Rhysida and Interlock ransomware operations have shifted to a modular supply chain model, leveraging Initial Access Brokers (IABs) and specialized crypter services to target VMware ESXi hypervisors. Using the "GentleKiller" framework, an EDR-terminating toolset that targets over 400 security processes across 48 products, affiliates (including Storm-2697) disable guest-level defenses before deploying Go-based, self-propagating encryptors. This strategy enables the mass encryption of multiple virtual machines simultaneously at the virtualization layer, with per-file ephemeral key encryption used to maximize operational paralysis and extortion leverage.
Industrialized Supply Chain: Modular Access and Evasion
- Shift from monolithic malware to a symbiotic ecosystem utilizing IABs for valid credential and session token acquisition.
- Use of professional crypter services to wrap payloads, ensuring high rates of undetectability against modern EDR solutions.
- Integration of specialized tools distributed to affiliates to streamline the transition from initial access to full environment encryption.
EDR Neutralization: The GentleKiller Framework
- Deployment of "GentleKiller," a framework designed by The Gentlemen RaaS (operated by hastalamuerte/zeta88) to disable security software.
- Capability to terminate over 400 unique security processes across 48 different security products.
- Lowering the technical barrier for affiliates, such as Storm-2697, to maintain persistence and execute payloads without interference.
Technical Deep Dive: VMware ESXi Exploitation
- Deployment of specialized Linux-based ransomware binaries engineered specifically for the VMware ESXi hypervisor environment.
- Strategic targeting of the virtualization layer to bypass security controls implemented within individual guest virtual machines (VMs).
- Execution of mass encryption across dozens or hundreds of VMs simultaneously, inducing systemic operational failure.
Payload Analysis: Go-Based Encryptors
- Utilization of Go-based self-propagating encryptors for rapid lateral movement across enterprise networks.
- Implementation of per-file ephemeral key encryption, so that each file is encrypted under its own one-time key and none can be recovered without the operator's private keys.
- High-efficiency encryption routines designed for high-throughput server environments, minimizing the window between detection and total lockout.
Defensive Actions: Hardening and Detection
- Strict hardening of VMware ESXi environments, including the disablement of unnecessary services and limiting administrative access.
- Implementation of hypervisor-aware security monitoring to detect the execution of unauthorized Linux binaries on the host.
- Monitoring for anomalous credential usage and session hijacking patterns characteristic of IAB-sourced entry.
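One way to implement the hypervisor-aware monitoring described above, as an added example that is not code from the original page or from any of the vendors it cites: a small Python detector run over constructed ESXi shell.log lines (the "timestamp shell[pid]: [user]: command" layout is assumed from ESXi's shell audit log, and /tmp/sys_update is a hypothetical dropped binary). It flags execution of binaries from locations a stock host never runs code from, and a burst of vim-cmd power-off commands, which precedes mass encryption because running guests hold their disk files locked.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ESXi /var/log/shell.log lines (not real data); the
# "timestamp shell[pid]: [user]: command" layout is assumed from ESXi's shell audit log.
SAMPLE_SHELL_LOG = """\
2024-05-01T02:10:01Z shell[2100538]: [root]: esxcli vm process list
2024-05-01T02:10:07Z shell[2100538]: [root]: /tmp/sys_update --threads 8
2024-05-01T02:10:09Z shell[2100538]: [root]: vim-cmd vmsvc/power.off 12
2024-05-01T02:10:10Z shell[2100538]: [root]: vim-cmd vmsvc/power.off 13
2024-05-01T02:10:11Z shell[2100538]: [root]: vim-cmd vmsvc/power.off 14
2024-05-01T02:10:12Z shell[2100538]: [root]: vim-cmd vmsvc/power.off 15
2024-05-01T09:30:00Z shell[2100600]: [root]: esxcli network ip interface list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# A stock ESXi host runs nothing from these locations; an executable there was
# dropped by someone (the hypothetical /tmp/sys_update above stands in for one).
UNTRUSTED_PREFIXES = ("/tmp/", "/vmfs/volumes/", "/scratch/")
POWER_OFF_BURST = 3                    # this many VM power-offs ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window raises one alert


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text):
    """Scan shell.log text; return (alert_kind, timestamp, detail) tuples."""
    alerts, poweroffs, burst_alerted = [], [], False
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        argv = ev["cmd"].split()
        exe = argv[0] if argv else ""
        if exe.startswith(UNTRUSTED_PREFIXES):
            alerts.append(("untrusted_binary_exec", ev["ts"], ev["cmd"]))
        if argv[:2] == ["vim-cmd", "vmsvc/power.off"]:
            poweroffs.append(ev["ts"])
            recent = [t for t in poweroffs if ev["ts"] - t <= BURST_WINDOW]
            if len(recent) >= POWER_OFF_BURST and not burst_alerted:
                burst_alerted = True   # report the burst once, not on every further power-off
                alerts.append(("mass_vm_poweroff", ev["ts"], f"{len(recent)} VM power-offs within {BURST_WINDOW.seconds}s"))
    return alerts
```

On a real host the same logic would be fed from the forwarded shell.log and hostd.log streams; the prefixes and burst threshold are tuning knobs, not fixed values.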