Storm-2697

Storm-2697 is a financially motivated threat actor tracked by Microsoft Threat Intelligence as the operator behind the ransomware-as-a-service platform The Gentlemen. The group emerged around mid-2025 as a tightly closed ransomware network and later transitioned into a public RaaS ecosystem, offering access to affiliates by September 2025. Microsoft reported that the operators established an official partnership with BreachForums to recruit affiliates, including penetration testers and initial access brokers. Storm-2697/The Gentlemen uses a double-extortion model, encrypting victim systems while exfiltrating data and threatening public release of stolen corporate information. Microsoft observed victims across healthcare, transportation, education, and financial sectors, with activity spanning North America, South America, Europe, Africa, and Asia. The Gentlemen ransomware is written in Go and obfuscated with Garble. It uses a hybrid cryptographic scheme based on Curve25519 and XChaCha20, appends the .umc16h extension to encrypted files, and drops ransom notes named README-GENTLEMEN.txt. The malware disables Microsoft Defender protections, adds exclusions for its binary and the C:\ volume, deletes Volume Shadow Copies, clears event logs, deletes forensic artifacts including PowerShell history, and terminates or disables processes and services associated with virtualization, databases, backup software, EDR tools, SAP, Exchange, Office applications, browsers, remote access tools, and accounting software. It also establishes persistence via scheduled tasks named UpdateSystem and UpdateUser and Run registry values GupdateS and GupdateU. The ransomware supports multiple execution modes, including local, network-share, and SYSTEM-level encryption. When launched with spreading enabled, it gains worm-like propagation capabilities by staging itself over SMB, creating hidden shares, enumerating remote hosts and shares, weakening defenses on remote systems, and attempting numerous remote execution methods including PsExec, WMIC, scheduled tasks, services, PowerShell remoting, and PowerShell WMI. It can also overwrite free disk space using wipefile.tmp and self-delete after execution. Known alias in the provided content: The Gentlemen.