Threat intelligence researchers have identified a new ransomware-as-a-service (RaaS) operation called The Gentlemen’s RaaS, for which an operator using the handle zeta88 is actively recruiting affiliates on underground hacking forums.
The offering is cross-platform: affiliates receive dedicated encryption lockers for Windows, Linux and ESXi systems, written in Go and C.
This development underscores the continued commercialization of ransomware operations targeting enterprise infrastructure across multiple operating systems.
The Gentlemen’s RaaS is employing an unusually favorable affiliate program designed to attract experienced threat actors and organized crime groups.
The operator is offering affiliates a 90 percent share of ransom proceeds, retaining only a 10 percent operational fee.
That split is more generous than most competing RaaS programs, where operator fees of 20 to 30 percent are common, and suggests the operator is confident in the platform's technical infrastructure and in its ability to attract affiliates who bring in victims.
Crucially, the affiliate program grants partners complete control over ransom negotiations, allowing them to manage communications and extortion tactics independently while the operator handles the technical backend and victim data hosting.
Technical Architecture and Encryption
The technical specifications of The Gentlemen’s RaaS reveal careful engineering across multiple platforms.
The Windows and Linux locker, developed in Go, targets a broad range of systems including network-attached storage (NAS) and BSD systems. The ESXi locker, coded in C, is approximately 32 kilobytes, a small footprint that makes it easy to stage on hypervisors where little tooling is available.
Both lockers are advertised as using XChaCha20 encryption with Curve25519 (X25519) key exchange and an ephemeral key generated for every file. In that construction the locker embeds only the operator's public key: each file key is derived from a fresh ephemeral key pair and the operator's public key, so recovering one file's key from memory does not decrypt the others, and no decryptor can be built from the locker binary alone.
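The per-file construction those primitives imply, as an added example that is not code from the page or from the locker itself: X25519 (RFC 7748) and XChaCha20 (HChaCha20 subkey plus ChaCha20, per draft-irtf-cfrg-xchacha) are implemented in pure Python so the block runs without third-party packages. The header layout (tag, ephemeral public key, 24-byte nonce, ciphertext), the SHA-256 key derivation and all names are assumptions for the demo; only the primitives are from the page. Poly1305 is omitted because the page names XChaCha20 only.

```python
import hashlib
import os
import struct

# ---- X25519 (RFC 7748 Montgomery ladder) ----
P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31

def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = _clamp(scalar)
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ---- ChaCha20 block function, HChaCha20 and the XChaCha20 stream ----
_SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)
_M = 0xFFFFFFFF

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _M; s[d] ^= s[a]; s[d] = ((s[d] << 16) | (s[d] >> 16)) & _M
    s[c] = (s[c] + s[d]) & _M; s[b] ^= s[c]; s[b] = ((s[b] << 12) | (s[b] >> 20)) & _M
    s[a] = (s[a] + s[b]) & _M; s[d] ^= s[a]; s[d] = ((s[d] << 8) | (s[d] >> 24)) & _M
    s[c] = (s[c] + s[d]) & _M; s[b] ^= s[c]; s[b] = ((s[b] << 7) | (s[b] >> 25)) & _M

def _rounds(state):
    s = list(state)
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return s

def _words(b: bytes) -> list:
    return list(struct.unpack("<%dI" % (len(b) // 4), b))

def _chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    state = list(_SIGMA) + _words(key) + [counter] + _words(nonce12)
    return struct.pack("<16I", *[(w + s) & _M for w, s in zip(_rounds(state), state)])

def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    # Subkey from the first 16 nonce bytes: rows 0 and 3 of the state, no final addition.
    w = _rounds(list(_SIGMA) + _words(key) + _words(nonce16))
    return struct.pack("<8I", *(w[:4] + w[12:]))

def xchacha20_xor(key: bytes, nonce24: bytes, data: bytes) -> bytes:
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]  # last 8 nonce bytes behind a zero prefix
    out = bytearray(data)
    for i in range(0, len(data), 64):
        ks = _chacha20_block(subkey, i // 64, nonce12)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

# ---- Per-file envelope. Header layout and KDF are assumptions for this demo. ----
HEADER_TAG = b"DEMO"  # hypothetical marker, not an artefact of any real sample

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def _file_key(shared: bytes, eph_pub: bytes, op_pub: bytes) -> bytes:
    # Hypothetical KDF: bind the key to both public keys so every file key is distinct.
    return hashlib.sha256(shared + eph_pub + op_pub).digest()

def encrypt_file(plaintext: bytes, op_pub: bytes) -> bytes:
    eph_priv, eph_pub = keypair()  # fresh per file; the locker ships op_pub only
    key = _file_key(x25519(eph_priv, op_pub), eph_pub, op_pub)
    nonce = os.urandom(24)
    # eph_priv and key are dropped after this call: only op_priv can rebuild key
    return HEADER_TAG + eph_pub + nonce + xchacha20_xor(key, nonce, plaintext)

def decrypt_file(blob: bytes, op_priv: bytes) -> bytes:
    if blob[:4] != HEADER_TAG:
        raise ValueError("not a demo envelope")
    eph_pub, nonce, ciphertext = blob[4:36], blob[36:60], blob[60:]
    op_pub = x25519(op_priv, BASEPOINT)
    key = _file_key(x25519(op_priv, eph_pub), eph_pub, op_pub)
    return xchacha20_xor(key, nonce, ciphertext)
```

The point for defenders is in `encrypt_file`: the ephemeral private key and the derived file key exist only for the duration of one call, and nothing in the output can be reversed without the operator's private key. A "universal decryptor" for such a scheme is that private key plus this `decrypt_file` loop; memory forensics on an infected host can at best recover the key of the file being written at the moment of capture.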

The ransomware employs multiple sophisticated propagation mechanisms to spread laterally across compromised networks.
Self-propagation capabilities leverage Windows Management Instrumentation (WMI), WMIC, scheduled tasks (SCHTASKS), service controller (SC), and PowerShell remoting to move between systems without requiring user interaction.
For persistence, the malware establishes run-on-boot execution through scheduled tasks and registry modifications, so the locker survives reboots of infected systems.
Automated network reconnaissance enables comprehensive share discovery and encryption, systematically identifying and encrypting accessible network resources.
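The tooling listed above (WMIC, SCHTASKS, SC, PowerShell remoting, run keys, share enumeration) is ordinary Windows administration; what marks it as self-propagation is one source host fanning out remote execution to many targets in a short window. The following hunt logic is an added example, not code from the page or from any vendor product: it scores constructed process-creation records (Sysmon Event ID 1 or Security 4688 style) on that fan-out pattern and attaches the persistence and discovery activity seen from the same host. Host names, command lines and the fan-out threshold are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed process-creation records, not from a real incident.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'wmic /node:"FS02" /user:CORP\svc_backup process call create "cmd /c \\FS02\c$\lock.exe"'},
    {"host": "WS01", "cmdline": r'schtasks /create /s FS03 /tn Updater /tr C:\ProgramData\lock.exe /sc onstart /ru SYSTEM'},
    {"host": "WS01", "cmdline": r'sc \\DC01 create lock binPath= C:\ProgramData\lock.exe start= auto'},
    {"host": "WS01", "cmdline": r'powershell -nop -w hidden -c "Invoke-Command -ComputerName APP04 -ScriptBlock { Start-Process C:\ProgramData\lock.exe }"'},
    {"host": "WS01", "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v lock /t REG_SZ /d C:\ProgramData\lock.exe'},
    {"host": "WS01", "cmdline": r'schtasks /create /tn WinUpdate /tr C:\ProgramData\lock.exe /sc onstart /ru SYSTEM /f'},
    {"host": "WS01", "cmdline": r'net view \\FS02'},
    {"host": "ADM01", "cmdline": r'sc \\FS02 query spooler'},  # benign: remote query, not create
    {"host": "ADM01", "cmdline": r'schtasks /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag'},
    {"host": "ADM01", "cmdline": r'wmic os get caption'},
]

HOST = r'"?(?P<target>[\w.-]+)"?'  # optional quoting around a hostname or IP
RULES = [
    ("wmic_remote_exec",       re.compile(r'\bwmic\b(?=.*?/node:' + HOST + r')(?=.*?process\s+call\s+create)', re.I)),
    ("schtasks_remote_create", re.compile(r'\bschtasks\b(?=.*?/create\b)(?=.*?/s\s+' + HOST + r')', re.I)),
    ("sc_remote_service",      re.compile(r'\bsc(?:\.exe)?\s+\\\\' + HOST + r'\s+(?:create|config|start)\b', re.I)),
    ("psremoting_exec",        re.compile(r'\bInvoke-Command\b.*?-ComputerName\s+' + HOST, re.I)),
    ("schtasks_boot_persist",  re.compile(r'\bschtasks\b(?=.*?/create\b)(?=.*?/sc\s+(?:onstart|onlogon)\b)', re.I)),
    ("registry_run_key",       re.compile(r'\breg(?:\.exe)?\s+add\b.*?\\CurrentVersion\\Run\b', re.I)),
    ("share_enumeration",      re.compile(r'\bnet(?:\.exe)?\s+view\s+\\\\' + HOST, re.I)),
]
REMOTE_EXEC = {"wmic_remote_exec", "schtasks_remote_create", "sc_remote_service", "psremoting_exec"}
PERSISTENCE = {"schtasks_boot_persist", "registry_run_key"}

def classify(cmdline: str):
    """Return [(rule_name, target_or_None)] for every rule the command line matches."""
    hits = []
    for name, rx in RULES:
        m = rx.search(cmdline)
        if m:
            target = m.groupdict().get("target")
            hits.append((name, target.upper() if target else None))
    return hits

def hunt(events, fanout_threshold: int = 3):
    """Flag each source host that pushes remote execution to at least fanout_threshold
    distinct targets (the self-propagation pattern), with its persistence and discovery hits."""
    per_host = defaultdict(lambda: {"targets": set(), "persistence": set(), "discovery": set()})
    for ev in events:
        for name, target in classify(ev["cmdline"]):
            rec = per_host[ev["host"]]
            if name in REMOTE_EXEC:
                rec["targets"].add(target)
            elif name in PERSISTENCE:
                rec["persistence"].add(name)
            else:
                rec["discovery"].add(target)
    return [
        {"host": h, "targets": sorted(r["targets"]), "persistence": sorted(r["persistence"]),
         "discovery": sorted(r["discovery"])}
        for h, r in sorted(per_host.items()) if len(r["targets"]) >= fanout_threshold
    ]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In the sample, WS01 reaches four distinct hosts through four different remote-execution primitives and also sets boot persistence and enumerates shares, so it is reported; ADM01's remote `sc query` and local `wmic` are ignored. In production the same logic runs over a sliding time window per host, and the threshold is tuned against known administration jump hosts.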
Operational Security and Distribution
The Gentlemen’s RaaS implements several operational security measures typical of established RaaS operations.
Customized builds and decryptors are password-protected, so a sample recovered from a victim cannot be detonated in a sandbox or repurposed without the password. The operator also advertises a universal decryptor that restores files encrypted in any of the locker's operating modes, presented as a differentiator from less sophisticated competitors; under the per-file ephemeral-key scheme described above, such a tool necessarily depends on the operator's private key.
The operation avoids victims in Russia and other Commonwealth of Independent States (CIS) countries, a restriction commonly observed in Russian-speaking cybercriminal operations.
The operation maintains a dedicated data-leak website for publishing exfiltrated information, following the established double-extortion model of modern ransomware operations.
Security researchers emphasize that all claimed features remain unverified by independent analysis pending observation of active campaigns.
The emergence of this platform demonstrates the persistent commercialization of ransomware development, with threat actors investing significantly in cross-platform capabilities and operational infrastructure to compete within the criminal services market.
Organizations operating Windows, Linux and virtualized environments face elevated risk from well-resourced affiliates equipped with this multi-platform toolset. Because the advertised features are unverified, defenders should focus on the propagation techniques listed above (WMI, WMIC, SCHTASKS, SC and PowerShell remoting fanning out from a single host, plus run-key and scheduled-task persistence), which are observable regardless of which locker is eventually deployed.