A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community.
Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention.
Organizations in education, healthcare, transportation, and finance across North America, South America, Europe, Africa, and Asia have already felt its damaging impact.
The Gentlemen operates as a ransomware-as-a-service (RaaS) platform, meaning its core developers rent access to the malware to other criminals known as affiliates.
It first emerged around mid-2025 as a closed group, then opened its doors to affiliates in September 2025.
More recently, its operators forged a formal partnership with BreachForums, a well-known cybercriminal marketplace, actively recruiting penetration testers and initial access brokers to carry out attacks on their behalf.
Microsoft Threat Intelligence, which tracks the group behind the malware as Storm-2697, noted that the operators use double extortion tactics.
They encrypt a victim’s data and simultaneously steal sensitive files, threatening to release the stolen information publicly if the ransom is not paid.
Microsoft said in a report shared with Cyber Security News (CSN) that the threat is already widely adopted and this new partnership could attract an even broader pool of criminal actors going forward.
What sets The Gentlemen apart is its layered attack strategy. It disables antivirus tools, deletes backups, clears system logs, and wipes forensic traces before encryption even begins.
Once active, it can reach across a network and plant itself on other machines automatically, making containment far more difficult for incident responders and security teams.
The ransomware requires a build-specific password to execute, and operators can control nearly every aspect of its behavior through command-line arguments.
These options include setting encryption speed, enabling network spreading, and choosing how the malware persists after a reboot. That level of operational control makes it unusually flexible and customizable for a criminal tool deployed at scale.
Ransomware Uses SYSTEM Scheduled Task
One of the most technically notable behaviors in The Gentlemen is how it achieves the highest possible system privileges before encrypting local drives.
When the ransomware receives the right command-line instruction, it creates a Windows scheduled task named gentlemen_system that runs the malware executable under the SYSTEM account, which is the most powerful level of access on a Windows machine.
To do this cleanly, it first deletes any existing task with that name, then registers and immediately triggers a fresh one. Once running under this elevated context, the malware sets an internal environment variable called LOCKER_BACKGROUND=1 to signal that it is operating as a background encryption process with full privileges.
This design allows the ransomware to reach and encrypt files that would otherwise be protected or inaccessible to standard user-level accounts.
Self-Propagation Across the Network
The Gentlemen does not stop at a single machine. When its spreading feature is activated, it transforms into a self-propagating worm capable of deploying itself to every system it can reach on the local network.
It stages its own binary in a shared folder, copies it across administrative network shares, and attempts to execute it on remote hosts using eight different methods simultaneously.
These methods include PsExec, Windows Management Instrumentation, scheduled tasks in both user and SYSTEM contexts, Windows services, and PowerShell remoting.
The malware attempts 21 separate remote execution operations per target host. This redundancy is central to its strategy because even if most methods are blocked, a single successful execution on one new host is enough to restart the entire propagation cycle.
Defenders can reduce exposure by enabling controlled folder access, turning on cloud-delivered antivirus protection, and blocking process creations originating from PsExec and WMI commands through attack surface reduction rules.
Running endpoint detection and response tools in block mode is also strongly recommended, as is configuring automatic attack disruption to contain active threats before they spread further across the environment.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | The Gentlemen ransomware encryptor binary |
| File Name | README-GENTLEMEN.txt | Ransom note dropped in each encrypted directory |
| File Extension | .umc16h | Extension appended to all encrypted files |
| File Name | gentlemen.bmp | Desktop wallpaper bitmap dropped to %TEMP% after encryption |
| Scheduled Task Name | gentlemen_system | SYSTEM-privileged scheduled task created for elevated encryption |
| Scheduled Task Name | UpdateSystem | Persistence scheduled task running payload as SYSTEM at startup |
| Scheduled Task Name | UpdateUser | Persistence scheduled task running payload as current user at startup |
| Registry Key Value | GupdateS (HKLM) | System-wide autorun registry persistence key |
| Registry Key Value | GupdateU (HKCU) | User-scoped autorun registry persistence key |
| File Path | C:\Temp\psexec.exe | PsExec binary dropped for lateral movement |
| File Name | wipefile.tmp | Temporary file used for free disk space wiping |
| Environment Variable | LOCKER_BACKGROUND=1 | Internal flag indicating SYSTEM-context background encryption execution |
| Hardcoded Password | 9VoAvR7G | Build-specific operator authentication password embedded in analyzed sample |
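As an added example (not code from the article or from Microsoft's report), a small Python hunt that encodes the host indicators from the table above and runs them over constructed endpoint events; the event field names are simplified assumptions, not a real Sysmon or EDR schema.

```python
import re
# Host indicators taken from the IoC table above (names compared case-insensitively).
TASK_NAMES = {"gentlemen_system", "updatesystem", "updateuser"}
AUTORUN_VALUES = {"gupdates", "gupdateu"}
PSEXEC_DROP = r"c:\temp\psexec.exe"
ENCRYPTED_EXT = ".umc16h"
DROPPED_FILES = {"readme-gentlemen.txt": "ransom note", "gentlemen.bmp": "wallpaper drop"}
RUN_VALUE_RE = re.compile(r"\\currentversion\\run\\([^\\]+)$", re.I)


def match_event(ev):
    """Return the indicator labels one event triggers (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "task_created" and ev.get("task_name", "").lower() in TASK_NAMES:
        hits.append(f"scheduled task {ev['task_name']}")
    elif kind == "registry_set":
        m = RUN_VALUE_RE.search(ev.get("target", ""))
        if m and m.group(1).lower() in AUTORUN_VALUES:
            hits.append(f"autorun value {m.group(1)}")
    elif kind == "file_create":
        path = ev.get("path", "").lower()
        name = path.rsplit("\\", 1)[-1]
        if path == PSEXEC_DROP:
            hits.append("psexec staged in C:\\Temp")
        if name in DROPPED_FILES:
            hits.append(DROPPED_FILES[name])
        if name.endswith(ENCRYPTED_EXT):
            hits.append("encrypted file extension")
    return hits


def scan(events):
    """Group triggered indicators per host so a responder sees the whole chain at once."""
    per_host = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    return per_host


# Constructed sample telemetry, not real events: ws01 shows the full chain, ws02 only a note.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "task_created", "task_name": "gentlemen_system"},
    {"host": "ws01", "type": "registry_set",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GupdateS"},
    {"host": "ws01", "type": "file_create", "path": "C:\\Temp\\psexec.exe"},
    {"host": "ws01", "type": "file_create", "path": "D:\\Share\\budget.xlsx.umc16h"},
    {"host": "ws02", "type": "task_created", "task_name": "Adobe Acrobat Update Task"},
    {"host": "ws02", "type": "file_create", "path": "C:\\Users\\Public\\README-GENTLEMEN.txt"},
]
```

Feed `scan()` your own normalized task-creation, registry-set and file-create events; a host that trips the scheduled task plus the autorun or PsExec indicators matches the full chain the article describes.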