A new and sophisticated ransomware threat, dubbed “The Gentlemen,” has emerged, demonstrating advanced attack capabilities and a well-structured operational model. First observed around July 2025, the group quickly established a significant presence, publishing 48 identified victims on their dark web leak site between September and October 2025. This burgeoning ransomware operation is notable for its Ransomware-as-a-Service (RaaS) approach, allowing affiliates to deploy attacks while the core operators manage the critical infrastructure and negotiation processes.
The Gentlemen ransomware group employs a double-extortion strategy, combining the classic tactic of encrypting victim data with data theft and exfiltration. This dual approach significantly amplifies pressure on targeted organizations, which face both the immediate operational paralysis of encrypted systems and the long-term risk of sensitive information being leaked publicly on the dark web. According to security researchers, the group appears to have first experimented as an affiliate of other prominent ransomware programs, and that experience informed the design of this more refined and dangerous operation.
“The Gentlemen” Ransomware’s Technical Sophistication and Cross-Platform Targeting
Security researchers, including those at Cybereason, have identified that “The Gentlemen” ransomware is engineered to target a broad spectrum of platforms. Specialized encryption tools have been developed for Windows, Linux, and the widely used ESXi virtualization environment. This cross-platform capability allows the group to maximize its potential victim pool and impact across diverse IT infrastructures.
The malware uses strong, well-established cryptographic primitives, specifically XChaCha20 and Curve25519, to secure victim files. Without the corresponding private key, recovering the data is computationally infeasible, making decryption without the attackers' key an extremely arduous, and often impossible, task. Recent enhancements to the ransomware include automatic self-restart and run-on-boot functionality. These capabilities ensure persistence on compromised systems, making it more challenging for defenders to remove the malware once an infection has occurred.
Network Propagation and Lateral Movement Capabilities
“The Gentlemen” ransomware exhibits advanced capabilities for spreading across networks and gaining further access. The malware leverages Windows Management Instrumentation (WMI) and PowerShell remoting to move laterally within victim environments. The encryption routine runs only when a specific password is supplied as an argument.
The ransomware supports multiple operational modes designed for broad impact. This includes system-level encryption performed under elevated SYSTEM privileges, as well as encryption of network shares accessed through mapped drives and UNC paths. To hinder defensive measures, the malware actively disables Windows Defender. It achieves this by executing PowerShell commands to turn off real-time protection and by adding specific directories and processes to exclusion lists, effectively blinding one of the primary security tools.
Furthermore, the ransomware enhances its internal reconnaissance and movement capabilities by enabling network discovery and manipulating firewall rules. This strategic approach facilitates easier and faster lateral movement across corporate networks, allowing the attackers to reach critical assets and sensitive data repositories. The malware is programmed to target key services and processes, including database engines such as MSSQL and MySQL, backup utilities like Veeam, and critical virtualization services such as VMware, further disrupting business operations.
In an effort to evade detection and complicate forensic investigations, “The Gentlemen” ransomware employs anti-forensics techniques. It systematically deletes various logs, including Windows event logs, RDP connection logs, Windows Defender support files, and Prefetch data. This meticulous deletion of evidence significantly impedes incident response efforts and makes timeline reconstruction a formidable challenge for security teams attempting to understand the full scope and progression of an attack.
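The Defender tampering and log deletion described above leave traces in PowerShell script-block and process-creation telemetry. The following is an added detection example, not code from the original report or from the researchers it cites; the event records are constructed samples and the rule names and technique IDs are illustrative triage labels.

```python
import re

# Constructed sample records modelled on PowerShell script-block (4104) and
# process-creation (Sysmon EID 1 / 4688) events; not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01", "cmd": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4104, "host": "ws01", "cmd": "Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"},
    {"id": 1, "host": "ws01", "cmd": "wevtutil.exe cl Security"},
    {"id": 1, "host": "ws01", "cmd": "cmd.exe /c del /q C:\\Windows\\Prefetch\\*.pf"},
    {"id": 1, "host": "srv02", "cmd": "netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes"},
    {"id": 4104, "host": "admin01", "cmd": "Get-MpPreference"},  # benign read-only query
]

# Each rule: (name, case-insensitive regex over the command line, ATT&CK technique).
RULES = [
    ("defender_realtime_disabled", r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", "T1562.001"),
    ("defender_exclusion_added", r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", "T1562.001"),
    ("eventlog_cleared", r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog\b", "T1070.001"),
    ("prefetch_deleted", r"\\Prefetch\\", "T1070.004"),
    ("firewall_or_discovery_changed", r"netsh\s+advfirewall\b|(Set|Enable)-NetFirewallRule\b", "T1562.004"),
]


def match_event(event):
    """Return the list of (rule name, technique) pairs whose pattern hits this event."""
    hits = []
    for name, pattern, technique in RULES:
        if re.search(pattern, event["cmd"], re.IGNORECASE):
            hits.append((name, technique))
    return hits


def score_hosts(events):
    """Map each host to the set of (rule, technique) hits observed on it."""
    per_host = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return per_host


def escalated_hosts(events):
    """Hosts tripping rules from two or more distinct techniques, e.g. impairing
    defences and then removing indicators, are escalated rather than just alerted."""
    per_host = score_hosts(events)
    return sorted(h for h, hits in per_host.items() if len({t for _, t in hits}) >= 2)


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
    print("escalate:", escalated_hosts(SAMPLE_EVENTS))
```

A single exclusion or firewall change is routine administration; the combination across techniques on one host within a short window is what distinguishes this tradecraft from noise.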
The emergence of “The Gentlemen” ransomware underscores the evolving sophistication of cybercriminal operations. Organizations should prioritize robust cybersecurity measures, including regular security awareness training, up-to-date endpoint detection and response (EDR) solutions, and comprehensive data backup strategies. Continuous monitoring of network activity and prompt patching of vulnerabilities remain critical defenses against such advanced threats.