The Gentlemen Ransomware: What GCC Enterprises Must Do Now | Shaarait

Who Is Behind This Threat?

The Gentlemen is a Ransomware-as-a-Service (RaaS) operation tracked by the Swiss cybersecurity firm PRODAFT under the name Phantom Mantis. The group is led by a Russian-speaking cybercriminal known by the alias LARVA-368, whose real identity has since been publicly disclosed by journalist Brian Krebs as a 36-year-old from the Russian city of Izhevsk.

The operation did not emerge from nowhere. LARVA-368 spent years working as an affiliate for established ransomware groups — including LockBit, Qilin (Pestilent Mantis), and Medusa (Venomous Mantis) — building technical expertise and developing a playbook before launching an independent operation. In July 2025, following a payment dispute with Qilin, LARVA-368 broke away and launched The Gentlemen as a standalone criminal enterprise.

Tracked since March 2025 and operating under its own brand since mid-2025, the group has refined its operation at an alarming pace, releasing same-day patches to counter publicly released decryptors. This is not a disorganized crew: it is a structured, AI-assisted criminal enterprise with a clear division of roles.

Why This Matters for the GCC

Oil and gas, financial services, and government sectors in Kuwait and across the GCC operate large, complex networks with significant internet-facing infrastructure — exactly the environment this group targets. A successful intrusion into a critical sector organization carries consequences well beyond data loss.

How The Gentlemen Operates: The Full Attack Chain

What makes this group exceptionally dangerous is the combination of methodical patience and automated destruction. Their dwell time is typically two to six weeks, so they are silently inside an environment for weeks, often more than a month, before the encryption event that reveals their presence. By the time the ransom note appears, credentials have been harvested, data has usually been exfiltrated, and backups have been located.

Attack Chain — Step by Step

1. Initial Access via Edge Devices

Attackers gain entry through internet-facing infrastructure: Fortinet FortiGate firewalls, Cisco appliances, and VPN gateways. Two of the vulnerabilities in the group's pipeline sit at this layer: CVE-2024-55591 (authentication bypass in FortiOS / FortiProxy) and CVE-2025-32433 (unauthenticated remote code execution in the Erlang/OTP SSH server, which ships inside some Cisco products). Stolen credentials are used where available, which is why MFA on every remote entry point matters as much as patching.

2. Active Directory Reconnaissance

Red team utilities including NetExec, PrivHound, CertiHound, and TaskHound are deployed to map the Active Directory environment, identify privileged accounts, enumerate file shares, and abuse Active Directory Certificate Services (AD CS) for privilege escalation. The third CVE in the pipeline, CVE-2025-33073 (Windows SMB client NTLM reflection), belongs to this phase rather than to the edge: once on a domain-joined host, it turns a coerced machine authentication into SYSTEM on the target.

3. Security Evasion and EDR Killing

Tools such as EDRStartupHinder and gfreeze are used to disable endpoint protection. With the Bring Your Own Vulnerable Driver (BYOVD) technique, attackers load a legitimately signed but vulnerable kernel driver and use it to terminate EDR processes, so any endpoint control that does not block known-bad drivers is bypassed.

4. Lateral Movement and Persistence

Group Policy Objects (GPOs) are manipulated to propagate across the domain. The Velociraptor DFIR tool is repurposed for command-and-control (C2). Windows Event Logs are cleared and Microsoft Defender is disabled to remove forensic traces; the clearing itself is recorded as Security event 1102 and is one of the few reliable signals of this phase.

5. Worm-Mode Propagation

The ransomware, written in Go and obfuscated with Garble, is deployed with the --spread argument, which turns it into a self-propagating worm that autonomously deploys itself to every reachable system on the network. No manual effort is required.

6. Encryption and Recovery Wipe

Files are encrypted using a hybrid scheme: an X25519 key exchange wraps per-victim symmetric keys, and the file contents are encrypted with XChaCha20. Because the private half of the X25519 key pair stays with the operator, there is no key material on disk to recover. When deployed with the --wipe argument, the ransomware performs a post-encryption routine that eliminates recoverable artifacts from disk, making recovery without a pre-existing offline backup virtually impossible.

The Vulnerabilities Being Actively Exploited

The group tracks and evaluates modern vulnerabilities with a disciplined approach. The following CVEs have been confirmed as part of their active exploitation pipeline. Organizations running affected platforms should treat patching as an immediate priority — not a scheduled maintenance item.

CVE             Affected platform                                   Impact                                                  Status
CVE-2024-55591  Fortinet FortiOS / FortiProxy                       Authentication bypass on the management interface       Actively exploited
CVE-2025-32433  Erlang/OTP SSH server (incl. some Cisco products)   Unauthenticated remote code execution                   Actively exploited
CVE-2025-33073  Microsoft Windows (SMB client)                      NTLM reflection giving SYSTEM on a domain-joined host   Actively exploited

The first two are reachable from the internet. CVE-2025-33073 is a post-access privilege escalation on Windows hosts; it was fixed in the June 2025 Windows updates and is also defeated by requiring SMB signing on clients and servers.

Beyond these specific CVEs, the group also targets known vulnerabilities in VMware infrastructure, Cisco systems, and Microsoft software — all commonly deployed across enterprise environments in Kuwait and the broader GCC.

How to Defend Against This Threat

The Gentlemen's attack chain is sophisticated, but it follows a predictable pattern — and every step in that chain has a corresponding defensive control. The organizations that will survive this threat are those that have already built layered security into their infrastructure, not those scrambling to respond after the fact.

Below we break down the essential defensive measures, organized by the phase of the attack they disrupt.

1. Close the Door: Patch and Harden Edge Infrastructure

Every intrusion in The Gentlemen's documented attack chain begins at an internet-facing device, either through an unpatched vulnerability or with stolen credentials. A FortiGate appliance or Cisco system with a known, unpatched vulnerability is the attacker's starting point. There is no substitute for keeping this layer current.

  • Immediately patch all FortiOS (FortiGate) and FortiProxy devices for CVE-2024-55591, and any appliance that embeds the Erlang/OTP SSH server for CVE-2025-32433
  • Audit VPN and firewall management interfaces: they must not be reachable from the internet, and should be restricted to a dedicated management network
  • Disable unused remote management protocols and legacy authentication methods
  • Implement continuous vulnerability scanning, with an authoritative inventory of versions, for all internet-facing assets
  • Subscribe to vendor security advisories and treat critical patches as P1 operational tasks
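As an added check (example code written for this article, not a Shaarait or vendor tool), the script below triages an edge-device inventory against the affected version ranges of the two edge-facing CVEs in the group's pipeline. The ranges are as the author read them from the Fortinet PSIRT advisory FG-IR-24-535 and the Erlang/OTP advisory; the inventory, host names and product labels are constructed. Re-verify the ranges against the vendors' current advisories before acting on the output.

```python
"""Triage an edge-device inventory against CVE-2024-55591 (FortiOS /
FortiProxy) and CVE-2025-32433 (Erlang/OTP SSH). Added example; the
version bounds must be re-checked against the live vendor advisories."""
import re


def parse_version(text):
    """Pull the dotted version out of 'v7.0.15', 'FortiOS 7.0.15' or
    'OTP-26.2.5.10' and pad it to four components so '7.0' == '7.0.0.0'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (parts + (0, 0, 0, 0))[:4]


# (product, first affected, first fixed) per affected branch.
# Lower bound inclusive, upper bound exclusive.
AFFECTED = {
    "CVE-2024-55591": [
        ("fortios",    "7.0.0", "7.0.17"),   # FortiOS 7.2/7.4/7.6 not affected
        ("fortiproxy", "7.0.0", "7.0.20"),
        ("fortiproxy", "7.2.0", "7.2.13"),
    ],
    "CVE-2025-32433": [
        # Every release below the fixed build of its branch is affected,
        # including unsupported branches older than 25.
        ("erlang-otp", "0.0",  "25.3.2.20"),
        ("erlang-otp", "26.0", "26.2.5.11"),
        ("erlang-otp", "27.0", "27.3.3"),
    ],
}


def cves_for(product, version_text):
    """Return the CVE IDs whose affected range contains this product/version."""
    v = parse_version(version_text)
    hits = []
    for cve, branches in AFFECTED.items():
        for prod, lo, hi in branches:
            if prod == product and parse_version(lo) <= v < parse_version(hi):
                hits.append(cve)
                break
    return hits


def triage(inventory):
    """Return [(host, cve), ...] for every device sitting in an affected range."""
    findings = []
    for item in inventory:
        for cve in cves_for(item["product"].lower(), item["version"]):
            findings.append((item["host"], cve))
    return findings


# Constructed inventory; hosts and versions are illustrative.
INVENTORY = [
    {"host": "fw-edge-01",   "product": "fortios",    "version": "v7.0.15"},       # affected
    {"host": "fw-edge-02",   "product": "fortios",    "version": "v7.0.17"},       # fixed build
    {"host": "fw-edge-03",   "product": "fortios",    "version": "v7.2.10"},       # branch not affected
    {"host": "proxy-01",     "product": "fortiproxy", "version": "7.2.12"},        # affected
    {"host": "cisco-app-01", "product": "erlang-otp", "version": "OTP-26.2.5.10"}, # affected
    {"host": "cisco-app-02", "product": "erlang-otp", "version": "OTP-27.3.3"},    # fixed build
]

if __name__ == "__main__":
    for host, cve in triage(INVENTORY):
        print(f"PATCH NOW  {host:<14} {cve}")
```

Feed it the export from whatever holds the real inventory (FortiManager, a CMDB, a scanner) and treat any line it prints as a P1 ticket; a device that is missing from the inventory altogether is the more worrying finding.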

2. Govern Who Has Access to What: Identity and Privilege Management

Once inside the network, The Gentlemen rely almost entirely on over-permissioned accounts and weak Active Directory hygiene to move laterally, escalate privileges, and deploy ransomware at scale. This is where identity security becomes your most powerful defensive layer — not your firewall.

The group specifically exploits Active Directory Certificate Services (AD CS), manipulates GPOs, and abuses privileged credentials. Each of these techniques depends on standing privilege that nobody has reviewed; against an organization with rigorous identity governance they become far harder to pull off and far easier to detect.

Identity & Access Management (IAM)

Enforce least-privilege access across all users and systems. Ensure identities are verified, access is scoped, and permissions are regularly reviewed and recertified. IAM removes the "all or nothing" access model that attackers depend on.

Privileged Access Management (PAM)

Vault, rotate, and monitor all privileged credentials. PAM means that even if an attacker gains a foothold, the administrative accounts needed to deploy ransomware domain-wide are not sitting in memory or in scripts waiting to be harvested. This directly breaks The Gentlemen's lateral movement chain.

Multi-Factor Authentication (MFA)

Enforce MFA on all remote access, administrative portals, and privileged accounts. Stolen credentials, a key initial access vector, are of little use without the second factor. Prefer phishing-resistant methods (FIDO2 keys or certificate-based authentication) for administrators, since push-based MFA can be worn down or relayed.

AD Security & Hardening

Audit and harden Active Directory configurations. Disable legacy protocols, require SMB and LDAP signing, restrict GPO modification rights, monitor AD CS templates and enrollment for abuse, and enforce tiered administrative models. This is direct hardening against this group's core techniques.

Zero Trust Architecture

Eliminate implicit trust inside the network. Every access request, internal or external, must be verified. Zero Trust directly limits the lateral movement that makes worm-propagation ransomware possible.

Secure Remote Access

Replace legacy VPN with Zero Trust Network Access (ZTNA) solutions. Ensure remote access is application-specific, identity-verified, and continuously monitored, not a broad tunnel into the corporate network.

Secure Identity in Practice

Organizations that have deployed PAM and IAM solutions with enforced least-privilege see a dramatic reduction in ransomware blast radius — even when initial access is achieved. When an attacker cannot escalate privileges or move laterally, the ransomware cannot spread. Containment replaces catastrophe.

3. Protect the Endpoint: Go Beyond Basic Antivirus

The Gentlemen specifically invest in disabling EDR solutions via the BYOVD technique. This means organizations running commodity antivirus without deeper kernel-integrity controls are effectively unprotected once this group reaches the endpoint layer.

  • Deploy EDR solutions with kernel-level integrity monitoring, and enable Microsoft's vulnerable driver blocklist through HVCI or WDAC so that known BYOVD drivers cannot load in the first place
  • Enable Windows Credential Guard and LSA Protection (RunAsPPL) to prevent credential dumping from LSASS
  • Implement application control (allowlisting with WDAC or AppLocker) to block unauthorized tool execution
  • Monitor for unusual process behavior, especially tools like NetExec, Velociraptor, and EDRStartupHinder; if Velociraptor is legitimately deployed, alert on instances that do not talk to your own server
  • Deploy Data Loss Prevention (DLP) to detect and alert on large-scale data exfiltration before encryption begins

4. Stop the Spread: Network Segmentation

The worm-propagation capability of The Gentlemen ransomware is most effective on flat, unsegmented networks. In a properly segmented environment, the ransomware can still be deployed, but it is contained to the segment it starts in, provided the segment boundaries are actually enforced (not just VLANs with an any-any rule between them). The difference between an incident and a catastrophe is often network architecture.

  • Implement micro-segmentation across business units, OT/IT boundaries, and data tiers
  • Enforce east-west traffic controls — not just north-south perimeter defenses
  • Isolate critical systems (VMware infrastructure, backup servers, domain controllers) in hardened segments
  • Monitor and alert on unusual lateral traffic patterns within the network

5. Assume Breach: Detection and Response

Given a two-to-six week dwell time, the organizations that survive ransomware attacks are those that detect intrusions during the reconnaissance and privilege escalation phase — not after encryption begins. This requires continuous monitoring, threat hunting, and a mature incident response capability.

  • Deploy SIEM with behavioral analytics capable of detecting AD abuse, GPO modification, and unusual authentication patterns
  • Conduct regular threat hunting exercises specifically targeting the TTPs documented for this group
  • Monitor for the presence of red team tools — NetExec, RelayKing, TaskHound, CertiHound — on corporate systems
  • Establish and test an incident response playbook specifically for ransomware scenarios
  • Consider Managed SOC services if internal detection capability is limited
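To make the "behavioral analytics" and "monitor for red team tools" items above (and the process-monitoring item in section 3) concrete, here is a small rule set, written for this article and not taken from any SIEM or from the group's tooling, that maps the attack chain onto Windows telemetry: Security 4688 / Sysmon 1 for tool execution, Security 5136 for GPO writes, Security 1102 / System 104 for cleared logs, Defender 5001 for real-time protection being switched off, and Sysmon 6 for driver loads. The events are constructed, the channel names are shortened labels, and the approved-editor and driver denylist sets are placeholders you must populate from your own change records and from Microsoft's vulnerable driver blocklist.

```python
"""Map The Gentlemen's attack chain onto Windows event telemetry.
Added example; sample events and allow/deny sets are constructed."""
import re

# Tooling the article attributes to the group, plus the ransomware's own
# switches. Living-off-the-land binaries are deliberately excluded: a name
# match on those is noise, not a detection.
TOOL_PATTERN = re.compile(
    r"netexec|\bnxc\b|privhound|certihound|taskhound|relayking|"
    r"edrstartuphinder|gfreeze|velociraptor|--spread\b|--wipe\b",
    re.IGNORECASE,
)

APPROVED_GPO_EDITORS = {"gpo-admin"}            # placeholder: your change-management accounts
DENYLISTED_DRIVERS = {"example-vulnerable.sys"}  # placeholder: fill from Microsoft's blocklist


def _kind(ev):
    return ev["Channel"], ev["EventID"]


def rule_tooling(ev):
    """Security 4688 (needs command-line auditing enabled) or Sysmon 1."""
    if _kind(ev) not in {("Security", 4688), ("Sysmon", 1)}:
        return None
    haystack = f"{ev.get('NewProcessName', '')} {ev.get('CommandLine', '')}"
    m = TOOL_PATTERN.search(haystack)
    return ("tooling", f"attacker tooling on command line: {m.group(0)}") if m else None


def rule_gpo_modified(ev):
    """Security 5136 on a groupPolicyContainer by an unapproved account."""
    if _kind(ev) != ("Security", 5136):
        return None
    if ev.get("ObjectClass", "").lower() != "grouppolicycontainer":
        return None
    who = ev.get("SubjectUserName", "")
    if who.lower() in APPROVED_GPO_EDITORS:
        return None
    return ("persistence", f"GPO {ev.get('ObjectDN')} modified by {who}")


def rule_log_cleared(ev):
    """Security 1102 (Security log cleared) / System 104 (other log cleared)."""
    if _kind(ev) in {("Security", 1102), ("System", 104)}:
        return ("anti-forensics", f"event log cleared by {ev.get('SubjectUserName', '?')}")
    return None


def rule_defender_off(ev):
    """Windows Defender operational log 5001: real-time protection disabled."""
    if _kind(ev) == ("Defender", 5001):
        return ("evasion", "Defender real-time protection disabled")
    return None


def rule_driver_load(ev):
    """Sysmon 6. BYOVD drivers are usually validly signed (that is the
    point), so the signature check is only half of it; the denylist is the rest."""
    if _kind(ev) != ("Sysmon", 6):
        return None
    name = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    if ev.get("SignatureStatus") != "Valid":
        return ("evasion", f"driver with {ev.get('SignatureStatus')} signature: {name}")
    if name in DENYLISTED_DRIVERS:
        return ("evasion", f"denylisted driver loaded: {name}")
    return None


RULES = [rule_tooling, rule_gpo_modified, rule_log_cleared, rule_defender_off, rule_driver_load]


def analyze(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                phase, detail = hit
                findings.append({"host": ev["Host"], "phase": phase, "detail": detail})
    return findings


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"Host": "ws-fin-07", "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Tools\\nxc.exe", "CommandLine": "nxc.exe smb 10.10.0.0/24 --shares"},
    {"Host": "ws-fin-07", "Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Host": "dc-01", "Channel": "Security", "EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local", "SubjectUserName": "svc_backup"},
    {"Host": "dc-01", "Channel": "Security", "EventID": 5136, "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local", "SubjectUserName": "gpo-admin"},
    {"Host": "ws-fin-07", "Channel": "Sysmon", "EventID": 6,
     "ImageLoaded": "C:\\Windows\\Temp\\example-vulnerable.sys", "SignatureStatus": "Valid"},
    {"Host": "ws-fin-07", "Channel": "Defender", "EventID": 5001},
    {"Host": "dc-01", "Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_backup"},
    {"Host": "fs-01", "Channel": "Sysmon", "EventID": 1,
     "CommandLine": "C:\\Users\\Public\\update.exe --spread --wipe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:<10} {f['phase']:<15} {f['detail']}")
```

Notice what the GPO rule does with the second 5136 event: the write by gpo-admin is dropped, the one by svc_backup is not. A service account editing a GPO is exactly the step-4 signal the article describes, and it fires weeks before --spread does. Once real rules like these are in the SIEM, the same sample events make a cheap regression test for them.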

6. The Last Line of Defense: Backup Integrity

The Gentlemen ransomware includes a --wipe argument that performs a post-encryption routine specifically designed to destroy recovery artifacts. This is not accidental — it is deliberate. Backups that are accessible from the network will be destroyed. Your recovery strategy must account for this.

  • Maintain immutable, offline backups that are not accessible from the production network
  • Test recovery procedures regularly — not just backup creation
  • Follow the 3-2-1-1 backup rule: 3 copies, 2 different media, 1 offsite, 1 air-gapped
  • Protect backup management consoles with the same privilege controls as domain controllers

The Bottom Line

The Gentlemen are not a passing threat. They are a structured, AI-assisted criminal enterprise that has evolved over years of RaaS affiliate experience into one of the most active ransomware operations in the world. They are methodical, patient, and technically sophisticated — and they specifically target the infrastructure profiles common across Kuwait and the GCC.

The organizations that will emerge from this threat landscape intact are not those that respond faster — they are those that have already built the right defensive architecture. Identity governance, privileged access management, network segmentation, and continuous monitoring are not aspirational controls. In 2026, they are the baseline.

The question is not whether your organization will face a threat like this. The question is whether your security posture reflects the maturity of the adversary.


Is Your Organization Protected Against This Threat?

Shaarait helps GCC enterprises build the identity security, privileged access controls, and endpoint defenses that make ransomware attacks containable — before they start.
