The Gentlemen Ransomware: Self-Propagating Go Threat

Introduction

Microsoft has released a detailed breakdown of The Gentlemen ransomware, a ransomware-as-a-service (RaaS) operation tracked as Storm-2697. The key concern for security teams is not just its encryption strength, but its ability to self-propagate across environments using multiple lateral movement methods, raising the risk of widespread business disruption.

What’s new

Microsoft’s analysis highlights several notable capabilities:

• Go-based ransomware encryptor obfuscated with Garble and targeting Windows environments
• Strong encryption design using per-file ephemeral Curve25519 keys with XChaCha20
• Multiple execution modes controlled by command-line arguments, including local-only, share-only, and full-environment encryption
• Self-propagation support via the --spread option, allowing movement with supplied credentials or the current session token
• Privilege escalation through scheduled tasks to relaunch as SYSTEM for encrypting local drives
• Double extortion tactics, combining file encryption with data exfiltration and threats of public release

Microsoft also notes that The Gentlemen has expanded since emerging in mid-2025, moving from a closed group to a broader affiliate model. Its partnership with BreachForums could increase adoption and attack volume.

Why this matters for defenders

This threat is especially dangerous because it is designed to hit both local volumes and network shares in parallel. The malware can run in a --full mode that splits activity into separate processes for SYSTEM-level local encryption and user-context network share encryption.

For IT and security administrators, that means a single foothold can potentially lead to:

• Faster lateral spread across the network
• Broader encryption coverage
• Greater operational downtime
• Higher extortion pressure due to stolen data

Microsoft reports observed impact across sectors including education, healthcare, transportation, and finance in multiple regions.

Recommended next steps

Organizations should review Microsoft’s published guidance and use the provided detections, hunting queries, and IOCs to strengthen defenses.

Recommended actions include:

• Validate ransomware protections in Microsoft Defender and related security tooling
• Monitor for suspicious scheduled task creation, especially tasks used to relaunch processes as SYSTEM
• Review lateral movement activity involving remote shares, reused credentials, and unusual token use
• Hunt for command-line patterns associated with The Gentlemen execution flags
• Strengthen least-privilege controls and limit administrative access where possible
• Test backup and recovery processes to reduce operational impact if encryption occurs

Bottom line

The Gentlemen stands out because it blends modern encryption, operator-controlled execution, and aggressive self-propagation into a single ransomware platform. Security teams should treat Microsoft’s findings as a practical guide for detection, containment, and ransomware readiness planning.