Ransomware threats are growing more cunning by the day, and few pose as serious a risk to businesses right now as the newly emerged gang known as The Gentlemen. As reported by Cyber Security News, this group uses a dangerous and highly effective dual-extortion (double-extortion) approach: it exfiltrates sensitive information before encrypting data, then threatens to leak what it stole.
In this blog post, we’ll unpack what makes The Gentlemen ransomware especially alarming — and why business owners should rethink their cybersecurity strategy to emphasize isolation and containment, not just detection and response.
What Makes The Gentlemen Ransomware So Dangerous
Here’s a breakdown of how this threat works, based on recent threat reports:
- Dual-extortion model. The Gentlemen don't just encrypt your files; they steal them first, so a victim that restores cleanly from backup still faces the threat of a public leak.
- Advanced encryption & persistence. The malware re-establishes itself at boot, so a reboot does not remove it.
- Kernel-level defense evasion. The group abuses a legitimately signed driver, ThrottleBlood.sys, loading it to gain kernel-level access and disable security tooling (the bring-your-own-vulnerable-driver pattern). Because the driver carries a valid signature, signature checks alone do not stop it from loading.
- Network propagation & lateral movement. Once inside, The Gentlemen move laterally with the enterprise's own tools and techniques:
  - Windows Management Instrumentation (WMI) and PowerShell remoting to execute code on other hosts.
  - Group Policy Objects (GPOs) and the NETLOGON share to push their payload to every domain-joined system.
  - Targeting of critical services: database servers (MSSQL, MySQL), virtualization hosts (VMware ESXi) and backup utilities.
- Anti-forensics & cover-up.
- Exfiltration at scale:
  - Data is moved out with WinSCP over encrypted channels (e.g., SFTP), which blends in with legitimate encrypted traffic.
  - A professional leak site on the dark web increases pressure on victims by publicly naming them.
  - Negotiation is handled over Tox (the group publishes a Tox ID), avoiding easily traceable channels.
- Global reach, targeted industries:
  - According to intelligence reports, The Gentlemen are active in at least 17 countries.
  - Victims come from critical sectors: manufacturing, healthcare, construction, insurance and more.
  - In the Philippines, the intelligence firm CYFIRMA observed an attack on 2GO Group Inc., a major logistics company.
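Each of the techniques above leaves a trace in ordinary endpoint telemetry, which is what a defender can actually hunt for. The script below is an added example written for this post, not code from the threat reports, from The Gentlemen, or from any vendor. It runs four hunting rules over constructed Sysmon-style event records (not real incident logs): a driver-load rule for the driver named above, a remote-execution rule keyed on the WMI and PowerShell remoting host processes, a rule for executables written under SYSVOL (where the NETLOGON scripts and GPO files live on a domain controller), and a rule for WinSCP connecting out on the SFTP port. The field names follow Sysmon's schema; the driver watchlist, the tool list, the payload extensions and the default SYSVOL layout are assumptions and are marked as such in the code.

```python
"""Hunt for the TTPs described above in Sysmon-style event records.

Added example for this post; not tooling from any vendor or threat report.
Event IDs used: 1 process create, 3 network connection, 6 driver load,
11 file create. The watchlists below are assumptions to be extended from
your own threat intel.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed watchlists (not an exhaustive indicator set).
DRIVER_WATCHLIST = {"throttleblood.sys"}                   # signed driver named in this post
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}  # WMI and PowerShell remoting hosts
SFTP_TOOLS = {"winscp.exe"}
PAYLOAD_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs"}

# Constructed sample telemetry (hostnames, IPs and paths are made up).
SAMPLE_EVENTS = [
    # Sysmon 6: a watchlisted signed driver loaded from a writable temp directory
    {"EventID": 6, "Host": "ws01", "ImageLoaded": r"C:\Windows\Temp\ThrottleBlood.sys", "Signed": "true"},
    # Sysmon 1: cmd.exe spawned by the WMI provider host (remote WMI execution)
    {"EventID": 1, "Host": "ws02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # Sysmon 1: powershell.exe spawned under the PowerShell remoting host
    {"EventID": 1, "Host": "srv01", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Sysmon 11 on a DC: executable dropped into the NETLOGON scripts folder over SMB
    # (server-side SMB writes are attributed to the System process)
    {"EventID": 11, "Host": "dc01", "Image": "System",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\update.exe"},
    # Sysmon 3: WinSCP initiating an outbound connection on the SFTP port
    {"EventID": 3, "Host": "ws01", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 22, "Initiated": "true"},
    # Benign noise that must not alert
    {"EventID": 1, "Host": "ws03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 3, "Host": "ws03", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.10", "DestinationPort": 443, "Initiated": "true"},
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def rule_driver_load(ev):
    if ev.get("EventID") == 6 and _name(ev["ImageLoaded"]) in DRIVER_WATCHLIST:
        return f"watchlisted driver loaded: {ev['ImageLoaded']}"


def rule_remote_exec(ev):
    if ev.get("EventID") == 1 and _name(ev.get("ParentImage", "")) in REMOTE_EXEC_PARENTS:
        return f"{_name(ev['ParentImage'])} spawned {ev['Image']}"


def rule_sysvol_drop(ev):
    # Assumed default DC layout: NETLOGON = ...\SYSVOL\sysvol\<domain>\scripts,
    # GPO files = ...\SYSVOL\sysvol\<domain>\Policies\{GUID}\... ; both sit under SYSVOL.
    if ev.get("EventID") != 11:
        return None
    target = PureWindowsPath(ev["TargetFilename"])
    if "sysvol" in [p.lower() for p in target.parts] and target.suffix.lower() in PAYLOAD_EXTS:
        return f"executable written under SYSVOL: {ev['TargetFilename']}"


def rule_sftp_exfil(ev):
    if (ev.get("EventID") == 3 and _name(ev["Image"]) in SFTP_TOOLS
            and int(ev.get("DestinationPort", 0)) == 22):
        return f"{_name(ev['Image'])} -> {ev['DestinationIp']}:22"


RULES = {
    "kernel_driver_abuse": rule_driver_load,
    "lateral_movement_remote_exec": rule_remote_exec,
    "gpo_netlogon_payload_push": rule_sysvol_drop,
    "sftp_exfiltration": rule_sftp_exfil,
}


def hunt(events):
    """Apply every rule to every event; return one Alert per (event, matching rule)."""
    alerts = []
    for ev in events:
        for rule, check in RULES.items():
            detail = check(ev)
            if detail:
                alerts.append(Alert(ev["Host"], rule, detail))
    return alerts


def hosts_with_multiple_stages(alerts, minimum=2):
    """Hosts where at least `minimum` distinct rules fired: the strongest signal of an intrusion in progress."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in by_host.items() if len(rules) >= minimum}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("multi-stage hosts:", hosts_with_multiple_stages(found))
```

On the sample data the four rules fire once each on the hostile records, and `hosts_with_multiple_stages` singles out ws01, where the driver load and the outbound SFTP session both occurred; that kind of per-host correlation matters because any one of these events (an admin using WinSCP, a legitimate PowerShell remoting session) is unremarkable on its own.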
Why Traditional “Detect and Respond” Isn’t Enough Anymore
Many businesses lean heavily on solutions that detect ransomware early and respond once an attack is underway. But with a threat like The Gentlemen, this approach has major blind spots:
- Kernel-level evasion: because they load a legitimately signed driver, The Gentlemen can disable defenses before many security products register that anything is wrong.
- Persistence: their malware restarts on boot, so a reboot does not end the incident and response takes longer.
- Data exfiltration before encryption: even if you catch the encryption, your data may already be in the attackers' hands and on its way to a leak site.
- Lateral spread: their use of built-in enterprise tools means that once they're in, they can quickly propagate across your network, reaching backups, shared drives and critical systems.
In short: detecting an attack is no longer half the battle. By the time you react, the damage, both to system integrity and in data loss, may already be done.
A Better Strategy: Move to Isolation and Containment with AppGuard
To defend against advanced threats like The Gentlemen, businesses need to shift their security posture. That means prioritizing isolation and containment, not just detection.
Here’s where AppGuard comes in. AppGuard is a proven endpoint protection solution with over 10 years of real-world success, now available for commercial organizations. Here’s why it matters:
- Proactive protection: AppGuard doesn't wait to detect malicious behavior. It isolates and confines potentially dangerous processes, preventing ransomware from gaining kernel-level control.
- Containment by design: even if a threat actor gains a foothold, AppGuard limits what they can do. Critical parts of the system remain protected, and lateral movement is blocked.
- Minimal reliance on signatures: unlike traditional antivirus that depends on identifying malware, AppGuard enforces policies to prevent untrusted or abnormal behavior, making it resilient against new, unseen threats.
- Proven track record: over a decade, AppGuard has been battle-tested across many types of threat landscapes, and that maturity is now available for your business.
By isolating processes and containing potential threats early, AppGuard drastically reduces the risk of both encryption and exfiltration.
The Urgency Is Real
The emergence of The Gentlemen ransomware group underscores how high-stakes the threat landscape has become:
- Their dual-extortion model means traditional backups may not be enough.
- Their technical sophistication allows them to neutralize security tools, persist through reboots, and move laterally in enterprise networks.
- Their professionalized leak site adds pressure, public shaming, and long-term risk even after paying the ransom.
If your business relies only on detecting ransomware — and then responding — you may already be vulnerable.
Call to Action
Business leaders: it's time to rethink how you protect your endpoints. Don’t continue relying solely on “detect and respond.” The threat is evolving, and so must your defense strategy.
Talk to us at CHIPS today to explore how AppGuard can help you move to a stronger security posture — one that emphasizes isolation and containment, not just detection. With AppGuard in place, you can dramatically reduce the risk of having your data not only encrypted, but also stolen.
Let’s build a defense that’s ready for the next generation of ransomware.
November 22, 2025