
The Picus report focuses on a Windows-targeting encryptor, but other researchers have reported broader Gentlemen tooling aimed at Linux and VMware ESXi environments. The group has been observed in attacks on organizations in sectors including education, transportation, healthcare, and financial services across North America, South America, Europe, Africa, and Asia.
Its self-propagation capability is the most significant feature for enterprise defenders. When enabled, the malware can enumerate reachable systems, stage its binary through an SMB share, and attempt up to 21 remote execution operations against each target.
Those methods include PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and WMI process creation. The redundancy is intended to improve the chances that at least one method will succeed, allowing the malware to continue spreading through the network.
