
You've probably assumed that a single infected laptop is a contained problem your IT team can isolate before it spreads. What many security teams don't realize is that one ransomware family now automates its way across an entire Windows network using 21 different remote execution methods, with almost no human operator needed after the initial foothold. In this guide, you'll learn how The Gentlemen ransomware propagates, what it does before it encrypts a single file, and how to detect it early.
Key Takeaways
▸
The Gentlemen is a Go-based ransomware-as-a-service (RaaS) operation first observed in mid-2025 that has since claimed hundreds of victims worldwide.
▸
The malware includes a self-propagation engine, triggered by a --spread argument, that attempts 21 distinct remote execution and lateral movement techniques across a compromised network.
▸
Before encrypting anything, the ransomware disables Microsoft Defender, deletes shadow copies, clears event logs, and shuts down backup software to maximize damage and slow recovery.
▸
Files are encrypted using a Curve25519 and XChaCha20 hybrid scheme and renamed with the .umc16h extension, alongside a ransom note named README-GENTLEMEN.txt.
▸
The group has demonstrated the ability to abuse Active Directory Group Policy to detonate ransomware simultaneously across every machine in a domain.
▸
Lateral movement tools observed include PsExec, PowerShell Remoting, WMI, WinRM, scheduled tasks, RDP, SSH, and living-off-the-land binaries already trusted by most enterprise environments.
▸
Organizations across healthcare, education, manufacturing, government, and critical infrastructure have been affected, reflecting broad, opportunistic targeting rather than a single-industry focus.
What Is The Gentlemen Ransomware?
The Gentlemen is a ransomware-as-a-service (RaaS) family written in the Go programming language that combines strong encryption with a worm-like propagation engine capable of spreading across an entire enterprise network from one compromised endpoint. The malware was first observed in mid-2025 and has since evolved into a full RaaS platform, meaning its developers lease access to affiliates who carry out attacks in exchange for a cut of ransom payments. Researchers at Picus Security and Microsoft have both published detailed technical breakdowns of its behavior.
Read More:
Top comments (0)