A new ransomware strain, identified as The Gentlemen, is causing significant concern in the cybersecurity sector. Written in the Go programming language and obfuscated with Garble, this ransomware combines robust per-file encryption with a highly effective automatic network propagation mechanism, operating without human intervention.
Global Impact and Ransomware-as-a-Service Model
The Gentlemen has already impacted organizations across sectors such as education, healthcare, transportation, and finance, spanning North America, South America, Europe, Africa, and Asia. It operates as ransomware-as-a-service (RaaS): the developers sell access to the malware to affiliates who run the intrusions. The program was initially closed, but after the strain emerged in mid-2025 it opened to outside affiliates in September 2025, and the operators now work with BreachForums, a notorious cybercriminal marketplace, to recruit penetration testers and initial access brokers.
Double Extortion and Unique Attack Strategy
According to Microsoft Threat Intelligence, which tracks the group as Storm-2697, The Gentlemen uses double extortion: it encrypts data and also steals sensitive information, threatening to publish it if the ransom is not paid. Combined with the program's broad uptake, this poses a significant risk, as the partnership with BreachForums may attract further criminal affiliates.
The ransomware’s attack is multifaceted, disabling antivirus solutions, erasing backups, clearing system logs, and removing forensic traces before encryption. Its self-propagating nature allows it to infiltrate other machines across a network autonomously, complicating containment efforts for security teams.
Technical Sophistication and Network Propagation
One of The Gentlemen's distinctive features is how it obtains elevated privileges. It registers a Windows scheduled task named gentlemen_system that runs under the SYSTEM account, giving the malware access to files that a standard user account could not encrypt. To do so it deletes any existing task with that name, creates a fresh one, and marks the resulting background run with an environment variable.
When activated, The Gentlemen can behave as a worm, deploying itself to every reachable system on the local network. It spreads through shared folders and network shares and launches itself through several execution methods, including PsExec, WMI, and PowerShell remoting, so that blocking one method does not stop the spread.
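The behaviours described in the two paragraphs above (the gentlemen_system task recreated under SYSTEM, and execution through PsExec, WMI and PowerShell remoting) are all visible in ordinary Windows logs. The following detection sketch is an added example written for this article, not code from Microsoft or from any vendor: it runs a few rules over constructed sample events in a JSON-lines form whose field names are assumptions, while the event IDs themselves (4698/4699 task created/deleted, 4688 process created, 7045 service installed) are the standard Windows ones.

```python
import json

# Constructed sample telemetry, not logs from a real Gentlemen incident. The
# field names are an assumed export format; adapt basename()/keys to your SIEM.
SAMPLE_EVENTS = r"""
{"ts": "2025-10-01T02:10:01Z", "host": "ws-07", "event_id": 4699, "task_name": "\\gentlemen_system", "subject_user": "CORP\\jdoe"}
{"ts": "2025-10-01T02:10:02Z", "host": "ws-07", "event_id": 4698, "task_name": "\\gentlemen_system", "subject_user": "CORP\\jdoe", "run_as": "NT AUTHORITY\\SYSTEM"}
{"ts": "2025-10-01T02:10:03Z", "host": "ws-07", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "subject_user": "NT AUTHORITY\\SYSTEM", "run_as": "NT AUTHORITY\\SYSTEM"}
{"ts": "2025-10-01T02:11:40Z", "host": "fs-01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2025-10-01T02:11:41Z", "host": "fs-01", "event_id": 4688, "new_process": "C:\\Windows\\PSEXESVC.exe", "parent_process": "C:\\Windows\\System32\\services.exe"}
{"ts": "2025-10-01T02:12:05Z", "host": "db-02", "event_id": 4688, "new_process": "C:\\Windows\\System32\\cmd.exe", "parent_process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"ts": "2025-10-01T02:12:30Z", "host": "hr-03", "event_id": 4688, "new_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_process": "C:\\Windows\\System32\\wsmprovhost.exe"}
{"ts": "2025-10-01T02:13:00Z", "host": "ws-09", "event_id": 4688, "new_process": "C:\\Windows\\System32\\notepad.exe", "parent_process": "C:\\Windows\\explorer.exe"}
"""

TASK_NAME = "gentlemen_system"        # scheduled task name reported for The Gentlemen
PSEXEC_SERVICE = "psexesvc"           # service name PsExec installs on the target
PSEXEC_IMAGE = "psexesvc.exe"
# Host processes that spawn children for WMI calls and PowerShell remoting.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "wmi_child_process",
    "wsmprovhost.exe": "psremoting_child_process",
}


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Last component of a Windows path or task path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def alert(ev, rule, detail):
    return {"ts": ev["ts"], "host": ev["host"], "rule": rule, "detail": detail}


def detect(events):
    """Return alerts for the task-creation and remote-execution patterns."""
    alerts = []
    deleted_tasks = set()  # (host, task) seen in 4699, for the delete-then-recreate pattern
    for ev in events:
        eid, host = ev["event_id"], ev["host"]
        if eid == 4699:
            deleted_tasks.add((host, basename(ev["task_name"])))
        elif eid == 4698:
            task = basename(ev["task_name"])
            if task == TASK_NAME:
                detail = f"task {task!r} created to run as {ev.get('run_as', '?')}"
                if (host, task) in deleted_tasks:
                    detail += " after a same-named task was deleted"
                alerts.append(alert(ev, "gentlemen_system_task", detail))
        elif eid == 7045 and ev.get("service_name", "").lower() == PSEXEC_SERVICE:
            alerts.append(alert(ev, "psexec_service", "PsExec service installed"))
        elif eid == 4688:
            image = basename(ev["new_process"])
            parent = basename(ev["parent_process"])
            if image == PSEXEC_IMAGE:
                alerts.append(alert(ev, "psexec_process", f"{image} started by {parent}"))
            elif parent in REMOTE_EXEC_PARENTS:
                alerts.append(alert(ev, REMOTE_EXEC_PARENTS[parent], f"{image} spawned by {parent}"))
    return alerts


def affected_hosts(alerts):
    """Sorted list of hosts with at least one alert, i.e. the containment scope."""
    return sorted({a["host"] for a in alerts})


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts']} {a['host']:<6} {a['rule']:<26} {a['detail']}")
    print("hosts to isolate:", ", ".join(affected_hosts(found)))
```

The WMI and PowerShell-remoting rules will also fire on legitimate administration, so in production they are best scored by volume and by whether the same source account touched many hosts in a short window, which is exactly the worm-like fan-out the article describes.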
Defense Strategies and Indicators of Compromise
To mitigate the risk, experts recommend enabling controlled folder access, using cloud-delivered antivirus protection, and turning on the attack surface reduction rule that blocks process creations originating from PsExec and WMI commands. Running endpoint detection and response tools in block mode and configuring automatic attack disruption are also advised.
Indicators of compromise (IoCs) include SHA-256 hashes, file names, extensions, and registry keys associated with The Gentlemen's activity. For instance, the ransomware encryptor binary is identified by a specific SHA-256 hash, and a ransom note titled README-GENTLEMEN.txt is dropped in each affected directory.
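Two of the IoCs named above, the per-directory README-GENTLEMEN.txt note and the encryptor's SHA-256 hash, can be swept for with a short script. The example below is added for this article and is not code from Microsoft or the reporting vendor; the article does not reproduce the actual hash, so KNOWN_BAD_SHA256 is left as a placeholder to be filled from the published IoC list, and the directory tree it scans is a constructed stand-in built in a temporary folder.

```python
import hashlib
import os
import tempfile

RANSOM_NOTE = "README-GENTLEMEN.txt"   # ransom note name reported for The Gentlemen
# Placeholder: the article does not reproduce the encryptor hash. Load the
# published SHA-256 value(s) here before running this against real hosts.
KNOWN_BAD_SHA256 = set()


def sha256_file(path, chunk=1 << 16):
    """Streamed SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_ransom_notes(root):
    """Directories under root that contain the ransom note (case-insensitive).

    The list doubles as the set of directories whose files must be treated
    as encrypted when scoping recovery.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if any(fn.lower() == RANSOM_NOTE.lower() for fn in filenames):
            hits.append(_rel(dirpath, root))
    return sorted(hits)


def find_known_binaries(root, known_hashes):
    """Files under root whose SHA-256 is in known_hashes."""
    if not known_hashes:
        return []
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if sha256_file(path) in known_hashes:
                matches.append(_rel(path, root))
    return sorted(matches)


def build_sample_tree():
    """Constructed layout standing in for a hit file server; returns (root, hash).

    Two directories carry the note (one with mixed case, to show the
    case-insensitive match), and one file is a constructed stand-in for the
    encryptor whose hash is returned so the caller can use it as 'known bad'.
    """
    root = tempfile.mkdtemp(prefix="gentlemen-sweep-")
    layout = {
        "finance": ["budget.xlsx", RANSOM_NOTE],
        "hr/records": ["staff.docx", "readme-gentlemen.TXT"],
        "it/tools": ["inventory.csv"],
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for fn in files:
            with open(os.path.join(d, fn), "wb") as f:
                f.write(b"constructed sample content for " + fn.encode())
    sample_bin = os.path.join(root, "it", "tools", "svc_update.exe")
    with open(sample_bin, "wb") as f:
        f.write(b"MZ constructed placeholder, not the real binary")
    return root, sha256_file(sample_bin)


if __name__ == "__main__":
    root, sample_hash = build_sample_tree()
    print("directories with ransom note:", find_ransom_notes(root))
    print("hash matches:", find_known_binaries(root, KNOWN_BAD_SHA256 | {sample_hash}))
```

Because the note is written after encryption completes, its presence in a directory is a reliable "already hit" marker, while a hash match on the binary is what tells you the encryptor itself is still on disk and the host needs to be isolated rather than just restored.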
