The Gentlemen Ransomware
The Gentlemen Ransomware is a ransomware-as-a-service (RaaS) operation first clearly observed in active campaigns beginning in August 2025 (with development indicators as early as July 2025) and described as unusually mature and operationally disciplined for a new entrant. It operates a double-extortion model: data is exfiltrated prior to encryption and victims are threatened with publication on a dark web leak site if payment is not made.
Technically, the ransomware is primarily written in Go and has variants targeting Windows, Linux, and VMware ESXi (with RaaS advertising also claiming support for Windows, Linux, NAS, BSD, and a dedicated ESXi locker). Execution requires a password parameter as a control mechanism. A September 2025 dark web post advertising “The Gentlemen’s RaaS” described an affiliate program (90% payout to affiliates), centralized operator control of infrastructure (including the leak site), TOX-based communications, and hybrid cryptography using XChaCha20 with Curve25519. Advertised/observed features include password-protected builds, partial/full encryption modes, background execution, automated network discovery, and an ESXi variant optimized for virtualized environments with multithreaded encryption and controlled VM handling.
Observed attack chain elements include: initial access via exploitation of internet-exposed services or compromised administrative credentials (including exposed firewall/VPN management interfaces such as FortiGate); reconnaissance using tools like Advanced IP Scanner and Active Directory queries; UAC bypass using PowerRun.exe to execute with SYSTEM privileges; defense evasion via BYOVD using signed drivers and custom tooling (e.g., All.exe with ThrottleBlood.sys) to terminate AV/EDR; lateral movement using PsExec over SMB admin shares; and deployment via domain resources such as NETLOGON shares. Encrypted files reportedly receive the .7mtzhh extension, and ransom notes named README-GENTLEMEN.txt are dropped.
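The host-level artifacts in the chain above (PowerRun.exe, All.exe with ThrottleBlood.sys, PsExec, staging from a NETLOGON share, the .7mtzhh extension and README-GENTLEMEN.txt) can be turned into simple endpoint detections. The following is an added example written for this page, not code from any vendor, from the cited reports, or from the malware itself. It assumes a constructed Sysmon-like event schema (field names ts, host, event, image, cmdline, driver, path) and an assumed burst threshold; the sample events are constructed, not real incident data.

```python
"""Endpoint detection sketch for The Gentlemen ransomware artifacts.

Added example for this page; not vendor code. Indicator names come from
public reporting on the family. The event schema (ts, host, event, image,
cmdline, driver, path) and the burst threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tooling named in reporting: UAC bypass (PowerRun), BYOVD loader (All.exe),
# lateral movement (PsExec over admin shares).
SUSPICIOUS_IMAGES = {"powerrun.exe", "all.exe", "psexec.exe"}
SUSPICIOUS_DRIVERS = {"throttleblood.sys"}
RANSOM_EXT = ".7mtzhh"
RANSOM_NOTE = "readme-gentlemen.txt"
# Assumed threshold: this many renames to .7mtzhh on one host inside the
# window is treated as active encryption rather than a stray file.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)


def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Return a rule id for a single event, or None if nothing matches."""
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "")
        if _base(image) in SUSPICIOUS_IMAGES:
            return "tooling:" + _base(image)
        # Payload launched directly from a domain share (NETLOGON staging).
        if "\\netlogon\\" in image.lower():
            return "netlogon_execution"
    elif kind == "driver_load":
        if _base(ev.get("driver", "")) in SUSPICIOUS_DRIVERS:
            return "byovd_driver"
    elif kind in ("file_create", "file_rename"):
        name = _base(ev.get("path", ""))
        if name == RANSOM_NOTE:
            return "ransom_note"
        if name.endswith(RANSOM_EXT):
            return "ransom_ext"
    return None


def scan_events(events):
    """Scan events in time order; return (rule, host, detail) findings.

    Single-event rules fire immediately. Renames to .7mtzhh are aggregated
    per host and reported once, as an encryption burst, when BURST_COUNT
    of them land inside BURST_WINDOW.
    """
    findings = []
    ext_times = defaultdict(list)
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = classify(ev)
        if rule is None:
            continue
        host = ev["host"]
        if rule == "ransom_ext":
            t = datetime.fromisoformat(ev["ts"])
            recent = [x for x in ext_times[host] if t - x <= BURST_WINDOW]
            recent.append(t)
            ext_times[host] = recent
            if len(recent) >= BURST_COUNT and host not in burst_reported:
                burst_reported.add(host)
                findings.append(("encryption_burst", host,
                                 f"{len(recent)} renames to {RANSOM_EXT} "
                                 f"within {BURST_WINDOW.seconds}s"))
            continue
        detail = ev.get("image") or ev.get("driver") or ev.get("path")
        findings.append((rule, host, detail))
    return findings


# Constructed sample telemetry for one host (not real incident data).
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T01:00:00", "host": "ws01", "event": "process_create",
     "image": "C:\\Users\\Public\\PowerRun.exe", "cmdline": "PowerRun.exe All.exe"},
    {"ts": "2025-09-10T01:00:05", "host": "ws01", "event": "driver_load",
     "driver": "C:\\Windows\\Temp\\ThrottleBlood.sys"},
    {"ts": "2025-09-10T01:01:00", "host": "ws01", "event": "process_create",
     "image": "\\\\corp.example\\NETLOGON\\locker.exe", "cmdline": "locker.exe --spread"},
    {"ts": "2025-09-10T01:02:00", "host": "ws01", "event": "process_create",
     "image": "C:\\Windows\\notepad.exe", "cmdline": "notepad.exe"},
] + [
    {"ts": f"2025-09-10T01:03:{i:02d}", "host": "ws01", "event": "file_rename",
     "path": f"C:\\Data\\doc{i}.docx.7mtzhh"} for i in range(6)
] + [
    {"ts": "2025-09-10T01:04:00", "host": "ws01", "event": "file_create",
     "path": "C:\\Data\\README-GENTLEMEN.txt"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The single-event rules are cheap but brittle (an operator can rename PowerRun.exe); the rename-burst rule keys on the extension the encryptor itself produces, so it still fires when the tooling is renamed, at the cost of alerting only once encryption has started. In practice both belong in the same pipeline, with the burst rule driving host isolation.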
Targeting is described as global, primarily impacting medium to large organizations across at least 17 countries, with manufacturing and technology among the most affected industries (healthcare and financial services are also represented). Reporting also references multiple victim claims and observations (including organizations in Japan and Indonesia) and notes continued victim additions into late 2025 and January 2026.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Operators scanned for and exploited internet-facing vulnerabilities including the FortiOS authentication-bypass flaw CVE-2024-55591, alongside older Active Directory weaknesses like ZeroLogon and PetitPotam.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Persistence: 3 techniques
Privilege Escalation: 3 techniques
Stealth: 3 techniques
Defense Impairment: 2 techniques
Lateral Movement: 1 technique
Exfiltration: 1 technique
Impact: 6 techniques
When enabled with the --spread argument, it turns the malware from a single-host encryptor into a self-propagating worm... If the --wipe argument is provided, The Gentlemen ransomware performs an additional post-encryption routine...
The ransomware subsequently propagated broadly throughout the domain, dropping ransom notes and modifying desktop backgrounds on impacted systems.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware associated with a RaaS operation using dual-extortion (data theft and encryption) and described as employing advanced evasion/persistence techniques and scalable deployment across industries and geographies.
RaaS ransomware group (emerged mid-2025 according to the source) using dual/double-extortion tactics (data theft plus encryption), with advanced evasion/persistence and scalable cross-platform deployment; targets multiple industries globally.
Cross-platform double-extortion ransomware operated as a RaaS. Exfiltrates data, encrypts systems, and threatens publication on a leak site. Supports Windows/Linux/ESXi (and advertised NAS/BSD), uses password-protected execution, and appends the .7mtzhh extension while dropping README-GENTLEMEN.txt ransom notes.
Ransomware-as-a-service (RaaS) group malware using dual-extortion tactics (data theft plus encryption) and described as employing advanced evasion and persistence techniques with targeted attacks across multiple industries and regions.