Full Report
Microsoft Threat Intelligence detailed a growing RaaS (ransomware-as-a-service) operation known as The Gentlemen, tracked by Microsoft as Storm-2697,... The post The Gentlemen ransomware combines advanced encryption with self-propagation, targeting critical sectors appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: The Gentlemen (Storm-2697)
## Attribution & Identity
- **Name:** The Gentlemen
- **Microsoft Tracking Identifier:** Storm-2697
- **Associations:** Established an official partnership with **BreachForums** to recruit affiliates, including penetration testers and initial access brokers (IABs).
- **Format:** Operates as a Ransomware-as-a-Service (RaaS) platform.
## Activity Summary
- **Emergence:** Mid-2025 as a closed ransomware group.
- **Evolution:** Transitioned to a RaaS model in September 2025.
- **Recent Campaigns:** Widespread campaigns throughout late 2025 and 2026 utilizing a Go-based encryptor with aggressive self-propagation capabilities to compromise entire enterprise networks.
## Tactics, Techniques & Procedures
- **Encryption:** Uses per-file ephemeral key encryption built on **Curve25519** and the **XChaCha20** stream cipher.
- **Self-Propagation:** Includes a dedicated module that runs several distinct lateral-movement methods simultaneously, so the encryptor spreads to connected systems without operator interaction.
- **Extortion:** Employs **Double Extortion** (data encryption combined with data exfiltration and the threat of public release).
- **Obfuscation:** The malware is written in **Go** and obfuscated using **Garble** to evade detection in Windows environments.
- **Execution:** Processes extensive command-line arguments to control encryption scope, speed, persistence, and cleanup.
- **MITRE ATT&CK IDs (Inferred from TTPs):**
  - **T1570:** Lateral Tool Transfer
  - **T1486:** Data Encrypted for Impact
  - **T1021:** Remote Services (Lateral Movement)
  - **T1020:** Automated Exfiltration
  - **T1059:** Command and Scripting Interpreter
## Targeting
- **Sectors:** Education, Transportation, Healthcare, Financial, and Manufacturing.
- **Geography:** Global footprint including North America, South America, Europe, Africa, and Asia.
- **Victims:** Explicit focus on critical infrastructure and large-scale enterprise networks.
## Tools & Infrastructure
- **Malware Families:** The Gentlemen Ransomware (Go-based).
- **Communication:** Partnership with `BreachForums` for recruitment; uses a dedicated leak site for extortion (implied by double extortion tactics).
- **Infrastructure:** Microsoft tracks the actor as Storm-2697. (Specific defanged IPs/domains were not listed in the provided article text).
## Implications
The evolution of The Gentlemen into a RaaS model, combined with its partnership with BreachForums, suggests a significant scaling of operations. The "self-propagating" nature of the encryptor reduces the time required for a total network takeover, moving faster than traditional human-operated ransomware and placing extreme pressure on Incident Response (IR) teams.
## Mitigations
- **Network Segmentation:** Implement strict micro-segmentation to neutralize the malware’s self-propagation and lateral movement modules.
- **Endpoint Protection:** Deploy EDR/XDR solutions capable of detecting Go-based binaries and Garble obfuscation patterns.
- **Credential Hygiene:** Enforce MFA and restrict administrative shares (SMB) so that automated lateral-movement tooling cannot reuse harvested credentials across hosts.
- **Offline Backups:** Maintain immutable, off-site backups; with per-file ephemeral key encryption, recovering files without the attacker's private key is computationally infeasible, so restoration from backup is the only reliable recovery path.
- **Vulnerability Management:** Prioritize patching of initial access vectors used by brokers associated with BreachForums.
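The Endpoint Protection item above asks for tooling that recognises Go binaries and obfuscated (Garble-style) builds. The following Python triage script is an added example for this summary; it is not code from Microsoft or from the report, and its heuristics are assumptions: it looks for the Go runtime's pclntab header (which any Go binary needs at run time) and then checks whether the build ID and buildinfo strings that an ordinary Go build carries are still present. A Go binary that has its pclntab but none of the build metadata is flagged as stripped or obfuscated, which is a triage signal worth a closer look, not proof that Garble was used. The sample byte blobs are constructed inline so the script runs offline.

```python
"""Heuristic triage of Windows executables for Go toolchain markers.

Added example (not part of the original report). Classifications:
  not-pe            - does not start with the MZ header
  not-go            - no Go pclntab header found
  go-with-buildinfo - Go binary still carrying build ID / buildinfo strings
  go-stripped       - Go pclntab present, build metadata absent
                      (assumption: consistent with a Garble-style build,
                      but also with plain -ldflags=-buildid= builds)
"""
import struct
import sys
from pathlib import Path

# Little-endian magic values of the Go pclntab header across toolchains:
# 0xFFFFFFFB (<1.16), 0xFFFFFFFA (1.16/1.17), 0xFFFFFFF0 (1.18/1.19), 0xFFFFFFF1 (1.20+)
PCLNTAB_MAGICS = [struct.pack("<I", m) for m in (0xFFFFFFFB, 0xFFFFFFFA, 0xFFFFFFF0, 0xFFFFFFF1)]
BUILD_ID_MARKER = b'Go build ID: "'      # emitted by the Go linker unless disabled
BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 16-byte magic of the .go.buildinfo blob
MZ = b"MZ"


def find_pclntab(blob: bytes) -> int:
    """Return the offset of a plausible pclntab header, or -1.

    Header layout: magic(4) pad(2, zero) minLC(1) ptrsize(1). Checking the
    last two bytes cuts false positives from the magic appearing in data.
    """
    for magic in PCLNTAB_MAGICS:
        needle = magic + b"\x00\x00"
        pos = blob.find(needle)
        while pos != -1:
            if pos + 8 <= len(blob):
                quantum, ptrsize = blob[pos + 6], blob[pos + 7]
                if quantum in (1, 2, 4) and ptrsize in (4, 8):
                    return pos
            pos = blob.find(needle, pos + 1)
    return -1


def classify(blob: bytes) -> str:
    """Classify a file image using the markers described in the docstring."""
    if not blob.startswith(MZ):
        return "not-pe"
    if find_pclntab(blob) == -1:
        return "not-go"
    if BUILD_ID_MARKER in blob or BUILDINFO_MAGIC in blob:
        return "go-with-buildinfo"
    return "go-stripped"


def _sample(stripped: bool) -> bytes:
    """Constructed sample image (not a real binary) for offline testing."""
    body = bytearray(MZ + b"\x00" * 62)
    if not stripped:
        body += b'Go build ID: "constructed/sample"\x00'
        body += BUILDINFO_MAGIC + bytes([8, 2]) + b"\x00" * 14
    body += b"\x00" * 16
    # pclntab header: Go 1.20+ magic, two pad bytes, minLC=1 (x86), ptrsize=8
    body += struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00" + bytes([1, 8])
    body += b"\x00" * 32
    return bytes(body)


SAMPLE_PLAIN_GO = _sample(stripped=False)
SAMPLE_STRIPPED_GO = _sample(stripped=True)
SAMPLE_NOT_GO = MZ + b"\x00" * 200


def scan_paths(paths):
    """Classify each path; returns a dict so callers can filter on go-stripped."""
    return {str(p): classify(Path(p).read_bytes()) for p in paths}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_paths(sys.argv[1:]).items():
            print(f"{verdict:18} {path}")
    else:
        for name, blob in (("plain", SAMPLE_PLAIN_GO), ("stripped", SAMPLE_STRIPPED_GO),
                           ("not-go", SAMPLE_NOT_GO)):
            print(f"{classify(blob):18} constructed sample: {name}")
```

Run it with one or more file paths to triage real executables, or with no arguments to see the verdicts on the constructed samples. A `go-stripped` verdict on a binary that arrived outside normal software deployment is a reasonable trigger for deeper analysis, since legitimate internal Go tooling usually keeps its build metadata.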