Microsoft Threat Intelligence detailed a growing RaaS (ransomware-as-a-service) operation known as The Gentlemen, tracked by Microsoft as Storm-2697, warning that the threat combines strong file encryption with aggressive self-propagation capabilities that can compromise entire enterprise networks. The analysis disclosed that the Go-based ransomware uses per-file ephemeral key encryption built on Curve25519 and XChaCha20, while simultaneously leveraging multiple lateral movement techniques to spread across connected systems, significantly increasing the speed and impact of attacks once initial access is obtained.
Researchers mentioned that The Gentlemen emerged in mid-2025 before evolving into a RaaS platform that recruits affiliates to conduct attacks at scale. The company noted that the malware’s self-propagation module enables broad network compromise, making it more dangerous than conventional ransomware focused solely on file encryption. The operation has been linked to widespread attacks across multiple sectors and regions, with threat actors using the ransomware alongside data theft and extortion tactics to maximize pressure on victims.
In addition to using per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using a series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved. Microsoft has observed The Gentlemen ransomware impacting organizations across the education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.
“Emerging around mid-2025, The Gentlemen initially started as a closed ransomware group, then began offering its RaaS to affiliates in September 2025,” researchers from the Microsoft Threat Intelligence team wrote in a blog post last week. “More recently, The Gentlemen operators established an official partnership with BreachForums, a popular cybercriminal marketplace, to recruit affiliates, including penetration testers and initial access brokers. Given that The Gentlemen is already a widely adopted RaaS platform, this partnership may lead to increased activity as the program becomes accessible to a broader pool of threat actors.”
They added that the operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims through the threat of public release if the ransom is not paid. The ransomware is written in Go, obfuscated with Garble, and targets Windows environments.
Before encryption begins, The Gentlemen ransomware processes a wide range of command-line arguments that allow operators to control encryption scope, speed, lateral movement, persistence, and cleanup operations. The malware can target local drives, mapped network shares, or both simultaneously through a dual-process execution mode. It also attempts to elevate privileges by relaunching itself through scheduled tasks running under the SYSTEM account.
Before encrypting files, the ransomware disables security controls, establishes persistence through scheduled tasks and registry run keys, and enumerates network shares to identify additional targets. To avoid destabilizing compromised systems, it excludes specific operating system directories, security software folders, and critical file types from encryption.
During file encryption, The Gentlemen uses a hybrid cryptographic model that combines Curve25519 elliptic-curve cryptography with the XChaCha20 stream cipher. For every file, it generates a unique ephemeral key pair, derives a shared secret using the operator’s embedded public key, and uses the resulting value as the encryption key. Files smaller than 1 MB are fully encrypted, while larger files undergo partial encryption across three distributed chunks to accelerate execution while still rendering data unusable.
The ransomware also modifies file ownership and permissions to guarantee write access, appends the [dot]umc16h extension to encrypted files, and stores metadata within a structured footer that enables later decryption and identifies files compromised by the malware.
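The full-versus-partial encryption behaviour described above is something an incident responder can check directly on recovered files. The following triage helper is an added example written for this article, not Microsoft's code and not derived from the ransomware; it builds a per-window entropy profile of a file and reports which byte ranges look like ciphertext, so a file under 1 MB should come back as fully encrypted while a larger one should show a few distinct encrypted runs. The 64 KiB window size and the 7.5 bits/byte threshold are assumptions, and the input samples in its test are constructed, not real encrypted files.

```python
import io
import math
from collections import Counter

WINDOW = 64 * 1024     # window size for the entropy profile (assumed; tunable)
HIGH_ENTROPY = 7.5     # bits/byte; stream-cipher output approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty or constant data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(entropy: float, length: int, threshold=HIGH_ENTROPY) -> bool:
    """Near-ceiling entropy counts as ciphertext; a short trailing window (such as
    the metadata footer) cannot reach 8 bits/byte, so its ceiling is log2(length)."""
    return length >= 64 and entropy >= min(threshold, 0.9 * math.log2(length))

def entropy_profile(source, window=WINDOW):
    """Return [(offset, length, entropy)] per window; source is a path or raw bytes."""
    fh = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else open(source, "rb")
    profile, offset = [], 0
    with fh:
        while chunk := fh.read(window):
            profile.append((offset, len(chunk), shannon_entropy(chunk)))
            offset += len(chunk)
    return profile

def encrypted_runs(profile):
    """Collapse consecutive encrypted-looking windows into (start, end) byte ranges."""
    runs, start, end = [], None, None
    for offset, length, entropy in profile:
        if looks_encrypted(entropy, length):
            start = offset if start is None else start
            end = offset + length
        elif start is not None:
            runs.append((start, end))
            start = None
    if start is not None:
        runs.append((start, end))
    return runs

def triage(source, window=WINDOW):
    """Summarise which regions of one file (path or bytes) were overwritten with ciphertext."""
    profile = entropy_profile(source, window)
    size = sum(length for _, length, _ in profile)
    runs = encrypted_runs(profile)
    fraction = sum(e - s for s, e in runs) / size if size else 0.0
    mode = "full" if fraction >= 0.99 else "partial" if runs else "none"
    return {"size": size, "mode": mode, "fraction": round(fraction, 3), "runs": runs}
```

Feeding every file that carries the reported extension into `triage()` (for example via `pathlib.Path(root).rglob("*.umc16h")`) gives a per-file map of the encrypted ranges, which is useful both for confirming the partial-encryption pattern and for deciding whether any plaintext remains recoverable from large files.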
Following encryption, The Gentlemen shifts focus to victim notification, propagation, and anti-recovery measures. Unless operating in silent mode, it drops a custom bitmap image and replaces the desktop wallpaper to signal that encryption has been completed.
When the self-propagation feature is enabled, the ransomware transforms into a worm-like threat, using network shares, scheduled tasks, remote process execution, and credential-based lateral movement techniques to spread across reachable systems. It can also overwrite free disk space with random data to prevent recovery of deleted files and eliminate forensic artifacts. Finally, unless instructed otherwise, the malware deletes its own executable through a temporary batch script, reducing evidence left behind on compromised systems and complicating incident response efforts.
To reduce the impact of The Gentlemen ransomware, organizations should adopt a comprehensive ransomware defense strategy that combines strong credential hygiene, system hardening, and layered security controls. Security teams should ensure that cloud-based threat intelligence and machine learning protections are enabled within their security stack to improve the detection of rapidly evolving and previously unknown ransomware variants. Security services should also be protected against tampering to prevent attackers from disabling defenses during an intrusion.
Organizations should implement controls that protect critical data from unauthorized modification and encryption. Restricting access to sensitive folders and files to trusted applications can help prevent ransomware from encrypting valuable information. Endpoint detection and response capabilities should be configured to automatically identify, block, and remediate malicious activity, including threats that may bypass traditional antivirus defenses. Automated investigation and remediation can further accelerate incident response and reduce the time attackers remain active within an environment.
Additional resilience can be achieved by deploying measures that automatically contain active attacks, limit lateral movement, and reduce the overall impact of a compromise. Security teams should also implement attack surface reduction policies that restrict the execution of untrusted or low-reputation files and limit the misuse of administrative tools commonly leveraged for remote execution and lateral movement. These controls can help disrupt ransomware campaigns in their early stages and prevent attackers from gaining the level of access required to carry out widespread encryption and extortion activities.