Listen to this Post

Introduction:
The Gentlemen ransomware-as-a-service (RaaS) operation has quickly evolved from a mid‑2025 startup into one of the most active ransomware programs on the underground, claiming over 332 victims in the first five months of 2026 alone. The group’s signature strategy involves turning exposed Fortinet and Cisco edge devices into an initial‑access highway, then using NTLM relay abuse and aggressive EDR evasion to move laterally and deploy double‑extortion ransomware across entire enterprise networks.
Learning Objectives:
- Understand how The Gentlemen RaaS uses Fortinet and Cisco edge appliances to breach enterprise perimeters.
- Identify the specific vulnerabilities (CVE‑2024‑55591, CVE‑2025‑32433, CVE‑2025‑33073) and attacker tactics.
- Learn to harden edge devices, mitigate NTLM relay attacks, and disable known EDR‑killer techniques.
- Exposed Edge Devices: The Fast Lane Into Your Network
The Gentlemen’s entire business model relies on a highly efficient initial‑access pipeline. Affiliates scan the internet for exposed Fortinet VPNs and Cisco ASA/VPN appliances, then compromise them by brute‑forcing credentials, exploiting known vulnerabilities, or purchasing ready‑made access from underground brokers. Once they find a vulnerable or misconfigured device, they use it as a gateway to the internal network.
Step‑by‑step hardening of Fortinet FortiGate appliances (CLI):
1. Disable HTTP/HTTPS administrative access on WAN interfaces config system interface edit "wan1" set allowaccess ping next end <ol> <li>Enable multi‑factor authentication for all administrative accounts config system admin edit "admin" set two-factor enable set two-factor-auth fortitoken next end</p></li> <li><p>Apply critical patches (example for FortiOS 7.6.x) execute restore image tftp <patched-firmware-file> <tftp-server-ip>
For Cisco ASA devices:
Apply patches for vulnerabilities such as CVE‑2025‑32433 (Erlang SSH flaw) immediately. Disable any unnecessary management interfaces and enforce MFA for all VPN users.
Windows commands to locate exposed RDP/SMB (often used after edge compromise):
Scan internal network for SMB and RDP services (run from a secured jump host) Test-NetConnection -ComputerName 192.168.1.0/24 -Port 445 Test-NetConnection -ComputerName 192.168.1.0/24 -Port 3389
- NTLM Relay Abuse: How They Hop From One Machine to Another
Once inside, The Gentlemen uses NTLM relay attacks to move laterally. A key operator known as qbit was observed scanning for Fortinet VPNs and running NTLM relay checks using a tool called RelayKing. The targeted vulnerability CVE‑2025‑33073 facilitates these attacks. By coercing a privileged machine to authenticate to an attacker‑controlled server, the affiliate can relay those credentials to another system and gain access.
Step‑by‑step mitigation of NTLM relay on Windows domain controllers (Group Policy):
- Open Group Policy Management Console → navigate to
Default Domain Controllers Policy. - Disable NTLM authentication entirely where possible (Kerberos is the safer alternative).
- Require SMB signing on both server and client sides:
– Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.
– Set `Microsoft network server: Digitally sign communications (always)` to Enabled.
– Set `Microsoft network client: Digitally sign communications (always)` to Enabled.
4. Restrict outgoing NTLM traffic via registry (run as Administrator):
Restrict NTLM to trusted servers only reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
These steps prevent attackers from relaying NTLM authentication to SMB, shutting down a key lateral‑movement vector.
3. EDR Evasion: Bringing Their Own Vulnerable Driver
Before deploying the final ransomware payload, The Gentlemen’s affiliates disarm endpoint security. They use a bring‑your‑own‑vulnerable‑driver (BYOVD) technique, abusing a driver named `ThrottleStop.sys` (renamed ThrottleBlood.sys) to exploit CVE‑2025‑7771 and kill EDR processes. This tactic is increasingly common among RaaS affiliates.
Step‑by‑step detection and mitigation of BYOVD attacks:
- Enable Windows Defender Application Control (WDAC) to block loading of unsigned or untrusted drivers.
- Deploy a driver blocklist using Microsoft’s recommended block rules (HVCI):
Check if Hypervisor‑protected Code Integrity (HVCI) is running Get-ComputerInfo -Property "DeviceGuard" Enable HVCI if not already active (requires reboot) Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Type DWord -Value 1
- Monitor for driver load events (Event ID 6: Driver loaded) and alert on known malicious driver hashes.
- Post‑Exploitation Playbook: From Edge Compromise to Full Domain Takeover
After gaining a foothold, The Gentlemen follows a structured, repeatable process:
- Active Directory reconnaissance – using tools like `BloodHound` or custom scripts.
- Credential harvesting – dumping LSASS memory with `Mimikatz` or
Procdump. - Lateral movement – via PsExec, WMI, or RDP.
- Disabling security tools – using the BYOVD driver and other kill‑switches.
- Ransomware deployment – using weaponized Group Policy Objects to push the locker domain‑wide.
Step‑by‑step detection of AD reconnaissance and lateral movement:
- Enable advanced audit policies on domain controllers:
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
- Monitor for unusual `net group “Domain Admins” /domain` commands (Command Line Auditing must be enabled).
- Deploy a SIEM query for Event ID 4624 (successful logins) with non‑standard source workstations.
5. Cloud Tunneling for Persistent, Undetected C2
The Gentlemen uses Cloudflare tunnels and other cloud‑based tunneling services to maintain covert, long‑term access without triggering traditional network detections. This allows them to exfiltrate stolen data and issue commands over HTTPS, blending in with legitimate cloud traffic.
Step‑by‑step detection of cloud tunneling:
- Implement SSL/TLS inspection on your perimeter firewall to decrypt and inspect traffic bound for cloud IP ranges.
- Create a custom Snort/Suricata rule to detect Cloudflare‑specific headers (
CF‑Ray,CF‑Worker):
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Potential Cloudflare Tunneling Detected"; content:"CF-RAY|3a|"; http_header; sid:1000001; rev:1;)
- Correlate outbound connections to known cloud IP ranges with spikes in data volume (indicating exfiltration).
What Undercode Say:
- “The only way of completely solving NTLM relay vulnerabilities is to disable NTLM authentication entirely and use Kerberos.”
- “All the sophisticated defense‑evasion techniques have shifted to the user‑mode components of EDR killers.”
The Gentlemen RaaS shows that old weaknesses – unpatched edge devices, weak authentication, and over‑reliance on NTLM – are still the most effective attack vectors. Their 90/10 affiliate split proves that financial incentives, not zero‑days, drive ransomware scale. Organizations must move beyond patch‑and‑pray and adopt proactive hardening: enforce MFA, disable legacy protocols, and assume that a perimeter compromise is inevitable. Monitoring for BYOVD and cloud tunneling, as outlined above, can buy critical minutes to stop an attack before encryption begins.
Prediction:
Within the next 12 months, RaaS groups like The Gentlemen will fully automate the initial‑access pipeline – from scanning exposed edge devices to deploying EDR‑killers – using AI agents. Defenders will shift from reactive patching to real‑time integrity monitoring of kernel‑mode drivers and mandatory certificate‑based authentication for all management interfaces. The group that wins this arms race will not be the one with the most exploits, but the one that makes lateral movement computationally unaffordable for the attacker.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Gbhackers – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


