Gentlemen
Gentlemen is a ransomware family and ransomware-as-a-service operation first observed between mid-2025 and August 2025. Microsoft associates it with the financially motivated threat actor Storm-2697. The operation uses double extortion: it exfiltrates data before encrypting systems and threatens to publish the stolen data. Reporting describes aggressive affiliate recruitment on underground forums, including BreachForums, and rapid growth across multiple continents.
The malware is primarily Go-based and supports cross-platform encryption of Windows, Linux, NAS, and BSD systems; a C-based variant targets ESXi hypervisors. It has been reported targeting medium and large enterprises across at least 17 countries and sectors including healthcare, manufacturing, insurance, transportation, education, and energy/critical infrastructure. Documented victim reporting includes Romania's state-owned power producer Complexul Energetic Oltenia, where a December 2025 attack disrupted ERP, email, website, document management, and other business IT systems.
Observed tradecraft includes use of compromised credentials and targeting of Internet-exposed services for initial access; some reporting also links intrusions to compromised Fortinet edge-device credentials. Operators and affiliates have used reconnaissance, credential validation, Mimikatz, Cobalt Strike, RPC-based remote execution, Group Policy modification/abuse, domain admin privileges, and living-off-the-land techniques. Data exfiltration prior to encryption has been conducted with tools such as WinSCP. The group has also been reported using BYOVD techniques to disable defenses, and one affiliate investigation identified attempted use of SystemBC for covert payload delivery and SOCKS5 tunneling.
On execution, Gentlemen has been observed disabling Microsoft Defender protections via PowerShell and adding exclusions for its own binary and even the entire local C:\ volume. It then terminates security tools, EDR agents, backup software, database services, virtualization-related processes, and email-management software; deletes Volume Shadow Copies; clears the Security and System event logs with wevtutil; and deletes the PowerShell history. The ESXi variant shuts down virtual machines before encrypting their disks. Some analyses note that the malware requires a password argument to run, which acts as an anti-analysis control, and that it supports command-line options such as --silent, --full, --fast, --ultrafast, and --spread.
Encryption is consistently described as using X25519/Curve25519-based key exchange with XChaCha20 for file encryption, generating per-file ephemeral/shared secrets. Small files are fully encrypted, while larger files are only partially encrypted in chunks to improve speed; operators can tune this behavior with command-line arguments. Reported encrypted-file extensions include .umc16h and .7mtzhh in different reporting. The malware drops ransom notes named README-GENTLEMEN.txt, and reporting states the note threatens data leakage and may offer decryption of sample files.
When launched with the --spread option, the ransomware can self-propagate in a worm-like manner by copying itself to temporary locations, creating hidden shares, and attempting multiple remote execution methods against discovered hosts, including PsExec, WMIC, and remote PowerShell. Post-encryption anti-forensic behavior includes overwriting free disk space using wipefile.tmp and deleting its own binary via a batch file.
Additional reporting states the group had listed hundreds of non-paying victims on its leak site by April 2026 and rapidly patched its malware after a free decryptor was released. Publicly reported indicators and artifacts include README-GENTLEMEN.txt ransom notes, encrypted-file extensions .umc16h and .7mtzhh, and sample hashes adf675ffc1acb357f2d9f1a94e016f52 and de1a114a2c5552387a1bbb61501bf129.
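As an added example (not code from this page or from any vendor), the following Python turns the host-side behaviours reported above into detection rules and runs them over constructed telemetry records; the record layout and the exact command-line form of the Defender exclusion (Add-MpPreference) are assumptions, while the wevtutil usage, ransom-note name, extensions and wipefile.tmp artifact come from the reporting.

```python
"""Host-side detection for behaviours publicly attributed to Gentlemen.
Added example: events are constructed; the Add-MpPreference command form is assumed."""
import re

# (rule name, event type, pattern) for behaviours described in the reporting above.
RULES = [
    ("defender_exclusion_root", "process",   # exclusion for the whole C:\ volume
     re.compile(r"-ExclusionPath\s+[\"']?C:\\[\"']?(?:\s|$)", re.I)),
    ("eventlog_clear", "process",            # Security/System logs cleared with wevtutil
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:security|system)\b", re.I)),
    ("ransom_note_dropped", "file",          # README-GENTLEMEN.txt written to disk
     re.compile(r"(?:^|[\\/])README-GENTLEMEN\.txt$", re.I)),
    ("encrypted_extension", "file",          # extensions reported for this family
     re.compile(r"\.(?:umc16h|7mtzhh)$", re.I)),
    ("free_space_wipe", "file",              # post-encryption free-space overwrite artifact
     re.compile(r"(?:^|[\\/])wipefile\.tmp$", re.I)),
]

def scan(events):
    """Return (host, rule) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        target = ev.get("cmdline" if ev["type"] == "process" else "path") or ""
        for name, etype, pattern in RULES:
            if etype == ev["type"] and pattern.search(target):
                findings.append((ev["host"], name))
    return findings

def hosts_by_distinct_behaviours(events, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours: one hit is noisy
    (admins clear logs too); several on one host in a window is the strong signal."""
    per_host = {}
    for host, rule in scan(events):
        per_host.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

# Constructed sample telemetry (process-creation and file-creation records).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "cmdline": 'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\"'},
    {"host": "ws01", "type": "process", "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws01", "type": "file", "path": "C:\\Users\\Public\\README-GENTLEMEN.txt"},
    {"host": "ws02", "type": "process", "cmdline": "wevtutil.exe qe Application /c:5"},
    {"host": "srv03", "type": "file", "path": "D:\\shares\\finance\\Q3.xlsx.umc16h"},
]
```

In the constructed sample only ws01 crosses the two-behaviour threshold; the single .umc16h hit on srv03 is still worth reviewing, since an encrypted extension on a file share may be the only trace of a host that was encrypted remotely.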
Groups observed using it
Microsoft Threat Intelligence recently reported on a global ransomware operation: its researchers are tracking the rapidly growing Gentlemen ransomware threat across multiple continents. The platform operates as a ransomware-as-a-service model for financially motivated cybercriminals.
Recent activity
Gentlemen is a ransomware-as-a-service platform used for double-extortion attacks. It encrypts files, exfiltrates data for extortion, disables Microsoft Defender protections, deletes shadow copies and logs, terminates enterprise applications and EDR processes, uses Curve25519 and XChaCha20 for encryption, appends the .umc16h extension to encrypted files, supports partial encryption modes for speed, and can self-propagate as a worm via network shares and remote execution methods such as PsExec, WMIC, and PowerShell.
A Go-based ransomware family operated as a ransomware-as-a-service platform. It is used for large-scale enterprise intrusions, data theft, silent encryption, and data-only extortion across Windows, Linux, NAS, BSD, and ESXi environments. The operators conduct reconnaissance, target backup and virtualization infrastructure, disable security tools, and prepare environments before network-wide encryption.
Gentlemen is a ransomware-as-a-service operation that provides cross-platform lockers for Windows, Linux, NAS, BSD, and ESXi. It uses a hybrid encryption scheme based on X25519 and XChaCha20, supports broad enterprise encryption via GPO propagation, and terminates databases, backup, and virtualization processes before encryption.
Ransomware that encrypts files and disrupts business IT systems, targeting critical infrastructure and multiple sectors across at least 17 countries.