
Threats Tagged 'the gentlemen'

View all threats tagged with 'the gentlemen'. Filter and sort to focus on specific types of threats.


The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.

LBIOC-20260071 - The Gentlemens Leak

The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025, rapidly escalating into a high-volume threat actor. The group appears to be a continuation or reorganization of prior ransomware affiliate activity, with reported connections to the Qilin ecosystem and the Russian-speaking actor 'hastalamuerte.' This growth likely reflects existing ransomware experience, affiliate relationships, and access to established resources. Underground sources indicate attempts to sell data allegedly connected to The Gentlemen ransomware activity, though the available information lacks sufficient victim-specific or technical details to confirm authenticity. The operation utilizes SystemBC for command and control communications and deploys ransomware variants targeting both Windows and Linux systems.

The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...

License to Encrypt: Make Their Move

'The Gentlemen' ransomware group, active since July 2025, operates a Ransomware-as-a-Service (RaaS) platform that employs advanced dual-extortion tactics by encrypting data and exfiltrating sensitive information to coerce ransom payments. Their ransomware targets Windows, Linux, and ESXi platforms, encrypting both local and network-shared drives using the strong cryptographic algorithms XChaCha20 and Curve25519. Recent updates include automatic self-restart, run-on-boot persistence, configurable encryption speeds, and attack methods, enhancing their operational resilience and adaptability. The group has publicly disclosed 47 victims within two months, indicating rapid propagation and impact. The malware leverages multiple MITRE ATT&CK techniques such as persistence (T1547.001), data encryption (T1486), and network share discovery (T1135). No known exploits or CVEs are associated yet, but the threat is significant due to its multi-platform support and dual-extortion approach. European organizations with mixed OS environments and ESXi virtualization are at particular risk. Mitigation requires tailored detection of persistence mechanisms, network segmentation, and robust incident response plans. Countries with high adoption of VMware ESXi and diverse enterprise IT infrastructures, such as Germany, France, and the UK, are likely most affected.
