Gentlemen Ransomware Exploits 21 Remote Execution Techniques
Key Takeaways The Gentlemen ransomware, written in Go, employs a sophisticated self-spreading worm engine to compromise entire networks from a single infected device. It utilizes 21 distinct remote...
Key Takeaways
- The Gentlemen ransomware, written in Go, employs a sophisticated self-spreading worm engine to compromise entire networks from a single infected device.
- It utilizes 21 distinct remote execution techniques, including PsExec and PowerShell, to ensure lateral movement and payload delivery across an organization’s infrastructure.
- The ransomware actively disables security defenses, wipes forensic logs, and deletes Volume Shadow Copies to hinder recovery efforts.
- A hybrid encryption scheme (Curve25519 and XChaCha20) is used, generating unique keys for each file, making decryption without the attacker’s private key virtually impossible.
- The threat actors behind The Gentlemen are recruiting affiliates, including penetration testers and initial access brokers, indicating a likely expansion of their operations and targeting.
A formidable new ransomware variant, dubbed “The Gentlemen,” has emerged as a significant threat in the cybersecurity landscape this year. This malware distinguishes itself with a potent combination of robust encryption and a self-propagating worm capability, allowing it to rapidly compromise an entire corporate network from an initial point of infection.
Table Of Content
Developed in the Go programming language and obfuscated using the Garble tool, The Gentlemen ransomware was first observed in mid-2025. It has since evolved into a full-fledged Ransomware-as-a-Service (RaaS) operation, expanding its reach and impact across various sectors globally.
Unlike typical ransomware that merely encrypts files on the compromised host, The Gentlemen actively seeks out and infects other machines within the same network. This worm-like behavior transforms a single infected workstation or server into a springboard for a widespread attack, significantly amplifying its destructive potential.
Analysts and researchers from Picus Security said in a report shared with Cyber Security News (CSN) that they have thoroughly investigated this malware, providing a comprehensive breakdown of its operational sequence. Their findings highlight a methodical attack chain, commencing with password validation and privilege escalation, progressing through defense evasion and encryption, and culminating in network-wide propagation.
The ransomware has already impacted diverse organizations across North America, South America, Europe, Africa, and Asia, affecting sectors such as education, transportation, healthcare, and finance. The group responsible for The Gentlemen has also been observed collaborating with the BreachForums community to recruit affiliates, including experienced penetration testers and initial access brokers. This recruitment strategy suggests a concerted effort to broaden their attack capabilities and target base. Coupled with double extortion tactics—where stolen data is leveraged alongside encryption—The Gentlemen poses a severe and multifaceted risk to organizations of all sizes and industries.
The Gentlemen Ransomware Uses 21 Remote Execution Techniques
The self-propagation mechanism of The Gentlemen ransomware is activated by a command-line flag, –spread, a feature that sets it apart from more conventional single-host ransomware strains. Once initiated, the infected machine transforms into a distribution hub. It achieves this by copying its executable binary into a designated folder and then publishing it via a hidden network share configured for anonymous access.
Subsequently, the malware deploys PsExec, a legitimate system tool, either from a local copy or by downloading it. It then initiates a network scan to identify accessible machines, encompassing workstations, servers, and domain controllers. Every discovered system becomes a potential target for further infection.
Before delivering the ransomware payload to a target, The Gentlemen executes a preliminary script designed to weaken the remote machine’s security posture. This script disables security monitoring, deactivates firewall protection, and even re-enables an outdated and insecure version of the Server Message Block (SMB) file-sharing protocol. Only after these defensive measures are compromised does the ransomware attempt to execute its encryption payload.
To ensure successful payload delivery, the ransomware employs an impressive array of 21 distinct remote execution methods per target. These techniques include remote file copying, leveraging PsExec, creating scheduled tasks, manipulating Windows services, and various PowerShell-based approaches. The modular nature of these methods means that only one successful execution path is required for the infection to spread further across the network.
Encryption and Defense Evasion Tactics
Prior to initiating any file encryption, The Gentlemen ransomware meticulously works to neutralize defensive mechanisms. It disables Microsoft Defender, systematically wipes forensic logs, and deletes Volume Shadow Copies twice using separate commands to ensure thorough removal. Furthermore, it clears command history and eliminates backup and recovery tools, significantly complicating system restoration efforts without succumbing to the ransom demand.
For its encryption process, the malware utilizes a sophisticated hybrid cryptographic approach. It combines Curve25519 elliptic curve cryptography with the XChaCha20 stream cipher. This method generates a unique encryption key for every individual file it targets, rendering decryption without the attacker’s specific private key virtually impossible. Each encrypted file is also renamed with a distinctive .umc16h extension, further indicating compromise. The ransomware also leaves a ransom note, typically named README-GENTLEMEN.txt, on affected systems.
During its propagation, the malware binary is often staged in the C:Temp directory, and it utilizes a hidden SMB share, <self>share$, for anonymous access during its lateral movement.
What You Should Do
- Prioritize validating your organization’s defenses against the specific attack chain employed by The Gentlemen ransomware, rather than relying solely on generic ransomware protections.
- Implement and regularly test security controls through real-world attack simulations to identify and remediate vulnerabilities.
- Maintain robust, isolated, and regularly tested offline backups of critical data to ensure recovery capabilities without paying a ransom.
- Enhance monitoring capabilities to detect specific commands, file system changes (e.g.,
.umc16hfile extensions,README-GENTLEMEN.txtransom notes), and network behaviors associated with this ransomware, particularly the use of PsExec and anonymous SMB shares (<self>share$). - Strengthen endpoint detection and response (EDR) solutions to identify and block attempts to disable security software, clear logs, or delete Volume Shadow Copies.
- Review and harden network configurations, specifically by disabling or restricting outdated and insecure protocols like older SMB versions, and ensure strict access controls on network shares.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.