Ransomware‑as‑a‑Service Group “The Gentlemen” Deploys Custom Go Backdoors via VPN/Firewall Credential Abuse
What Happened — The Gentlemen, a fast‑growing RaaS operation, has been observed inserting custom Go‑based backdoors and ransomware into victim environments after gaining initial access through vulnerable internet‑exposed VPN/ firewall appliances or by exploiting leaked and weak credentials. Their tactics include deep internal reconnaissance, GPO abuse, and lateral movement via PsExec.
Why It Matters for Compliance & Audit Readiness
- The scenario exemplifies a failure of access‑control safeguards that SOC 2 CC6.1 (Logical Access) is designed to prevent and evidence.
- Continuous monitoring of privileged‑account usage and credential hygiene provides audit‑ready proof that access was appropriately managed.
- Security‑awareness training and credential‑handling policies are essential controls to demonstrate due diligence during a SOC 2 audit.
Who Is Affected — Large enterprises across sectors (technology, finance, critical infrastructure) that expose VPNs, firewalls, or other remote‑access services to the internet.
Recommended Actions
- Review and harden remote‑access configurations; enforce MFA and disable default accounts.
- Implement continuous privileged‑access monitoring and log‑aggregation to capture anomalous GPO or PsExec activity.
- Refresh security‑awareness programs focusing on credential reuse and phishing.
Source: SecureList – The Gentlemen are knocking: custom backdoors and evolving tactics
Technical Notes — Initial access via VPN/firewall exploitation or stolen credentials; custom Go backdoor deployed, later leveraged to drop Go‑based ransomware; lateral movement via GPO deployment and PsExec; reconnaissance tools include SharpADWS, NetScan, Advanced IP Scanner. Source: same as above