Fast Facts
- The Gentlemen ransomware group uses a vulnerable driver (ThrottleStop.sys) to bypass security measures by executing a bring-your-own-vulnerable-driver (BYOVD) attack, enabling kernel-level process termination of security tools.
- This group dynamically adapts its tactics, shifting from generic utilities to targeted, customized tools like All.exe and Allpatch2.exe, which specifically disable antivirus and endpoint protection components based on reconnaissance.
- The vulnerability CVE-2025-7771 in ThrottleStop.sys, combined with the use of legitimate but exploited drivers like ThrottleBlood.sys, allows the ransomware to escalate privileges and disable security defenses while evading detection.
- To combat these tactics, experts recommend implementing zero-trust controls, monitoring for suspicious process combinations, and focusing on detecting renamed or unusual instances of malicious executables rather than driver filenames alone.
Key Challenge
Earlier this week, Trend Micro researchers uncovered an advanced ransomware operation called The Gentlemen, which employs sophisticated tactics to bypass enterprise security defenses. This group is exploiting a known vulnerability in a legitimate driver, ThrottleStop.sys, by leveraging a high-severity flaw (CVE-2025-7771) to disable antivirus and endpoint detection tools. They use a technique called bring-your-own-vulnerable-driver (BYOVD) attack, which gives the ransomware kernel-level access to terminate security processes and facilitate file encryption. Notably, The Gentlemen evolved from using generic tools to creating customized, targeted malware variants, demonstrating significant adaptability and a high level of technical skill to evade detection, especially by exploiting the legitimate digital signatures of drivers that are hard for conventional security measures to flag.
This attack primarily affected enterprise networks, targeting their defenses by conducting detailed reconnaissance and then deploying tailored evasion methods, including the use of legitimate tools like PowerRun.exe and a customized AV killer called Allpatch2.exe. The researchers suspect that the threat actors are using these tactics to attack specific organizations, capitalizing on vulnerabilities in exposed internet infrastructure and VPNs. Trend Micro warns that because ThrottleBlood.sys is a signed driver, typical signature checks are ineffective, making behavioral monitoring and vigilance against suspicious process combinations crucial. Overall, the report emphasizes the growing sophistication of The Gentlemen and recommends organizations adopt zero-trust security measures and heightened monitoring to mitigate such evolving threats.
Critical Concerns
The Gentlemen ransomware gang has demonstrated an advanced and adaptive approach to cyber threats by exploiting a vulnerability in the legitimate driver ThrottleStop.sys (renamed ThrottleBlood.sys) to disable enterprise security defenses. Using a novel bring-your-own-vulnerable-driver (BYOVD) technique, they leverage kernel-level access to terminate antivirus and EDR processes, effectively shutting down protective measures. Their tactics include deploying customized tools like All.exe and Allpatch2.exe, which are tailored to bypass specific security infrastructures and evade detection, highlighting a shift from generic to highly targeted attacks. By exploiting signed, legitimate drivers and conducting detailed reconnaissance on defenses, the group elevates the risk to organizations, emphasizing the importance of vigilant monitoring for unusual process activity and implementing zero-trust controls to mitigate such sophisticated threats.
Fix & Mitigation
Addressing the vulnerabilities exploited by the "Gentlemen" Ransomware, particularly its abuse of vulnerable drivers, is crucial to preventing widespread damage and safeguarding sensitive data. Prompt remediation minimizes the risk of escalation and ensures system stability.
Mitigation Strategies
Update Drivers
Regularly apply latest security patches to outdated or vulnerable drivers to close exploited entry points.
Disable Suspect Drivers
Identify and disable or uninstall drivers known to be exploited by the ransomware.
Security Patches
Keep operating systems and all software up-to-date with the most recent security patches.
Endpoint Protection
Implement advanced endpoint detection and response (EDR) tools to identify malicious activity early.
Network Segmentation
Segment networks to limit lateral movement of malware and contain potential infections.
Backup Data
Maintain regular, secure backups of critical data to enable swift recovery if an attack occurs.
User Education
Train staff to recognize phishing attempts and suspicious activity that could lead to driver exploitation.
Monitoring & Response
Establish continuous monitoring and incident response plans to rapidly detect and contain infections.
Advance Your Cyber Knowledge
Discover cutting-edge developments in Emerging Tech and industry Insights.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
