Misconfigured Server Exposes TheGentlemen Ransomware Toolkit, Credentials
Key Takeaways
- A misconfigured server, hosted in Russia, exposed the complete operational toolkit of a TheGentlemen ransomware affiliate.
- The exposed data included not only ransomware tools but also stolen victim credentials and authentication tokens used for covert remote access.
- The toolkit reveals a sophisticated pre-ransomware deployment script designed for rapid execution: it disables security products and critical services and establishes persistence.
- The incident underscores the ongoing threat posed by Ransomware-as-a-Service (RaaS) operations and the importance of monitoring for specific TTPs.
TheGentlemen Ransomware Toolkit Exposed on Misconfigured Server
A critical misconfiguration on a server linked to a Russian bulletproof hosting provider has inadvertently revealed the full scope of an affiliate’s operational toolkit for TheGentlemen ransomware. This significant exposure encompasses not only the tools themselves but also sensitive victim credentials and plaintext authentication tokens, which facilitate hidden remote access tunnels.
TheGentlemen operates as a prominent Ransomware-as-a-Service (RaaS) model, where a core group develops the ransomware and infrastructure, while affiliates execute attacks using shared resources. This group has been observed targeting organizations across the Americas, Europe, and the Middle East, demonstrating capabilities against Windows, Linux, and ESXi environments. Their modus operandi is characterized by swift execution, often compressing the entire attack chain from initial access to full encryption into a matter of hours. The gravity of this particular leak lies in the fact that the server contained direct evidence of these tools having already been deployed against actual victims, not merely preparatory materials.
Server Details and Discovery
The exposed server was identified at IP address 176.120.22[.]127, communicating over port 80, and residing on Proton66 OOO infrastructure. This autonomous system has a documented history associated with various malicious campaigns, including SuperBlack ransomware, WeaXor, and XWorm. The open directory on the server contained 126 files distributed across 18 subdirectories, accumulating approximately 140 megabytes of operational data.
Analysts at Hunt.io discovered the exposed directory on March 12, 2026. Their investigation was initiated while pivoting on indicators of compromise (IOCs) previously published in a CyberXTron report concerning TheGentlemen ransomware group. Utilizing the AttackCapture IOC search capability, a query yielded a single result pointing directly to the unauthenticated server, which had been active for at least 24 days prior to the analysis.
Every script analyzed from the server was automatically categorized as malicious. These classifications fell into two primary groups: “Exploit,” for scripts designed to alter security settings and escalate privileges, and “Config,” for scripts containing sensitive authentication tokens. AI-driven text file analysis further flagged routines for credential dumping, disabling Windows Defender, clearing event logs, setting up ngrok tunnels, and establishing persistence mechanisms across multiple files.
Inside the Pre-Ransomware Deployment Script: z1.bat
Among the most revealing artifacts within the exposed directory is “z1.bat,” a 35-kilobyte batch script. This file registered the highest malware indicator count on the server, consolidating nearly all pre-encryption preparation steps into a single execution. Its design prioritizes speed, intended for immediate deployment before ransomware execution, when rapid action often outweighs stealth.
The script initiates by systematically deleting and disabling services associated with over a dozen prominent security vendors, including Sophos, Kaspersky, Trend Micro, McAfee, ESET, Webroot, AVG, Malwarebytes, Panda, and Quick Heal. This stop-and-disable logic extends to critical enterprise applications, encompassing more than 30 Microsoft Exchange services, Oracle databases, MySQL, multiple Tomcat versions, Veeam backup infrastructure, and Hyper-V. The termination of these services is crucial for ransomware to gain access to locked files within Exchange databases, SQL Server files, and backup vaults, ensuring maximum encryption coverage.
Beyond service termination, z1.bat executes a registry-wide purge targeting security product entries from nearly 20 vendors. This includes Kaspersky versions spanning almost a decade, the entire McAfee product suite, and additional products such as Bitdefender, COMODO, ESET, Avira, Norton, and Qihoo 360. The script also creates open Server Message Block (SMB) shares on every drive letter from C through K, granting full access to all users. This mechanism allows ransomware, once active on any compromised host, to traverse and encrypt data across all shared network drives.
The script proceeds to install Image File Execution Options (IFEO) debugger redirects on Windows accessibility tools like sethc.exe, utilman.exe, Magnify.exe, and HelpPane.exe, replacing their default executables with cmd[.]exe. This technique, commonly known as the “Sticky Keys backdoor,” enables a SYSTEM-level command prompt to be launched directly from the Windows login screen. Coupled with enabling Remote Desktop Protocol (RDP), disabling Network Level Authentication (NLA), and turning off User Account Control (UAC), this establishes persistent access that can withstand the removal of other remote access tools. The script concludes by deleting all Volume Shadow Copies, clearing all Windows event log channels, emptying the Recycle Bin, and terminating all processes with a Process ID (PID) above 1000, effectively sanitizing the execution environment for the impending ransomware launch.
What You Should Do
- Endpoint Monitoring: Look for PowerRun execution, bulk Windows Defender service state changes, batch-based event log clearing via wevtutil, LSASS memory access indicative of Mimikatz, IFEO debugger modifications on accessibility binaries, WDigest registry changes, and mass network share creation.
- Network Monitoring: Block all connections to IP address 176.120.22[.]127. Actively monitor for ngrok tunnel activity directed towards ngrok infrastructure.
- Behavioral Alerts: Configure alerts for vssadmin.exe Delete Shadows execution, patterns of mass service disabling, and EnableLUA registry modifications.
- Configuration Hardening: Enable Credential Guard, maintain immutable offline backups, activate endpoint tamper protection, audit Group Policy Objects (GPOs) for unauthorized Defender changes, and implement application whitelisting in user-writable directories.
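The detection and alerting points above, and the z1.bat behaviours described earlier, can be turned into a small correlation check. The following is an added example, not code from the report, Hunt.io, or the leaked toolkit: it scans constructed host telemetry lines (process command lines and Sysmon-style registry events; host names and values are invented) for the named behaviours and flags a host only when several distinct ones coincide, which is the consolidated pre-ransomware pattern rather than one-off admin activity.

```python
"""Detection sketch for the pre-ransomware TTPs listed above (added example, not
from the report or the leaked toolkit). It scans constructed host telemetry lines
(process command lines and Sysmon-style registry events) for the behaviours the
article names and correlates distinct hits per host."""
import re
from collections import defaultdict

# Rule names and keywords come from the report; the regexes are this example's own.
RULES = [
    ("defender_service_disabled", re.compile(r"\bsc(?:\.exe)?\s+config\s+WinDefend\s+start=\s*disabled", re.I)),
    ("ifeo_accessibility_debugger", re.compile(
        r"Image File Execution Options\\(?:sethc|utilman|magnify|helppane)\.exe\\Debugger\b", re.I)),
    ("open_share_all_users", re.compile(r"\bnet1?(?:\.exe)?\s+share\s+\S+=\w:\\.*?/grant:everyone,full", re.I)),
    ("uac_disabled_enablelua", re.compile(r"\\EnableLUA\b.*DWORD \(0x0+\)", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I)),
]

def match_rules(text):
    """Names of every rule the telemetry line triggers (usually zero or one)."""
    return [name for name, rx in RULES if rx.search(text)]

def detect(events, min_distinct_rules=3):
    """Map host -> sorted distinct rule names, for hosts at or above the threshold.
    A lone hit may be legitimate admin work; several distinct ones on one host is
    the consolidated z1.bat pattern the report describes."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_rules(ev["text"]))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct_rules}

# Constructed sample telemetry: hosts, values and ordering are invented for the demo.
SAMPLE_EVENTS = [
    {"host": "FS01", "text": r"sc config WinDefend start= disabled"},
    {"host": "FS01", "text": r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                             r"\Image File Execution Options\sethc.exe\Debugger Details=cmd.exe"},
    {"host": "FS01", "text": r"net share D=D:\ /GRANT:Everyone,FULL"},
    {"host": "FS01", "text": r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                             r"\Policies\System\EnableLUA Details=DWORD (0x00000000)"},
    {"host": "FS01", "text": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "text": r"wevtutil cl Security"},
    {"host": "ADMIN-PC", "text": r"wevtutil cl Application"},  # single hit: stays below threshold
    {"host": "WS07", "text": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

Feed real Sysmon Event ID 1 command lines and Event ID 13 TargetObject/Details pairs into the `text` field and tune `min_distinct_rules` to the noise level of your environment.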
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.