Gentlemen
Gentlemen is a ransomware family and ransomware-as-a-service operation first observed between mid-2025 and August 2025. It is described as a rapidly growing, financially motivated double-extortion threat that exfiltrates data before encrypting victim systems and threatens public release of the stolen information. Reporting links the operation to the Microsoft-tracked actor Storm-2697, and multiple sources describe affiliate recruitment on underground forums and partnerships used to expand the ecosystem.
The malware is primarily Go-based and supports cross-platform encryption of Windows, Linux, NAS, and BSD systems, with a separate C-based ESXi locker also described. Available operator documentation shows variants for Windows, Linux, ESXi, legacy Windows (XP+), and Linux LVM/block-device encryption. The locker supports command-line options for targeting local disks, folders, UNC paths, mapped shares, network shares, and block devices; delayed execution; silent mode; self-deletion/retention; free-space wiping; printer-based ransom note deployment; and partial-encryption speed modes such as --fast, --superfast, and --ultrafast. Windows-specific functionality includes SYSTEM-mode execution, lateral movement via supplied domain credentials, and domain-wide deployment through Group Policy. When launched with --spread, reporting says the malware can propagate in a worm-like manner using hidden shares and remote execution methods including PsExec, WMIC, and remote PowerShell.
Gentlemen uses a hybrid cryptographic design based on X25519/Curve25519 and XChaCha20. Sources state it generates per-file ephemeral keys, fully encrypts small files, and partially encrypts larger files in chunks to improve speed. Reported encrypted-file extensions include .umc16h and .7mtzhh. The ransomware requires a --password argument to execute, which is described as an anti-analysis measure. It drops ransom notes named README-GENTLEMEN.txt, and some reporting states it can change the desktop background and offer free decryption of sample files.
Before encryption, Gentlemen is reported to disable Microsoft Defender protections, add exclusions, terminate security, backup, database, virtualization, and email-related processes, delete Volume Shadow Copies, clear Security and System event logs, and remove PowerShell history. Anti-forensic behavior also includes overwriting free disk space using wipefile.tmp and deleting its own binary after execution. Additional reporting describes use of BYOVD techniques to disable defenses.
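The locker options and pre-encryption behaviours above are what a defender can actually hunt for. The following is an added example, not code from the profile or any vendor: it scores constructed endpoint telemetry against those behaviours. The flags, note name, wipe file and extensions are taken from the profile; the vssadmin/wevtutil command forms, the Defender cmdlets and the PowerShell history file path are assumptions about how the described actions commonly appear in process telemetry.

```python
# Added example (not from this profile or any vendor): score constructed endpoint
# telemetry against behaviours the profile attributes to Gentlemen. Locker flags,
# note name, wipe file and extensions come from the profile; the vssadmin/wevtutil
# forms, Defender cmdlets and PowerShell history path are assumed command shapes.
import json
import re
from collections import defaultdict

# (rule name, regex applied to the lowercased event text, weight)
RULES = [
    ("locker_flags", r"--(password|spread|fast|superfast|ultrafast)\b", 3),
    ("ransom_note", r"readme-gentlemen\.txt", 5),
    ("free_space_wipe", r"wipefile\.tmp", 4),
    ("encrypted_ext", r"\.(umc16h|7mtzhh)$", 5),
    ("shadow_copy_delete", r"vssadmin.*delete shadows|shadowcopy.*delete", 3),  # assumed form
    ("eventlog_clear", r"wevtutil\s+cl\s+(security|system)", 3),              # assumed form
    ("ps_history_removal", r"consolehost_history\.txt", 2),                     # assumed path
    ("defender_tamper", r"add-mppreference.*-exclusionpath|disablerealtimemonitoring", 3),
]
ALERT_THRESHOLD = 6  # at least two corroborating behaviours on one host

def score_events(lines):
    """Return {host: (score, [matched rule names])}; each rule counts once per host."""
    hits = defaultdict(lambda: [0, []])
    for line in lines:
        ev = json.loads(line)
        text = " ".join(str(ev.get(k, "")) for k in ("image", "cmdline", "target")).lower()
        for name, pattern, weight in RULES:
            if re.search(pattern, text) and name not in hits[ev["host"]][1]:
                hits[ev["host"]][0] += weight
                hits[ev["host"]][1].append(name)
    return {host: (score, names) for host, (score, names) in hits.items()}

def alerting_hosts(lines):
    """Hosts whose combined score reaches the threshold, sorted for stable output."""
    return sorted(h for h, (s, _) in score_events(lines).items() if s >= ALERT_THRESHOLD)

# Constructed sample telemetry (not real indicators): ws01 shows the chain, srv02 is benign.
SAMPLE = [
    '{"host":"ws01","image":"C:\\\\Users\\\\Public\\\\locker.exe","cmdline":"locker.exe --password Xk2 --fast --spread"}',
    '{"host":"ws01","image":"vssadmin.exe","cmdline":"vssadmin delete shadows /all /quiet"}',
    '{"host":"ws01","image":"wevtutil.exe","cmdline":"wevtutil cl Security"}',
    '{"host":"ws01","image":"locker.exe","target":"C:\\\\Finance\\\\Q3.xlsx.umc16h"}',
    '{"host":"srv02","image":"wevtutil.exe","cmdline":"wevtutil qe Application /c:5"}',
]

if __name__ == "__main__":
    print(json.dumps(score_events(SAMPLE), indent=2))
```

Scoring per host rather than per event is deliberate: a lone shadow-copy deletion or log clear is noisy on its own, while the combination with locker flags or a renamed file is what distinguishes this chain.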
Observed intrusion tradecraft includes use of compromised credentials and targeting of Internet-exposed services for initial access. Other reporting states intrusions have involved Group Policy modification, encrypted exfiltration with WinSCP, reconnaissance of backups, NAS, Exchange, storage arrays, and virtualization infrastructure, and efforts to obtain domain admin privileges and disable EDR. Leaked internal-chat reporting also mentions use of compromised Fortinet edge-device credentials, OpenConnect, ZeroPulse, living-off-the-land techniques, and an 'EDR Killer' tool. In one investigated intrusion, attackers operated from a Domain Controller with Domain Admin privileges, used Mimikatz, RPC-based deployment of Cobalt Strike, and Group Policy propagation. Check Point also observed a Gentlemen affiliate attempting to deploy SystemBC for covert payload delivery.
Reported victimology indicates targeting of medium and large enterprises across at least 17 countries and sectors including healthcare, manufacturing, insurance, transportation, education, construction, and energy/critical infrastructure. Reported incidents include the December 2025 attack on Romania's state-owned power producer Complexul Energetic Oltenia, which disrupted ERP, email, website, and other business IT systems. Reporting also states the group had claimed hundreds of victims by 2026 and had become one of the most active emerging ransomware threats of 2025.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Microsoft Threat Intelligence recently uncovered a dangerous global cyber security operation. Specifically, security researchers are tracking the rapidly growing Gentlemen ransomware threat across multiple continents. This sophisticated platform functions as a ransomware-as-a-service model for financially motivated cybercriminals.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic:
Persistence: 1 technique
Defense Impairment: 1 technique
Credential Access: 1 technique
Lateral Movement: 2 techniques
Impact: 2 techniques
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, consisting of file hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Cross-platform ransomware/locker with Windows, Linux, ESXi, legacy Windows, and LVM-targeting variants. It supports partial-encryption speed modes, delayed execution, optional suppression of self-deletion, free-space wiping, ransom-note printing, network share encryption, SYSTEM-context execution, lateral movement via supplied credentials, and GPO-based domain-wide deployment.
Gentlemen is a ransomware-as-a-service platform used for double-extortion attacks. It encrypts files, exfiltrates data for extortion, disables Microsoft Defender protections, deletes shadow copies and logs, terminates enterprise applications and EDR processes, uses Curve25519 and XChaCha20 for encryption, appends the .umc16h extension to encrypted files, supports partial encryption modes for speed, and can self-propagate as a worm via network shares and remote execution methods such as PsExec, WMIC, and PowerShell.
A Go-based ransomware family operated as a ransomware-as-a-service platform. It is used for large-scale enterprise intrusions, data theft, silent encryption, and data-only extortion across Windows, Linux, NAS, BSD, and ESXi environments. The operators conduct reconnaissance, target backup and virtualization infrastructure, disable security tools, and prepare environments before network-wide encryption.
Gentlemen is a ransomware-as-a-service operation that provides cross-platform lockers for Windows, Linux, NAS, BSD, and ESXi. It uses a hybrid encryption scheme based on X25519 and XChaCha20, supports broad enterprise encryption via GPO propagation, and terminates databases, backup, and virtualization processes before encryption.