DEV Community

Mark0
DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

The Gentlemen Ransomware-as-a-Service (RaaS) is an emerging threat operation that debuted in mid-2025, offering a sophisticated multi-platform locker written in Go and C. The group targets Windows, Linux, and ESXi environments, utilizing a double-extortion model where stolen data is advertised on a Tor leak site while negotiations are handled via the Tox P2P messaging protocol. Recent incident response cases show that the group's affiliates are highly capable, integrating mature post-exploitation tools like Cobalt Strike and SystemBC to maintain control and facilitate lateral movement across victim networks.

Technically, the Gentlemen ransomware stands out for its aggressive lateral movement and mass-deployment capabilities. It can be distributed environment-wide via Group Policy Objects (GPOs) or through multi-channel execution scripts using PsExec, WMI, and scheduled tasks. To hinder recovery and analysis, the malware actively suppresses defensive measures by disabling Windows Defender and firewalls, while employing partial encryption modes (fast, superfast, ultrafast) using the XChaCha20 stream cipher to maximize the speed of the impact phase.
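Partial encryption modes leave most of each file in cleartext, which matters for triage and recovery: an analyst can tell fully encrypted files from partially encrypted ones by measuring per-chunk entropy. The script below is an added example for that triage step, not code from the report or the ransomware; the chunk size, entropy threshold, and the assumption that the first 16 KiB of the sample file was overwritten are all constructed for illustration, and SHA-256 output stands in for XChaCha20 ciphertext.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096          # assumed triage granularity; not from the report
ENC_THRESHOLD = 7.0   # bits/byte; ciphertext or random data scores close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a chunk (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def encrypted_chunk_ratio(data: bytes, chunk: int = CHUNK) -> float:
    """Fraction of fixed-size chunks whose entropy looks like ciphertext."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return 0.0
    high = sum(1 for c in chunks if shannon_entropy(c) >= ENC_THRESHOLD)
    return high / len(chunks)

def classify(data: bytes) -> str:
    """Triage label: 'plaintext', 'partial' or 'full' (cut-offs are assumptions)."""
    ratio = encrypted_chunk_ratio(data)
    if ratio == 0.0:
        return "plaintext"
    if ratio >= 0.95:
        return "full"
    return "partial"

def pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for stream-cipher output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed sample files: untouched plaintext, a partial mode that overwrote only
# the first 16 KiB of 64 KiB, and a fully encrypted file.
PLAIN = (b"Quarterly report, section 1. Revenue figures follow.\n" * 2000)[:64 * 1024]
PARTIAL = pseudo_ciphertext(16 * 1024) + PLAIN[16 * 1024:]
FULL = pseudo_ciphertext(64 * 1024)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("partial", PARTIAL), ("full", FULL)):
        print(f"{name:8s} ratio={encrypted_chunk_ratio(blob):.2f} -> {classify(blob)}")
```

Files labelled "partial" still carry recoverable cleartext in their untouched chunks, which is worth recording during evidence collection before any restore decision.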
