
Gentlemen Ransomware Emerges as a Threat to Corporate Networks

Impact: HIGH User Risk: CRITICAL

The Gentlemen ransomware group has rapidly emerged as one of 2025’s most aggressive cybercrime operations since its debut in July 2025. Operating a sophisticated dual-extortion model, the group has already compromised at least 48 victims across 17 countries, targeting critical industries including manufacturing, healthcare, construction, and insurance. The group employs advanced tactics such as Bring Your Own Vulnerable Driver (BYOVD), Group Policy Object manipulation, and cross-platform encryption capabilities spanning Windows, Linux, and ESXi environments. The ransomware itself uses the XChaCha20 and Curve25519 algorithms, making decryption virtually impossible without the threat actors’ private keys. Organizations face a sophisticated threat that combines automated persistence mechanisms, flexible propagation methods via WMI and PowerShell remoting, and encryption speeds that have improved by 9-15% in recent variants.

Origins and Evolution of The Gentlemen

The Gentlemen ransomware group first appeared in July 2025, quickly establishing itself as a formidable threat actor through systematic and highly adaptive attacks. According to research from Cybereason, the group didn’t rush into building their ransomware empire but instead studied the market extensively before developing their own platform.

Early underground forum activity reveals that operators behind The Gentlemen experimented with multiple affiliate ecosystems before creating their tailored solution. Security researchers discovered that users associated with the group attempted to gain access to the Qilin ransomware locker panel and explored various RaaS platforms on dark web marketplaces. This reconnaissance period allowed them to borrow proven techniques from established operations while refining them into a more efficient and scalable model.

By September and October 2025, the group had published 48 victims on their data leak site, demonstrating their rapid operational scaling. Their development velocity is particularly concerning, with continuous updates introducing enhanced automation, persistence capabilities, and cross-platform reach that rivals ransomware families that have existed for years.

Technical Capabilities and Attack Methods

The Gentlemen ransomware demonstrates sophisticated technical capabilities that make it particularly dangerous to corporate networks. Developed primarily in the Go programming language, the ransomware incorporates multiple layers of protection and operational flexibility.

Encryption Architecture

The ransomware employs modern cryptographic standards including:

  • XChaCha20 stream cipher for file encryption
  • Curve25519 for key exchange operations
  • X25519 Elliptic Curve Diffie-Hellman (ECDH) for generating shared secrets
  • HChaCha20 for deriving encryption subkeys

According to analysis from Trend Micro, this encryption structure ensures that decryption keys are never exposed in exfiltrated data, making recovery impossible without the threat actors’ private keys.

Execution Requirements and Parameters

The ransomware requires a password parameter (--password) to execute, which prevents analysis in unintended environments: the malware only operates in environments specifically targeted by the threat actors. Additional command-line parameters give operators granular control over encryption operations, including target selection (--system for local drives, --shares for network resources), timing delays (--T), stealth operation (--silent mode), and an adjustable partial-encryption level that covers between 1% and 9% of each file’s content, trading coverage for speed.

File Encryption Strategy

The Gentlemen employs an intelligent encryption approach based on file size. Files smaller than 1 MB are completely encrypted, while larger files undergo selective encryption of specific segments. This strategy significantly improves encryption speed while maintaining data inaccessibility, shrinking the window for defensive response.

Each file receives unique encryption keys and nonces generated through the X25519 operation, with the resulting values stored in Base64-encoded format within the encrypted files. The temporary keys used during encryption are deliberately not stored, ensuring that only holders of the threat actors’ private keys can reconstruct the shared secrets necessary for decryption.

Ransomware-as-a-Service Operations

The Gentlemen operates a fully functional Ransomware-as-a-Service (RaaS) platform that rivals established cybercrime operations. The group promotes their service on various cybercrime forums, offering highly configurable features tailored for diverse attack scenarios.

Platform Capabilities

The RaaS platform provides affiliates with:

  • Customizable build options with pre-configured and custom settings
  • Specialized ESXi lockers for virtualized environments
  • Multi-platform support across Windows, Linux, and ESXi systems
  • Dual-extortion tactics with integrated data exfiltration
  • Automated persistence through self-restart and run-on-boot functionality
  • Network propagation capabilities using WMI, PowerShell remoting, SCHTASKS, and Service Control

Affiliate Structure

Research from AhnLab ASEC indicates that the group operates under a traditional affiliate model with specific operational restrictions. Work is prohibited in Russia and CIS countries, following common patterns seen in Eastern European cybercrime operations. Affiliates must upload encrypted data to approved cloud resources or public storage, which is then displayed on the group’s blog as leverage during extortion negotiations.

The platform includes specialized tools such as EDR-killer utilities and multi-chain systems, though these advanced capabilities are reserved exclusively for trusted affiliates. This tiered access model helps the group maintain operational security while scaling their attacks through partner networks.

Continuous Development

The group maintains an active development cycle with regular updates posted to dark web forums. Recent changelog entries reveal improvements including 9-15% encryption speed increases, enhanced privilege escalation from user to root on Linux systems, cluster-aware operations for ESXi environments, and timestamp preservation techniques to complicate forensic investigations.

Global Impact and Target Industries

The Gentlemen has demonstrated a concerning ability to rapidly scale attacks across geographic regions and industry sectors. Industrial Cyber reports that the group has impacted at least 17 countries within just months of emergence.

Geographic Distribution

Confirmed attacks have occurred across multiple regions including Asia-Pacific (with heavy concentration in Thailand), North America (particularly the United States), South America, and the Middle East. This geographic diversity indicates the group is not limiting operations to specific regions but instead targeting opportunities globally.

Industry Targeting

The ransomware has hit organizations across multiple critical sectors:

  • Manufacturing: The hardest-hit industry, facing production disruptions and intellectual property theft
  • Healthcare: Attacks on medical facilities raise serious public safety concerns
  • Construction: Companies losing access to project data and operational systems
  • Insurance: Firms facing exposure of sensitive policyholder information

The targeting of healthcare infrastructure is particularly concerning, as these attacks can directly impact patient care and potentially endanger lives. The group has shown no hesitation in encrypting systems at hospitals and medical facilities, demonstrating their prioritization of financial gain over ethical considerations.

Victim Profile

Security researchers indicate that The Gentlemen primarily targets medium to large organizations rather than individual users or small businesses. The sophistication of their attack methods, including targeted security tool bypasses and domain-wide deployment via Group Policy Objects, suggests the group invests significant reconnaissance effort into each victim environment.

Defense Evasion and Persistence Techniques

The Gentlemen employs multiple sophisticated techniques to evade detection and maintain persistent access to compromised networks. These methods demonstrate the group’s deep understanding of enterprise security architectures.

Bring Your Own Vulnerable Driver (BYOVD)

One of the group’s signature techniques involves abusing legitimate signed drivers to perform kernel-level manipulation. Security analysis has identified the use of ThrottleStop.sys, a legitimate driver that can be exploited to terminate security software processes that would normally be protected from termination. The malware loads this vulnerable driver and uses it to kill protected processes, effectively disabling endpoint security solutions before encryption begins.

PowerShell-Based Defense Disabling

The ransomware executes multiple PowerShell commands to systematically disable Windows security features:

  • Disabling Windows Defender real-time monitoring
  • Adding the C: drive to Defender exclusion paths
  • Adding the ransomware process itself to exclusion lists
  • Enabling network discovery firewall rules
  • Weakening authentication protocols through registry modifications

According to Trend Micro’s analysis, these PowerShell commands can be executed remotely via Invoke-Command, allowing the attackers to disable security controls across multiple systems simultaneously.

Anti-Forensics Measures

The ransomware implements aggressive anti-forensics techniques to obstruct incident investigations:

  • Deleting RDP log files that could reveal attacker connections
  • Removing Windows Defender support files and telemetry data
  • Clearing Prefetch files that track application execution
  • Wiping Windows Event Logs (Security, Application, and System)
  • Deleting shadow copies to prevent file recovery
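The defense-disabling and anti-forensics behaviours listed in the two sections above can be matched in process-creation telemetry. The following detector is an added example, not code from the article or any vendor report: the command-line patterns are assumptions about how each listed behaviour typically appears on the command line, and the log records are constructed.

```python
import re

# Each rule maps one behaviour the article lists to the command line that would
# produce it. The literal syntax is an assumption: the article names behaviours,
# not exact commands, so tune the patterns to your own telemetry.
RULES = {
    "defender_realtime_disabled": r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true",
    "defender_exclusion_root_drive": r"Add-MpPreference\b.*-ExclusionPath\s+['\"]?[A-Z]:\\?['\"]?(?=\s|$)",
    "defender_exclusion_process": r"Add-MpPreference\b.*-ExclusionProcess\b",
    "network_discovery_rule_enabled": r"netsh\b.*advfirewall\b.*Network Discovery.*enable=yes",
    "event_log_cleared": r"wevtutil(\.exe)?\s+cl\s+(Security|Application|System)\b",
    "shadow_copies_deleted": r"vssadmin(\.exe)?\s+delete\s+shadows|Win32_ShadowCopy.*Delete",
    "prefetch_wiped": r"(Remove-Item|del|rd)\b.*\\Prefetch\\",
    "remote_invoke_command": r"Invoke-Command\b.*-ComputerName\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed process-creation records (time, host, command line); not real telemetry.
SAMPLE_LOG = [
    r'09:14:01 FS01 powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true',
    r'09:14:02 FS01 powershell.exe Add-MpPreference -ExclusionPath "C:\"',
    r'09:14:03 FS01 netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    r'09:14:05 FS01 vssadmin.exe delete shadows /all /quiet',
    r'09:14:06 FS01 wevtutil.exe cl Security',
    r'09:14:06 FS01 cmd.exe /c del /q /f C:\Windows\Prefetch\*.pf',
    r'09:20:11 FS01 powershell.exe Invoke-Command -ComputerName APP02 -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true }',
    r'09:21:00 FS01 powershell.exe Get-ChildItem C:\Users',
]

def scan(log_lines):
    """Return (line_number, rule_name) for every rule each line matches."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        hits.extend((number, name) for name, rx in COMPILED.items() if rx.search(line))
    return hits

def triage(log_lines, min_rules=2):
    """Escalate only when several distinct evasion behaviours occur in one log:
    a single exclusion might be an admin, the combination is the playbook."""
    seen = sorted({name for _, name in scan(log_lines)})
    return len(seen) >= min_rules, seen

if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
    print("escalate:", triage(SAMPLE_LOG))
```

The last record is benign and matches nothing; the Invoke-Command record matches twice, which is the remote, multi-host variant of the technique the text describes.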

Service and Process Termination

The malware contains extensive “kill lists” targeting backup services (Veeam), database engines (MSSQL, PostgreSQL, MySQL, Oracle, MongoDB), virtualization components (VMware, Hyper-V), and remote access tools (TeamViewer, AnyDesk). Terminating these processes before encryption releases the file locks they hold, so open databases, virtual disks, and backup repositories can be encrypted as well, maximizing impact.

Persistence Mechanisms

The Gentlemen establishes multiple persistence mechanisms including registry Run key modifications, scheduled task creation, service installation, and automated restart-on-boot functionality across Windows, Linux, and ESXi platforms.

Protection Strategies for Organizations

Defending against The Gentlemen ransomware requires a comprehensive, layered security approach that addresses multiple attack vectors and stages.

Access Control and Authentication

Organizations should immediately implement the following access controls:

  • Deploy multi-factor authentication (MFA) on all administrative accounts and remote access systems
  • Eliminate direct RDP exposure to the internet
  • Implement time-based access controls for privileged accounts with automatic de-escalation
  • Restrict domain controller share access with strict permission auditing
  • Monitor for mass Active Directory queries and bulk group membership changes

Companies like Microsoft and Duo Security offer robust MFA solutions that can significantly reduce the risk of credential-based attacks.

Endpoint Protection Hardening

According to security researchers, endpoint protection must be hardened against the group’s documented process termination techniques:

  • Enable Tamper Protection with anti-exploit capabilities
  • Password-protect security agent uninstallation
  • Activate Agent Self-Protection alongside Predictive Machine Learning
  • Block execution from temporary directories and user download folders
  • Implement application control to restrict unauthorized remote access tools
  • Enable driver signature verification and alert on vulnerable driver loading attempts

Network Security Measures

Network segmentation and monitoring are critical for detecting and containing lateral movement:

  • Implement network segmentation between IT management tools and production systems
  • Deploy virtual patching for vulnerabilities in VPN concentrators and firewalls
  • Monitor for anomalous administrative activity and WMI-based lateral movement
  • Implement deception technologies on critical file shares
  • Alert on unauthorized NETLOGON share modifications
  • Track WebDAV connections to internal resources

Backup and Recovery

Maintaining secure, offline backups remains the most reliable defense against ransomware:

  • Create offline, immutable backups stored separately from production networks
  • Regularly test restoration procedures to ensure rapid recovery capability
  • Implement shadow copy protection to prevent deletion by ransomware
  • Maintain backup systems that cannot be accessed through compromised administrative credentials

Behavioral Detection

Security teams should deploy behavioral detection capabilities that can identify ransomware activity patterns:

  • Monitor for mass file modification operations
  • Detect service stop commands targeting security processes
  • Alert on privilege escalation attempts and credential dumping activities
  • Track execution of reconnaissance tools like Nmap and Advanced IP Scanner
  • Identify suspicious PowerShell execution with encoding or defense evasion characteristics
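The first bullet above, mass file modification, is the behaviour most directly tied to the encryption phase described earlier (every file rewritten, many file types at once, within seconds). The sliding-window detector below is an added example, not code from the article or any vendor; the file events and process names are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Constructed file-write events: (seconds since start, process, path).
# A normal document save touches a handful of files over minutes; the
# ransomware rewrites many files of many types within seconds.
EVENTS = [(0.0, "WINWORD.EXE", r"C:\Users\ana\Documents\q3.docx"),
          (4.0, "WINWORD.EXE", r"C:\Users\ana\Documents\~$q3.docx"),
          (30.0, "WINWORD.EXE", r"C:\Users\ana\Documents\q3.docx")]
EXTS = ["docx", "xlsx", "pdf", "jpg", "sql", "bak"]
EVENTS += [(60 + 0.05 * i, "upd.exe", rf"D:\shares\finance\file{i}.{EXTS[i % len(EXTS)]}")
           for i in range(120)]  # 120 writes across 6 file types in 6 seconds

def detect_mass_modification(events, window=10.0, min_files=50, min_types=3):
    """Per process, count distinct files and distinct extensions written within
    `window` seconds. Raise one alert per process the first time both thresholds
    are exceeded; requiring several extensions filters out bulk exports that
    legitimately rewrite many files of a single type."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)  # process -> deque of (time, path) inside the window
    for t, proc, path in sorted(events):
        q = recent[proc]
        q.append((t, path))
        while q and t - q[0][0] > window:
            q.popleft()
        if proc in alerted:
            continue
        files = {p for _, p in q}
        types = {PureWindowsPath(p).suffix.lower() for p in files}
        if len(files) >= min_files and len(types) >= min_types:
            alerted.add(proc)
            alerts.append({"process": proc, "at": t, "files": len(files), "types": len(types)})
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_modification(EVENTS):
        print(alert)
```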

Patch Management

Keep all systems fully patched, prioritizing vulnerabilities in internet-facing infrastructure, particularly VPN concentrators, firewalls, and remote access gateways that The Gentlemen have been observed targeting.
