A new ransomware strain, dubbed Gentlemen ransomware, has emerged as a significant threat, rapidly breaching corporate networks globally since its identification in August 2025. This sophisticated cybercriminal operation employs a double extortion model, exfiltrating sensitive data before encrypting it, thereby amplifying its leverage even when victims possess backups. Developed in the Go programming language, Gentlemen ransomware benefits from cross-platform compatibility and robust performance, facilitating its wide-reaching impact across diverse enterprise environments.
The group behind this malicious software has demonstrated advanced tactics, including the manipulation of Group Policy Objects (GPO) and the utilization of Bring Your Own Vulnerable Driver (BYOVD) techniques. These methods enable them to effectively bypass security defenses and propagate laterally throughout victim networks. Reports indicate that Gentlemen ransomware has already compromised organizations in at least 17 countries, affecting critical sectors such as healthcare, manufacturing, and insurance. According to ASEC analysts, the group’s sophisticated propagation procedures have positioned it as one of the most active emerging ransomware operations in 2025, specifically targeting medium to large organizations with a focus on evading standard security monitoring.
Gentlemen Ransomware: Execution and Encryption Protocols
Upon initial execution, the Gentlemen ransomware module initiates a stringent command-line argument parsing routine to govern its operations. A critical security bypass is its requirement for a specific –password argument; the ransomware will immediately terminate if this valid credential is not provided. This seemingly simple yet highly effective anti-analysis measure aims to thwart security researchers attempting to execute the payload within sandbox environments for examination.
Operators can dictate the ransomware’s behavior through various command-line modes. For instance, the –silent argument can be used to prevent file renaming, while the –full argument targets both local and network shares for encryption. Before commencing the encryption process, the malware systematically disables Windows Defender and terminates crucial backup and database services, including Veeam, MSSQL, and MongoDB. This action aims to prevent files from being locked by other running processes and to impede any potential recovery efforts by the victim. The extensive command options available for the Gentlemen executable highlight the group’s meticulous planning.
The encryption phase of the Gentlemen ransomware employs advanced cryptographic standards. It utilizes X25519 for key exchange and XChaCha20 for file encryption, generating unique encryption keys for each individual file. The threat actor’s public key is decoded directly in the malware’s memory to establish shared secrets for encrypting the data. For larger files, the ransomware selectively encrypts segments based on predefined percentages, such as 9% for –fast mode or 1% for –ultrafast, as a strategy to optimize encryption speed while still rendering the data irretrievable.
Following the completion of encryption across affected directories, the ransomware drops a ransom note titled README-GENTLEMEN.txt. This note typically contains instructions for the victim on how to contact the attackers and initiate the negotiation process for data decryption. The rapid spread and evolving tactics of Gentlemen ransomware underscore the persistent and escalating threat posed by sophisticated ransomware gangs to global cybersecurity.
The rapid expansion of Gentlemen ransomware across North America, South America, and the Middle East emphasizes the critical importance of continuous threat monitoring and proactive security measures for organizations worldwide. As cybercriminals continue to develop more advanced and evasive techniques, businesses must remain vigilant and invest in robust cybersecurity defenses to mitigate the risk of such significant data breaches and operational disruptions.