{
	"id": "b0d047e9-e937-4d5c-a0c4-7c3cb209a2a7",
	"created_at": "2026-04-06T00:13:45.074152Z",
	"updated_at": "2026-04-10T03:26:51.884677Z",
	"deleted_at": null,
	"sha1_hash": "fa3d54d8bed727a60a8a85b3ec2385f73d96cc28",
	"title": "License to Encrypt: “The Gentlemen” Make Their Move",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1974577,
	"plain_text": "License to Encrypt: “The Gentlemen” Make Their Move\r\nBy Cybereason Security Services Team\r\nArchived: 2026-04-05 12:55:44 UTC\r\nCybereason Threat Intelligence Team recently conducted an analysis of \"The Gentlemen\" ransomware group, which emerged around July 2025 as a ransomware threat actor group with relatively advanced methodologies. The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid. The group has demonstrated a unique approach by combining established ransomware techniques with newer strategies, making them quick to adapt to new attack vectors and allowing them to remain a persistent and evolving threat to organizations worldwide.\r\nKey points\r\nEmergence of “The Gentlemen”: “The Gentlemen” ransomware group emerged around July 2025 and, according to their data leak site activity, began the publication of 48 victims in September and October 2025. They employ advanced dual-extortion tactics, encrypting data while also exfiltrating sensitive business information, threatening to release it unless a ransom is paid.\r\nhttps://www.cybereason.com/blog/the-gentlemen-ransomware\r\nPage 1 of 16\n\n“The Gentlemen” DLS is Online\r\nDevelopment of RaaS and Affiliate Models: According to a statement from PRODAFT, before creating their own Ransomware-as-a-Service (RaaS) platform, “The Gentlemen” experimented with various affiliate models used by other prominent ransomware groups. This experience allowed them to refine their methods and eventually create their own RaaS operation.\r\nHastalamuerte (LARVA-368) was seeking access to the Qilin ransomware locker panel. They mention being new to the operations and express interest in exploring other ransomware software options on the market. This suggests that the user may have been considering or testing various RaaS platforms before eventually developing their own.\r\nLatest Ransomware Update: The most recent update from The Gentlemen introduces advanced capabilities for automatic self-restart and run-on-boot functionality, enhancing their persistence on compromised systems. The ransomware also now supports flexible encryption speeds and distribution methods using WMI, PowerShell remoting, and other tools to propagate across networks. Additionally, it targets both local disks and network-shared drives, emphasizing the group's evolving approach to maintaining control and increasing the impact of their attacks.\r\nThe ransomware changelogs from the darknet forum\r\nThe group has released significant updates to its Win/Linux/ESXi locker variants, introducing improved automation, persistence, and encryption performance.\r\nPersistence \u0026 Automation:\r\nImplements automatic self-restart at run-on-boot, leveraging schtasks and registry entries.\r\nSupports silent mode (-silent) for stealth execution.\r\nEncryption Enhancements:\r\nEncrypts both removable and mapped drives, while preserving original file modification dates.\r\nImproved propagation techniques using WMI, SCHTASKS, SC (Service Control), and PowerShell Remoting.\r\nNotable performance boost: encryption speed increased by 9–15%.\r\nExecution Modes:\r\nCan operate under SYSTEM privileges for full local disk access.\r\nSupports dual operation: local + network encryption from the same session.\r\nTarget Scope:\r\nAimed at both physical and virtual Windows environments.\r\nSupport expanded for broader OS coverage.\r\nPersistence \u0026 Privilege Escalation:\r\nNow features automatic restart at boot on Linux via system-level autostart.\r\nCapable of privilege escalation from user to root depending on configuration.\r\nSilent Mode \u0026 Encryption:\r\nIncludes -silent execution mode for Linux systems.\r\nEnhancements in file handling and timestamp preservation.\r\nUses a “wipe-after” mechanism to securely remove free disk space after encryption, complicating recovery.\r\nCore-Locker Integration:\r\nModular architecture allows seamless execution post-encryption for cleanup tasks.\r\nVMware/ESXi Focus:\r\nOptimized for encrypting multiple ESXi instances across clustered hosts, including vSAN storage.\r\nImproved concurrency to handle simultaneous operations across hypervisors.\r\nThe Gentlemen Ransomware-as-a-Service\r\nOn various cybercrime forums, “The Gentlemen” ransomware is promoted as an advanced Ransomware-as-a-Service (RaaS) solution, designed to offer highly configurable features tailored for a variety of attack scenarios. This RaaS program appeals to affiliates with its strong technical capabilities, providing them with versatile tools for large-scale deployments and efficient operations.\r\nThe Gentlemen ransomware combines advanced encryption techniques with dynamic propagation options, allowing operators to target and infect a broad range of systems, including Windows, Linux, and ESXi platforms. The service is continuously updated to adapt to new defense strategies, maintaining its relevance and effectiveness in a fast-evolving threat landscape.\r\nKey capabilities include its powerful encryption mechanisms, specialized ESXi lockers, and persistent access features, including self-restart and run-on-boot functionality. Additionally, the group’s dual-extortion tactics, encrypting files while exfiltrating sensitive data for later release, are central to its operational strategy.\r\n“The Gentlemen” accounts on dark web forums and X.\r\nRaaS Capabilities:\r\nReliable Encryption: Uses XChaCha20 and Curve25519 for robust file encryption, ensuring secure data locking.\r\nConfigurable Attack Methods: The ransomware offers flexible encryption methods, allowing operators to adjust speed and thoroughness, optimizing attack outcomes.\r\nESXi Locker: A specialized locker designed for ESXi environments, providing asynchronous encryption and stealthy operations to avoid detection.\r\nDual-Extortion Tactics: Encrypts critical data while exfiltrating it for ransom demands. The group has published 47 victims on their dark web leak site within just two months of operation.\r\nPersistence and Propagation: Employs self-restart and run-on-boot features to ensure continued access to compromised systems. The ransomware also spreads via WMI and PowerShell remoting, exploiting network-shared drives and credentials to expand its reach.\r\nRaaS Model: Operates as a Ransomware-as-a-Service, allowing affiliates to deploy payloads while maintaining control over the infrastructure. The service includes customizable build options for affiliates and continuous support.\r\nBelow is detailed information on how The Gentlemen ransomware is offered as a Ransomware-as-a-Service (RaaS) and its key features.\r\nBriefly about the available functionality:\r\nReliable Encryption: Uses XChaCha20 and Curve25519 for strong file encryption.\r\nConfigurable Encryption Modes: Operators can adjust encryption methods for speed and depth, ensuring optimal performance.\r\nSelf-Persistence: Ensures continued control over infected systems using self-restart and run-on-boot options.\r\nTargeted Encryption: Capable of encrypting specific directories or entire systems, including ESXi servers.\r\nDual-Extortion: Exfiltrates sensitive data alongside encryption, threatening to release it unless the ransom is paid.\r\nNetwork Propagation: Uses WMI and PowerShell remoting to spread across local networks and gain access to additional systems.\r\nFlexible Settings: Offers a customizable build with both pre-configured and custom settings for affiliates to adapt their attack strategy.\r\nSupport for Affiliates: The RaaS platform includes full support for negotiations and flexible control over ransom demands.\r\nGeographic Restrictions: Work is prohibited in Russia and CIS countries.\r\nData Collection: Affiliates must upload encrypted data to a public cloud or approved resource, which will be displayed on the group’s blog.\r\nSecurity Features: The program offers tools such as EDR-killer and the multi-chain system only to trusted affiliates.\r\n“The Gentlemen” ESXi locker version\r\nA forum user claimed that the locker used by “The Gentlemen” ransomware is written using 'vibecoding' techniques, while “The Gentlemen” seem to approve this statement.\r\nTechnical Analysis\r\nIn this section, we performed an analysis of the ransomware executable file and observed technique similarities with other ransomware groups that existed before.\r\nThe file hash is as follows:\r\n3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235\r\nThe Gentlemen (Windows, Go variant)\r\nThe file we analyzed is a 64-bit Windows executable, written in Golang:\r\n“Detect it Easy” analysis information\r\nWhen launched, the ransomware executable provides an extensive help message, showing various options and flags available:\r\nWindows Variant Command Line Options\r\nThe malware requires a “--password” argument to run the encryption routine. We assume that the argument is passed to the executable by a dropper or other kind of loader at the first step of infection.\r\nThe listed ransomware executable options are as follows:\r\nUsage: %s --password PASS [--path DIR1,DIR2,] [--T MIN] [--silent] [--full] [--system] [--shares] [--fast] [--superfast] [--ultrafast]\r\nMain flags:\r\n --password PASS Access password (required)\r\n --path DIRS Comma-separated list of target directories/disks (optional)\r\n --T MIN Delay before start, in minutes (optional)\r\n --silent Silent mode: do NOT rename files after encryption (optional).\r\nMode flags:\r\n --system (encrypt local drives as SYSTEM), --shares (map shares / UNC), --full (two-phase: system + shares).\r\nSpeed flags:\r\n --fast (9% crypt), --superfast (3% crypt), --ultrafast (1% crypt).\r\nExample invocations:\r\n Example 1: --password QWERTY --path \"C:\\,D:\\,\\\\nas\\share\" --T 15 --silent\r\n Example 2: --password QWERTY --system --fast\r\n Example 3: --password QWERTY --shares --T 10\r\n Example 4: --password QWERTY --full --ultrafast\r\nA quick static analysis shows that the executable contains a hardcoded plaintext ransom note:\r\nThe Gentlemen Ransom Note\r\nWhile performing the static analysis, we found a hardcoded string “ ! \u003c...\u003e Ransom Protection(DON’T DELETE)” in the sample:\r\nDecompiled code segment from the Gentlemen ransomware sample showing the embedded string “ ! \u003c...\u003e Ransom Protection(DON’T DELETE)”\r\nAfter researching, Cybereason Threat Intelligence Team identified a forum post by a user “Hastalamuerte” that discussed the same marker present in “The Gentlemen” sample, while describing its relation to anti-ransomware functionality.\r\nA forum post shared by a user operating under the alias “hastalamuerte” discusses the string “ ! \u003c...\u003e Ransom Protection(DON’T DELETE)” as an example of anti-ransomware protection and bypass solutions.\r\n“The Gentlemen” PowerShell Operation\r\nIn this section we analyze the PowerShell commands executed by the ransomware.\r\nThe sample includes a PowerShell command designed to execute remotely via Invoke-Command:\r\nInvoke-Command -ComputerName %s -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true; Add\r\nThe command disables Windows Defender’s real-time protection and adds both a directory (C:\\) and a process to the exclusions, a common tactic used by ransomware to evade detection before encryption.\r\nCybereason detection of malicious PowerShell command execution\r\nOther commands executed by the ransomware include:\r\nWrite-Host \" ♤ The Gentlemen \" -BackgroundColor DarkGray -ForegroundColor White -NoNewline\r\nThis command prints the string “♤ The Gentlemen” to the console with custom colors, serving as a visual identifier or branding element for the ransomware during execution.\r\nGet-NetFirewallRule -DisplayGroup \"Network Discovery\" | Enable-NetFirewallRule\r\nThis command enables Windows Firewall rules in the “Network Discovery” group, effectively opening discovery and file-sharing related ports.\r\nAppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt\r\nThis path points to the PowerShell PSReadLine history file (ConsoleHost_history.txt), which can contain a record of executed PowerShell commands and is a valuable forensic artifact for reconstructing attacker activity.\r\ndel /f /q %SystemRoot%\\System32\\LogFiles\\RDP*\\*.*\r\ndel /f /q C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*\r\ndel /f /q C:\\Windows\\Prefetch\\*.*\r\nThese commands are explicit anti-forensics actions that erase evidence of interactive access, endpoint protection telemetry, and application execution history, making post-incident investigation and timeline reconstruction far more difficult.\r\nCybereason detection of log removal\r\nping localhost -n 3 \u003e nul \u0026 del\r\nThe malware removes itself from the system after execution.\r\n$p = [WMICLASS]\"\\\\\\\\%s\\root\\cimv2:Win32_Process\"; $p.Create(\"%s\")\r\nThis PowerShell snippet uses the WMI Win32_Process class to remotely create a process on \\\\\u003chost\u003e\\root\\cimv2, enabling adversaries to execute commands on other machines for lateral movement or distributed execution.\r\n$volumes=@();$volumes+=Get-WmiObject -Class Win32_Volume|Where-Object{$_.Name -like '*:\\*'}|Select-Object -ExpandProperty Name;try{$volumes+=Get-ClusterSharedVolume|ForEach-Object{$_.SharedVolumeInfo.FriendlyVolumeName}}catch{};$volumes\r\nThis PowerShell snippet enumerates local drive volumes (Win32_Volume) and attempts to include Cluster Shared Volumes (Get-ClusterSharedVolume), collecting their names into $volumes, a routine used to discover all potential targets (local, clustered, and network-mounted volumes) before performing broad encryption or selective exclusion.\r\nicacls \u003cpath\u003e /grant *S-1-1-0:(OI)(CI)F\r\nThe ICACLS command in Windows is used to modify file and directory permissions. This command grants full control to the Everyone group (represented by the S-1-1-0 security identifier) for the specified folder and all its contents, including subfolders and files. The (OI) and (CI) flags ensure that the permissions apply to both files (Object Inherit) and subdirectories (Container Inherit).\r\nTargeted Processes and Services\r\nThe Gentlemen ransomware contains a built-in kill list designed to stop critical services and processes before encryption. These include database engines, backup utilities, remote-access tools, and virtualization service components that could otherwise block file access or enable recovery.\r\nProcesses and services referenced:\r\nsqlservr, MSSQL, MSSQL$SQLEXPRESS, SQLAGENT, SQLWriter, Ssms, postgres, postmaster, psql, postgresql, MySQL, mysqld, veeam, GxVss, vsnapvss, xfssvccon, qbdbMgrN, TeamViewer, MSExchange, vmms, and other processes and services.\r\nRegistry Keys Usage\r\nThe sample embeds multiple Windows registry references that point to both persistence and system-configuration manipulation. Notably, it contains HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (common autorun locations used for persistence), HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa (security/authentication-related settings), and HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters (server/SMB share configuration). It also references SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones, which may be read for localization/timestamp handling. Taken together, these registry touches indicate that the malware is built for persistence, security policy interaction, and network-share behaviour modification in support of large-scale encryption.\r\nConclusion\r\nCybereason’s analysis shows that “The Gentlemen” is a highly adaptive, fast-moving ransomware operation that blends mature ransomware techniques with RaaS features, dual-extortion, cross-platform (Windows/Linux/ESXi) lockers, automated persistence, flexible propagation, and affiliate support, allowing it to scale attacks and evade basic defenses quickly. Its rapid victim publication, powerful encryption (XChaCha20/Curve25519), EDR-evasion tactics and tooling for lateral movement make it a credible and persistent risk to organizations.\r\nRecommendations:\r\nFollow and hunt “The Gentlemen” Locker affiliate activity in order to identify pre-ransomware behaviors.\r\nPromote cybersecurity best practices such as multifactor authentication and patch management.\r\nRegularly back up files and create a backup process and policy: restoring your files from a backup is the fastest way to regain access to your data.\r\nKeep systems fully patched: make sure your systems are patched in order to mitigate vulnerabilities.\r\nIf nefarious activity is detected, immediately involve Incident Response services to execute a thorough investigation and containment process in order to fully eliminate the threat actor from the infected network.\r\nFor Cybereason customers on the Cybereason Defense Platform:\r\nEnable Anti-Malware and set the Anti-Malware \u003e Signatures mode to Prevent, Quarantine, or Disinfect.\r\nEnable Anti-Ransomware (PRP), set Anti-Ransomware to Quarantine mode and enable shadow copy protection.\r\nEnable Application Control.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.\r\nIOC\r\nIOC | Type | Description\r\n3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 | SHA256 | Windows Ransomware Sample\r\n51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2 | SHA256 | Windows Ransomware Sample\r\nTactic | ATT\u0026CK Technique (ID)\r\nTA0002: Execution | T1059.001 – Command and Scripting Interpreter: PowerShell; T1569.002 – System Services: Service Execution\r\nTA0003: Persistence | T1547.001 – Registry Run Keys / Startup Folder\r\nTA0005: Defense Evasion | T1070.004 – Indicator Removal on Host: File Deletion; T1070.001 – Indicator Removal on Host: Clear Windows Event Logs; T1562.001 – Impair Defenses: Disable or Modify Security Tools; T1562 – Impair Defenses; T1222 – File and Directory Permissions Modification; T1218 – System Binary Proxy Execution (use of trusted Windows utilities such as vssadmin, wevtutil, and taskkill)\r\nTA0007: Discovery | T1083 – File and Directory Discovery; T1135 – Network Share Discovery; T1018 – Remote System Discovery\r\nTA0008: Lateral Movement | T1047 – Windows Management Instrumentation (WMI); T1021.002 – Remote Services: SMB/Windows Admin Shares\r\nTA0040: Impact | T1486 – Data Encrypted for Impact; T1489 – Service Stop; T1490 – Inhibit System Recovery\r\nAbout The Researcher\r\nMark Tsipershtein, Security Researcher\r\nMark Tsipershtein, a security researcher at the Cybereason Security Research Team, focuses on research, analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security research.\r\nSource: https://www.cybereason.com/blog/the-gentlemen-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.cybereason.com/blog/the-gentlemen-ransomware"
	],
	"report_names": [
		"the-gentlemen-ransomware"
	],
	"threat_actors": [
		{
			"id": "d513772b-a5ef-4e28-9e9d-d1c2bcd32737",
			"created_at": "2026-03-08T02:00:03.462729Z",
			"updated_at": "2026-04-10T02:00:03.97828Z",
			"deleted_at": null,
			"main_name": "The Gentlemen",
			"aliases": [],
			"source_name": "MISPGALAXY:The Gentlemen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775791611,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa3d54d8bed727a60a8a85b3ec2385f73d96cc28.pdf",
		"text": "https://archive.orkl.eu/fa3d54d8bed727a60a8a85b3ec2385f73d96cc28.txt",
		"img": "https://archive.orkl.eu/fa3d54d8bed727a60a8a85b3ec2385f73d96cc28.jpg"
	}
}