Ransomware | May 28, 2026

The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

The Gentlemen Go-based ransomware uses aggressive self-propagation and per-file encryption across networks.

Summary

Microsoft Threat Intelligence disclosed The Gentlemen, a Go-based ransomware-as-a-service (RaaS) operated by Storm-2697 that combines per-file Curve25519/XChaCha20 encryption with aggressive lateral movement techniques to rapidly compromise entire networks. The threat emerged in mid-2025, expanded to an affiliate model in September 2025, and recently partnered with BreachForums to recruit operators; it has already impacted the education, healthcare, transportation, and financial sectors globally. The malware uses double extortion tactics, Garble obfuscation, and multiple command-line arguments to control encryption scope, speed, and network propagation behavior.

Full text

Ransomware that combines robust encryption with rapid lateral movement significantly increases the risk and impact of an attack. The Gentlemen ransomware is a ransomware-as-a-service (RaaS) threat distinguished by its ability to pair strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise. In addition to using per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using a series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved.

Microsoft Threat Intelligence tracks the operators behind the ransomware as Storm-2697, a financially motivated threat actor that manages the RaaS platform known as “The Gentlemen” while affiliates carry out attacks. Emerging around mid-2025, The Gentlemen started as a closed ransomware group and then began offering its RaaS to affiliates in September 2025. More recently, The Gentlemen operators established an official partnership with BreachForums, a popular cybercriminal marketplace, to recruit affiliates including penetration testers and initial access brokers. Given that The Gentlemen is already a widely adopted RaaS platform, this partnership may lead to increased activity as the program becomes accessible to a broader pool of threat actors.

The operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims with the threat of public release if the ransom is not paid. The ransomware is written in Go, obfuscated with Garble, and targets Windows environments. Microsoft has observed The Gentlemen ransomware impacting organizations across the education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

In this blog, we present a detailed analysis of The Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques. This research is intended to give defenders, incident responders, and the broader security community a better understanding of how the threat operates, from initial argument parsing and defense evasion, through its file encryption internals, to the lateral movement that enables it to propagate across the network. We also provide mitigation guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help organizations defend against this threat and similar ransomware activity.

Pre-encryption

Command-line argument processing

The ransomware operator can control The Gentlemen encryptor through command-line arguments. A password is required for execution, and optional arguments allow the operator to specify encryption scope, speed, lateral movement, and post-encryption behaviors. The binary accepts the following arguments:

  • --password <password>: Required access password (build-specific)
  • --path <list of paths>: Comma-separated list of target directories or file paths
  • --T <minutes>: Delay in minutes before file encryption begins
  • --silent: Silent mode. Disables renaming files, changing timestamps after encryption, and setting the desktop wallpaper
  • --system: Encrypt files as SYSTEM, targeting only local drives
  • --shares: Encrypt only mapped network drives and available Universal Naming Convention (UNC) shares
  • --full: Two-phase encryption; the binary relaunches itself as two separate processes, one with --system for local drives and one with --shares for network shares
  • --spread <domain/user:password>: Enable self-propagation and accept credentials for lateral movement. If no credential is provided, the current session token is used for lateral movement
  • --ultrafast: Encrypt 0.3% per chunk (~0.9% total for large files)
  • --superfast: Encrypt 1% per chunk (~3% total for large files)
  • --fast: Encrypt 3% per chunk (~9% total for large files)
  • --keep: Disable self-delete after file encryption completes
  • --wipe: Wipe free disk space after encryption

The --full argument appears to be the intended mode of operation for comprehensive file encryption on the infected device. When it is provided, the malware spawns two child processes of itself: one with the argument --system, which encrypts local volumes under a SYSTEM-privileged scheduled task, and one with the argument --shares, which encrypts network shares. This separation ensures that the malware can reach both local drives (which might require SYSTEM privileges) and mapped network shares (which are only visible in the user’s session).

Figure 1. Encryption mode command-line arguments

The speed arguments (--fast, --superfast, --ultrafast) are mutually exclusive and control how much of each large file is encrypted. When no speed flag is specified, the default per-chunk percentage is 9%. These flags only affect files larger than 1 MB; small files are fully encrypted regardless of the speed setting.

Usage prompt

When the encryptor is executed with no command-line argument, the malware prints a branded usage banner to the console. It first executes a set of PowerShell commands to render a console header, followed by a detailed usage prompt written by the malware author that documents all available flags with descriptions and examples.

Figure 2. The Gentlemen ransomware’s usage prompt

It is worth noting that the file size percentages listed in the usage prompt refer to the total amount of each file that is encrypted. Internally, the malware encrypts three separate chunks, and the per-chunk percentage used in the code is: fast=3%, superfast=1%, ultrafast=0.3%, default=9%.

Password check

Before executing its primary functionality, the malware validates the --password argument against a hardcoded value embedded within the binary. For the sample analyzed in this blog, the expected password is “9VoAvR7G”. If the provided password does not match, the malware prints "bad args" and terminates. This password check is a simple operator authentication mechanism, with each build containing a unique embedded password. Its purpose is to restrict execution to authorized operators and reduce the risk of accidental or unauthorized detonation if the binary is recovered or intercepted. However, because the validation relies on a static comparison, it can be easily identified and bypassed through static analysis techniques.

System encryption: Privilege escalation

When the --system argument is provided (either directly or via --full), the malware creates a scheduled task to re-execute itself as SYSTEM. If a delay value is also specified through the --T argument, the scheduled execution time is adjusted accordingly. The malware can only perform this step if it is executed from an account with administrator privileges. To relaunch itself as SYSTEM, it issues a sequence of commands that first deletes any existing task named gentlemen_system to avoid conflicts, then creates a new one-time task that runs its binary under the SYSTEM account, and finally triggers that task immediately. When running within this scheduled task context, the malware sets the environment variable LOCKER_BACKGROUND=1. This variable functions as an internal execution flag,
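The argument set and the scheduled-task relaunch described above give a defender several concrete, hostable traits. The following hunting helper is an added example for this write-up, not Microsoft's code and not the ransomware's: it scores constructed process-creation records using only behaviours the analysis names (the --password flag combined with --system, --shares, --full or --spread; the speed flags; a --full parent relaunching the same image as --system and --shares children; schtasks acting on a task named gentlemen_system; and LOCKER_BACKGROUND=1 in the process environment). The file path, process ids, the schtasks command syntax in the sample records, and the score weights are all assumptions made for the example.

```python
"""Hunting helper for command-line and scheduled-task traits of The Gentlemen encryptor.

Added example, not Microsoft's code or the ransomware's. The records below are
constructed sample telemetry; the schtasks syntax in them is standard Windows
syntax and an assumption about how the task is created. Score weights are arbitrary.
"""
from dataclasses import dataclass, field

# Flags documented in the analysed sample's usage prompt.
GENTLEMEN_FLAGS = {"--password", "--path", "--T", "--silent", "--system", "--shares",
                   "--full", "--spread", "--ultrafast", "--superfast", "--fast",
                   "--keep", "--wipe"}
MODE_FLAGS = {"--system", "--shares", "--full"}
SPEED_FLAGS = {"--ultrafast", "--superfast", "--fast"}
TASK_NAME = "gentlemen_system"             # scheduled task name from the analysis
BACKGROUND_MARKER = "LOCKER_BACKGROUND=1"  # set when running under that task

LOCKER = r"C:\Users\alice\Downloads\locker.exe"  # constructed path, not an IoC
EVENTS = [  # constructed process-creation records, not real telemetry
    {"pid": 4100, "ppid": 900, "image": LOCKER, "env": "",
     "cmdline": "locker.exe --password 9VoAvR7G --full --fast"},
    {"pid": 4112, "ppid": 4100, "image": LOCKER, "env": "",
     "cmdline": "locker.exe --password 9VoAvR7G --system --fast"},
    {"pid": 4120, "ppid": 4100, "image": LOCKER, "env": "",
     "cmdline": "locker.exe --password 9VoAvR7G --shares --fast"},
    {"pid": 4130, "ppid": 4112, "image": r"C:\Windows\System32\schtasks.exe", "env": "",
     "cmdline": "schtasks.exe /delete /tn gentlemen_system /f"},
    {"pid": 4131, "ppid": 4112, "image": r"C:\Windows\System32\schtasks.exe", "env": "",
     "cmdline": 'schtasks.exe /create /tn gentlemen_system /sc once /st 00:00 /ru SYSTEM '
                '/tr "' + LOCKER + ' --password 9VoAvR7G --system --fast" /f'},
    {"pid": 4132, "ppid": 4112, "image": r"C:\Windows\System32\schtasks.exe", "env": "",
     "cmdline": "schtasks.exe /run /tn gentlemen_system"},
    {"pid": 4140, "ppid": 1200, "image": LOCKER, "env": BACKGROUND_MARKER,
     "cmdline": "locker.exe --password 9VoAvR7G --system --fast"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe", "env": "",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"pid": 5010, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe", "env": "",
     "cmdline": r"schtasks.exe /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"},
]


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def tokens_of(cmdline):
    """Whitespace-split the command line and drop surrounding quotes, so flags
    nested inside a quoted /tr argument are still visible."""
    return [t.strip('"') for t in cmdline.split()]


def score_event(ev):
    """Score one process-creation record against the traits in the write-up."""
    f = Finding(ev["pid"])
    flags = set(tokens_of(ev["cmdline"])) & GENTLEMEN_FLAGS
    if "--password" in flags and flags & (MODE_FLAGS | {"--spread"}):
        f.add(3, "--password combined with an encryption-mode or --spread flag")
    if "--spread" in flags:
        f.add(3, "--spread requests self-propagation")
    if flags & SPEED_FLAGS:
        f.add(1, "partial-encryption speed flag")
    if ev["image"].lower().endswith("schtasks.exe") and TASK_NAME in ev["cmdline"].lower():
        f.add(4, f"schtasks acting on task '{TASK_NAME}'")
    if BACKGROUND_MARKER in ev.get("env", ""):
        f.add(3, f"{BACKGROUND_MARKER} present in process environment")
    return f


def two_phase_parents(events):
    """Pids of --full processes whose children are the same image run with
    --system and with --shares, the relaunch the analysis describes."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for ev in events:
        if "--full" not in tokens_of(ev["cmdline"]):
            continue
        kids = [k for k in by_parent.get(ev["pid"], []) if k["image"] == ev["image"]]
        kid_flags = {fl for k in kids for fl in tokens_of(k["cmdline"])}
        if {"--system", "--shares"} <= kid_flags:
            hits.append(ev["pid"])
    return hits


def hunt(events, threshold=3):
    """Findings at or above the threshold, highest score first."""
    found = [score_event(ev) for ev in events]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f.pid, f.score, "; ".join(f.reasons))
    print("two-phase relaunch parents:", two_phase_parents(EVENTS))
```

The per-event scoring is deliberately tolerant of the operator choosing different flag combinations, while the parent/child check in two_phase_parents keys on structure rather than strings: a --full process whose children are the same image with --system and --shares is the relaunch pattern regardless of file name or password. Against the constructed records it flags every locker and schtasks event in the chain and leaves the unrelated notepad and ScheduledDefrag queries at zero.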

Indicators of Compromise

  • malware — The Gentlemen

Entities

  • Storm-2697 (threat_actor)
  • Curve25519 encryption (technology)
  • XChaCha20 stream cipher (technology)
  • Microsoft (vendor)