A new cyber threat, known as The Gentlemen ransomware, has surfaced as a formidable adversary this year. This malware, utilizing strong encryption and a self-propagating mechanism, has the capability to compromise entire corporate networks starting from just one infected device.
The ransomware, developed in the Go programming language and masked with Garble, first emerged around mid-2025. It has since evolved into a comprehensive ransomware-as-a-service operation, posing significant risks to various sectors.
Self-Propagation and Network Infiltration
The distinguishing feature of The Gentlemen ransomware is its ability to extend beyond the initial infected system. Unlike typical ransomware, it actively seeks out additional computers within the same network to infect, transforming a single compromised device into a larger threat vector.
According to a report from Picus Security shared with Cyber Security News, the ransomware employs a meticulous approach, beginning with password validation and privilege escalation. It then proceeds with defense evasion, file encryption, and ultimately, network-wide dissemination.
Industries such as education, transportation, healthcare, and finance across continents, including North America, South America, Europe, Africa, and Asia, have already experienced its impact. The group responsible for this malware has also collaborated with BreachForums to recruit affiliates, broadening the potential pool of attackers.
Advanced Remote Execution Techniques
The Gentlemen ransomware is distinguished by a command line flag known as –spread, which facilitates its self-propagation. Once activated, the infected system becomes a distribution hub, copying its binary into a folder and sharing it over a hidden network share accessible anonymously.
Subsequently, the malware utilizes a legitimate system tool, PsExec, to scan the network for accessible machines, including workstations, servers, and domain controllers. Against each target, it employs scripts to disable security features and weaken defenses before deploying the ransomware payload.
The malware attempts up to 21 remote execution methods per target, relying on file copying, PsExec, scheduled tasks, Windows services, and PowerShell techniques, ensuring further spread if any method succeeds.
Encryption Strategies and Prevention Measures
Before encrypting files, the ransomware deactivates Microsoft Defender, removes forensic logs, and deletes Volume Shadow Copies twice. Additionally, it clears command history and removes backup tools, complicating system restoration.
For encryption, it combines Curve25519 elliptic curve cryptography with the XChaCha20 stream cipher, creating unique keys for each file. This approach makes decryption without attackers’ keys nearly impossible, with encrypted files receiving a specific extension.
Organizations are advised to focus on validating defenses specific to this attack chain rather than relying on generic ransomware protections. Implementing real attack simulations, maintaining offline backups, and monitoring for described commands and behaviors are crucial steps to mitigate this ransomware’s threat.
Despite the challenges posed by The Gentlemen ransomware, strengthening security operations centers and accelerating threat detection can significantly enhance organizational resilience against such sophisticated cyber threats.
