
Rhysida and Interlock ransomware operations have moved to a modular supply chain model: footholds are bought from Initial Access Brokers (IABs), payloads are wrapped by commercial crypter services, and VMware ESXi hypervisors are the preferred target. Affiliates (including the cluster Microsoft tracks as Storm-2697) pair that access with "GentleKiller", an EDR-killing framework distributed by The Gentlemen RaaS that terminates over 400 security processes across 48 products, to silence endpoint defenses before deploying Go-based, self-propagating encryptors. Encrypting at the virtualization layer locks every VM on a host in a single pass without ever touching the controls inside the guests, and per-file ephemeral keys mean that a key recovered from one file or from memory decrypts nothing else, leaving victims dependent on the operator's private key and maximizing extortion leverage.

  • Industrialized Supply Chain: Modular Access and Evasion

    • Shift from monolithic malware to a symbiotic ecosystem in which IABs supply valid credentials and hijacked session tokens, so the affiliate's first action on the network already looks like a legitimate login.
    • Use of commercial crypter services to wrap payloads so that the dropped binaries evade static and signature-based detection by current EDR products.
    • Distribution of specialized tooling to affiliates, shortening the path from initial access to encryption of the whole environment.
  • EDR Neutralization: The GentleKiller Framework

    • Deployment of "GentleKiller," a framework designed by The Gentlemen RaaS (operated by hastalamuerte/zeta88) to disable security software.
    • Capability to terminate over 400 unique security processes across 48 different security products.
    • Lowering the technical barrier for affiliates, such as Storm-2697, to maintain persistence and execute payloads without interference.
  • Technical Deep Dive: VMware ESXi Exploitation

    • Deployment of Linux-based ransomware binaries built specifically for the ESXi hypervisor, typically copied to the host and run from the ESXi Shell or SSH.
    • Encryption of VMDK and related files directly on the VMFS datastores, which sidesteps EDR and other controls running inside the guest VMs because the guests never see the disk I/O.
    • Mass encryption of dozens or hundreds of VMs in one pass, usually after the VMs are forcibly powered off to release file locks, causing systemic operational failure.
  • Payload Analysis: Go-Based Encryptors

    • Use of Go-based self-propagating encryptors that spread to reachable hosts on their own, removing the need for an operator to push the payload machine by machine.
    • Per-file ephemeral key encryption: each file is encrypted under its own freshly generated symmetric key, which is then protected with the operator's public key, so recovering a single file key from memory or disk helps with that one file only and bulk decryption is impossible without the operator's private key.
    • Encryption routines tuned for high-throughput server storage, such as multi-gigabyte VMDK files, shrinking the window between first detection and total lockout in which responders could still intervene.
  • Defensive Actions: Hardening and Detection

    • Strict hardening of ESXi hosts: enable lockdown mode, keep SSH and the ESXi Shell disabled when not in use, leave the execInstalledOnly kernel setting enabled so unsigned binaries cannot run on the host, place management interfaces on an isolated network, and enforce MFA on vCenter and ESXi administrative accounts.
    • Hypervisor-aware monitoring: forward ESXi logs (shell.log, hostd.log, auth.log) to a SIEM and alert on unknown binaries executing on the host, execInstalledOnly or the host firewall being disabled, and bursts of vim-cmd power-off or esxcli process-kill activity that precede encryption.
    • Monitoring for anomalous credential usage characteristic of IAB-sourced entry: valid accounts logging in from new locations or at unusual hours, and session tokens reused from a different IP or device than the one that issued them.
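The hypervisor-side detection described above, worked through as an added example (this is illustrative code written for this briefing, not tooling from any of the vendors or groups it cites). It parses lines in the layout of ESXi's /var/log/shell.log, matches each command against a small rule set built from real esxcli and vim-cmd syntax, and adds a count-based rule for mass VM power-off. The log lines, the rule names and the threshold of three power-offs per shell session are this example's own constructed choices.

```python
"""Flag ESXi shell activity that typically precedes hypervisor-level ransomware."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of ESXi's shell.log
# ("<timestamp> shell[<pid>]: [<user>]: <command>"); not real telemetry.
SAMPLE_SHELL_LOG = """\
2025-01-14T08:02:11Z shell[2035413]: [root]: esxcli system version get
2025-01-14T08:03:40Z shell[2035413]: [root]: esxcli system settings kernel set -s execInstalledOnly -v FALSE
2025-01-14T08:04:02Z shell[2035413]: [root]: chmod +x /tmp/encrypt
2025-01-14T08:04:15Z shell[2035413]: [root]: esxcli network firewall set --enabled false
2025-01-14T08:05:01Z shell[2035413]: [root]: vim-cmd vmsvc/getallvms
2025-01-14T08:05:03Z shell[2035413]: [root]: vim-cmd vmsvc/power.off 12
2025-01-14T08:05:03Z shell[2035413]: [root]: vim-cmd vmsvc/power.off 13
2025-01-14T08:05:04Z shell[2035413]: [root]: vim-cmd vmsvc/power.off 14
2025-01-14T08:05:04Z shell[2035413]: [root]: esxcli vm process kill --type=force --world-id=2110432
2025-01-14T08:06:10Z shell[2035413]: [root]: /tmp/encrypt --path /vmfs/volumes
2025-01-14T09:15:22Z shell[2040001]: [admin]: esxcli storage filesystem list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# (rule name, pattern applied to the command text, severity). The command syntax is
# real ESXi CLI; the rule set and severities are this example's own choices.
RULES = [
    ("execInstalledOnly disabled",
     re.compile(r"execInstalledOnly\s+-v\s+(?:FALSE|0)\b", re.I), "high"),
    ("host firewall disabled",
     re.compile(r"network\s+firewall\s+set\s+--enabled\s+false", re.I), "high"),
    ("binary executed from temp dir",
     re.compile(r"^/(?:var/)?tmp/\S+"), "high"),
    ("exec bit set on temp-dir file",
     re.compile(r"^chmod\s+\S*\+x\S*\s+/(?:var/)?tmp/"), "medium"),
    ("forced VM process kill",
     re.compile(r"^esxcli\s+vm\s+process\s+kill\b"), "medium"),
    ("SSH or ESXi Shell enabled",
     re.compile(r"^vim-cmd\s+hostsvc/enable_(?:ssh|esx_shell)\b"), "medium"),
]
POWER_OFF_RE = re.compile(r"^vim-cmd\s+vmsvc/power\.off\s+\d+")
MASS_POWER_OFF_THRESHOLD = 3  # power-offs per shell session before we call it bulk


@dataclass
class Finding:
    ts: str
    user: str
    rule: str
    severity: str
    cmd: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one shell.log line into ts/pid/user/cmd, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_shell_log(log_text: str) -> List[Finding]:
    """Return one Finding per matched rule, plus one per session that mass-powers-off VMs."""
    findings: List[Finding] = []
    power_offs: Counter = Counter()
    first_power_off: Dict[tuple, str] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        cmd = rec["cmd"]
        for name, pattern, severity in RULES:
            if pattern.search(cmd):
                findings.append(Finding(rec["ts"], rec["user"], name, severity, cmd))
        if POWER_OFF_RE.match(cmd):
            # Key on shell pid so one interactive session is counted as one actor.
            key = (rec["pid"], rec["user"])
            power_offs[key] += 1
            first_power_off.setdefault(key, rec["ts"])
    for (pid, user), n in power_offs.items():
        if n >= MASS_POWER_OFF_THRESHOLD:
            findings.append(Finding(first_power_off[(pid, user)], user, "mass VM power-off",
                                    "high", f"{n} x vim-cmd vmsvc/power.off from shell pid {pid}"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity so a pipeline can page on 'high' alone."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.ts} {f.severity:<6} {f.user:<6} {f.rule}: {f.cmd}")
    print(count_by_severity(scan_shell_log(SAMPLE_SHELL_LOG)))
```

Run against the constructed sample, the benign `esxcli system version get` and the admin's `esxcli storage filesystem list` produce nothing, while the root session triggers six findings: the execInstalledOnly and firewall changes, the temp-dir chmod and execution, the forced world kill, and one aggregated mass power-off. In production the same logic belongs on the SIEM side over syslog-forwarded ESXi logs, since anything running on the host itself can be stopped by the same actor who disables execInstalledOnly.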

Related posts

  1. microsoft.com — The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
  2. gbhackers.com — Rhysida and Interlock Ransomware Groups Linked to Initial Access Brokers and Crypter Ecosystem
  3. gurucul.com — Threat Actor Profile: The Gentlemen
  4. helpnetsecurity.com — GentleKiller targets more than 400 security processes across 48 products
  5. bleepingcomputer.com — Gentlemen ransomware uses multiple EDR killers to disable defenses
  6. feeds.feedburner.com — The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes
  7. Kaspersky Securelist — The Gentlemen are knocking: custom backdoors and evolving tactics
  8. Krebs on Security — Who Runs the Ransomware Group ‘The Gentlemen?’
  9. feeds.feedburner.com — The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
  10. News4Hackers — NATO Contractor Indra Group Hit by Ransomware: Hackers Threaten Data Leak in 9 Days
