
Security researchers identified an open directory hosted on a bulletproof hosting provider, which contained a structured collection of malicious tools, scripts, and stolen data.
Unlike typical malware leaks, this was not a random dump. The server hosted over 120 files organized into multiple folders, covering every stage of a ransomware attack from reconnaissance to final deployment.
The discovery confirms that the toolkit was actively used against victims, as it included credential logs and operational data.
One of the most concerning findings was the presence of Mimikatz output logs containing stolen usernames and NTLM password hashes.
These logs prove that attackers had already compromised real systems and harvested sensitive credentials. This type of access allows threat actors to move laterally across networks and escalate privileges.
Full Attack Toolkit Exposed
The leaked toolkit demonstrates a high level of sophistication and automation. It includes tools for network scanning, privilege escalation, defense evasion, and persistence.
Researchers noted that the toolkit aligns with multiple MITRE ATT&CK techniques, showing a complete ransomware attack lifecycle.

[Main]
Language=Auto
HideWindowOnStartup=0
HideWhenMinimized=0
ManageSettingsShortcut=1
TamperVersion=1
BlockMpcmdrun=1
[Service_List]
WinDefend=2,4
WdFilter=0,4
WdNisDrv=3,4
WdNisSvc=3,4

A key component is a powerful batch script that prepares systems before ransomware deployment.
This script disables security software from multiple vendors, deletes system backups, enables remote access, and clears event logs to remove evidence.
It also creates open network shares, allowing the ransomware to spread quickly across compromised environments.
Additionally, the toolkit includes exposed Ngrok authentication tokens that attackers can use to create hidden remote access tunnels.
As Hunt.io notes, these tunnels bypass firewalls, allowing attackers to maintain control of infected systems. The presence of multiple tokens suggests either multiple operators or redundant access methods.
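As an added example (not code from the article or from the researchers who found the server), the following Python flags a host whose process-creation telemetry shows several of the staging steps the article attributes to the batch script, plus the registration of an Ngrok auth token. The regex patterns and the sample command lines are assumed, Sigma-style approximations of those steps, not the toolkit's own script.

```python
import re

# Assumed, Sigma-style patterns for the staging steps the article describes.
# A single match is noisy (admins clear logs too); the combination is the signal.
STAGE_PATTERNS = {
    # Security software disabled: Defender services set to Start=4 (Disabled) or
    # the sc/Set-MpPreference equivalents
    "disable_security": re.compile(
        r"sc(\.exe)?\s+config\s+(WinDefend|WdFilter|WdNisDrv|WdNisSvc)\s+start=\s*disabled"
        r"|Services\\(WinDefend|WdFilter|WdNisDrv|WdNisSvc)\b.*\bStart\b.*\b4\b"
        r"|Set-MpPreference\s+-Disable\w+\s+\$?true", re.I),
    # System backups deleted
    "delete_backups": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    # Remote access tunnel registered with an Ngrok auth token
    "enable_remote_access": re.compile(r"ngrok(\.exe)?\s+(config\s+add-authtoken|authtoken)\b", re.I),
    # Event logs cleared
    "clear_logs": re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I),
    # Open network share created for lateral spread
    "open_share": re.compile(r"net(\.exe)?\s+share\s+\S+=\S+.*grant:everyone", re.I),
}

def classify(cmdline: str) -> list[str]:
    """Return the staging steps one command line matches (possibly none)."""
    return [name for name, rx in STAGE_PATTERNS.items() if rx.search(cmdline)]

def detect_staging(events, min_stages: int = 3) -> dict[str, list[str]]:
    """events: iterable of (host, command line). Flag hosts hitting >= min_stages distinct steps."""
    seen: dict[str, set[str]] = {}
    for host, cmd in events:
        for stage in classify(cmd):
            seen.setdefault(host, set()).add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample telemetry: WS-07 shows the staging pattern, FS-02 is routine admin work.
SAMPLE_EVENTS = [
    ("WS-07", r"sc.exe config WinDefend start= disabled"),
    ("WS-07", r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f"),
    ("WS-07", r"vssadmin.exe delete shadows /all /quiet"),
    ("WS-07", r"ngrok.exe config add-authtoken <NGROK_TOKEN_PLACEHOLDER>"),
    ("WS-07", r"wevtutil.exe cl Security"),
    ("WS-07", r"net.exe share data=C:\data /grant:everyone,FULL"),
    ("FS-02", r"wevtutil.exe cl Application"),
    ("FS-02", r"net.exe share backups=D:\backups /grant:BackupOperators,READ"),
]

if __name__ == "__main__":
    for host, stages in detect_staging(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} staging steps -> {', '.join(stages)}")
```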
The infrastructure choice is also notable. The server was hosted on a provider previously linked to other malware campaigns, indicating a broader ecosystem supporting ransomware-as-a-service (RaaS) operations.
Overall, this exposure provides rare visibility into how modern ransomware groups operate.
It highlights the importance of securing exposed servers, monitoring credential leaks, and detecting suspicious administrative activity early. As attackers continue to refine their techniques, such discoveries remain crucial for improving cyber defense strategies.
The post Exposed Server Leaks The Gentlemen Ransomware Toolkit and Stolen Credentials appeared first on Cyber Security News.
