Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software
Summary
The Gentlemen ransomware group, active since summer 2025, continues to evolve its tactics while operating a ransomware-as-a-service (RaaS) model. The group employs dual extortion and targets Windows, Linux, and ESXi environments, with initial access often gained through exploitation of exposed FortiGate VPN devices. Affiliates use PowerShell and WMI for lateral movement, deploy anti-forensic tools, and target backup and security systems to maximize impact. The group is known for advanced evasion techniques, including BYOVD attacks via CVE-2025-7771 in the ThrottleStop driver, tailored to disable specific security vendors' products. The gang emerged from a dispute within the Qilin RaaS ecosystem and rapidly established itself using existing tooling. Its attacks have targeted critical infrastructure, including Romania's Oltenia Energy Complex on December 26, 2025, where documents were encrypted and multiple applications (ERP, email, document management) were temporarily disabled. The company cooperated with authorities and restored systems from backups. The group uses PowerRun.exe and Allpatch2.exe for privilege escalation, drops README-GENTLEMEN.txt ransom notes, and appends the .7mtzhh extension to encrypted files. While the National Energy System was not jeopardized, the incident is still under assessment for potential data theft. The group has added nearly four dozen victims to its leak site but has not yet listed Oltenia Energy Complex, likely due to ongoing negotiations.
Timeline
- 29.12.2025 16:26 · 2 articles · 2mo ago
Gentlemen Ransomware Targets Romanian Energy Provider
The Gentlemen ransomware group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer, on December 26, 2025. The attack encrypted documents and temporarily disabled several computer applications, including ERP systems, document management applications, the company's email service, and website. The company's activity was partially affected, but the operation of the National Energy System was not jeopardized. The company is cooperating with authorities and working to restore its IT systems using backups. The impact of the incident is still being assessed, including the possibility of data theft before encryption. The incident was reported to the National Cyber Security Directorate, the Ministry of Energy, and DIICOT.
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- 11.09.2025 23:42 · 3 articles · 6mo ago
Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software
The Gentlemen ransomware gang has been observed using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and extended detection and response (EDR) processes. The ransomware exploits CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors. The attacks have been observed since this summer, with the group adapting its tactics mid-campaign. The use of legitimate, signed drivers complicates detection and defense. The ransomware has been exploiting vulnerable, Internet-facing infrastructure and VPNs in its attacks. The group uses PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. The group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer, on December 26, 2025. The attack encrypted documents and temporarily disabled several computer applications. The company is cooperating with authorities and working to restore its IT systems using backups. The impact of the incident is still being assessed, including the possibility of data theft before encryption. This article confirms The Gentlemen's RaaS model origins within a dispute in the Qilin ecosystem, its dual-extortion tactics, multi-platform targeting (Windows, Linux, ESXi), and primary initial access method via systematic exploitation of exposed FortiGate VPN devices. Affiliates employ PowerShell/WMI for lateral movement, anti-forensic tools, and advanced defense evasion including BYOVD and aggressive log deletion.
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
Information Snippets
- The Gentlemen ransomware gang uses a vulnerable driver to disable security software in enterprise environments.
First reported: 11.09.2025 23:42 · 2 sources, 2 articles
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The ransomware exploits CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver.
First reported: 11.09.2025 23:42 · 1 source, 1 article
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and EDR processes.
First reported: 11.09.2025 23:42 · 2 sources, 2 articles
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The ransomware was first observed this summer.
First reported: 11.09.2025 23:42 · 2 sources, 2 articles
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The group has demonstrated advanced capabilities, including tailored bypasses for specific security vendors.
First reported: 11.09.2025 23:42 · 1 source, 1 article
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- The use of legitimate, signed drivers complicates detection and defense.
First reported: 11.09.2025 23:42 · 1 source, 1 article
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- The gang uses PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products.
First reported: 11.09.2025 23:42 · 1 source, 1 article
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- The ransomware has been exploiting vulnerable, Internet-facing infrastructure and VPNs in its attacks.
First reported: 11.09.2025 23:42 · 2 sources, 2 articles
Sources:
- 'Gentlemen' Ransomware Abuses Vulnerable Driver to Kill Security Gear — www.darkreading.com — 11.09.2025 23:42
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The Gentlemen ransomware group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer, on December 26, 2025.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The attack encrypted documents and temporarily disabled several computer applications, including ERP systems, document management applications, the company's email service, and website.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The company's activity was partially affected, but the operation of the National Energy System was not jeopardized.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The company is cooperating with authorities and working to restore its IT systems using backups.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The impact of the incident is still being assessed, including the possibility of data theft before encryption.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The incident was reported to the National Cyber Security Directorate, the Ministry of Energy, and DIICOT.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The Gentlemen ransomware group uses compromised credentials and targets Internet-exposed services for initial access.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The ransomware gang deploys README-GENTLEMEN.txt ransom notes and encrypts documents using the .7mtzhh file extension.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- The group has added almost four dozen victims to its Tor data leak site but has not yet added Oltenia Energy Complex, likely due to ongoing ransom negotiations.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- This attack follows another ransomware incident that hit Romanian Waters two weeks prior, impacting 1,000 computer systems and 10 of its 11 regional offices.
First reported: 29.12.2025 16:26 · 1 source, 1 article
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- A ransomware affiliate known as 'hastalamuerte' exposed operational details of The Gentlemen group's RaaS model, including infrastructure, attack methods, and affiliate relationships.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- The Gentlemen group emerged from a dispute within an existing RaaS ecosystem with Qilin and rapidly established itself using existing tooling and infrastructure.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- The group employs a dual-extortion model, encrypting victim data and threatening to release it publicly to increase pressure on organizations.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- The Gentlemen group targets multiple platforms, including Windows, Linux, and ESXi environments.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- Systematic exploitation of exposed FortiGate VPN devices via vulnerabilities or brute forcing is a primary initial access method for The Gentlemen.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- Affiliates use PowerShell and Windows Management Instrumentation for lateral movement, deploy anti-forensic tools to erase traces, and target backup and security systems.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- The group uses advanced defense evasion methods, including BYOVD and aggressive log deletion, to disable endpoint detection and antivirus tools and complicate forensic investigation.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- Internal tensions within RaaS operations can lead to leaks exposing group operations, as demonstrated by the 'hastalamuerte' affiliate disclosures.
First reported: 19.03.2026 18:00 · 1 source, 1 article
Sources:
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
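A defender-side triage script for the artefacts the snippets above attribute to this group (README-GENTLEMEN.txt ransom notes, the .7mtzhh extension on encrypted files, and execution of PowerRun.exe / Allpatch2.exe). This is an added example, not code from any of the cited articles; the process log line format it parses is a constructed illustration, not a real Sysmon or EDR schema, and the directory tree it scans is built in a temporary folder.

```python
"""Triage helper for Gentlemen ransomware artefacts named on this page.
Added example, not code from any source article. The log format below is constructed."""
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "README-GENTLEMEN.txt"
ENCRYPTED_EXT = ".7mtzhh"
# Tools the page reports being used to escalate privileges and disable security products.
SUSPECT_TOOLS = {"powerrun.exe", "allpatch2.exe"}


def scan_tree(root):
    """Walk `root`; return ransom-note paths and a per-directory count of encrypted files."""
    notes, encrypted = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
    return {"notes": sorted(notes), "encrypted_per_dir": dict(encrypted)}


# Constructed line format: "<timestamp> host=<name> image=<path> user=<account>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+)")


def flag_process_events(lines):
    """Return (timestamp, host, image basename) for events that ran a suspect tool."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole sweep
        base = os.path.basename(m.group("image").replace("\\", "/")).lower()
        if base in SUSPECT_TOOLS:
            hits.append((m.group("ts"), m.group("host"), base))
    return hits


def demo():
    """Build a constructed share tree and log sample, then run both checks."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "shares", "finance")
    os.makedirs(docs)
    for name in ("q4.xlsx.7mtzhh", "budget.docx.7mtzhh", RANSOM_NOTE):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "shares", "readme.txt"), "w").close()  # benign file
    sample_log = [
        "2025-12-26T03:12:09Z host=FS01 image=C:\\Windows\\Temp\\PowerRun.exe user=SYSTEM",
        "2025-12-26T03:12:41Z host=FS01 image=C:\\Windows\\Temp\\Allpatch2.exe user=SYSTEM",
        "2025-12-26T03:13:00Z host=FS01 image=C:\\Windows\\explorer.exe user=jdoe",
    ]
    return scan_tree(root), flag_process_events(sample_log)


if __name__ == "__main__":
    print(demo())
```

On a real host, point scan_tree at the affected shares and feed flag_process_events the image paths from your process-creation telemetry; a directory with a note and many .7mtzhh files is a candidate for the encryption-start time.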
Similar Happenings
Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access
A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. Cisco issued its first advisory for CVE-2026-20131 on March 4, 2026, and Amazon Threat Intelligence confirmed active exploitation by Interlock starting in late January. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by March 22, 2026, under BOD 22-01. Post-exploitation tooling includes custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are leveraged for ransomware operations and secondary monetization.
LeakNet ransomware expands operations with ClickFix social engineering and Deno-based in-memory execution
LeakNet ransomware has expanded its operations by adopting the ClickFix social engineering tactic delivered through compromised websites, which instruct users to run malicious 'msiexec.exe' commands via fake CAPTCHA checks. The group continues to deploy a Deno-based in-memory loader to execute Base64-encoded JavaScript payloads, fingerprint systems, and stage follow-on malware via polling loops, while maintaining a consistent post-exploitation chain involving DLL sideloading, credential discovery via 'klist', lateral movement via PsExec, and data staging using compromised Amazon S3 buckets. LeakNet first emerged in November 2024, presenting itself as a 'digital watchdog' focused on internet freedom and transparency, and has targeted industrial entities according to Dragos. The group’s shift away from initial access brokers reduces per-victim costs and operational bottlenecks. ReliaQuest also observed a separate intrusion attempt using Microsoft Teams-based phishing leading to a Deno-based loader, suggesting either a broadening of LeakNet’s tactics or adoption by other actors. The operation’s average of three monthly victims may increase as the group scales its new initial access and execution methods.
New Vect RaaS Group Targets Organizations in Brazil and South Africa
A new ransomware-as-a-service (RaaS) group named Vect has emerged, targeting organizations in Brazil and South Africa. The group, which began recruiting affiliates in December 2025, uses custom-built C++ malware with ChaCha20-Poly1305 AEAD encryption and intermittent encryption techniques. Vect operates with a high level of maturity, offering cross-platform ransomware targeting Windows, Linux, and VMware ESXi, and employs strong operational security measures. The group has already claimed two victims and operates a double extortion model. Vect's malware is notable for its speed and disruption capabilities, and the group's infrastructure is exclusively hosted on TOR hidden services. Initial access is likely achieved through exposed RDP/VPN, stolen credentials, phishing, or vulnerability exploitation.
eScan Antivirus Supply Chain Compromise Delivers Signed Malware
A supply chain compromise in eScan antivirus products led to the distribution of multi-stage malware via legitimate update channels on January 20, 2026. The malware, signed with a compromised eScan certificate, established persistence, enabled remote access, and blocked further updates. Morphisec Threat Labs detected and mitigated the attack, while eScan took its update system offline for remediation. The malware modified system files and registry settings to prevent automatic remediation and communicated with external C2 infrastructure. Affected organizations are advised to search for malicious files, review scheduled tasks, inspect registry keys, block C2 domains, and revoke the compromised certificate. The breach was limited to a two-hour window on January 20, 2026, affecting only customers downloading updates from a specific regional update cluster. eScan detected the issue internally through monitoring and customer reports on January 20, isolated the affected infrastructure within hours, and issued a security advisory on January 21. eScan disputes Morphisec's claims of being the first to discover or report the incident, stating it conducted proactive notifications and direct outreach to impacted customers. The incident did not involve a vulnerability in the eScan product itself but was due to unauthorized access to a regional update server configuration. The malicious update was signed with what appears to be eScan's code-signing certificate, but both Windows and VirusTotal show the signature as invalid. The command and control servers observed include hxxps://vhs.delrosal.net/i, hxxps://tumama.hns.to, hxxps://blackice.sol-domain.org, hxxps://codegiant.io/dd/dd/dd.git/download/main/middleware.ts, 504e1a42.host.njalla.net, and 185.241.208.115.
US Charges 87 in ATM Jackpotting Conspiracy Linked to Venezuelan Crime Syndicate
The US has charged 87 individuals in a conspiracy involving ATM jackpotting fraud, linked to the Venezuelan crime syndicate Tren de Aragua. The defendants allegedly used Ploutus malware to hack ATMs, causing $40.73 million in losses by August 2025. The conspiracy involved surveillance, malware deployment, and money laundering to fund further criminal activities. In July 2025, the U.S. government sanctioned key members of Tren de Aragua, including Hector Rusthenford Guerrero Flores, for their involvement in various criminal activities. Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, were convicted of stealing hundreds of thousands of dollars from U.S. banks using ATM jackpotting and will be deported after serving their sentences. The FBI reported 1,900 ATM jackpotting incidents since 2020, with 700 occurring in 2025, and losses of more than $20 million in 2025 due to these incidents. Threat actors exploit the eXtensions for Financial Services (XFS) API to bypass bank authorization and control ATMs. Ploutus malware interacts directly with ATM hardware, bypassing the original ATM software's security. The FBI recommends physical security measures, hardware security, logging, auditing, IP whitelisting, endpoint detection and response, threat intelligence sharing, and updated security awareness training to mitigate jackpotting risks.