New Gentlemen Ransomware Breaching Corporate Networks to Exfiltrate and Encrypt Sensitive Data

Gentlemen ransomware, first identified in August 2025, has rapidly evolved into a significant threat targeting corporate networks globally.

Operating on a double extortion model, this group exfiltrates sensitive data before encrypting it, ensuring they can leverage stolen information even if backups exist.

The ransomware is developed in the Go programming language, allowing for efficient cross-platform execution and robust performance in varied enterprise environments.

The group employs advanced tactics such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD) techniques to breach systems.

These methods allow them to disable security defenses and propagate internally across networks.

Reports indicate that the ransomware has already impacted organizations in at least 17 countries, spanning diverse industries like healthcare, manufacturing, and insurance.

ASEC analysts noted that Gentlemen has become one of the most active emerging ransomware groups in 2025 due to its sophisticated propagation procedures.

The group appears to specifically target medium to large organizations, utilizing detection evasion techniques to bypass standard security monitoring.

Ransom note (Source - ASEC)

Its rapid expansion across regions like North America, South America, and the Middle East highlights the urgent need for continuous monitoring.

Execution and Encryption Protocols

Upon execution, the malware initiates a rigorous command-line argument parsing routine designed to strictly control its behavior.

A critical feature is the requirement of a specific –password argument; without this valid credential, the ransomware terminates immediately.

This simple but effective anti-analysis measure means the sample does nothing when detonated without the correct argument, which defeats automated sandbox analysis by security researchers.

Operators can specify various modes, such as –silent to avoid file renaming or –full to target both local and network shares.

Before encryption begins, the malware disables Windows Defender and terminates backup and database services, including Veeam, MSSQL, and MongoDB.

Gentlemen executable arguments (Source - ASEC)

Terminating these services ensures that target files are not locked by other processes and impedes recovery efforts. The Gentlemen executable arguments highlight these extensive command options.

The encryption phase utilizes X25519 for key exchange and XChaCha20 for file encryption, generating unique keys for every file.

The threat actor’s public key is decoded directly in memory to generate shared secrets.

Calculating the scope of encryption (Source - ASEC)

For larger files, it selectively encrypts segments based on defined percentages—such as 9% for –fast or 1% for –ultrafast—to optimize speed while rendering data unrecoverable.

Finally, a ransom note named README-GENTLEMEN.txt is created in every processed directory.
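The pre-encryption behaviour described above (stopping Veeam, MSSQL and MongoDB services, disabling Defender, then dropping README-GENTLEMEN.txt in each processed directory) forms a chain that defenders can correlate per host. The following is an added example written for this article, not ASEC's or the ransomware's code: a small detector that groups normalised events by host and ranks how much of the chain was observed. The event records are constructed sample telemetry and the schema (host, type, cmdline, path) is an assumption, not any product's real format.

```python
"""Behaviour-chain detector for the Gentlemen ransomware pre-encryption steps
described in the article: backup/database service termination, Defender
tampering and README-GENTLEMEN.txt drops. The event records below are
constructed sample telemetry, not captured data; the field names (host, type,
cmdline, path) are an assumed normalised schema, not a real product's format."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Service families ASEC reports the ransomware stopping before encryption.
BACKUP_DB_SERVICE_KEYWORDS = ("veeam", "mssql", "mongodb")
RANSOM_NOTE_NAME = "README-GENTLEMEN.txt"

# Common ways of stopping a Windows service from a command line.
SERVICE_STOP_RE = re.compile(
    r"(?:\bnet1?\s+stop|\bsc(?:\.exe)?\s+stop|\bStop-Service(?:\s+-Name)?)\s+[\"']?([^\s\"']+)",
    re.IGNORECASE,
)
# PowerShell tampering with Defender preferences (e.g. -DisableRealtimeMonitoring).
DEFENDER_TAMPER_RE = re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE)


@dataclass
class HostFindings:
    host: str
    stopped_services: set[str] = field(default_factory=set)
    defender_tampered: bool = False
    note_dirs: set[str] = field(default_factory=set)

    @property
    def severity(self) -> str:
        """Rank the host by how much of the pre-encryption chain was observed."""
        if self.note_dirs and self.stopped_services and self.defender_tampered:
            return "critical"
        if self.note_dirs:
            return "high"          # the note alone is a near-certain indicator
        if self.defender_tampered and self.stopped_services:
            return "medium"
        if self.stopped_services or self.defender_tampered:
            return "low"           # may be legitimate maintenance; needs triage
        return "none"


def analyze(events: list[dict]) -> dict[str, HostFindings]:
    """Group normalised events by host and collect chain indicators."""
    findings: dict[str, HostFindings] = {}
    for ev in events:
        f = findings.setdefault(ev["host"], HostFindings(ev["host"]))
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            m = SERVICE_STOP_RE.search(cmd)
            if m:
                svc = m.group(1)
                # Only backup/database services matter here; stopping the
                # print spooler is ordinary administration.
                if any(k in svc.lower() for k in BACKUP_DB_SERVICE_KEYWORDS):
                    f.stopped_services.add(svc)
            if DEFENDER_TAMPER_RE.search(cmd):
                f.defender_tampered = True
        elif ev["type"] == "file":
            path = ev["path"]
            if ntpath.basename(path).lower() == RANSOM_NOTE_NAME.lower():
                f.note_dirs.add(ntpath.dirname(path))
    return findings


# Constructed sample telemetry: one compromised file server, one workstation
# where an admin stopped the print spooler and a user saved an ordinary README.
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "process", "cmdline": "net stop VeeamBackupSvc"},
    {"host": "FS01", "type": "process", "cmdline": 'sc stop "MSSQLSERVER"'},
    {"host": "FS01", "type": "process", "cmdline": "net stop MongoDB"},
    {"host": "FS01", "type": "process",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\Finance\README-GENTLEMEN.txt"},
    {"host": "FS01", "type": "file", "path": r"D:\Shares\HR\README-GENTLEMEN.txt"},
    {"host": "WS22", "type": "process", "cmdline": "net stop Spooler"},
    {"host": "WS22", "type": "file", "path": r"C:\Users\jdoe\Documents\README.txt"},
]

if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {f.severity} (services={sorted(f.stopped_services)}, "
              f"defender={f.defender_tampered}, note_dirs={len(f.note_dirs)})")
```

The point of scoring the chain rather than alerting on any single event is that a stopped database service or a Defender preference change on its own is routine administration; the combination on one host within a short window, and above all the appearance of the ransom note name, is what separates this activity from maintenance. In a real deployment the same logic would sit on top of process-creation and file-creation telemetry from an EDR or Sysmon, with a time window added to the grouping.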
