once inside, the threat actors move with extreme speed, often encrypting entire networks within hours of the initial compromise. To prevent security researchers and law enforcement from infiltrating their affiliate panel, the group enforces a strict vetting process: prospective affiliates must provide at least 1GB of exfiltrated victim data to the administrator before receiving access to the RaaS infrastructure.
Post-Exploitation and Active Directory Abuse
Once initial access is established, the group deploys a robust suite of red-teaming and post-exploitation tools to map the internal network, escalate privileges, and prepare for lateral movement. Developers and administrators should monitor their environments for the execution of the following utilities:
- NetExec: Used for network service scanning, credential harvesting, and lateral movement.
- TaskHound and PrivHound: Utilized to map Active Directory (AD) relationships and identify attack paths.
- CertiHound: Deployed specifically to find and exploit misconfigurations in Active Directory Certificate Services (ADCS).
- RelayKing: Used to orchestrate NTLM relay attacks across the local network.
By abusing AD trust relationships and certificate services, the attackers quickly gain domain-level administrative privileges, allowing them to manipulate Group Policy Objects (GPOs) to distribute their payloads across the enterprise.
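Because the tools above are primarily recognisable by name on first use, a simple name-based detection over process-creation telemetry is a reasonable first tripwire. The following is an added example, not code from the article or from any vendor: it scans constructed process-creation records (fields modelled on a Sysmon Event ID 1 or Windows 4688 event, in an invented `timestamp|key=value` layout) and reports every event whose image basename or command line contains one of the tool names listed above. The `nxc` token is NetExec's command-line name; the sample log lines, host names and accounts are all constructed.

```python
"""Detect execution of the post-exploitation tooling named above.

Added example, not code from the article or any vendor: a small scanner that
reads constructed process-creation records and reports any whose image name
or command line contains a known tool name.
"""
import re
from dataclasses import dataclass

# Tool names from the article's list; "nxc" is NetExec's command-line name.
TOOL_SIGNATURES = {
    "netexec": "NetExec (service scanning, credential harvesting, lateral movement)",
    "nxc": "NetExec (service scanning, credential harvesting, lateral movement)",
    "taskhound": "TaskHound (Active Directory attack-path mapping)",
    "privhound": "PrivHound (Active Directory attack-path mapping)",
    "certihound": "CertiHound (ADCS misconfiguration discovery)",
    "relayking": "RelayKing (NTLM relay orchestration)",
}

_TOKEN = re.compile(r"[a-z0-9_]+")


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'timestamp|key=value|key=value' record (constructed format)."""
    timestamp, *fields = line.strip().split("|")
    kv = dict(f.split("=", 1) for f in fields)
    return ProcessEvent(timestamp, kv["host"], kv["user"], kv["image"], kv.get("cmdline", ""))


def matched_tools(event: ProcessEvent) -> list[str]:
    """Return the known tools whose names appear in the image basename or command line."""
    basename = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    tokens = set(_TOKEN.findall(f"{basename} {event.cmdline.lower()}"))
    return sorted({TOOL_SIGNATURES[t] for t in tokens if t in TOOL_SIGNATURES})


def scan(log_text: str) -> list[tuple[ProcessEvent, list[str]]]:
    """Scan a log blob and return (event, matched tools) pairs for every hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        tools = matched_tools(event)
        if tools:
            hits.append((event, tools))
    return hits


# Constructed sample events: a benign service, a NetExec run under a service
# account, a RelayKing run, a benign git call, and a renamed binary that
# name matching cannot catch (a known blind spot of this approach).
SAMPLE_LOG = """
2025-06-01T10:15:02Z|host=WS-042|user=CORP\\jdoe|image=C:\\Windows\\System32\\svchost.exe|cmdline=svchost.exe -k netsvcs
2025-06-01T10:17:45Z|host=WS-042|user=CORP\\svc_backup|image=C:\\Users\\Public\\nxc.exe|cmdline=nxc.exe smb <targets>
2025-06-01T10:21:09Z|host=SRV-FS1|user=CORP\\svc_backup|image=C:\\Users\\Public\\RelayKing.exe|cmdline=RelayKing.exe
2025-06-01T10:22:30Z|host=WS-042|user=CORP\\jdoe|image=C:\\Program Files\\Git\\bin\\git.exe|cmdline=git.exe pull
2025-06-01T10:25:11Z|host=SRV-FS1|user=CORP\\svc_backup|image=C:\\Users\\Public\\update.exe|cmdline=update.exe
"""


def scan_sample() -> list[tuple[ProcessEvent, list[str]]]:
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for event, tools in scan_sample():
        print(f"{event.timestamp} {event.host} {event.user}: {', '.join(tools)}")
```

The last sample line shows the limitation: a renamed binary produces no hit, so name matching should be paired with hash-, signer- or behaviour-based rules (for example, a non-administrative account opening SMB sessions to many hosts in a short window) rather than used on its own.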
Cross-Platform Lockers and Evasion Tactics
The Gentlemen's payload delivery is highly versatile. The group maintains five distinct versions of its ransomware, designed to target a wide variety of operating systems and storage architectures:
- Windows (Standard modern enterprise environments)
- Windows XP+ (Legacy systems)
- Linux (General server infrastructure)
- ESXi (Hypervisors and virtualized environments)
- LVM / Logical Volume Manager (Enterprise storage systems)
To ensure execution, the group employs Bring Your Own Vulnerable Driver (BYOVD) techniques. By installing legitimate but vulnerable third-party kernel drivers, the malware gains kernel-level code execution and uses it to disable or blind Endpoint Detection and Response (EDR) agents. This is supported by custom evasion tools such as EDRStartupHinder, gfreeze, and glinker, alongside DumpBrowserSecrets for credential extraction. For command-and-control (C2) infrastructure, they rely on the open-source security monitoring tool Velociraptor.
Furthermore, the group's administrator reportedly relies heavily on generative AI tools to write, debug, and maintain these cross-platform lockers and post-exploitation scripts, lowering the development cycle time for new evasion techniques.
Hardening Your Infrastructure against The Gentlemen
Defending against a fast-moving, worm-like threat such as The Gentlemen requires a multi-layered defense strategy focused on the group's primary entry and propagation vectors:
- Harden Edge Devices: Ensure all external-facing firewalls, VPNs, and gateways are fully patched. Implement strict multi-factor authentication (MFA) on all remote access portals and disable legacy protocols.
- Audit Active Directory Certificate Services: Run regular audits of ADCS configurations to identify and remediate vulnerable certificate templates that could allow low-privilege users to request certificates for domain administrators.
- Block Vulnerable Drivers: Implement driver blocklists (such as Microsoft's recommended driver block rules) to prevent attackers from loading known vulnerable drivers to execute BYOVD attacks.
- Restrict Lateral Movement: Segment networks to isolate critical ESXi hypervisors and Linux storage arrays from general corporate workstations. Limit the use of administrative accounts across different security zones.
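The ADCS audit step above is concrete enough to express as a check. The following is an added example, not code from the article or from Microsoft: it encodes the conditions under which a certificate template lets a low-privilege requester obtain an authentication certificate for a subject of their choosing (the widely documented "enrollee supplies subject" misconfiguration), and shows one remediation, requiring certificate-manager approval. The flag bits and attribute names are those defined in MS-CRTD and exposed on template objects under `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...`; the template records, their names and the simplified enrollment lists are constructed stand-ins for what an LDAP query would return (real templates grant Enroll through a security descriptor, which is simplified here to a list of principals).

```python
"""Audit AD CS certificate templates for the 'enrollee supplies subject' weakness.

Added example, not from the article: each record below is a constructed stand-in
for a certificate template object, carrying the LDAP attributes an audit reads
(msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
pKIExtendedKeyUsage) and a simplified list of principals with Enroll rights.
"""
from dataclasses import dataclass, replace

# Bit values from MS-CRTD (the certificate template schema).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKUs that let a certificate authenticate to the domain; an empty EKU list
# means "any purpose" and counts as well.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Groups that every ordinary user or machine account belongs to.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int            # msPKI-Certificate-Name-Flag
    enrollment_flag: int      # msPKI-Enrollment-Flag
    ra_signatures: int        # msPKI-RA-Signature
    ekus: tuple               # pKIExtendedKeyUsage OIDs
    enroll_principals: tuple  # simplified: principals granted Enroll


def weaknesses(t: Template) -> list[str]:
    """Return the conditions that together expose the template, or an empty
    list if any single one of them is absent (one missing link breaks the chain)."""
    conditions = [
        (bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "requester supplies the subject name"),
        (not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS,
         "no manager approval required"),
        (t.ra_signatures == 0, "no authorized signatures required"),
        (not t.ekus or bool(set(t.ekus) & AUTH_EKUS),
         "EKU allows domain authentication"),
        (bool(set(t.enroll_principals) & LOW_PRIV_PRINCIPALS),
         "low-privilege principals can enroll"),
    ]
    if all(met for met, _ in conditions):
        return [why for _, why in conditions]
    return []


def audit(templates) -> dict[str, list[str]]:
    """Map each exposed template name to the list of conditions that expose it."""
    return {t.name: w for t in templates if (w := weaknesses(t))}


def require_manager_approval(t: Template) -> Template:
    """One remediation: hold issuance until a certificate manager approves."""
    return replace(t, enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS)


# Constructed templates: a default-style user template whose subject comes from
# AD, a legacy web-server template that lets any domain user pick the subject,
# and a subject-supplying template restricted to administrators.
SAMPLE_TEMPLATES = [
    Template("User", 0, 0, 0, ("1.3.6.1.5.5.7.3.2",), ("Domain Users",)),
    Template("LegacyWebServer", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             ("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"), ("Domain Users",)),
    Template("AdminSupplied", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             ("1.3.6.1.5.5.7.3.2",), ("Domain Admins",)),
]


if __name__ == "__main__":
    for name, why in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: " + "; ".join(why))
    fixed = require_manager_approval(SAMPLE_TEMPLATES[1])
    print(f"after remediation: {weaknesses(fixed) or 'no findings'}")
```

Requiring manager approval is the least disruptive fix because it leaves the template in place; the alternatives are clearing the enrollee-supplies-subject bit, removing the authentication EKU, or tightening the Enroll permission to the group that actually needs the template.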
Sources & further reading
- Who Runs the Ransomware Group 'The Gentlemen?' — krebsonsecurity.com
- The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm — thehackernews.com
Ji-ho covers the increasingly tangled overlap between cloud architecture and security, drawing on a background as a penetration tester to keep his reporting grounded in real-world attack paths. He never lets a vendor claim go unquestioned and insists that every buzzword come with a proof of concept.
Discussion 2
time to review our network hardening again
need to review our network hardening strategies