Full Report
Microsoft Threat Intelligence tracks the operators behind the ransomware as Storm-2697, a financially motivated threat actor that manages the RaaS platform known as “The Gentlemen” while affiliates carry out attacks. Emerging around mid-2025, The Gentlemen started as a closed ransomware group and began offering its RaaS to affiliates in September 2025. More recently, The Gentlemen operators established an official partnership with BreachForums, a popular cybercriminal marketplace, to recruit affiliates including penetration testers and initial access brokers. Given that The Gentlemen is already a widely adopted RaaS platform, this partnership may lead to increased activity as the program becomes accessible to a broader pool of threat actors.

The operators use double extortion tactics: they encrypt data and also exfiltrate sensitive information, then threaten to publish it if the ransom is not paid. The ransomware is written in Go, obfuscated with Garble, and targets Windows environments. Microsoft has observed The Gentlemen ransomware impacting organizations across the education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

In this blog, we present a detailed analysis of The Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques. This research is intended to give defenders, incident responders, and the broader security community a better understanding of how the threat operates, from initial argument parsing and defense evasion, through its file encryption internals, to the lateral movement that lets it propagate across the network. We also provide mitigation guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help organizations defend against this threat and similar ransomware activity.
Analysis Summary
# Tool/Technique: The Gentlemen Ransomware
## Overview
The Gentlemen is a Ransomware-as-a-Service (RaaS) platform written in Go, specifically designed for targeting Windows environments. It is characterized by its "double extortion" model—integrating high-speed file encryption with sensitive data exfiltration—and a robust self-propagation mechanism that allows it to spread laterally across a network automatically.
## Technical Details
- **Type:** Malware Family (RaaS)
- **Platform:** Windows
- **Capabilities:** File encryption (XChaCha20), defense evasion (obfuscation), self-propagation (lateral movement), data exfiltration (double extortion).
- **First Seen:** Mid-2025 (Initially closed group); transitioned to RaaS in September 2025.
## MITRE ATT&CK Mapping
- **[TA0008 - Lateral Movement]**
- [T1570 - Lateral Tool Transfer]
- [T1021.002 - Remote Services: SMB/Windows Admin Shares]
- **[TA0005 - Defense Evasion]**
- [T1027 - Obfuscated Files or Information] (compile-time obfuscation via Garble)
- [T1562.001 - Impair Defenses: Disable or Modify Tools]
- **[TA0040 - Impact]**
- [T1486 - Data Encrypted for Impact]
- [T1491.001 - Defacement: Internal Defacement] (desktop wallpaper modification)
- **[TA0010 - Exfiltration]**
- [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Robust Encryption:** Uses per-file ephemeral Curve25519 keys paired with the XChaCha20 stream cipher.
- **Go-Based / Obfuscated:** Built using the Go programming language and obfuscated with **Garble** to complicate reverse engineering and bypass static detections.
- **Double Extortion:** Exfiltrates sensitive data before encryption and threatens to publish it on the group's leak site, adding pressure for ransom payment on top of the encryption itself.
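The per-file hybrid construction described above (an ephemeral Curve25519 key per file, ECDH against the operator's long-term public key, XChaCha20 as the stream cipher), worked through in pure Python as an added illustration; this is not code from the page or from the malware. The key-derivation step (`derive_file_key`), the random 24-byte nonce and the blob layout `ephemeral_pub || nonce || ciphertext` are assumptions, since the page does not document how the real encryptor handles them. What the example shows is why recovery depends on the operator: the victim host only ever holds the operator's public key and a per-file ephemeral private key that is discarded after use, so decryption requires the operator's private key plus the ephemeral public key stored with each file.

```python
"""Per-file hybrid encryption in the style the page describes: an ephemeral X25519
(Curve25519) key per file, ECDH against the operator's long-term public key, and
XChaCha20 as the stream cipher.  Pure-Python reference for study; the real
encryptor's KDF, nonce handling and on-disk layout are assumptions, not from the page."""
import hashlib
import os
import struct

# --- X25519, RFC 7748 Montgomery ladder -------------------------------------
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)             # clamp the scalar
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)  # mask the top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# --- ChaCha20 core (RFC 8439), HChaCha20 and XChaCha20 -----------------------
M32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & M32

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(state):
    s = list(state)
    for _ in range(10):   # 20 rounds = 10 column/diagonal double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return s

def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """Subkey from key and the first 16 nonce bytes: rounds only, no feed-forward add."""
    s = _rounds(SIGMA + struct.unpack("<8I", key) + struct.unpack("<4I", nonce16))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def chacha20_xor(key: bytes, nonce12: bytes, data: bytes, counter: int = 0) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 64):
        st = SIGMA + struct.unpack("<8I", key) + ((counter + i // 64) & M32,) + struct.unpack("<3I", nonce12)
        ks = struct.pack("<16I", *[(x + y) & M32 for x, y in zip(_rounds(st), st)])
        out += bytes(p ^ q for p, q in zip(data[i:i + 64], ks))
    return bytes(out)

def xchacha20_xor(key: bytes, nonce24: bytes, data: bytes) -> bytes:
    """XChaCha20: HChaCha20 subkey, then ChaCha20 with nonce = 4 zero bytes || nonce[16:]."""
    return chacha20_xor(hchacha20(key, nonce24[:16]), b"\0" * 4 + nonce24[16:], data)

# --- Per-file hybrid scheme.  Assumed blob layout: eph_pub(32) || nonce(24) || ct ---
def derive_file_key(shared: bytes, eph_pub: bytes, operator_pub: bytes) -> bytes:
    # Assumed KDF (libsodium sealed-box style); the real binary's KDF is not on the page.
    return hashlib.blake2b(shared + eph_pub + operator_pub, digest_size=32).digest()

def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    eph_priv = os.urandom(32)                      # fresh per file, then discarded
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = derive_file_key(x25519(eph_priv, operator_pub), eph_pub, operator_pub)
    nonce = os.urandom(24)
    return eph_pub + nonce + xchacha20_xor(key, nonce, plaintext)

def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Only the operator's private key (never present on the victim) can redo the ECDH."""
    eph_pub, nonce, ct = blob[:32], blob[32:56], blob[56:]
    operator_pub = x25519(operator_priv, BASEPOINT)
    key = derive_file_key(x25519(operator_priv, eph_pub), eph_pub, operator_pub)
    return xchacha20_xor(key, nonce, ct)

def demo() -> bool:
    op_priv = os.urandom(32)                       # stays with the operator
    op_pub = x25519(op_priv, BASEPOINT)
    doc = b"constructed sample document contents " * 5
    blob = encrypt_file(doc, op_pub)
    return blob[56:] != doc and decrypt_file(blob, op_priv) == doc

if __name__ == "__main__":
    print("round trip ok:", demo())
```

Because XChaCha20 is a pure stream cipher, this construction gives no integrity protection and nonce reuse under one file key would leak plaintext XOR; an encryptor that only needs to deny access does not care, but an analyst writing a decryptor for recovered operator keys must reproduce the KDF and nonce placement exactly, which is why those details are flagged above as assumptions.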
### Advanced Features
- **Self-Propagation:** Includes built-in routines to spread across the network automatically using multiple lateral movement methods (e.g., SMB and administrative shares, PsExec-style remote execution).
- **Automated Defense Evasion:** Implements specific behaviors to identify and terminate security software or common administrative tools that might interfere with encryption.
- **Affiliate Infrastructure:** Managed via a RaaS platform with a strategic recruitment partnership with BreachForums.
## Indicators of Compromise
- **File Hashes (SHA-256):**
- `22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67` (Encryptor)
- `078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b` (PsExec binary used for lateral movement)
- `fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68` (Wallpaper Bitmap)
- **File Names:** `Gentlemen_Wallpaper.bmp`
- **Behavioral Indicators:**
- Rapid file rename/overwrite operations across network shares.
- Execution of PsExec for remote command invocation.
- Large-scale outbound data transfers shortly before a burst of file-system activity (encryption), consistent with the double extortion model.
## Associated Threat Actors
- **Storm-2697:** The primary operators and developers of the RaaS platform.
- **Affiliates:** Various penetration testers and initial access brokers (IABs) recruited via platforms like BreachForums.
## Detection Methods
- **Signature-based:** Microsoft Defender detections for "Gentlemen" ransomware components.
- **Behavioral:** Monitoring for mass file renaming, Go binaries bearing Garble obfuscation artifacts (hashed identifiers, stripped build metadata), and unauthorized large-scale use of administrative tools such as PsExec.
- **ASIM Hunting:** Using normalized file event queries to track the SHA-256 hashes listed above across endpoint and cloud logs.
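A small detector run over constructed sample telemetry, covering the behavioral indicators listed under Indicators of Compromise and the hash-based hunting described in this section. It is an added illustration, not Microsoft's Defender logic or an ASIM query; the event field names, the 50-renames-in-10-seconds threshold and the sample events themselves are assumptions. The SHA-256 values are the page's own IOCs.

```python
"""Detector over constructed events: a burst of rename/overwrite operations on
network shares, PsExec execution, and SHA-256 matches against the page's IOCs.
Event schema, thresholds and sample data are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

IOC_SHA256 = {   # hashes from the page; descriptions shortened
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67": "Gentlemen encryptor",
    "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b": "PsExec binary (page IOC)",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68": "Gentlemen_Wallpaper.bmp",
}
RENAME_THRESHOLD = 50             # assumed: share renames per host within WINDOW
WINDOW = timedelta(seconds=10)    # assumed sliding window
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

def is_share_path(path: str) -> bool:
    """UNC paths (\\\\server\\share\\...) are the ones that matter for spread across shares."""
    return path.startswith("\\\\")

def detect(events):
    """events: dicts with ts (ISO 8601), host, kind, plus kind-specific fields.
    Returns [(host, finding), ...], one entry per distinct finding per host."""
    findings, seen = [], set()
    renames = defaultdict(deque)   # host -> timestamps of recent share renames
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["kind"] == "FileRenamed" and is_share_path(ev["path"]):
            q = renames[host]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (host, "mass-rename") not in seen:
                seen.add((host, "mass-rename"))
                findings.append((host, f"{len(q)} share renames within {WINDOW.seconds}s"))
        elif ev["kind"] == "ProcessCreated":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image in PSEXEC_IMAGES and (host, "psexec") not in seen:
                seen.add((host, "psexec"))
                findings.append((host, f"PsExec execution: {ev['cmdline']}"))
        sha = ev.get("sha256", "").lower()    # hash match applies to any event kind
        if sha in IOC_SHA256 and (host, sha) not in seen:
            seen.add((host, sha))
            findings.append((host, f"IOC hash match: {IOC_SHA256[sha]}"))
    return findings

def sample_events():
    """Constructed sample telemetry, not real logs."""
    base = datetime(2025, 10, 1, 3, 0, 0)
    evs = [
        {"ts": base.isoformat(), "host": "WS01", "kind": "ProcessCreated",
         "image": "C:\\Temp\\PsExec64.exe",
         "cmdline": "PsExec64.exe \\\\FS01 -s cmd.exe",
         "sha256": "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b"},
        {"ts": (base + timedelta(seconds=5)).isoformat(), "host": "FS01", "kind": "FileCreated",
         "path": "C:\\Users\\Public\\Gentlemen_Wallpaper.bmp",
         "sha256": "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"},
    ]
    for i in range(60):   # 60 renames on one share within 6 seconds: a burst
        evs.append({"ts": (base + timedelta(seconds=10, milliseconds=100 * i)).isoformat(),
                    "host": "WS01", "kind": "FileRenamed",
                    "path": f"\\\\FS01\\Finance\\report_{i}.xlsx"})
    return evs

if __name__ == "__main__":
    for host, finding in detect(sample_events()):
        print(host, finding)
```

The rename-burst rule is the one worth tuning: backup jobs and bulk migrations also rename at speed, so in production scope it to paths the host does not normally write to and pair it with the PsExec or hash signal before paging anyone.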
## Mitigation Strategies
- **Network Segmentation:** Limit lateral movement by segmenting critical assets and restricting SMB traffic between workstations.
- **Credential Hardening:** Enforce MFA and restrict the use of local administrator accounts for lateral tasks; use LAPS.
- **Data Backup:** Maintain offline, immutable backups to counteract the encryption impact.
- **Endpoint Protection:** Ensure EDR tools are configured to block common ransomware behaviors (e.g., shadow copy deletion, automated encryption).
## Related Tools/Techniques
- **PsExec:** Used for lateral movement and remote execution.
- **Garble:** The primary obfuscator used to hide the Go source code.
- **Curve25519/XChaCha20:** Cryptographic primitives commonly seen in modern, high-performance encryptors.