GBHackers

Go-Based Gentlemen Ransomware Uses PsExec, WMIC, and PowerShell Remoting for Network Propagation


Gentlemen, a Go-based ransomware-as-a-service (RaaS) active since mid-2025, has distinguished itself with a potent combination of modern cryptography, aggressive worm-like propagation, and a broad toolkit for remote execution.

Operators offer the platform to affiliates, and recent recruitment ties to major breach forums appear to have expanded its reach since the affiliate program launch in late 2025.

Technically, Gentlemen is notable for three capabilities that increase both impact and survivability: per-file ephemeral-key encryption using Curve25519 and XChaCha20, an extensive defense-evasion sequence that sabotages recovery and detection, and a self-propagation module that tries up to 21 remote-execution techniques per target host.

The hybrid encryption scheme generates a new Curve25519 ephemeral key pair for every file, derives an ECDH shared secret with an embedded operator public key, and uses that secret as the XChaCha20 key while taking the nonce from the ephemeral public key.

The ephemeral public key is appended to the encrypted file footer, enabling decryption only for an actor who possesses the operator’s private key.

Files are renamed with the .umc16h extension; small files are fully encrypted while large files receive multiple encrypted chunks with per-chunk nonce variation to avoid keystream reuse.

AttributeDetail
Malware typeRansomware-as-a-service (RaaS) with worm-like self-propagation
First seenAround mid-2025 (RaaS affiliate program launched September 2025)
Language and packingWritten in Go, obfuscated with Garble
Target platformWindows environments
Encryption schemeHybrid Curve25519 elliptic-curve cryptography with the XChaCha20 stream cipher, using unique per-file ephemeral keys
Encrypted file extension.umc16h
Ransom noteREADME-GENTLEMEN.txt
Industries targetedEducation, transportation, healthcare, and financial services
Regions affectedNorth America, South America, Europe, Africa, and Asia

This design yields fast, robust encryption with strong per-file uniqueness, complicating offline recovery.

Researchers in Picussecurity said, Gentlemen, Written in Go and obfuscated with Garble, Gentlemen targets Windows environments across education, transportation, healthcare, and financial sectors on five continents.

Go-Based Gentlemen Ransomware

On initial execution, Gentlemen requires an operator-supplied password and can elevate to SYSTEM via scheduled-task creation when the –system or –full flags are used.

Before encryption begins, the malware runs an automated defense-evasion routine: it disables Microsoft Defender access and adds broad exclusions, deletes Volume Shadow Copies and prefetch artifacts, wipes logs and PowerShell histories, and terminates services and processes for databases, backup solutions, EDR agents, and virtualization platforms.

The propagation module is where Gentlemen behaves like a worm. When invoked with –spread (using explicit credentials or the current session token), the infected host copies the binary to C:Temp, exposes a hidden anonymous SMB share, drops PsExec, and enumerates reachable systems.

Against each target it first executes a compact PowerShell “defense-evasion blob” remotely to disable Defender, firewall profiles, enable legacy SMB1, and relax anonymous-access registry values.

It then attempts a sequence of remote-execution methods remote file copy to administrative shares, PsExec, WMIC, scheduled tasks, service creation, PowerShell remoting (WinRM), and direct WMI process creation up to 21 distinct operations per host.

This redundancy is intentional: even hardened networks frequently have at least one enabled vector that allows lateral movement.

Operators combine encryption with data theft for double extortion: exfiltrated data is threatened with public release if ransom demands are not met.

The Picus Platform includes modules to simulate Gentlemen ransomware attacks across both network infiltration and email infiltration vectors, enabling defenders to validate controls against its tactics.

Detection and mitigation should focus on reducing the available lateral vectors and limiting credential reuse: enforce least privilege and segmentation, disable legacy SMB1, block or restrict administrative shares and remote execution tools, apply robust EDR with behavioral detections for mass file access.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.



Source link