A sophisticated new ransomware group known as “Gentlemen” has emerged as a significant threat to global enterprise security, employing a ruthless double extortion model that combines data theft with advanced encryption protocols.
First identified in August 2025, the group has rapidly escalated its operations, impacting organizations across 17 countries in North America, South America, the Middle East, and the Asia-Pacific (APAC) region.
The attackers primarily target medium- to large-sized enterprises in critical sectors such as manufacturing, construction, healthcare, and insurance.
Gentlemen distinguishes itself through highly targeted attacks rather than indiscriminate campaigns.
Security researchers have categorized it as one of the most active emerging threats of late 2025 due to its rapid expansion and sophisticated internal propagation procedures.
The group employs tactics characteristic of advanced persistent threats (APTs), including Group Policy Object (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security solutions.
Once inside a network, the ransomware executes a precise initial routine designed to cripple defensive measures.
This includes disabling Windows Defender, terminating backup services such as Veeam, and stopping database processes like MSSQL and MongoDB to ensure files are not locked during the encryption phase.
The malware also deletes system logs and traces to hinder post-incident forensics. While currently operating as a cohesive unit, it remains unclear if Gentlemen utilizes a Ransomware-as-a-Service (RaaS) model or is a rebranding of a defunct criminal syndicate.
Technical Sophistication
Developed in the Go programming language, the Gentlemen ransomware exhibits high-level anti-analysis behaviors. A defining feature of this strain is its requirement for a specific password argument upon execution.
If the correct password is not provided via the command line, the malware immediately terminates. This failsafe prevents security researchers and automated sandboxes from analyzing the payload in uncontrolled environments.
The ransomware offers granular control over its impact through various command-line arguments, allowing operators to specify encryption speeds, target directories, and network propagation methods.
| Argument | Description |
|---|---|
| --password PASS | Required password to execute the ransomware; termination occurs if incorrect. |
| --path DIRS | Specifies particular directories and disks to target for encryption. |
| --T MIN | Sets a delay timer before the encryption process begins. |
| --silent | Prevents the renaming of files after they have been encrypted. |
| --system | Limits encryption to local drives only. |
| --shares | Targets only mapped network drives and available UNC shares. |
| --full | Combines targeting of both local drives and network shares. |
| --fast | Encrypts 9% of the file content for rapid impact. |
| --superfast | Encrypts 3% of the file content. |
| --ultrafast | Encrypts only 1% of the file content. |
Advanced Encryption Mechanisms
The cryptographic architecture of Gentlemen is robust, combining the X25519 key exchange with the XChaCha20 stream cipher.

The malware decodes an embedded public key in memory and generates a shared secret using a random number and X25519 operations. This shared secret derives the key for the XChaCha20 stream cipher, which performs the actual file encryption.
Uniquely, the malware generates a new key and nonce for every file it encrypts, maximizing the difficulty of decryption without the threat actor’s private key.

To optimize performance on large datasets, Gentlemen employs an intermittent encryption strategy that depends on file size. If a file is smaller than 0x100000 bytes (about 1 MB), it is encrypted entirely; larger files undergo selective encryption of specific segments.

Following encryption, the malware drops a ransom note titled README-GENTLEMEN.txt, threatening to leak stolen data on the group’s Data Leak Site (DLS) if the victim does not engage in negotiations.
Security teams are advised to monitor for these specific execution parameters and anomalous GPO activities to detect this threat early.
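As an added example for the detection advice above (not code from the original article or from any vendor), this Python triage script scores constructed process-creation events against the indicators the article lists: the launch-flag combination and the pre-encryption stops of Veeam, MSSQL and MongoDB services. The double-dash form of the flags and the use of WinDefend as Defender's service name are assumptions.

```python
import re
import shlex
from dataclasses import dataclass

# Launch flags from the article's table (double-dash form assumed), lower-cased for matching.
GENTLEMEN_FLAGS = {"--password", "--path", "--t", "--silent", "--system",
                   "--shares", "--full", "--fast", "--superfast", "--ultrafast"}
# Fragments of service names the article says are stopped before encryption
# (Veeam, MSSQL, MongoDB) plus WinDefend, Defender's service name (an assumption).
TARGET_SERVICES = ("veeam", "mssql", "mongodb", "windefend")
SERVICE_STOP = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\b")

@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    cmdline: str

def _tokens(cmdline: str) -> list[str]:
    # Windows quoting is not POSIX, but non-POSIX shlex splitting is adequate for flag tokens.
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()

def classify(host: str, cmdline: str) -> list[Finding]:
    """Return findings for one process-creation event (empty list if nothing matches)."""
    findings = []
    hits = {t.lower() for t in _tokens(cmdline)} & GENTLEMEN_FLAGS
    # "--password" alone is common in legitimate tooling; require it plus a second
    # Gentlemen flag (a scope or speed selector) before flagging the launch.
    if "--password" in hits and len(hits) >= 2:
        findings.append(Finding(host, "gentlemen launch flags: " + " ".join(sorted(hits)), cmdline))
    low = cmdline.lower()
    if SERVICE_STOP.search(low) and any(s in low for s in TARGET_SERVICES):
        findings.append(Finding(host, "pre-encryption service stop", cmdline))
    return findings

def scan(events: list[dict]) -> list[Finding]:
    """Run classify() over {'host': ..., 'cmdline': ...} events, e.g. scan(SAMPLE_EVENTS)."""
    return [f for e in events for f in classify(e["host"], e["cmdline"])]
# Constructed sample events (not real telemetry): two benign, two matching the article's pattern.
SAMPLE_EVENTS = [
    {"host": "fs01", "cmdline": 'mysql.exe --user=app --password=secret -e "select 1"'},
    {"host": "fs01", "cmdline": r"C:\Windows\System32\net.exe stop spooler"},
    {"host": "fs01", "cmdline": r"C:\Windows\Temp\svc.exe --password Pa55 --full --superfast"},
    {"host": "db02", "cmdline": r"sc.exe stop VeeamBackupSvc"},
]
```

Feed it Sysmon Event ID 1 or Windows 4688 command lines; the benign mysql and spooler events are not flagged, while the two Gentlemen-pattern events are.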