Microsoft Details 'The Gentlemen' Ransomware, a Sophisticated RaaS with Automated Lateral Movement

'The Gentlemen' Ransomware Deploys Self-Propagating Malware in Global RaaS Campaign

HIGH
June 1, 2026
6m read
Ransomware, Threat Actor, Malware

Related Entities

Threat Actors

Storm-2697

Products & Tech

Garble
Go

Other

The Gentlemen
BreachForums

Full Report

Executive Summary

Microsoft Threat Intelligence has published details on a new Ransomware-as-a-Service (RaaS) operation called The Gentlemen. The operators, tracked as Storm-2697, have built a Go-based ransomware payload that pairs per-file public-key encryption with a self-propagation capability, so the malware spreads across a compromised network without operator interaction and cuts the time from initial access to network-wide impact. The group follows a double-extortion model, exfiltrating data before encryption, and recruits affiliates through criminal forums such as BreachForums. The Gentlemen has already been observed in attacks on critical sectors worldwide and is an active, evolving threat.


Threat Overview

The Gentlemen is a financially motivated cybercrime operation that began as a private group in mid-2025 and transitioned to a RaaS platform in September 2025. The operators, Storm-2697, manage the ransomware's development and infrastructure while affiliates carry out the attacks.

The group's primary weapon is ransomware written in Go, chosen for its cross-platform build tooling and because its large, statically linked binaries slow reverse engineering. The binary is further protected with the Garble obfuscator, which renames packages and symbols and strips build metadata, so analysts cannot rely on recognisable function names or a Go version string when triaging samples.

Key characteristics of the threat include:

  • Double Extortion: Attackers first exfiltrate sensitive data (T1048 - Exfiltration Over Alternative Protocol) and then encrypt files on the victim's network (T1486 - Data Encrypted for Impact). The threat of a public data leak is used as additional leverage for payment.
  • Aggressive Recruitment: The group has partnered with the notorious BreachForums marketplace to recruit skilled affiliates, including initial access brokers and penetration testers.
  • Global Targeting: Attacks have been confirmed against organizations in North America, South America, Europe, Africa, and Asia, with a focus on high-value sectors like education, transportation, healthcare, and finance.

Technical Analysis

The most distinctive feature of The Gentlemen ransomware is its automated lateral movement and self-propagation module. Once executed on a single machine, it attempts to spread to other systems on the network without manual attacker intervention.

Attack Chain:

  1. Initial Access: Affiliates use various methods to gain a foothold, such as exploiting vulnerabilities, phishing, or purchasing access from brokers.
  2. Defense Evasion: Before propagation, the malware executes a series of commands to cripple the target's defenses. This includes terminating processes associated with security software and backup solutions (T1562.001 - Disable or Modify Tools) and clearing system and security event logs to hide its tracks (T1070.001 - Clear Windows Event Logs).
  3. Self-Propagation: The malware uses a multi-pronged approach for lateral movement, potentially including:
  4. Encryption: For each file the payload generates an ephemeral Curve25519 (X25519) key pair, derives the file key from that key's shared secret with the operators' embedded public key, and encrypts the content with the XChaCha20 stream cipher. In this construction the ephemeral public key is kept with the ciphertext and the ephemeral private key is discarded, so no file key can be reconstructed without the operators' master private key. Per-file keying also means that a file key recovered from memory unlocks only that one file, and since the primitives are standard there is no realistic brute-force path.
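The scheme in step 4, carried through in code as an added example written for this page (stdlib-only Python; not The Gentlemen's code and not a reconstruction of it). The X25519 ladder follows RFC 7748 and the XChaCha20 construction follows the IETF draft; the key derivation (SHA-256 over the shared secret and both public keys) and the on-disk layout (ephemeral public key, 24-byte nonce, ciphertext) are assumptions. It shows why the victim cannot decrypt: the encrypt path discards the ephemeral private key, and the decrypt path can only rebuild the shared secret with the operators' private key.

```python
# Added example for this page (not The Gentlemen's code): per-file hybrid
# encryption with an ephemeral X25519 key pair and XChaCha20, stdlib only.
import hashlib
import os
import struct

P = 2**255 - 19                     # Curve25519 field prime
BASE = (9).to_bytes(32, "little")   # Montgomery base point u = 9
MASK32 = 0xFFFFFFFF

def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519 via the Montgomery ladder; returns the 32-byte u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                                 # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32

def _chacha_rounds(state):
    """20 ChaCha rounds (10 column + diagonal double rounds) over a 16-word state."""
    s = list(state)
    def qr(a, b, c, d):
        s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
        s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
        s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
        s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)
    for _ in range(10):
        qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
        qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
    return s

def _words(b):
    return struct.unpack("<%dI" % (len(b) // 4), b)

def hchacha20(key, nonce16):
    """HChaCha20 subkey: rounds without feed-forward, words 0-3 and 12-15 out."""
    s = _chacha_rounds(CONSTANTS + _words(key) + _words(nonce16))
    return struct.pack("<8I", *(s[:4] + s[12:]))

def chacha20_xor(key, nonce12, data, counter=0):
    """IETF ChaCha20 (96-bit nonce, 32-bit block counter) keystream XORed over data."""
    out = bytearray()
    for off in range(0, len(data), 64):
        state = CONSTANTS + _words(key) + ((counter + off // 64) & MASK32,) + _words(nonce12)
        ks = struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(_chacha_rounds(state), state)])
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)

def xchacha20_xor(key, nonce24, data):
    """XChaCha20: HChaCha20 on the first 16 nonce bytes, ChaCha20 on the last 8."""
    return chacha20_xor(hchacha20(key, nonce24[:16]), b"\0\0\0\0" + nonce24[16:], data)

def keygen():
    sk = os.urandom(32)
    return sk, x25519(sk, BASE)

def _file_key(shared, eph_pk, operator_pk):
    # Assumed KDF: binds the shared secret to both public keys.
    return hashlib.sha256(b"file-key" + shared + eph_pk + operator_pk).digest()

def encrypt_file(operator_pk, plaintext):
    """Encryptor: the ephemeral private key is never written anywhere."""
    eph_sk, eph_pk = keygen()
    key = _file_key(x25519(eph_sk, operator_pk), eph_pk, operator_pk)
    del eph_sk                                        # only the operator can rebuild the shared secret now
    nonce = os.urandom(24)
    return eph_pk + nonce + xchacha20_xor(key, nonce, plaintext)

def decrypt_file(operator_sk, blob):
    """Decryptor: needs the operators' master private key to recover the file key."""
    eph_pk, nonce, ct = blob[:32], blob[32:56], blob[56:]
    key = _file_key(x25519(operator_sk, eph_pk), eph_pk, x25519(operator_sk, BASE))
    return xchacha20_xor(key, nonce, ct)
```

Two things worth noting for responders. First, the stream cipher gives confidentiality only; there is no MAC in this sketch, and whether a real payload authenticates its output does not change the recovery picture. Second, the only secrets that unlock data are the operators' master private key (everything) or an individual file key caught in memory mid-encryption (that one file), which is why memory capture of a still-running encryptor is worth attempting and why a leaked master key is the only route to a universal decryptor.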

The self-propagation capability compresses the response timeline. A single infected host can become a network-wide encryption event in minutes, faster than manual containment (isolating hosts one at a time, disabling accounts) can keep up. Containment therefore has to be pre-staged: segmentation that is already in place, and automated host isolation triggered by the detections below.


Impact Assessment

The combination of automated spreading and double extortion makes The Gentlemen a high-impact threat. The speed of propagation can lead to rapid and widespread business disruption, as critical systems across the network are encrypted simultaneously. The operational downtime can be catastrophic for industries like healthcare and transportation.

The data exfiltration component adds the risk of severe regulatory fines (e.g., under GDPR or HIPAA), reputational damage, and loss of intellectual property. The targeting of multiple critical sectors suggests a strategic approach to maximizing financial returns by hitting organizations that are more likely to pay to restore operations and prevent data leaks.


IOCs — Directly from Articles

No specific technical Indicators of Compromise (IOCs) were provided in the summarized articles.


Cyber Observables — Hunting Hints

Security teams should hunt for TTPs associated with rapid lateral movement and defense evasion:

Type: Command Line Pattern
Value: taskkill /F /IM <security_tool>.exe
Description: Look for command-line activity that terminates antivirus, EDR, or backup agent processes. Key the detection on the target image name rather than on taskkill itself, since the same effect is reached with net stop or sc stop against the agent's service.

Type: Command Line Pattern
Value: wevtutil.exe cl <log> (also wevtutil clear-log)
Description: Monitor for wevtutil clearing Windows Event Logs. Clearing the Security log also raises Event ID 1102 (and clearing the System log raises 104) on the host itself, so forward those events to a central collector before they can be wiped.

Type: Network Traffic Pattern
Value: East-West SMB/RPC Traffic Spike
Description: A sudden, significant increase in SMB (TCP 445) or RPC (TCP 135 plus dynamic ports) traffic between workstations, in particular one source reaching many distinct hosts within a short window, is consistent with worm-like propagation. Baseline legitimate scanners and management servers first to avoid alerting on them.

Type: Process Name
Value: Unusual Go-based executables
Description: Monitor for unsigned executables with the traits of Go binaries (large, statically linked files carrying the Go runtime and its pclntab structure) running from temporary or user-writable directories. Garble renames packages and symbols and strips build metadata, so hunt on these structural traits rather than on recognisable function names or a Go version string.
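The command-line hunting hints above, run as code over constructed process-creation telemetry (Sysmon Event ID 1 or Windows 4688 style). This is an added example, not code from the report; the event field names, the protected-process list and the correlation window are assumptions to tune against your own logging. It goes one step beyond the table by correlating per host: the pre-encryption sequence (kill agents, clear logs, delete shadow copies) within a few minutes rates HIGH, while a lone log clear is kept for triage at LOW.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Security and backup agents whose forced termination is suspicious. Assumed list;
# extend it with the image names of the agents actually deployed in your estate.
PROTECTED_PROCS = {
    "msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe",
    "veeam.backup.service.exe", "vssvc.exe", "sqlservr.exe",
}

# Case-insensitive: cmd.exe preserves whatever case the operator typed.
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([^\s\"]+)", re.I)
WEVTUTIL = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\"?([^\s\"]+)", re.I)
VSSADMIN = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)


def classify(cmdline):
    """Map one command line to (indicator, detail), or None when it is benign."""
    if m := TASKKILL.search(cmdline):
        target = m.group(1).lower()
        return ("kill_security_process", target) if target in PROTECTED_PROCS else None
    if m := WEVTUTIL.search(cmdline):
        return ("clear_event_log", m.group(1))
    if VSSADMIN.search(cmdline):
        return ("delete_shadow_copies", "all")
    return None


def hunt(events, window=timedelta(minutes=5)):
    """Per host, find the largest set of distinct indicator types seen inside one
    window. Two or more together is the pre-encryption sequence and rates HIGH;
    a lone log clear may be admin housekeeping and rates LOW for triage."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev["cmd"])
        if hit:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]),) + hit)
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (t0, _, _) in enumerate(hits):
            kinds = {kind for t, kind, _ in hits[i:] if t - t0 <= window}
            if len(kinds) > len(best):
                best = kinds
        findings[host] = {
            "indicators": sorted(best),
            "targets": sorted({detail for _, _, detail in hits}),
            "severity": "HIGH" if len(best) >= 2 else "LOW",
        }
    return findings


# Constructed sample telemetry (not real logs): one host running the full
# defence-evasion sequence, one benign taskkill, one isolated log clear.
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T02:14:05", "host": "WS-0412", "cmd": "taskkill /F /IM MsMpEng.exe"},
    {"ts": "2026-06-01T02:14:06", "host": "WS-0412", "cmd": "taskkill /F /IM Veeam.Backup.Service.exe"},
    {"ts": "2026-06-01T02:14:09", "host": "WS-0412", "cmd": "wevtutil.exe cl Security"},
    {"ts": "2026-06-01T02:14:10", "host": "WS-0412", "cmd": "wevtutil.exe cl System"},
    {"ts": "2026-06-01T02:14:12", "host": "WS-0412", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-06-01T09:30:00", "host": "WS-0077", "cmd": "taskkill /F /IM notepad.exe"},
    {"ts": "2026-06-01T11:00:00", "host": "SRV-LOG01", "cmd": "wevtutil.exe cl Application"},
]

if __name__ == "__main__":
    for host, f in hunt(SAMPLE_EVENTS).items():
        print(host, f["severity"], f["indicators"], f["targets"])
```

The same logic ports directly to a SIEM correlation rule: three searches keyed on the image name, grouped by host over a five-minute window. Keep the protected-process list in a lookup rather than in the regex so it can be updated without touching the rule.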

Detection & Response

  • Behavioral Detection: Deploy EDR solutions capable of detecting ransomware-like behavior, such as rapid file modification, volume shadow copy deletion, and attempts to kill security processes. This aligns with D3FEND's Process Analysis (D3-PA).
  • Lateral Movement Detection: Utilize tools that monitor for anomalous east-west traffic. Create alerts for multiple failed logins from a single source to multiple destinations, or the use of administrative tools like PsExec from non-administrator workstations.
  • Honeypots and Deception: Place decoy systems and credentials on the network. Any interaction with these decoys is a high-fidelity indicator of an intruder and can provide early warning of lateral movement. This is a form of D3FEND's Decoy Object (D3-DO).
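The lateral-movement bullet above (many failed logons from one source to many destinations, or one source suddenly talking SMB to many hosts) reduces to one detection: fan-out per source inside a short window. The following is an added example, not code from the report; record field names, thresholds and the scanner allow-list are assumptions. It handles both event kinds with one sliding-window counter and uses constructed records so it runs offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per-environment assumptions: how many distinct hosts one source may reach on
# SMB, or fail to log on to, inside one window before it is worth an alert.
THRESHOLDS = {"smb_connect": 15, "logon_failure": 10}
# Vulnerability scanners and management servers legitimately fan out; maintain
# this allow-list explicitly rather than raising the thresholds for everyone.
KNOWN_SCANNERS = {"SRV-VULNSCAN01"}


def peak_distinct_destinations(events, window):
    """For every (src, kind) pair, the largest number of distinct destinations
    seen in any interval of length `window`, using a sliding two-pointer scan."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev["src"], ev["kind"])].append((datetime.fromisoformat(ev["ts"]), ev["dst"]))
    peaks = {}
    for key, rows in grouped.items():
        rows.sort()
        live, left, best = defaultdict(int), 0, 0
        for t, dst in rows:
            live[dst] += 1
            while t - rows[left][0] > window:      # drop records that fell out of the window
                old = rows[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        peaks[key] = best
    return peaks


def detect(events, window=timedelta(seconds=60)):
    """Alerts for sources whose peak fan-out reaches the threshold for that kind."""
    alerts = []
    for (src, kind), peak in peak_distinct_destinations(events, window).items():
        if src in KNOWN_SCANNERS or peak < THRESHOLDS[kind]:
            continue
        alerts.append({"src": src, "kind": kind, "distinct_dst": peak})
    return sorted(alerts, key=lambda a: (a["src"], a["kind"]))


def _burst(src, kind, start, count, step_seconds, dst_prefix):
    """Constructed records: `count` events from src, one new destination each."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             "src": src, "dst": f"{dst_prefix}{i:03d}", "kind": kind}
            for i in range(count)]


# Constructed sample: a workstation spraying 40 hosts on 445 in 40 s and failing
# logons on 12 hosts, a file server with normal fan-out, and an allow-listed scanner.
SAMPLE_EVENTS = (
    _burst("WS-0412", "smb_connect", "2026-06-01T02:15:00", 40, 1, "WS-1")
    + _burst("WS-0412", "logon_failure", "2026-06-01T02:14:30", 12, 2, "WS-1")
    + _burst("SRV-FS01", "smb_connect", "2026-06-01T02:15:00", 5, 10, "WS-2")
    + _burst("SRV-VULNSCAN01", "smb_connect", "2026-06-01T02:00:00", 60, 1, "WS-3")
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Feed smb_connect records from firewall or NetFlow logs (destination port 445) and logon_failure records from Windows Event ID 4625 keyed on the workstation name in the event. The 60-second window is deliberately short: worm-style propagation is a burst, and a longer window mostly adds false positives from helpdesk and patching activity.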

Mitigation

  • Network Segmentation: Implement a robust network segmentation strategy to contain the spread of self-propagating malware. Restrict communication between workstations and between server VLANs to only what is strictly necessary. This is a key application of D3FEND's Network Isolation (D3-NI).
  • Immutable Backups: Maintain offline and immutable backups of critical data. Follow the 3-2-1 backup rule (3 copies, 2 different media, 1 offsite). Regularly test restoration procedures.
  • Application Control: Use application allow-listing to prevent the execution of unauthorized executables, including Go-based malware, from user-writable directories like %APPDATA%. This is an example of D3FEND's Executable Allowlisting (D3-EAL).
  • Privileged Access Management (PAM): Strictly control and monitor the use of privileged accounts. Implement just-in-time (JIT) access for administrative tasks to reduce the window of opportunity for credential theft.

Timeline of Events

1. September 1, 2025: The Gentlemen transitions from a private group to a Ransomware-as-a-Service (RaaS) model.
2. June 1, 2026: This article was published.

MITRE ATT&CK Mitigations

  • M1030 Network Segmentation: Contain the spread of self-propagating malware by implementing strict network segmentation.
  • M1053 Data Backup: Maintain regular, tested, and immutable backups to enable recovery without paying a ransom.
  • M1038 Execution Prevention: Use application control solutions to prevent unauthorized executables from running.
  • M1026 Privileged Account Management: Restrict and monitor the use of administrative credentials to limit lateral movement.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Ransomware, The Gentlemen, Storm-2697, RaaS, Go, Self-Propagating, Double Extortion, Microsoft
