{"id":13260,"date":"2026-05-30T10:03:36","date_gmt":"2026-05-30T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/30\/ransomware-uses-system-scheduled-task-to-encrypt-local-drives-with-elevated-privileges\/"},"modified":"2026-05-30T10:03:36","modified_gmt":"2026-05-30T10:03:36","slug":"ransomware-uses-system-scheduled-task-to-encrypt-local-drives-with-elevated-privileges","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/30\/ransomware-uses-system-scheduled-task-to-encrypt-local-drives-with-elevated-privileges\/","title":{"rendered":"Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. <\/p>\n<p class=\"wp-block-paragraph\">Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention. 
<\/p>\n<p class=\"wp-block-paragraph\">Organizations in education, healthcare, transportation, and finance across North America, South America, Europe, Africa, and Asia have already felt its damaging impact.<\/p>\n<p class=\"wp-block-paragraph\">The Gentlemen operates 
as a ransomware-as-a-service (RaaS) platform, meaning its core developers rent access to the malware to other criminals known as affiliates. <\/p>\n<p class=\"wp-block-paragraph\">It first emerged around mid-2025 as a closed group, then opened its doors to affiliates in September 2025. <\/p>\n<p class=\"wp-block-paragraph\">More recently, its operators forged a formal partnership with BreachForums, a well-known cybercriminal marketplace, actively recruiting penetration testers and initial access brokers to carry out attacks on their behalf.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Threat Intelligence, which tracks the group behind the malware as Storm-2697, noted that the operators use double extortion tactics. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgbZBwjYdUW5j13TWQ_uDLbBTGMWLpiz3pozrz1Szl11CFKOJ6C0B0wzZA0hm3DIgvNVD4Vu26MvTEMs89UJ3v1Fykppl_6BL4ufUbmqBmTgR1NECdClFveZIP2B64jElneRAYr_EbxmVF_xmPg43nUdLOJPvfpAOWiiBfeCf-j_Kqf75z82k9prqHa3Gs\/s16000\/Encryption%2520mode%2520command-line%2520arguments%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"Encryption mode command-line arguments (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">Encryption mode command-line arguments (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">They encrypt a <a href=\"https:\/\/cybersecuritynews.com\/hackers-weaponizing-svg-files-to-deliver-pureminer-malware\/\" id=\"128209\" target=\"_blank\" rel=\"noreferrer noopener\">victim\u2019s data and simultaneously steal sensitive files<\/a>, threatening to release the stolen information publicly if the ransom is not paid. 
<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/28\/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor\/\" id=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/28\/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Microsoft said in a report<\/a> shared with\u00a0Cyber Security News (CSN)\u00a0that the threat is already widely adopted and this new partnership could attract an even broader pool of criminal actors going forward.<\/p>\n<p class=\"wp-block-paragraph\">What sets The Gentlemen apart is its layered attack strategy. It disables antivirus tools, deletes backups, clears system logs, and wipes forensic traces before encryption even begins. <\/p>\n<p class=\"wp-block-paragraph\">Once active, it can reach across a network and plant itself on other machines automatically, making containment far more difficult for incident responders and security teams.<\/p>\n<p class=\"wp-block-paragraph\">The ransomware requires a build-specific password to execute, and operators can control nearly every aspect of its behavior through command-line arguments. <\/p>\n<p class=\"wp-block-paragraph\">These options include setting encryption speed, enabling network spreading, and choosing how the malware persists after a reboot. That level of operational control makes it unusually flexible and customizable for a criminal tool deployed at scale.<\/p>\n<h2 id=\"h-ransomware-uses-system-scheduled-task\" class=\"wp-block-heading\"><strong>Ransomware Uses SYSTEM Scheduled Task<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">One of the most technically notable behaviors in The Gentlemen is how it achieves the highest possible system privileges before encrypting local drives. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiebL8YrJvauSOa1_OX9mDpirrk9oA1VsLecFW-UryYxcAR5p0Gtg6lN5DFt2BcGOcKlbvm4F9a_3YxI15wl2uCKWlMNvPNIjI4vDaymGOU4ZMmwHabL9Y0AqvYbB0eF79PFmrZCCObH10ufeW27Fl0rNL4NQUFH62ybpvHrWXBJQbG1pnYrYp22MK_ZJw\/s16000\/The%2520Gentlemen%2520ransomware%25E2%2580%2599s%2520persistence%2520mechanism%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"The Gentlemen ransomware\u2019s persistence mechanism (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">The Gentlemen ransomware\u2019s persistence mechanism (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">When the <a href=\"https:\/\/cybersecuritynews.com\/wanttocry-ransomware-abuses-smb-services\/\" id=\"150538\" target=\"_blank\" rel=\"noreferrer noopener\">ransomware receives the right command-line instruction<\/a>, it creates a Windows scheduled task named\u00a0<code>gentlemen_system<\/code>\u00a0that runs the malware executable under the SYSTEM account, which is the most powerful level of access on a Windows machine.<\/p>\n<p class=\"wp-block-paragraph\">To do this cleanly, it first deletes any existing task with that name, then registers and immediately triggers a fresh one. 
Once running under this elevated context, the malware sets an internal environment variable called\u00a0<code>LOCKER_BACKGROUND=1<\/code>\u00a0to signal that it is operating as a background encryption process with full privileges. <\/p>\n<p class=\"wp-block-paragraph\">This design allows the ransomware to reach and encrypt files that would otherwise be protected or inaccessible to standard user-level accounts.<\/p>\n<h2 id=\"h-self-propagation-across-the-network\" class=\"wp-block-heading\"><strong>Self-Propagation Across the Network<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The Gentlemen does not stop at a single machine. When its spreading feature is activated, it transforms into a self-propagating worm capable of deploying itself to every system it can reach on the local network. <\/p>\n<p class=\"wp-block-paragraph\">It stages its own binary in a shared folder, copies it across administrative network shares, and attempts to execute it on remote hosts using eight different methods simultaneously.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/beyondtrust-privilege-management-for-windows\/\" id=\"118733\" target=\"_blank\" rel=\"noreferrer noopener\">These methods include PsExec, Windows Management Instrumentation<\/a>, scheduled tasks in both user and SYSTEM contexts, Windows services, and PowerShell remoting. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhEYPfRIlfuUr-zl2lPK1g8Qbkjyxplmx22BV-qO1SfqMyV3o3rzIaAY_TKCa4MADLg_yPhleEQq0Wg8JXjFELiiVkenh5AA3OUevQFwbMhFSB0Ji_TS910x9kMV4YU3GjGwMU3T93j6n0ppW5yVvdAWH9762iIUH1rto__l_Pg1sZaa4J56HKNRE6Sofc\/s16000\/The%2520Gentlemen%2520ransomware%25E2%2580%2599s%2520file%2520encryption%2520mechanism%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\" alt=\"The Gentlemen ransomware\u2019s file encryption mechanism (Source - Microsoft)\"><figcaption class=\"wp-element-caption\">The Gentlemen ransomware\u2019s file encryption mechanism (Source \u2013 Microsoft)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The malware attempts 21 separate remote execution operations per target host. 
This redundancy is central to its strategy because even if most methods are blocked, a single successful execution on one new host is enough to restart the entire propagation cycle.<\/p>\n<p class=\"wp-block-paragraph\">Defenders can reduce exposure by enabling 
controlled folder access, turning on cloud-delivered antivirus protection, and blocking process creations originating from PsExec and WMI commands through attack surface reduction rules. <\/p>\n<p class=\"wp-block-paragraph\">Running endpoint detection and response tools in block mode is also strongly recommended, as is configuring automatic attack disruption to contain active threats before they spread further across the environment.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SHA-256<\/td>\n<td><code>22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67<\/code><\/td>\n<td>The Gentlemen ransomware encryptor binary<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td><code>README-GENTLEMEN.txt<\/code><\/td>\n<td>Ransom note dropped in each encrypted directory<\/td>\n<\/tr>\n<tr>\n<td>File Extension<\/td>\n<td><code>.umc16h<\/code><\/td>\n<td>Extension appended to all encrypted files<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td><code>gentlemen.bmp<\/code><\/td>\n<td>Desktop wallpaper bitmap dropped to %TEMP% after encryption
lTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Scheduled Task Name<\/td>\n<td><code>gentlemen_system<\/code><\/td>\n<td>SYSTEM-privileged scheduled task created for elevated encryption\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMe
nuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Scheduled Task Name<\/td>\n<td><code>UpdateSystem<\/code><\/td>\n<td>Persistence scheduled task running payload as SYSTEM at startup\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Scheduled Task 
Name<\/td>\n<td><code>UpdateUser<\/code><\/td>\n<td>Persistence scheduled task running payload as current user at startup\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Registry Key Value<\/td>\n<td>\n<code>GupdateS<\/code>\u00a0(HKLM)<\/td>\n<td>System-wide autorun registry 
persistence key\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Registry Key Value<\/td>\n<td>\n<code>GupdateU<\/code>\u00a0(HKCU)<\/td>\n<td>User-scoped autorun registry persistence key\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>File Path<\/td>\n<td><code>C:Temppsexec.exe<\/code><\/td>\n<td>PsExec binary dropped for lateral movement\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td><code>wipefile.tmp<\/code><\/td>\n<td>Temporary file used for free disk space wiping\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Environment Variable<\/td>\n<td><code>LOCKER_BACKGROUND=1<\/code><\/td>\n<td>Internal flag indicating SYSTEM-context background encryption execution\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<tr>\n<td>Hardcoded Password<\/td>\n<td><code>9VoAvR7G<\/code><\/td>\n<td>Build-specific operator authentication password embedded in analyzed sample\u00a0<a rel=\"noreferrer noopener\" target=\"_blank\" 
href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/df5cadfe-ebc6-487a-a745-283dbcc8876d\/Ransomware-Uses-SYSTEM-Scheduled-Task-to-Encrypt-Local-Drives-With-Elevated-Privileges.pdf?AWSAccessKeyId=ASIA2F3EMEYESR4GMYSA&amp;Signature=U17jOo7HR1LmuipwFaMAY9wWu7I%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJIMEYCIQDvV3EREtTvb5Cs0EPcuzJ1JpbQTwHiup5Cv2OtH%2ByyxgIhAKZ2WhOXy0s%2FAFpT8We2yIX5zic61oltub7Cs%2BRf7PsvKvwECMf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQARoMNjk5NzUzMzA5NzA1IgwYmKNT4DimcGLDIj0q0AQ1PmWxtxBnAHd0%2Bd9lQ63ql10Y2Jd21Som%2BE8evX%2FO1XTaBegB33tN%2BYh%2Fn6WjacxWX%2F08lGnkYaT7uQs2GaDRq0Dujy%2FEYmZv%2Bhp%2B0EVF%2FOxXYfLU0DdGas%2BYR7VtiKjavyuVcKb%2BhqEFCb9idw1GoelYJZW2OBhcSXt7T9dEQshcr2bDwIgFm9XAlUtdh90fqDuk2BAk5weE6xWwfxrunPx8jVKCyDbL%2B%2BcttGg717NU22fihUfXUX6SpJu304J9aE8MGmn%2BUACK2yapZ7AqAWopLuk7jVSgComUBpwXrevuTk42EsUHZOPy4N3aPIf4SXGuXaWQ%2Ff41bOiwmFolMHxHun%2BkXDTP8DgIPmd3%2FZ29TYH7FVhoZfjBjGUWiverd1C533uK%2ByiEZHOsN23MhBoG7maKCvHmi%2BHsu1zG2lhtPelqQZDqSisIRxlNPbSpZK2O58pkr1eWuNHfcK0I0orADJyO5wRTvYTWZ2Vvy6jEcRwAxRwAu00qsG4V7mX8Nyq5svlXDgj%2FuJX92w%2BdvQl86fRiSVwpzbtP3stDW7etv0PFtBuoq5j84fQWNsjbg9uLxuRBBrtTSb8uLtUwSgZHFC6crlYdARSLW8bqSCFh7FF5MU1Sti2P7sMKB8sI8Oxf9KvWJCV7mx5wV7EyF6ZNvoEWb3Wh9KzqfRObDaFIezYDM327%2FTWLRcD5DpInbTsrZ2ICjwl0dC5Qh8EtTyNWeNRio9azOwNWXz1b0EZe9NfN4cI9LPGjXnRVaQY7cEpEV7%2FLQlpbSgvYg8LWMK%2FA5tAGOpcBF4153OT3FMFQJ42nI3VCXUsmI%2BJaB4TSHflSXXFQNLJTG6zaHZvLKBewdqi4tsZc4QVzEH5fuahQBSjUqLkzFySBQlTQFTiFWIRrToU2Xc3l2EQcbcdpMayrIi9YCCC%2Bz0V4BI5jpJWfyA3sb8spQ0Q9eiL8XFkNxnUBoHXhq6ue6N7c3gq3xoxMenuojEtx7xCX2%2B7SrQ%3D%3D&amp;Expires=1780066392\"><\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 90%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> <strong><strong><a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer 
noopener\">Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ransomware-uses-system-scheduled-task\/\">Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/ransomware-uses-system-scheduled-task\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. 
Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13260","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13260"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13260"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13260\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}