
Exposed Server Leaks TheGentlemen Ransomware Toolkit, Credentials and Ngrok Tokens


Exposed Ransomware Toolkit Uncovered on Russian Server

A significant cybersecurity breach has been reported, revealing a fully operational ransomware toolkit called TheGentlemen on an exposed server. The discovery has raised alarms among cybersecurity specialists due to the sensitive information and extensive resources it contains, including victim credentials, ngrok tokens, and a well-structured pre-encryption playbook designed for executing ransomware attacks.

Discovery of the Exposed Server

On March 12, 2026, investigators from Hunt.io uncovered an unauthenticated HTTP server at the IP address 176.120.22[.]127. The server is hosted by Proton66 OOO, a Russian hosting provider notorious for facilitating criminal cyber operations. The analysts found that it hosted 126 files across 18 subdirectories, approximately 140 MB of data in total.

Proton66 is not new to the world of cybercrime; it has previously been linked to various ransomware groups including SuperBlack, WeaXor, and XWorm. The presence of TheGentlemen ransomware toolkit on this server underlines the ongoing challenges that cybersecurity professionals face in combating ransomware-as-a-service ecosystems that thrive in part due to such providers.

Contents of the Exposed Directory

The exposed directory was not merely a random repository of malware. Instead, it contained a well-structured and meticulously maintained toolkit that corresponds to various stages of a ransomware intrusion. Among the key folders, a notable one was named 64-bit_new, housing essential tools specifically designed for 64-bit Windows systems. In addition, there was a PowerRun subfolder intended for privilege escalation, as well as a directory labeled "MIMIMI," which contained Mimikatz logs and related infrastructure.

Root-level binaries featured prominently, with tools such as PC Hunter, PowerTool, RustDesk for remote access, and utilities including 7-Zip, collectively making up around 120 MB of the exposed assets. Automated analysis by Hunt.io flagged the examined scripts as malicious and grouped their behaviour into 21 patterns mapped to the MITRE ATT&CK framework, spanning reconnaissance, privilege escalation, and lateral movement.

The most alarming findings came from the MIMIMI/mimikatz/!logs directory, which held Mimikatz logs capturing credential theft during previous compromises. These logs contained NTLM password hashes, usernames, and other credential artifacts, clear evidence that the toolkit had already been used against real victims.

Alongside these sensitive logs, Hunt.io analysts also identified two ngrok authentication tokens embedded within configuration files. These tokens indicate direct tunnel access to additional network infrastructure utilized by the ransomware operators, presenting opportunities for law enforcement to trace or interrupt the group’s operations.

The z1.bat Pre-Encryption Weapon

Central to the toolkit is a script referred to as z1.bat, characterized as a "one-click" pre-encryption weapon. This 35 KB batch script stages the environment before the ransomware itself is deployed. The same analysis flagged every examined script as malicious and assigned classifications such as Exploit and Config.

The script disables several essential security services across the system, altering registry settings and policies and systematically erasing logs and scan histories from Windows Defender, so that local defenses are neutralized before encryption begins. It also creates wide-open SMB shares that speed the propagation of the ransomware across the network.

The exposure of this Proton66 server provides an unusually comprehensive look at how TheGentlemen affiliates prepare ransomware attacks. Authentic victim credentials sitting alongside purpose-built pre-encryption scripts indicate that this toolkit is an active component of ongoing campaigns rather than experimental software.

Recommendations for Organizations

In light of these developments, organizations are urged to remain vigilant and monitor for any activity related to the Proton66 infrastructure, including any detected ngrok-based tunnel access. It is essential to implement measures such as rapid credential rotation, hardening of Remote Desktop Protocol (RDP) instances, and strict oversight of remote access tools, in order to thwart similar ransomware operations before they can escalate to encryption phases.

Through proactive measures and close monitoring of documented service and registry manipulations, organizations can better position themselves against the growing threat landscape represented by sophisticated ransomware toolkits like TheGentlemen. By understanding these risks, defenders can take steps to disrupt the operational flow of ransomware groups and protect sensitive data from falling into the hands of cybercriminals.
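As an added example (not code from the Hunt.io report or from the toolkit itself), the following PowerShell audit checks a host for the service, registry, Defender and SMB-share changes attributed to z1.bat above, and for the log evidence the recommendations say to monitor. The function name and the choice of services and event IDs are this example's own; it assumes Windows PowerShell 5.1 or later run with local administrator rights.

```powershell
# Added example (not Hunt.io's or the toolkit's code): audits a Windows host for the
# service, registry, Defender and SMB-share changes the article attributes to z1.bat.
function Get-PreEncryptionIndicators {
    param([int]$LookbackHours = 24)
    $findings = New-Object System.Collections.Generic.List[string]
    $since = (Get-Date).AddHours(-$LookbackHours)
    # 1. Defender state: real-time protection off or tamper protection missing.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is disabled') }
    if ($mp -and -not $mp.IsTamperProtected)         { $findings.Add('Defender tamper protection is not enabled') }
    # Policy key that forces Defender off; rarely legitimate outside a managed AV migration.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    if ((Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1) {
        $findings.Add("Policy key $pol\DisableAntiSpyware = 1")
    }
    # 2. Security services stopped or set to Disabled (Defender, firewall, event log).
    foreach ($svc in Get-Service -Name 'WinDefend','MpsSvc','EventLog' -ErrorAction SilentlyContinue) {
        if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
            $findings.Add("Service $($svc.Name) is $($svc.Status) (StartType=$($svc.StartType))")
        }
    }
    # 3. Non-admin SMB shares granting Everyone/Authenticated Users Full or Change access.
    foreach ($share in Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special }) {
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full','Change' -and
            $_.AccountName -match 'Everyone|Authenticated Users'
        } | ForEach-Object {
            $findings.Add("Share $($share.Name) ($($share.Path)) grants $($_.AccessRight) to $($_.AccountName)")
        }
    }
    # 4. Event-log evidence: Defender RTP disabled (5001), audit log cleared (1102),
    #    share created (5142, needs File Share auditing), service start type changed (7040).
    $queries = @(
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 },
        @{ LogName = 'Security'; Id = 1102, 5142 },
        @{ LogName = 'System';   Id = 7040 }
    )
    foreach ($q in $queries) {
        $q.StartTime = $since
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add("$($_.LogName) event $($_.Id) at $($_.TimeCreated)")
        }
    }
    return $findings
}
# Run with local admin rights; each line printed is one indicator to triage.
Get-PreEncryptionIndicators -LookbackHours 24
```

An empty result is not a clean bill of health: it only means none of these specific changes were observed on this host in the lookback window.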
