
Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software

2 unique sources, 2 articles

Summary


The Gentlemen ransomware gang is using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and extended detection and response (EDR) processes, exploiting CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors. The ransomware was first observed this summer, and attacks have been observed since then, with the group adapting its tactics mid-campaign. Because the abused driver is legitimate and signed, detection and defense are complicated. The Gentlemen have been exploiting vulnerable, Internet-facing infrastructure and VPNs in their attacks, and use PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. Most recently, on December 26, 2025, the group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer. The attack encrypted documents and temporarily disabled several computer applications, including ERP systems, document management applications, the company's email service, and its website. The company is cooperating with authorities and working to restore its IT systems from backups. Organizations are advised to implement zero-trust controls and monitor for unusual process combinations to defend against these attacks.

Timeline

  1. 29.12.2025 16:26 · 1 article · 23h ago

    Gentlemen Ransomware Targets Romanian Energy Provider

    The Gentlemen ransomware group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer, on December 26, 2025. The attack encrypted documents and temporarily disabled several computer applications, including ERP systems, document management applications, the company's email service, and website. The company's activity was partially affected, but the operation of the National Energy System was not jeopardized. The company is cooperating with authorities and working to restore its IT systems using backups. The impact of the incident is still being assessed, including the possibility of data theft before encryption. The incident was reported to the National Cyber Security Directorate, the Ministry of Energy, and DIICOT.

  2. 11.09.2025 23:42 · 2 articles · 3mo ago

    Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software

    The Gentlemen ransomware gang has been observed using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and extended detection and response (EDR) processes, exploiting CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors. The attacks have been observed since this summer, with the group adapting its tactics mid-campaign. Because the abused driver is legitimate and signed, detection and defense are complicated. The group has been exploiting vulnerable, Internet-facing infrastructure and VPNs in its attacks, and uses PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. The group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer, on December 26, 2025. The attack encrypted documents and temporarily disabled several computer applications. The company is cooperating with authorities and working to restore its IT systems from backups. The impact of the incident is still being assessed, including the possibility of data theft before encryption.


Similar Happenings

Kraken Ransomware Implements System Benchmarking for Encryption Optimization

Kraken ransomware, active since early 2025 and linked to the defunct HelloKitty operation, benchmarks systems to determine the optimal encryption method. The ransomware targets Windows, Linux, and VMware ESXi systems, using temporary files to decide between full or partial encryption. Kraken exploits SMB vulnerabilities for initial access, deploys Cloudflared and SSHFS for data exfiltration, and tunes encryption to system performance to avoid detection. Victims include organizations in the US, UK, Canada, Panama, Kuwait, and Denmark. Kraken also operates a cybercrime forum, 'The Last Haven Board,' and demands ransoms of up to $1 million in Bitcoin. Cisco Talos observed the group in August 2025, detailing intrusions in which SMB flaws were abused for entry, followed by Cloudflared for persistence and SSHFS for data theft before encryption.

Conti Ransomware Member Extradited from Ireland to US

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States and appeared in a Tennessee court on charges related to the Conti ransomware operation. He is accused of conspiring to deploy Conti ransomware, extorting over $500,000 in cryptocurrency from victims in the Middle District of Tennessee, and publishing stolen information. The Conti ransomware operation has been linked to over 1,000 victims worldwide, with ransom payments exceeding $150 million as of January 2022. Lytvynenko faces charges that could lead to 25 years in prison, including 20 years for wire fraud conspiracy and 5 years for computer fraud conspiracy. He was arrested in July 2023 by Irish authorities and detained until his extradition. The Conti group, initially a ransomware operation, evolved into a larger cybercrime syndicate, controlling multiple malware operations. After shutting down, its members have infiltrated other cybercrime groups. The FBI estimates Conti's malware was used in more critical infrastructure attacks than any other ransomware variant.

Flax Typhoon APT Group Exploits ArcGIS for Persistent Access

The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to maintain a persistent backdoor for over a year. Researchers at cybersecurity company ReliaQuest, who investigated the intrusion, have moderate confidence that the threat actor is Flax Typhoon. ArcGIS, a geographic information system (GIS) developed by Esri, supports server object extensions (SOEs) that extend its basic functionality; the software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps.

The target was a public-facing ArcGIS server connected to a private, internal ArcGIS server used for backend computations, a common default configuration. The attackers logged into the public-facing server with valid administrator credentials, compromising a portal administrator account (a weak administrator password gave them their foothold in the network), and reset the account's password. They then deployed a malicious SOE, the JavaSimpleRESTSOE ArcGIS extension modified to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The SOE accepted base64-encoded commands through a REST API parameter (layer) and invoked a REST operation to run them on the internal ArcGIS server via the public portal; the exchange was protected by a hardcoded secret key, so only the attackers could use the backdoor. Through it they created a hidden system directory that became Flax Typhoon's private workspace, and they ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. The malicious SOE persisted even after remediation and patching.

For long-term access the attackers downloaded and installed SoftEther VPN Bridge as a renamed executable, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel on port 443 to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine while blending with legitimate traffic, and it remained active even if the SOE was detected and deleted. Using the VPN connection, the attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data. They specifically targeted two workstations belonging to the organization's IT staff within the scanned subnet, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets to obtain credentials and burrow further into the network, demonstrating the potential for significant operational disruption and data exposure. Flax Typhoon did not use any malware or known malicious files.

ReliaQuest worked with the customer organization and Esri to fully evict the Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. Esri confirmed this is the first time an SOE has been used this way and will update its documentation to warn users of the risk of malicious SOEs. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended that security teams audit and harden such applications and hunt proactively for threats. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, emphasized strong credential hygiene, and recommended multifactor authentication and the principle of least privilege. Flax Typhoon is known for espionage campaigns that establish long-term, stealthy access through legitimate software. The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S., and the Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers.

RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. In late September, a 230% surge in the botnet's attacks was reported, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs. The infected devices are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and for hacking into enterprise networks. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.

Clop extortion campaign targets Oracle E-Business Suite

The **Clop ransomware gang** has escalated its extortion campaign targeting **Oracle E-Business Suite (EBS)**, with the **University of Phoenix breach** now confirmed as one of the largest data theft incidents of 2025, impacting **3.5 million individuals**. The attack, part of a broader wave exploiting the **zero-day vulnerability CVE-2025-61882**, occurred between **August 13–22, 2025**, but went undetected until **November 21**, when the university was listed on Clop’s leak site. Compromised data includes **Social Security numbers, bank account details, and personal identifiers**, though no leaked data has surfaced publicly as of December 23, 2025. This follows Clop’s months-long exploitation of **CVE-2025-61882**, which has breached **over 100 organizations**—including Harvard University, The Washington Post, GlobalLogic, and Barts Health NHS Trust—since August 2025. The gang’s pattern of targeting **enterprise resource planning (ERP) and file transfer platforms** (e.g., Accellion FTA, GoAnywhere MFT, MOVEit Transfer) continues, with the **U.S. Department of State offering a $10 million reward** for ties to foreign state sponsorship. The campaign underscores Clop’s focus on **high-value data exfiltration** via zero-days, often leveraging **third-party vulnerabilities** to compromise multiple victims simultaneously. Oracle has since patched the flaw, but the scale of breaches—now including **educational institutions, healthcare providers, and Fortune 500 companies**—highlights persistent risks in unpatched enterprise systems.