A misconfigured server on a Russian hosting provider has exposed the full operational toolkit of a TheGentlemen ransomware affiliate. The exposed material includes victim credentials and the authentication tokens the affiliate used to establish covert remote-access tunnels.
Ransomware-as-a-Service Operations
TheGentlemen operates as a Ransomware-as-a-Service (RaaS): affiliates carry out the intrusions using tooling and infrastructure shared by the group. The group has been identified in attacks on organizations in the Americas, Europe, and the Middle East, and its payloads target Windows, Linux, and ESXi environments.
The group moves quickly, with the interval between initial access and full encryption measured in hours. The significance of this exposure lies in the server's contents, which included not only the operational tools themselves but also evidence of their deployment against real victims.
Details of the Exposed Server
The exposed server, at IP address 176.120.22[.]127, served an open directory over HTTP on port 80 and sat on Proton66 OOO infrastructure. That autonomous system has previously been associated with SuperBlack ransomware, WeaXor, and XWorm campaigns. The directory held 126 files across 18 subdirectories, roughly 140 MB of operational data.
Hunt.io analysts found the open directory on March 12, 2026, while examining indicators of compromise from an earlier CyberXTron report on TheGentlemen ransomware. The server had been active for at least 24 days before analysis and exposed a range of malicious scripts used to exploit and reconfigure compromised systems.
Analysis of Malware Scripts
Hunt.io's analysis classified the scripts on the server as malicious and sorted them into two primary groups: exploit scripts, which modify security settings and escalate privileges, and config scripts, which contain sensitive authentication tokens. The AI-driven analysis flagged credential dumping, the disabling of security defenses, and the establishment of persistence mechanisms.
Among these scripts, z1.bat stood out for the breadth of its pre-encryption preparation, the step that makes rapid ransomware deployment possible. The script systematically stops and disables services belonging to a long list of security vendors so that the ransomware payload can encrypt files without interference.
The script also purges registry entries belonging to security products, creates open SMB shares to give the payload network-wide reach, abuses Windows accessibility tools to plant a persistent backdoor, and deletes system restore points so that recovery without paying is harder.
Security Recommendations
Security teams should monitor for the behaviors this toolkit produces: Windows Defender state changes (real-time protection or policy keys being switched off), bulk event-log clearing, and non-system processes opening handles to LSASS memory. On the network side, block connections to the exposed IP and watch for ngrok tunnel activity, including the agent binary itself and DNS lookups for ngrok domains.
To limit the impact of similar intrusions, organizations should enable Credential Guard, maintain offline backups, enforce endpoint tamper protection, and apply application allow-listing that blocks execution from user-writable directories. Regular audits of Group Policy Objects for unauthorized changes are also recommended.
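The detections above, and the z1.bat behaviors they target, can be expressed as simple rules over endpoint telemetry. The following is an added example written for this article; it is not code from Hunt.io, CyberXTron, or the toolkit itself. Because the page does not reproduce the exact service names, registry keys, or commands in z1.bat, the patterns cover the techniques the article names using well-known command forms (sc/net stop, wevtutil cl, net share /grant:everyone, IFEO debugger keys for accessibility tools, vssadmin delete shadows, Sysmon ProcessAccess on lsass.exe, ngrok DNS lookups) and should be treated as a starting point to tune against your own logs. The sample events are constructed, not captured.

```python
"""Behavioural detections for z1.bat-style pre-encryption steps, run over
constructed Sysmon/Windows event records. Added illustration only; the
command and registry patterns are assumptions based on common tradecraft,
not the contents of the exposed server."""
import re
from collections import Counter

# Constructed sample telemetry using Sysmon-style field names (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c sc stop "Sophos MCS Agent" & sc config SAVService start= disabled'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Channel": "Security"},  # Security audit log cleared
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net share C$=C:\ /grant:everyone,full"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\pd.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},  # benign: no VM_READ bit, trusted source
    {"EventID": 22, "Image": r"C:\ProgramData\ng.exe", "QueryName": "tunnel.us.ngrok.com"},  # renamed agent
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Hypothetical vendor list; extend with the products deployed in your estate.
SERVICE_TAMPER = re.compile(
    r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config|delete)\b.*?"
    r"(?:defender|sophos|sav|mcafee|symantec|sentinel|crowdstrike|carbon ?black|cylance|"
    r"kaspersky|eset|trend ?micro|bitdefender|malwarebytes|avast|avira|webroot)", re.I)
DEFENDER_POLICY = re.compile(
    r"\\Windows Defender\\(?:[^\\]+\\)*Disable(?:AntiSpyware|RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)$", re.I)
LOG_CLEAR_CMD = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
OPEN_SHARE = re.compile(r"\bnet1?(?:\.exe)?\s+share\b.*?/grant:\s*everyone", re.I)
IFEO_ACCESSIBILITY = re.compile(
    r"Image File Execution Options\\(?:sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe\\Debugger$", re.I)
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b|"
    r"\bbcdedit(?:\.exe)?\b.*?recoveryenabled\s+no\b|\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)
NGROK_CMD = re.compile(r"\bngrok(?:\.exe)?\s+(?:tcp|http|tls|start|tunnel)\b", re.I)
NGROK_DOMAIN = re.compile(r"(?:^|\.)ngrok(?:-free|-agent)?\.(?:io|com|app)$", re.I)
# Processes that legitimately touch LSASS; tune for your EDR/AV agents.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "lsm.exe", "services.exe", "msmpeng.exe", "svchost.exe"}
PROCESS_VM_READ = 0x10  # the access right needed to read credential material


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules(e):
    """Yield the name of every detection rule the event matches."""
    eid, cmd = e.get("EventID"), e.get("CommandLine", "")
    if eid == 1 and SERVICE_TAMPER.search(cmd):
        yield "security_service_tamper"
    # Defender event 5001 = real-time protection disabled; Sysmon 13 = policy key set to 1.
    if eid == 5001 or (eid == 13 and DEFENDER_POLICY.search(e.get("TargetObject", ""))
                       and "0x00000001" in e.get("Details", "")):
        yield "defender_tamper"
    # 1102 (Security) and 104 (System) are the native "log cleared" events.
    if eid in (1102, 104) or (eid == 1 and LOG_CLEAR_CMD.search(cmd)):
        yield "event_log_clear"
    if eid == 1 and OPEN_SHARE.search(cmd):
        yield "open_smb_share"
    if eid == 13 and IFEO_ACCESSIBILITY.search(e.get("TargetObject", "")):
        yield "accessibility_backdoor"
    if eid == 1 and SHADOW_DELETE.search(cmd):
        yield "restore_point_delete"
    if eid == 10 and _basename(e.get("TargetImage", "")) == "lsass.exe":
        access = int(e.get("GrantedAccess", "0x0"), 16)
        if access & PROCESS_VM_READ and _basename(e.get("SourceImage", "")) not in LSASS_ALLOWED_SOURCES:
            yield "lsass_access"
    # Match on the binary name or command line, and on DNS so a renamed agent is still caught.
    if (eid == 1 and (_basename(e.get("Image", "")) == "ngrok.exe" or NGROK_CMD.search(cmd))) or \
       (eid == 22 and NGROK_DOMAIN.search(e.get("QueryName", ""))):
        yield "ngrok_tunnel"


def detect(events):
    """Return (rule_name, event) pairs for every match across the event stream."""
    return [(name, e) for e in events for name in rules(e)]


def summarize(events):
    """Count matches per rule; useful as a quick triage view."""
    return Counter(name for name, _ in detect(events))


if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        detail = e.get("CommandLine") or e.get("TargetObject") or e.get("QueryName") \
            or e.get("SourceImage") or e.get("Channel")
        print(f"{name:26s} EID {e['EventID']}: {detail}")
```

Two points worth noting when adapting this: the LSASS rule keys on the VM_READ access bit rather than on a fixed mask, because dumpers request a variety of masks (0x1010, 0x1038, 0x1FFFFF) and a trusted-source allow-list is what keeps the noise down; and the ngrok rule deliberately fires on DNS resolution as well as on the process image, since the sample shows the agent renamed to ng.exe, which a filename-only rule would miss.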
