Security

The Gentlemen Ransomware: Self-Propagating Go Threat

3 min read

Summary

Microsoft Threat Intelligence has published a deep technical analysis of The Gentlemen ransomware, a Go-based ransomware-as-a-service threat that combines strong file encryption with aggressive self-propagation. The research matters for defenders because the malware can rapidly spread across local systems and network shares, increasing the blast radius of a single compromise.

Need help with Security?Talk to an Expert

Introduction

Microsoft has released a detailed breakdown of The Gentlemen ransomware, a ransomware-as-a-service (RaaS) operation tracked as Storm-2697. The key concern for security teams is not just its encryption strength, but its ability to self-propagate across environments using multiple lateral movement methods, raising the risk of widespread business disruption.

What’s new

Microsoft’s analysis highlights several notable capabilities:

  • Go-based ransomware encryptor obfuscated with Garble and targeting Windows environments
  • Strong encryption design using per-file ephemeral Curve25519 keys with XChaCha20
  • Multiple execution modes controlled by command-line arguments, including local-only, share-only, and full-environment encryption
  • Self-propagation support via the --spread option, allowing movement with supplied credentials or the current session token
  • Privilege escalation through scheduled tasks to relaunch as SYSTEM for encrypting local drives
  • Double extortion tactics, combining file encryption with data exfiltration and threats of public release

Microsoft also notes that The Gentlemen has expanded since emerging in mid-2025, moving from a closed group to a broader affiliate model. Its partnership with BreachForums could increase adoption and attack volume.

Why this matters for defenders

This threat is especially dangerous because it is designed to hit both local volumes and network shares in parallel. The malware can run in a --full mode that splits activity into separate processes for SYSTEM-level local encryption and user-context network share encryption.

For IT and security administrators, that means a single foothold can potentially lead to:

  • Faster lateral spread across the network
  • Broader encryption coverage
  • Greater operational downtime
  • Higher extortion pressure due to stolen data

Microsoft reports observed impact across sectors including education, healthcare, transportation, and finance in multiple regions.

Organizations should review Microsoft’s published guidance and use the provided detections, hunting queries, and IOCs to strengthen defenses.

Recommended actions include:

  • Validate ransomware protections in Microsoft Defender and related security tooling
  • Monitor for suspicious scheduled task creation, especially tasks used to relaunch processes as SYSTEM
  • Review lateral movement activity involving remote shares, reused credentials, and unusual token use
  • Hunt for command-line patterns associated with The Gentlemen execution flags
  • Strengthen least-privilege controls and limit administrative access where possible
  • Test backup and recovery processes to reduce operational impact if encryption occurs

Bottom line

The Gentlemen stands out because it blends modern encryption, operator-controlled execution, and aggressive self-propagation into a single ransomware platform. Security teams should treat Microsoft’s findings as a practical guide for detection, containment, and ransomware readiness planning.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

The Gentlemen ransomwareMicrosoft Defenderransomwarethreat intelligenceStorm-2697

Related Posts

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.

Security

GigaWiper Malware: Microsoft Details Destructive Backdoor

Microsoft Threat Intelligence has published a deep analysis of GigaWiper, a Golang-based backdoor that combines command-and-control features with multiple destructive payloads, including disk wiping, fake ransomware, and system sabotage. The research matters because it shows attackers consolidating several malware families into a single modular implant, increasing flexibility while reducing deployment footprint.

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.