“The Gentlemen” Ransomware Group Deploys Dual-Extortion Tactics, Encrypting and Exfiltrating Data

The Cybereason Threat Intelligence Team has uncovered a sophisticated ransomware operation known as “The Gentlemen,” which emerged around July 2025 and quickly established itself as a formidable threat actor.

Operating with a dual-extortion methodology, the group encrypts sensitive files while simultaneously exfiltrating critical business data, threatening to publish stolen information on dark web leak sites unless victims comply with ransom demands.

This combination of established ransomware techniques with emerging attack vectors positions The Gentlemen as an increasingly persistent threat to organizations worldwide.

The Gentlemen began publishing victim data in September 2025 on a dedicated data-leak site, which listed 48 compromised organizations within two months of operation.

The group’s quick operational ramp reflects significant experience in ransomware development and deployment.

According to PRODAFT intelligence, The Gentlemen experimented with various affiliate models employed by other prominent ransomware groups before developing their own Ransomware-as-a-Service (RaaS) platform.

Hastalamuerte (LARVA-368) was seeking access to the Qilin ransomware locker panel.

This methodical approach allowed the group to refine operational processes and create a sophisticated RaaS infrastructure that appeals to affiliates seeking advanced, configurable attack capabilities.

Advanced Technical Capabilities

Recent updates to The Gentlemen’s malware variants introduce formidable technical enhancements across Windows, Linux, and ESXi platforms.

The ransomware now features automatic self-restart and run-on-boot functionality, leveraging scheduled tasks and registry entries to maintain persistence on compromised systems.

“The Gentlemen” accounts on dark web forums and X.

Encryption speed has improved by 9–15 percent, the malware now supports selectable encryption modes (standard, fast, superfast, ultrafast), and it spreads across the network using WMI, PowerShell remoting, and the Windows service control mechanism.

The encryption architecture combines the XChaCha20 stream cipher with Curve25519 key exchange; implemented correctly, that pairing means locked files cannot be recovered without the operator’s private key.
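
To show why that pairing defeats recovery, here is an added Python example of the hybrid pattern these two primitives are normally used for. It is not code from the Cybereason report or the locker itself: the X25519 arithmetic is a plain reference implementation of RFC 7748, the stream cipher is a SHA-256 counter-mode stand-in for XChaCha20, the key-derivation label, the file layout (ephemeral public key, nonce, ciphertext) and all key material are assumptions made for illustration.

```python
import hashlib
import os

# Reference X25519 scalar multiplication (RFC 7748 Montgomery ladder).
# Written for readability, NOT constant time: for understanding the scheme only.
_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = _clamp(scalar)
    u = bytearray(u)
    u[31] &= 127                      # RFC 7748: ignore the top bit of u
    x1 = int.from_bytes(u, "little") % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def keypair(seed=None):
    """Random (or seeded, for tests) X25519 key pair: (private scalar, public u)."""
    priv = seed if seed is not None else os.urandom(32)
    return priv, x25519(priv, _BASEPOINT)


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode over (key, 24-byte nonce).
    It plays the role XChaCha20 plays in the real design; it is not XChaCha20."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "little")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def _file_key(shared_secret: bytes) -> bytes:
    # Assumed KDF label; a real scheme would use HKDF with a defined context.
    return hashlib.sha256(b"per-file-key" + shared_secret).digest()


def lock_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Locker side. Only the operator's PUBLIC key is needed (that is all a binary
    has to embed). A fresh ephemeral key pair is made per file, the DH shared
    secret becomes the file key, and the output carries just the ephemeral
    public key and nonce: no file key, no operator secret."""
    eph_priv, eph_pub = keypair()
    shared = x25519(eph_priv, operator_pub)
    nonce = os.urandom(24)
    return eph_pub + nonce + _stream_xor(_file_key(shared), nonce, plaintext)


def unlock_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Decryptor side: recomputes the same shared secret from the operator's
    private scalar and the ephemeral public key stored in the file."""
    eph_pub, nonce, ct = blob[:32], blob[32:56], blob[56:]
    shared = x25519(operator_priv, eph_pub)
    return _stream_xor(_file_key(shared), nonce, ct)


def what_a_locked_file_reveals(blob: bytes) -> dict:
    """Triage helper: the only structured fields an analyst can pull from such a
    file are the ephemeral public key and the nonce. Neither yields the file key
    without the operator's private scalar, which never touches the victim host."""
    return {"ephemeral_pub": blob[:32].hex(), "nonce": blob[32:56].hex(),
            "ciphertext_len": len(blob) - 56}
```

The practical consequence for responders is that reverse engineering the sample recovers at most the operator’s public key; recovery depends on backups or on the operator’s private key, not on analysis of the binary.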

Notably, the ransomware targets both removable drives and network-shared drives while preserving each file’s original modification date, a technique designed to evade detection strategies that key on recently modified files.
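
The mtime-preservation trick is cheap for the attacker and cheap to catch if you look at the right timestamp. The following added Python example (not from the report, and the in-place rewrite is a SHA-256 keystream stand-in rather than the locker’s cipher) reproduces the behaviour on a constructed sample file and then hunts for it. It assumes a POSIX filesystem: `utime()` lets a process set mtime, but the kernel stamps ctime itself, so a file whose ctime is far ahead of its mtime was written after the date it advertises; a Shannon-entropy check narrows the candidates to likely-encrypted content. The filename, thresholds and key are assumptions.

```python
import hashlib
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path


def _toy_rewrite(data: bytes, key: bytes) -> bytes:
    """Replace contents with high-entropy bytes (XOR against a SHA-256 counter
    keystream). A stand-in so the file looks encrypted; not the locker's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + (i // 32).to_bytes(8, "little")).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)


def simulate_backdating_rewrite(path: Path, key: bytes) -> None:
    """Overwrite the file, then put its original atime/mtime back: the
    timestamp-preserving behaviour the article attributes to the locker."""
    before = path.stat()
    path.write_bytes(_toy_rewrite(path.read_bytes(), key))
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random/encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_backdated_rewrites(root, max_skew_s: float = 60.0, min_entropy: float = 7.0):
    """Hunt for files written after the mtime they advertise.
    POSIX assumption: ctime (inode change time) cannot be set from user space,
    so ctime >> mtime means 'touched later'. High entropy over the first 64 KiB
    narrows that to likely-encrypted files. (On NTFS the analogous check is
    $STANDARD_INFORMATION against $FILE_NAME timestamps in the MFT.)"""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        skew = st.st_ctime - st.st_mtime
        if skew > max_skew_s:
            ent = shannon_entropy(p.read_bytes()[:65536])
            if ent >= min_entropy:
                findings.append({"path": str(p),
                                 "ctime_minus_mtime_s": round(skew),
                                 "entropy": round(ent, 2)})
    return findings


def demo():
    """Constructed scenario: a month-old, low-entropy document is rewritten in
    place with its mtime restored. Returns (mtime_unchanged, findings)."""
    with tempfile.TemporaryDirectory() as d:
        doc = Path(d) / "report.docx"
        doc.write_bytes(b"Quarterly report, constructed sample text. " * 200)
        a_month_ago = time.time() - 30 * 86400
        os.utime(doc, (a_month_ago, a_month_ago))
        mtime_before = doc.stat().st_mtime_ns
        simulate_backdating_rewrite(doc, key=b"\x42" * 32)
        mtime_unchanged = doc.stat().st_mtime_ns == mtime_before
        return mtime_unchanged, find_backdated_rewrites(d)


if __name__ == "__main__":
    print(demo())
```

Backup and EDR products that select “changed since last run” by mtime alone will skip these files, so a mtime-based delta backup taken after the run can silently carry encrypted copies while believing nothing changed; the ctime skew is the signal to add.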

For Linux systems, the variant implements privilege escalation capabilities, automatic boot-level persistence, and secure disk-wiping mechanisms that complicate recovery efforts.

Multi-Platform Threat Landscape

The Gentlemen’s ESXi locker represents a particularly concerning development, explicitly optimized for encrypting multiple VMware virtual machines across clustered ESXi hosts, including vSAN storage environments.

This hypervisor-focused variant demonstrates a sophisticated understanding of virtualized infrastructure vulnerabilities and indicates the group’s capacity to target enterprise data centers with precision.

Technical analysis of recovered samples reveals Go-written executables that carry a hardcoded ransom note and an extensive set of command-line options gated behind a password argument.

The malware implements comprehensive anti-forensics routines, deleting RDP logs, Windows Defender telemetry, and PowerShell history files to obstruct post-incident investigation.

The file we analyzed is a 64-bit Windows executable, written in Golang,

“Detect it Easy” analysis information.

Additionally, the ransomware turns off Windows Defender real-time protection through PowerShell commands and modifies firewall rules to facilitate network discovery and lateral movement.
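
The persistence (scheduled task, Run key), defense-evasion (Defender real-time protection off, firewall changes), anti-forensics (event-log and PowerShell-history deletion) and lateral-movement (WMI, PowerShell remoting, service control) behaviours described above all leave process command lines behind. The Python example below is added here as detection content; it is not from the Cybereason report and the event lines are constructed, hypothetical Sysmon-style `image|commandline` records using the standard Windows tooling for each behaviour, with invented hostnames and paths. The rules match each behaviour, and the verdict escalates only when persistence, defense evasion and lateral movement appear in the same batch, which is the staging pattern that precedes encryption.

```python
import re

# Constructed sample events (hypothetical; not commands recovered from samples).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\schtasks.exe|schtasks /create /sc onstart /ru SYSTEM /tn Updater /tr C:\ProgramData\svc.exe",
    r"C:\Windows\System32\reg.exe|reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\ProgramData\svc.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r'C:\Windows\System32\netsh.exe|netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes',
    r"C:\Windows\System32\wevtutil.exe|wevtutil cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    r"C:\Windows\System32\cmd.exe|cmd /c del /f /q %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt",
    r'C:\Windows\System32\wbem\WMIC.exe|wmic /node:FS01 process call create "C:\ProgramData\svc.exe"',
    r"C:\Windows\System32\sc.exe|sc \\FS02 create svc binPath= C:\ProgramData\svc.exe start= auto",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Invoke-Command -ComputerName FS03 -ScriptBlock { Start-Process C:\ProgramData\svc.exe }",
    r"C:\Windows\System32\notepad.exe|notepad C:\Users\jdoe\notes.txt",  # benign control
]

# (rule id, tactic, case-insensitive regex over the command line)
RULES = [
    ("scheduled_task_boot",   "persistence",      r"\bschtasks(\.exe)?\s+/create\b.*\s/sc\s+(onstart|onlogon)\b"),
    ("run_key",               "persistence",      r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b"),
    ("defender_realtime_off", "defense_evasion",  r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true\b"),
    ("firewall_rule_change",  "defense_evasion",  r"\bnetsh\s+advfirewall\s+firewall\s+(set|add)\s+rule\b"),
    ("eventlog_clear",        "anti_forensics",   r"\bwevtutil(\.exe)?\s+cl\s+\S+"),
    ("ps_history_delete",     "anti_forensics",   r"\b(del|erase|Remove-Item)\b.*ConsoleHost_history\.txt"),
    ("wmi_remote_exec",       "lateral_movement", r"\bwmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create\b"),
    ("remote_service_create", "lateral_movement", r"\bsc(\.exe)?\s+\\\\\S+\s+(create|config|start)\b"),
    ("ps_remoting",           "lateral_movement", r"\b(Invoke-Command|Enter-PSSession)\b.*-ComputerName\b"),
]
_COMPILED = [(rid, tactic, re.compile(pat, re.IGNORECASE)) for rid, tactic, pat in RULES]


def parse_event(line: str):
    """Split the constructed 'image|commandline' record."""
    image, _, cmdline = line.partition("|")
    return image, cmdline


def scan(events):
    """Return one hit per (event, rule) match."""
    hits = []
    for line in events:
        image, cmdline = parse_event(line)
        for rid, tactic, rx in _COMPILED:
            if rx.search(cmdline):
                hits.append({"rule": rid, "tactic": tactic, "image": image, "cmdline": cmdline})
    return hits


def verdict(hits) -> str:
    """Single rules fire on legitimate admin work too; the combination is what
    matters. Persistence + defense evasion + lateral movement together is the
    pre-encryption staging pattern the article describes."""
    tactics = {h["tactic"] for h in hits}
    if {"persistence", "defense_evasion", "lateral_movement"} <= tactics:
        return "likely ransomware staging"
    if tactics:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['tactic']:16} {h['rule']:22} {h['cmdline'][:70]}")
    print("verdict:", verdict(found))
```

In production these rules belong in your SIEM or EDR query language with the user, parent process and time window added; the point of the batch-level verdict is that an event-log clear or a Defender change on its own is a ticket, while the three tactics together within minutes is an incident.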

RaaS Business Model and Threat Scale

Operating as a full-fledged RaaS platform, The Gentlemen offers customizable build options, continuous affiliate support, and infrastructure management.

The operation prohibits activity against Russian and Commonwealth of Independent States targets, a pattern common among Eastern European-based ransomware groups.

Affiliates receive specialized tools including EDR-killer utilities and multi-chain systems for trusted operators, alongside negotiation support and flexible ransom demand structures.

“The Gentlemen” ESXi locker version.

The combination of sophisticated technical capabilities, rapid operational scaling, dual-extortion tactics, and professional RaaS infrastructure positions The Gentlemen as a credible, persistent threat requiring immediate organizational attention.

Security teams should prioritize tested, offline or immutable backups, network segmentation, EDR coverage that extends to Linux and ESXi hosts, and incident response planning to limit exposure to this emerging threat actor.
