A misconfigured server hosted on a Russian bulletproof hosting provider has exposed the complete operational toolkit of a TheGentlemen ransomware affiliate, including harvested victim credentials and plaintext authentication tokens. This significant data leak offers an unprecedented look into the techniques used by this Ransomware-as-a-Service (RaaS) group, which has been actively targeting organizations globally. The exposed server, identified at IP address 176.120.22[.]127, contained a wealth of material detailing the group’s pre-ransomware deployment tactics.
The server, operating over port 80 on Proton66 OOO infrastructure, was discovered by Hunt.io analysts on March 12, 2026. It held 126 files totaling approximately 140 megabytes, categorized primarily as ‘Exploit’ and ‘Config’ scripts. These scripts detail methods for altering security settings and escalating privileges and, importantly, contain sensitive authentication tokens. The AI-driven analysis flagged routines for credential dumping, disabling security software, clearing event logs, and establishing persistent remote access tunnels.
Deep Dive into TheGentlemen Ransomware Operations Toolkit
The operational material found on the exposed server paints a detailed picture of the attack methodology employed by TheGentlemen ransomware affiliates. The RaaS model allows affiliates to leverage the group’s established tools and infrastructure, leading to widespread attacks across various sectors. The group’s reported capabilities extend to Windows, Linux, and ESXi environments, and their attack timelines are notably rapid, often shifting from initial access to full encryption within hours.
The server contained evidence not only of pre-attack preparation but also of actual deployment against victims. This dual nature of the exposed data makes it a critical resource for cybersecurity professionals seeking to understand and defend against TheGentlemen ransomware. The infrastructure involved, tied to previous campaigns from SuperBlack ransomware, WeaXor, and XWorm, highlights a continued connection to known malicious actors.
Inside the Pre-Ransomware Deployment Script: z1.bat
The most revealing file discovered on the server is a batch script named z1.bat. This 35-kilobyte script appears to consolidate nearly every pre-encryption preparation step into a single execution, designed for maximum impact when speed is paramount. The script systematically targets and disables a wide array of security software and enterprise applications, aiming to create an unimpeded path for ransomware deployment.
According to the analysis, z1.bat initiates its operation by deleting and disabling services associated with over a dozen security vendors, including prominent names like Sophos, Kaspersky, Trend Micro, and McAfee. This broad sweep aims to neutralize endpoint protection measures before they can detect or halt the subsequent stages of the attack. This aggressive approach underscores the affiliates’ intent to ensure full encryption coverage.
Targeting Enterprise Services and Backup Systems
Beyond endpoint security, the script extends its disruptive reach to critical enterprise services. It targets over 30 Microsoft Exchange services, Oracle databases, MySQL instances, multiple Tomcat versions, Veeam backup infrastructure, and Hyper-V. Disabling these services is crucial, as it ensures that the ransomware can encrypt vital data stored within Exchange databases, SQL Server files, and backup vaults without interference.
The script also performs a comprehensive registry cleanup, targeting security product entries from nearly 20 different vendors dating back several years. Furthermore, it creates open SMB shares across all accessible drive letters, from C through K, granting unrestricted access to all users. This configuration allows ransomware running on any compromised host to access and encrypt shared drives across the entire network.
Establishing Persistence and Evading Detection
A classic technique for establishing persistent access is also incorporated into z1.bat. The script installs Image File Execution Options (IFEO) debugger redirects on Windows accessibility tools, such as sethc.exe (Sticky Keys) and utilman.exe, so that launching either tool runs cmd.exe instead. This yields a SYSTEM-level command prompt directly from the Windows login screen, before any user logs in, and creates a backdoor that can survive the removal of other remote access tools.
In conjunction with enabling Remote Desktop Protocol (RDP), disabling Network Level Authentication (NLA), and setting User Account Control (UAC) to off, this persistence mechanism significantly strengthens the attackers’ foothold. The script concludes its preparations by deleting all Volume Shadow Copies, wiping Windows event logs, clearing the Recycle Bin, and terminating all processes with a PID above 1000. This comprehensive cleanup aims to erase any traces of its activity and clear the environment for the ransomware payload.
Proactive Defense Against TheGentlemen Ransomware
Security teams are advised to monitor for specific behaviors indicative of this toolkit’s deployment. On the endpoint, this includes observing PowerRun execution, mass changes to Windows Defender service states, batch-based event log clearing via wevtutil, LSASS memory access consistent with credential dumping tools like Mimikatz, IFEO debugger modifications on accessibility binaries, WDigest registry changes, and the creation of bulk network shares. Network monitoring should focus on blocking connections to 176.120.22[.]127 and detecting ngrok tunnel activity.
Alerts should be triggered by vssadmin.exe Delete Shadows execution, mass service disabling patterns, and EnableLUA registry modifications. For enhanced configuration hardening, organizations should enable Credential Guard, maintain offline immutable backups, activate endpoint tamper protection, audit Group Policy Objects for unauthorized changes to security configurations, and implement application whitelisting for directories where users can write files. The continuous evolution of ransomware tactics necessitates ongoing vigilance and adaptation of defense strategies.
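Detection logic for the endpoint indicators listed above (shadow copy deletion, wevtutil log clearing, IFEO hijacks of accessibility binaries, EnableLUA and WDigest registry changes, mass service disabling and open share creation), as an added example that is not part of the original article or Hunt.io's analysis. It runs over constructed Sysmon-style process and registry events; the host names, command lines and thresholds are made up for the sample, and the accessibility binary list extends beyond the two the article names.

```python
import re
from collections import defaultdict
# IFEO Debugger hijack targets: the page names sethc.exe and utilman.exe, the rest are siblings.
ACCESSIBILITY_BINS = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")
# One hit per matching command line (case-insensitive); SERVICE_KILL is counted per host instead.
CMDLINE_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event_log_clearing", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s", re.I)),
    ("open_share_everyone", re.compile(r"\bnet1?(?:\.exe)?\s+share\s+\S+=[a-z]:\\.*everyone", re.I)),
]
SERVICE_KILL = re.compile(r"\bsc(?:\.exe)?\s+(?:delete|stop|config)\s+\S+", re.I)

def _dword(details):  # Sysmon logs DWORD values as 'DWORD (0x00000001)'; None if not a DWORD
    m = re.search(r"0x([0-9a-f]+)", details or "", re.I)
    return int(m.group(1), 16) if m else None

def check_registry(target, details):
    """Name the rule a registry write matches (IFEO hijack, UAC off, WDigest on), or None."""
    t = target.lower()
    if "\\image file execution options\\" in t and t.endswith("\\debugger") \
            and any(b in t for b in ACCESSIBILITY_BINS):
        return "ifeo_accessibility_hijack"
    if t.endswith("\\policies\\system\\enablelua") and _dword(details) == 0:
        return "uac_disabled"
    if t.endswith("\\wdigest\\uselogoncredential") and _dword(details) == 1:
        return "wdigest_plaintext_creds"
    return None

def detect(events, svc_threshold=10):
    """Run all rules over event dicts; return sorted (host, rule) pairs."""
    hits, svc = set(), defaultdict(int)
    for e in events:
        host = e["host"]
        if e["type"] == "process":
            hits |= {(host, n) for n, rx in CMDLINE_RULES if rx.search(e["command_line"])}
            svc[host] += len(SERVICE_KILL.findall(e["command_line"]))
        elif e["type"] == "registry" and (n := check_registry(e["target_object"], e.get("details", ""))):
            hits.add((host, n))
    hits |= {(h, "mass_service_disable") for h, c in svc.items() if c >= svc_threshold}
    return sorted(hits)

def sample_events():
    """Constructed telemetry (not from the leaked server): WS01 runs z1.bat-like commands, WS02 is benign."""
    proc = lambda h, c: {"host": h, "type": "process", "command_line": c}
    reg = lambda t, d: {"host": "WS01", "type": "registry", "target_object": t, "details": d}
    return [proc("WS01", "sc delete SAVService"), proc("WS01", "sc delete avp"),
            proc("WS01", "sc config MSExchangeIS start= disabled"),
            proc("WS01", "vssadmin.exe Delete Shadows /All /Quiet"), proc("WS01", "wevtutil.exe cl Security"),
            proc("WS01", "net share C=C:\\ /grant:everyone,full"), proc("WS02", "wevtutil.exe qe Security /c:5"),
            reg(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger", "cmd.exe"),
            reg(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
            reg(r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential", "DWORD (0x00000001)")]
```

The service threshold is a tuning knob: z1.bat touches dozens of services, so the default of 10 per host keeps a single administrative `sc config` from alerting, while the individual rules fire on one event.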