The Gentlemen: 90% Affiliate Payouts, Aggressive Growth
A ransomware group called The Gentlemen has rapidly become the second most active by victim count, according to recent reporting from Krebs on Security. Its strategy is simple and effective: offer affiliates 90 percent of any ransom paid by victims. That is an aggressive commission structure designed to attract capable intruders and scale operations quickly.
It’s working. More affiliates means more attacks. More attacks means more encrypted files, more downtime, more ransom payments.
The security industry's response to groups like The Gentlemen typically follows a familiar pattern: capture a sample of the new variant, analyze it, write a signature, push an update. That process takes time, hours or days. The window between a new variant's release and the moment signature-based antivirus can recognize it is exactly when the attacks land.
And The Gentlemen’s affiliate model makes that window wider. More affiliates means more variants, more customization, more payloads that haven’t been seen before.
Ransomware Requires File Operations — Control the Operations, Stop the Attack
Ransomware has to write the encrypted version of each file back to storage, whether that is a local disk, a removable drive, or a network share. That step is not optional; without it nothing is encrypted, and there is no way around it. (The one thing file-operation control does not address is data an attacker has already copied off the machine; the rules below guard the encryption stage.)
FileSure Defend is a kernel-mode file system filter driver: it sees every file operation before it completes and can allow or deny it. You define rules that control which users, programs, and machines can perform which file operations on which files.
Two rules stop The Gentlemen's ransomware, and any other ransomware variant, at two different points in the attack chain:
Rule 1: Block executable payload delivery
Ransomware delivered by email, browser download, or remote access has to land an executable on disk before it can run. Block unauthorized programs from writing .exe, .dll, .vbs, and .wsh files, and the payload never lands, so encryption never starts.
- File name filter: *.exe, *.dll, *.vbs, *.wsh
- Operations: Write, Create
- Drive type: All
- Allowed programs: Authorized deployment tools, Windows Update, approved software installers
- Result: Email clients, browsers, and remote access tools cannot write executable files. The ransomware payload is blocked before it touches the file system.
Two practical notes on this rule. Treat the four extensions as a starting point: Windows will also run .scr, .cpl, .bat, .cmd, .ps1, .js, .jse, .vbe, .hta and .msi files, so add the types your environment does not legitimately drop. And include Rename / Move in the operations list; otherwise a payload written as invoice.tmp and renamed to invoice.exe passes the rule. This rule narrows the delivery path rather than closing it, since a script that runs in memory or a signed administrative tool abused by an attacker never writes a new executable; that case is what Rule 2 is for.
Rule 2: Detect and block bulk encryption
If a ransomware payload executes anyway (Rule 1 missed it, the payload never touched disk as an executable, or an insider ran it deliberately), it starts rewriting files in bulk. A threshold rule recognizes that modification pattern and blocks further writes from the offending program.
- File name filter: * (all files)
- Operations: Write, Rename / Move
- Drive type: Hard drives, Network drives, Removable drives
- Threshold: 20 matches within 60 minutes
- Result: Ordinary file saves pass without restriction. An encryption run, which rewrites hundreds of files per minute, crosses the threshold within seconds. Every operation after that is blocked, and damage is contained to the files modified before the threshold fired.
Tune this rule before you trust it. Twenty writes in an hour is well inside what a backup agent, Windows Update, a browser cache, or a build job produces, and an Office save is typically a write to a temporary file followed by a rename, so one save counts twice. Count matches per program rather than per machine, put known bulk writers on the rule's allowed-programs list, and check what would have matched during a normal week before you enforce it.
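The two rules above, as an added example that is not FileSure code and not from the page: a small Python policy engine evaluated over a constructed stream of file events. It implements Rule 1 (block executable drops from programs not on an allow-list) and Rule 2 (a per-program sliding-window count of writes and renames that locks the program out once it reaches 20 in 60 minutes). It goes beyond the page's configuration in two ways a practitioner would want: the extension list is longer and a rename to an executable name counts as a drop, and Rule 2 carries an exemption list for known bulk writers. Every program name, path, allow-list entry and event is an assumption constructed for the example; nothing here is captured data or the product's rule format.

```python
"""Rule 1 (executable-drop blocking) and Rule 2 (bulk-modification threshold)
as a small policy engine over a constructed event stream. Added example;
not FileSure code. Names, lists and events are all assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class FileEvent:
    t: float       # seconds on an assumed monotonic clock
    program: str   # image name of the process issuing the operation
    op: str        # "Create", "Write" or "Rename"
    path: str      # target path (destination name for Rename)


# Rule 1. The page lists *.exe, *.dll, *.vbs, *.wsh; extended here with other
# types Windows executes directly. Rename is included so that "write x.tmp,
# rename to x.exe" is still treated as dropping an executable.
EXEC_PATTERNS = ("*.exe", "*.dll", "*.vbs", "*.wsh", "*.vbe", "*.js", "*.jse",
                 "*.hta", "*.scr", "*.cpl", "*.bat", "*.cmd", "*.ps1", "*.msi")
EXEC_OPS = {"Create", "Write", "Rename"}
EXEC_ALLOWED = {"msiexec.exe", "tiworker.exe"}   # hypothetical deployment allow-list

# Rule 2. Threshold and window are the page's values; the exemption list is
# hypothetical and is where known bulk writers (backup agents, updaters) go.
BULK_OPS = {"Write", "Rename"}
BULK_THRESHOLD = 20
BULK_WINDOW = 3600.0
BULK_EXEMPT = {"backup-agent.exe", "tiworker.exe"}


def is_executable_name(path: str) -> bool:
    name = path.rsplit("\\", 1)[-1].lower()
    return any(fnmatch(name, pat) for pat in EXEC_PATTERNS)


class Policy:
    def __init__(self):
        self._recent = defaultdict(deque)  # program -> timestamps of matching ops
        self._tripped = set()              # programs locked out by Rule 2

    def decide(self, ev: FileEvent) -> str:
        prog = ev.program.lower()
        # Rule 1: only allow-listed programs may create, write or rename
        # a file to an executable name.
        if ev.op in EXEC_OPS and is_executable_name(ev.path) and prog not in EXEC_ALLOWED:
            return "BLOCK:rule1"
        # Rule 2: per-program sliding window over writes and renames.
        if ev.op in BULK_OPS and prog not in BULK_EXEMPT:
            if prog in self._tripped:
                return "BLOCK:rule2"
            q = self._recent[prog]
            while q and ev.t - q[0] > BULK_WINDOW:
                q.popleft()                # drop timestamps outside the window
            q.append(ev.t)
            if len(q) >= BULK_THRESHOLD:
                # Block the operation that reaches the threshold and stay
                # tripped: a sliding window alone would hand the process a
                # fresh budget of writes every hour.
                self._tripped.add(prog)
                return "BLOCK:rule2"
        return "ALLOW"


def tally(events) -> dict:
    """Evaluate events in order; return {(program, decision): count}."""
    policy = Policy()
    counts = defaultdict(int)
    for ev in events:
        counts[(ev.program.lower(), policy.decide(ev))] += 1
    return dict(counts)


def sample_events() -> list:
    """Constructed event stream, not captured data."""
    return [
        # Rule 1: mail client drops an .exe; browser writes a .tmp and renames it
        FileEvent(1, "outlook.exe", "Write", r"C:\Users\a\AppData\Local\Temp\invoice.exe"),
        FileEvent(2, "chrome.exe", "Create", r"C:\Users\a\Downloads\setup.tmp"),
        FileEvent(3, "chrome.exe", "Rename", r"C:\Users\a\Downloads\setup.exe"),
        FileEvent(4, "msiexec.exe", "Write", r"C:\Program Files\App\app.dll"),
        # Rule 2: ordinary editing stays far below the threshold
        FileEvent(100, "winword.exe", "Write", r"C:\Users\a\Documents\report.docx"),
        FileEvent(700, "winword.exe", "Write", r"C:\Users\a\Documents\report.docx"),
        # Rule 2: exempt bulk writer
        *[FileEvent(1000 + i, "backup-agent.exe", "Write", rf"D:\bak\f{i}.bak") for i in range(50)],
        # Rule 2: an encryptor rewriting 30 documents in three seconds
        *[FileEvent(2000 + i * 0.1, "encryptor.exe", "Write", rf"C:\Users\a\Documents\d{i}.docx")
          for i in range(30)],
        # Rule 2: 15 writes, a gap longer than the window, 15 more: never trips
        *[FileEvent(3000 + i, "export.exe", "Write", rf"C:\exports\a{i}.csv") for i in range(15)],
        *[FileEvent(7000 + i, "export.exe", "Write", rf"C:\exports\b{i}.csv") for i in range(15)],
    ]


if __name__ == "__main__":
    for key, n in sorted(tally(sample_events()).items()):
        print(f"{key[0]:18} {key[1]:12} {n}")
```

Run it and the encryptor gets 19 files written before the lockout, the mail client's .exe and the browser's .tmp-to-.exe rename are both refused, and the exempt backup agent and the export job (15 files, a pause longer than the window, 15 more) are untouched. The lockout is deliberately sticky rather than purely window-based, since an hourly budget of 19 files is still a slow leak.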
No signature update required. No waiting for your vendor to analyze The Gentlemen’s latest variant. Works on ransomware that doesn’t exist yet, because it doesn’t try to recognize the threat. It just enforces the rules.
Stop Playing Whack-a-Mole
The Gentlemen is the second most active ransomware group by victim count. How many more “most active” groups do we need to see before we stop chasing signatures and start controlling file operations?
FileSure Defend runs on Windows systems from Server 2003 through Server 2022. Quick installation, low overhead, no signature database to maintain.
Start your free 21-day trial at bystorm.com and see it block a simulated ransomware attack in real time.
Source: Who Runs the Ransomware Group ‘The Gentlemen?’
Category: Ransomware
Tags: the gentlemen ransomware, bulk encryption detection, kernel filter driver, file system security, ransomware prevention, executable write blocking, threshold rules