A misconfigured server on a Russian bulletproof hosting service has exposed the full toolkit that a TheGentlemen ransomware affiliate uses to do business. The directory held 126 files spread across 18 subdirectories.
The files totalled about 140 megabytes. The most operationally useful file in the whole directory is z1.bat, a 35-kilobyte batch script that carries more malware indicators than any other file on the server. The script begins by systematically deleting and disabling services belonging to more than a dozen security vendors, including Sophos, Kaspersky, Trend Micro, McAfee, ESET, Webroot, AVG, Malwarebytes, Panda, and Quick Heal.
It also creates open SMB shares for every drive letter from C to K, granting all users full access, so ransomware on any compromised host can reach every shared drive on the network. The script finishes by deleting all Volume Shadow Copies, clearing every Windows event log channel, emptying the Recycle Bin, and killing every process with a PID above 1000.
Security teams should watch for a number of behaviours directly linked to this toolkit: PowerRun execution, mass changes to the Windows Defender service state, batch-driven event log clearing with wevtutil, LSASS memory access consistent with Mimikatz, IFEO debugger modifications to accessibility binaries, and WDigest registry changes.
To harden configurations, enable Credential Guard, maintain immutable offline backups, enable endpoint tamper protection, audit Group Policy Objects for unauthorized Defender changes, and apply application whitelisting to user-writable directories. On the network side, block connections to 176.120.22[.]127 and monitor for ngrok tunnel traffic to ngrok infrastructure.
Alert on vssadmin.exe Delete Shadows execution patterns and on mass service disabling.
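The detection and blocking guidance above can be turned into a small triage script. The following is an added example, not code from the article or from the affiliate's toolkit: it scans process command lines (such as a Sysmon Event ID 1 or 4688 export) for the behaviours the article names, flags hosts that disable many services in bulk, and checks connection records against the published C2 address and ngrok endpoints. The sample events, host names, service names and the ngrok domain suffixes are constructed or assumed for illustration.

```python
"""Triage helper for the behaviours described in the article.
Added example, not part of the original article; all sample
records below are constructed for illustration."""
import re

# Each rule: (name, regex over the process command line). The patterns
# are written from the behaviours the article describes.
COMMAND_LINE_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("defender_service_tamper",
     re.compile(r"sc(\.exe)?\s+(config|stop|delete)\s+windefend\b", re.I)),
    ("ifeo_accessibility_hijack",
     re.compile(r"image file execution options\\(sethc|utilman|osk|narrator|"
                r"magnify|displayswitch|atbroker)\.exe.*\bdebugger\b", re.I)),
    ("wdigest_cleartext_creds",
     re.compile(r"wdigest.*uselogoncredential.*\b1\b", re.I)),
    ("share_everyone_full",
     re.compile(r"net(\.exe)?\s+share\s+\S+=[A-Z]:\\?.*grant:everyone,full", re.I)),
    ("ngrok_tunnel",
     re.compile(r"\bngrok(\.exe)?\s+(tcp|http|start)\b", re.I)),
]

# Any sc stop/delete/config or net stop, capturing the service name.
SERVICE_TAMPER = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop)\s+\"?([^\s\"]+)",
    re.I)

BLOCKED_IPS = {"176.120.22.127"}  # C2 address named in the article (refanged)
# Assumed ngrok endpoint suffixes; extend from your own telemetry.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")


def match_command_line(cmdline):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in COMMAND_LINE_RULES if rx.search(cmdline)]


def scan_process_events(events):
    """Yield (host, rule, cmdline) for every rule hit across the events."""
    return [(ev["host"], name, ev["cmdline"])
            for ev in events for name in match_command_line(ev["cmdline"])]


def hosts_with_mass_service_tamper(events, threshold=5):
    """Hosts where at least `threshold` distinct services were stopped,
    deleted or reconfigured; returns {host: sorted service names}."""
    per_host = {}
    for ev in events:
        m = SERVICE_TAMPER.search(ev["cmdline"])
        if m:
            per_host.setdefault(ev["host"], set()).add(m.group(1).lower())
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}


def flag_connections(conns):
    """Return (host, dst_ip, reasons) for connections to the blocked C2
    address or to an ngrok tunnel endpoint."""
    flagged = []
    for c in conns:
        reasons = []
        if c["dst_ip"] in BLOCKED_IPS:
            reasons.append("known_c2_ip")
        if c.get("dst_name", "").lower().endswith(NGROK_SUFFIXES):
            reasons.append("ngrok_tunnel_endpoint")
        if reasons:
            flagged.append((c["host"], c["dst_ip"], reasons))
    return flagged


# Constructed sample telemetry: WS01 shows the toolkit's behaviours, WS02 is benign.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS01", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "cmdline": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                                "Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ "
                                "/d C:\\Windows\\Temp\\x.exe /f"},
    {"host": "WS01", "cmdline": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders"
                                "\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"host": "WS01", "cmdline": "net share C=C:\\ /GRANT:Everyone,FULL"},
    {"host": "WS01", "cmdline": "sc config WinDefend start= disabled"},
    {"host": "WS01", "cmdline": "sc stop VendorA_Svc"},
    {"host": "WS01", "cmdline": "sc delete VendorA_Svc"},
    {"host": "WS01", "cmdline": "sc stop VendorB_Svc"},
    {"host": "WS01", "cmdline": "sc stop VendorC_Svc"},
    {"host": "WS01", "cmdline": "sc delete VendorD_Svc"},
    {"host": "WS01", "cmdline": "ngrok.exe tcp 3389"},
    {"host": "WS02", "cmdline": "wevtutil.exe qe Security /c:10"},  # read-only query
]

SAMPLE_CONNECTIONS = [
    {"host": "WS01", "dst_ip": "176.120.22.127", "dst_port": 443, "dst_name": ""},
    {"host": "WS01", "dst_ip": "203.0.113.10", "dst_port": 443, "dst_name": "tunnel.eu.ngrok.io"},
    {"host": "WS02", "dst_ip": "198.51.100.5", "dst_port": 443, "dst_name": "update.example.com"},
]

if __name__ == "__main__":
    for host, rule, cmd in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{host}] {rule}: {cmd}")
    print("mass service tamper:", hosts_with_mass_service_tamper(SAMPLE_PROCESS_EVENTS))
    print("network:", flag_connections(SAMPLE_CONNECTIONS))
```

The per-rule matches give an analyst the individual indicators, while the mass-service-tamper count is what separates a single legitimate `sc stop` from the bulk disabling the script performs; tune the threshold to your environment's normal administrative noise.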