A sophisticated new ransomware threat named “The Gentlemen” has emerged, quickly establishing itself as a significant player in the cybercrime landscape. Appearing around July 2025, the group demonstrated rapid growth, publishing details of 48 victims on their dark web leak site within a two-month span from September to October 2025. Operating as a Ransomware-as-a-Service (RaaS) platform, The Gentlemen facilitates attacks by affiliates while retaining control over the core infrastructure and negotiation processes. This emerging threat underscores the evolving nature of ransomware operations and the need for enhanced cybersecurity defenses.
The Gentlemen employs a double-extortion strategy, combining encryption of victim data with exfiltration of sensitive information. The approach maximizes pressure on organizations: systems are disabled by encryption, and stolen data is threatened with public release unless the ransom is paid, so a restorable backup alone does not remove the leverage. Prior to launching their dedicated RaaS platform, the operators were observed working within affiliate programs run by other prominent ransomware groups. That period appears to have been instrumental in refining their methodology and building a more robust operation.
‘The Gentlemen’ Ransomware Targets Cross-Platform Systems with Advanced Encryption
Cybereason security researchers have identified that ‘The Gentlemen’ ransomware is not limited to a single operating system. The malware is designed to target Windows, Linux, and ESXi platforms, with a dedicated encryptor for each. This cross-platform capability significantly expands the potential victim pool, and the ESXi build in particular lets a single affiliate take down many virtual machines at once. The ransomware uses XChaCha20 for file encryption and Curve25519 for key exchange. Both are modern, well-vetted primitives, so, absent an implementation flaw, data cannot be recovered without the attacker-held private key, regardless of the skill of the responders. Recovery planning should therefore rest on offline or immutable backups rather than on the prospect of a decryptor.
Recent enhancements to the malware include automatic self-restart and run-on-boot functionality. These features bolster the ransomware’s persistence on compromised systems and make eradication harder once it is established: the encryptor can re-establish itself after an initial removal attempt. Incident responders should treat killing the process as insufficient and locate and remove the persistence mechanism, or rebuild affected hosts from known-good images.
Network Propagation and Lateral Movement Capabilities
‘The Gentlemen’ ransomware exhibits advanced capabilities for spreading across networks and moving laterally within compromised environments. The malware uses Windows Management Instrumentation (WMI) and PowerShell remoting to execute itself on other hosts. Its encryption routine only runs when a specific password is supplied as a command-line argument at execution time. This points to structured, operator-controlled deployment, and it also complicates analysis: a sample detonated in a sandbox without the password does nothing.
The ransomware supports multiple operational modes. When running under SYSTEM privileges it performs system-level encryption with deep access into the operating system. It can also encrypt network shares reached through mapped drives and UNC paths, so file servers and shared repositories are exposed even where the encryptor never executes on them. This broad reach allows ‘The Gentlemen’ to impact a wide range of resources within an organization’s network infrastructure.
To hinder detection and facilitate its spread, the ransomware actively disables Windows Defender. It does this with PowerShell commands that turn off real-time protection, and it adds its own directories and processes to Defender’s exclusion lists so that its activity is not flagged. Where Defender Tamper Protection is enabled these changes are blocked, which makes Tamper Protection a cheap and effective control against this stage of the attack.
The malware also prepares the environment for lateral movement. It modifies network settings to enable network discovery and adjusts firewall rules. These changes let the ransomware reach more systems and data across the corporate network, and they are themselves detectable: unexpected firewall rule changes or network discovery being enabled on servers are strong signals.
‘The Gentlemen’ ransomware specifically targets critical services and processes commonly found in business environments, including database engines such as MSSQL and MySQL, backup utilities like Veeam, and virtualization services such as VMware. Stopping these services releases the file locks on databases and backup repositories so they can be encrypted, and it removes the victim’s most obvious recovery path, which increases the likelihood of ransom payment.
To complicate forensic investigation and hinder incident response, the ransomware employs anti-forensics techniques. It systematically deletes Windows event logs, RDP connection history, Windows Defender support files, and Prefetch data. This deliberate destruction of evidence makes it significantly harder for security teams to reconstruct the attack timeline, identify the initial point of compromise, and understand the full scope of the breach. Forwarding event logs to a central collector as they are written blunts this technique, since clearing a local log does not remove copies already shipped off-host, and the clearing itself is recorded as a security event.
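The behaviours described in the preceding paragraphs (Defender tampering, firewall and network discovery changes, stopping backup and database services, log wiping, and execution via WMI or PowerShell remoting) are individually noisy but collectively distinctive. The following is an added detection example, not code from the original report or from Cybereason: it runs a small rule set over constructed, Sysmon-style process-creation events and flags a host once several distinct categories co-occur. The sample events, rule names, and command-line patterns (such as `Set-MpPreference` and `wevtutil cl`) are this example's own assumptions about how the tradecraft would appear in telemetry, not observed indicators from this campaign.

```python
"""Rule-based triage of process-creation events for the tradecraft described above.
The events and patterns below are constructed for illustration; tune them against
your own baseline before deploying."""
import re
from collections import defaultdict

# (category, regex over the command line).  Several rules may share a category;
# alerting is on the number of distinct categories seen per host.
RULES = [
    ("defender_tamper", re.compile(r"Set-MpPreference\s.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I)),
    ("defender_tamper", re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("firewall_tamper", re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off|Set-NetFirewallProfile\s.*-Enabled\s+False", re.I)),
    ("network_discovery", re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="Network Discovery"', re.I)),
    ("service_kill", re.compile(r"\b(net\s+stop|sc\s+stop|taskkill\b.*?/im)\b.*\b(veeam|mssql|sqlserv|mysql|vmware)", re.I)),
    ("log_wipe", re.compile(r"wevtutil\s+(cl|clear-log)\b|Clear-EventLog\b", re.I)),
    ("log_wipe", re.compile(r"\b(del|rm|Remove-Item)\b.*\\Windows\\Prefetch", re.I)),
    ("log_wipe", re.compile(r"reg\s+delete\b.*Terminal Server Client", re.I)),
]

# Parent processes that indicate the child was launched remotely via WMI
# (WmiPrvSE.exe) or PowerShell remoting (wsmprovhost.exe).
REMOTE_PARENTS = ("wmiprvse.exe", "wsmprovhost.exe")


def classify(event):
    """Return the set of categories a single process-creation event triggers."""
    hits = {cat for cat, rx in RULES if rx.search(event["cmdline"])}
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    if parent in REMOTE_PARENTS:
        hits.add("remote_exec")
    return hits


def score_hosts(events, threshold=3):
    """Aggregate categories per host; flag hosts reaching `threshold` distinct ones.

    A lone Defender exclusion is routine admin work; exclusions plus service
    stops plus log clearing on one host is not.
    """
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= threshold}


# Constructed sample telemetry (hypothetical hosts FS01 and WS07).
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "FS01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": PS,
     "cmdline": r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "FS01", "parent_image": CMD, "image": PS,
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\ProgramData\upd"'},
    {"host": "FS01", "parent_image": CMD, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"host": "FS01", "parent_image": CMD, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net stop VeeamBackupSvc /y"},
    {"host": "FS01", "parent_image": CMD, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil cl Security"},
    {"host": "FS01", "parent_image": CMD, "image": CMD,
     "cmdline": r"cmd.exe /c del /q /f C:\Windows\Prefetch\*.pf"},
    # Benign-looking admin activity elsewhere: a single category must not alert.
    {"host": "WS07", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'},
]

if __name__ == "__main__":
    for host, cats in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

On the constructed sample, FS01 is flagged with five distinct categories while WS07, which only added one exclusion, stays below the threshold. In production the same logic would run over Sysmon Event ID 1 or EDR process telemetry, ideally alongside Windows Security Event ID 1102 (audit log cleared), which survives the wipe when logs are forwarded off-host.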
The emergence of ‘The Gentlemen’ ransomware highlights the persistent and evolving threat posed by sophisticated cybercriminal operations. Organizations should prioritize robust security measures, including regular patching, multi-factor authentication, employee cybersecurity awareness training, offline or immutable backups with tested restores, Defender Tamper Protection, and centralized log forwarding, to mitigate the risks associated with such threats. The continued development of RaaS platforms by groups like ‘The Gentlemen’ indicates that the landscape will remain challenging, requiring constant vigilance and adaptation of defensive strategies.