{“lastseen”:”2026-05-28T16:28:40″,”description”:”In this article\\n\\n 1. Pre-encryption\\n 2. File encryption\\n 3. Post-encryption\\n 4. Defending against The Gentlemen ransomware\\n 5. Microsoft Defender detections and hunting guidance\\n 6. Indicators of compromise\\n\\n\\n\\nRansomware that combines robust encryption with rapid lateral movement significantly increases the risk and impact of an attack. The Gentlemen ransomware is a ransomware-as-a-service (RaaS) threat that is distinguished by its ability to pair its strong per-file encryption with an aggressive self-propagation capability designed to enable broad network compromise. In addition to using per-file ephemeral Curve25519 keys with XChaCha20 stream cipher, The Gentlemen ransomware attempts to spread across an environment using series of simultaneous, distinct lateral movement methods, increasing the likelihood of widespread impact once initial access is achieved.\\n\\n## Understand the threat \\n\\nProtect against ransomware and extortion activity \u203a\\n\\nMicrosoft Threat Intelligence tracks the operators behind the ransomware as Storm-2697, a financially motivated threat actor that manages the RaaS platform known as \u201cThe Gentlemen\u201d while affiliates carry out attacks. Emerging around mid-2025, The Gentlemen initially started as a closed ransomware group then began offering its RaaS to affiliates in September 2025. More recently, The Gentlemen operators established an official partnership with BreachForums, a popular cybercriminal marketplace, to recruit affiliates including penetration testers and initial access brokers. Given that The Gentlemen is already a widely adopted RaaS platform, this partnership may lead to increased activity as the program becomes accessible to a broader pool of threat actors.\\n\\nThe operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information to pressure victims through the threat of public release if the ransom is not paid. The ransomware is written in Go and obfuscated with Garble to target the Windows environment. Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.\\n\\nIn this blog, we present a detailed analysis of the Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques. This research is intended to provide defenders, incident responders, and the broader security community with a better understanding of how the threat operates, from initial argument parsing and defense evasion, through its file encryption internals, to the full lateral movement that enables it to propagate across the network. We also provide mitigation guidance, Microsoft Defender detections, hunting queries, and indicators of compromise (IOCs) to help organizations defend against this threat and similar ransomware activity.\\n\\n## Pre-encryption\\n\\n### Command-line argument processing\\n\\nThe ransomware operator can control The Gentlemen encryptor through command-line arguments. A password is required for execution, and optional arguments allow the operator to specify encryption scope, speed, lateral movement, and post-encryption behaviors.\\n\\nThe binary accepts the following arguments:\\n\\n**Command-line argument**| **Description** \\n—|— \\n _`–`password \\u003cpassword\\u003e_| Required access password (build-specific) \\n_`–`path \\u003clist of paths\\u003e_| Comma-separated list of target directories or file paths \\n _`–`T \\u003cminutes\\u003e_| Delay in minutes before file encryption begins \\n _`–`silent_| Silent mode. Disable renaming files, changing timestamps after encryption, and setting the desktop wallpaper \\n _`–`system_| Encrypt files as SYSTEM, targeting only local drives \\n _`–`shares_| Encrypt only mapped network drives and available Universal Naming Convention (UNC) shares \\n _`–`full_| Two-phase encryption by relaunching itself as two separate processes, one with _`–`system_ for local drives and one with _`–`shares_ for network shares \\n _`–`spread \\u003cdomain\/user:password\\u003e_| Enable self-propagation. Accept credentials for lateral movement. If no credential is provided, the current session token is used for lateral movement. \\n_`–`ultrafast_| Encrypt 0.3% per chunk (~0.9% total for large files) \\n_`–`superfast_| Encrypt 1% per chunk (~3% total for large files) \\n_`–`fast _| Encrypt 3% per chunk (~9% total for large files) \\n_`–`keep_| Disable self-delete after file encryption completes \\n _`–`wipe_| Wipe free disk space after encryption \\n \\nThe _`–`full_ command-line argument appears to be the intended mode of operation for comprehensive file encryption on the infected device. When this argument is provided, the malware spawns two child processes of itself: one appended with the argument _`–`system_ to encrypt local volumes under a SYSTEM-privileged scheduled task, and one appended with the argument _`–`shares_ to encrypt network shares. This separation ensures that the malware can reach both local drives (which might require SYSTEM privileges) and mapped network shares (which are only visible in the user’s session).\\n\\n_Figure 1. Encryption mode command-line arguments_\\n\\nThe speed arguments (_`–`fast_, _`–`superfast_, _`–`ultrafast_) are mutually exclusive and control how much of each large file is encrypted. When no speed flag is specified, the default per-chunk percentage is 9%. These flags only affect files that are larger than 1 MB, and small files are fully encrypted regardless of the speed setting.\\n\\n### Usage prompt\\n\\nWhen the encryptor is executed with no command-line argument, the malware prints a branded usage banner to the console.\\n\\nIt first executes the following PowerShell commands to render a console header:\\n\\n\\n\\nThis is followed by a detailed usage prompt provided by the malware author that documents all available flags with descriptions and examples:\\n\\n_Figure 2. The Gentlemen ransomware ‘s usage prompt_\\n\\nIt is worth noting that the file size percentages listed in the usage prompt refer to the total file encryption amount. Internally, the malware encrypts three separate chunks, and the per-chunk percentage used in the code is: fast=3%, superfast=1%, ultrafast=0.3%, default=9%.\\n\\n### Password check\\n\\nBefore executing its primary functionality, the malware validates the _`–`password_ argument against a hardcoded value embedded within the binary. For the sample analyzed in this blog, the expected password is \u201c9VoAvR7G\u201d. If the provided password does not match, the malware outputs _bad args_ and terminates execution.\\n\\nThis password check is a simple operator authentication mechanism, with each build containing a unique embedded password. Its purpose is to restrict execution to authorized operators and reduce the risk of accidental or unauthorized detonation if the binary is recovered or intercepted. However, because this validation relies on a static comparison, it can be easily identified and bypassed through static analysis techniques.\\n\\n### System encryption: Privilege escalation\\n\\nWhen the _`–`system_ argument is provided (either directly or via the _`–`full_ argument), the malware creates a scheduled task to re-execute itself as SYSTEM. If a delay value is also specified through the _`–`T_ argument, the scheduled execution time is adjusted accordingly.\\n\\nTo relaunch itself as SYSTEM, it issues the following sequence of commands:\\n\\n\\n\\nThe malware can only perform this task if it\u2019s executed from an account with administrator privilege. It first deletes any existing task named _gentlemen_system_ to avoid conflicts, creates a new one-time task that runs its binary under the SYSTEM account, and finally triggers that task.\\n\\nThis sequence ensures a clean state by first removing any existing task with the same name (_gentlemen_system_), creating a new scheduled task that executes the ransomware binary with SYSTEM-level privileges before finally triggering its immediate execution.\\n\\nWhen running within this scheduled task context, the malware sets the environment variable _LOCKER_BACKGROUND=1_. This variable functions as an internal execution flag, indicating that the process is operating as a background encryption worker with elevated privileges, rather than as the original operator-invoked instance.\\n\\n### Defense evasion\\n\\nBefore starting file encryption, the malware executes a sequence of commands to disable defensive controls and remove potential forensic artifacts.\\n\\n#### Disable Microsoft Defender\\n\\n\\n\\nThe PowerShell commands disable Microsoft Defender real-time monitoring to remove active protection on the infected device. The malware then adds its own executable to the Defender exclusion list to avoid detection. Finally, it excludes the entire _C:\\\\_ volume from scanning, reducing the likelihood of subsequent detection during file encryption.\\n\\n#### Delete shadow copies and event logs\\n\\n\\n\\nTo further impede recovery efforts, the malware deletes all Volume Shadow Copies using both _vssadmin_ and _wmic_(Windows Management Instrumentation command-line utility). It then clears the System, Application, and Security event logs using _wevtutil_ to remove key audit trails.\\n\\n#### Delete forensics artifacts\\n\\n\\n\\nThese commands remove a variety of forensic artifacts, including prefetch files that track program execution, Defender diagnostic and support logs, and Remote Desktop Protocol (RDP) logs.\\n\\nAdditionally, the malware manually deletes PowerShell command history across all user profiles by removing the following file:\\n\\n\\n\\nThis action eliminates evidence of previously executed PowerShell commands, further reducing the visibility of execution history and threat actor activity.\\n\\n### Process and service termination\\n\\n#### Process termination\\n\\nThe malware stops a list of running processes using the command:\\n\\n\\n\\nThe table below summarizes the different categories and processes being targeted:\\n\\n**Category**| **Targeted processes** \\n—|— \\nVirtualization| _vmms, vmwp, vmcompute, Docker Desktop_ \\nDatabases| _sqlservr, sqlbrowser, SQLAGENT, sqlwriter, dbeng50, dbsnmp, mysqld, postgres, postmaster, psql, oracle, sqlceip, DBeaver, Ssms, pgAdmin3, pgAdmin4_ \\nBackup and recovery software| _VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc, Veeam.EndPoint.Service, Iperius, IperiusService, vsnapvss, cbVSCService11, CagService, CVMountd, cvd, cvfwd, CVODS, xfssvccon, bedbh_ \\nEndpoint detection and response (EDR)| _vxmon, benetns, bengien, beserver, pvlsvr, avagent, avscc, EnterpriseClient, cbService, cbInterface, raw_agent_svc_ \\nSAP| _SAP, saphostexec, saposco, sapstartsrv_ \\nOffice applications| _excel, winword, wordpad, powerpnt, visio, infopath, msaccess, mspub, onenote_ \\nEmail clients| _outlook, thunderbird, tbirdconfig, thebat_ \\nWeb and application servers| _w3wp, isqlplussvc_ \\nBrowser applications| _firefox, steam, notepad_ \\nRemote access management| _TeamViewer_Service, TeamViewer, tv_w32, tv_x64, mydesktopservice, mydesktopqos, mvdesktopservice_ \\nAccounting applications| _QBIDPService, QBDBMgrN, QBCFMonitorService_ \\nOther utilities| _encsvc, agntsvc, synctime, ocautoupds, ocomm, ocssd, DellSystemDetect_ \\n \\n#### Service termination\\n\\nIn addition to terminating processes, the malware disables and stops a list of Windows services using the commands:\\n\\n\\n\\nThe table below summarizes the different categories and services being targeted:\\n\\n**Category**| **Targeted services** \\n—|— \\nVirtualization| _vmms, docker_ \\nDatabases| _MSSQLSERVER, MSSQL*, MSSQL$SQLEXPRESS, SQLSERVERAGENT, SQLAgent$SQLEXPRESS, sql, (.)sql(.), MySQL, MariaDB, postgresql, OracleServiceORCL_ \\nBackup, storage, and recovery software| _veeam, backup, vss, VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, BackupExecDiveciMediaService, AcronisAgent, YooBackup, AcrSch2Svc, VSNAPVSS, GxBlr, GxVss, GxClMgrS, GxCVD, GxClMgr, GXMMM, GxVsshWProv, GxFWD, PDVFSService_ \\nEDR| _Sophos, DefWatch, SavRoam, RTVscan, ccSetMgr, ccEvtMgr, CAARCUpdateSvc, stc_raw_agent, MVarmor, MVarmor64, mepocs, memtas, zhudongfangyu_ \\nSAP| _SAP, SAPService, SAP$, SAPD$, SAPHostControl, SAPHostExec_ \\nMicrosoft Exchange| _msexchange, MSExchange, MSExchange$, WSBExchange_ \\nAccounting applications| _QBIDPService, QBDBMgrN, QBCFMonitorService_ \\nOther utilities| _svc$, YooIT_ \\n \\nTerminating these processes and services serves two primary objectives:\\n\\n * **File access and encryption reliability** : Many targeted processes\/services, such as databases, Office applications, and backup agents, maintain active file locks. By forcibly terminating these processes, the ransomware ensures that locked files become accessible for encryption.\\n * **Defense and recovery disruption** : By stopping backup services, endpoint protection agents, and remote access tools, the malware reduces the likelihood of real-time detection and data restoration from backups.\\n\\n\\n\\nCollectively, these behaviors maximize encryption coverage while hindering the environment\u2019s ability to detect, respond to, or recover from the attack.\\n\\n### Persistence\\n\\nThe encryptor can establish persistence for itself through two mechanisms: scheduled tasks and registry keys.\\n\\n_Figure 3. The Gentlemen ransomware ‘s persistence mechanism_\\n\\n#### Scheduled tasks persistence\\n\\nFor establishing persistence with scheduled tasks, the malware executes the following sequence of commands:\\n\\n\\n\\nThese commands first remove any pre-existing tasks with the same names, then create two persistence mechanisms that execute automatically at system startup. The _UpdateSystem_ task launches the payload in the SYSTEM security context, while the _UpdateUser_ task launches it in the currently signed-in user\u2019s context. This design increases the likelihood that the ransomware will run after reboot regardless of privilege level or sign-in state.\\n\\n#### Registry keys persistence\\n\\nFor establishing persistence with the registry, the malware executes the following sequence of commands:\\n\\n\\n\\nThe _GupdateS_ value under _HKEY_LOCAL_MACHINE_ (_HKLM_**)** provides device-wide persistence that allows the malware to run at startup for all users, while the _GupdateU_ value under _HKEY_CURRENT_USER_ (_HKCU_**)** provides user-scoped persistence within the current profile. By writing to both registry hives, the malware establishes redundant autorun paths across both system-level and user-level execution contexts.\\n\\nTogether, the scheduled tasks and Run key modifications create layered persistence, ensuring that the encryptor is re-executed after a reboot in both privileged and user-context scenarios.\\n\\n### Network share traversal\\n\\nWhen the command-line argument _`–`shares_ is provided, the malware initiates network share discovery and enumeration. It begins by probing all drive letters _A_ through _Z_ to identify mapped network drives using the following commands:\\n\\n\\n\\nThis sequence discovers any drives that are already mapped in the current user’s session, which are then added to the encryption target list.\\n\\nTo further enhance visibility into the network environment, the malware enables multiple Windows network discovery services and their associated firewall rules using the following commands:\\n\\n\\n\\nThe services enabled as part of this process include:\\n\\n * **Function Discovery Resource Publication (_fdrespub_):** Publishes the host\u2019s resources to the network, allowing other systems to detect it.\\n * **Function Discovery Provider Host (_fdPHost_):** Hosts provider components responsible for discovering network resources.\\n * **Simple Service Discovery Protocol (SSDP) Discovery (_SSDPSRV_):** Enables discovery of Universal Plug and Play (UPnP) devices.\\n * **UPnP Device Host (_upnphost_):** Supports the hosting and management of UPnP devices.\\n\\n\\n\\nFinally, the malware reinforces this configuration by enabling the _Network Discovery_ firewall rule group. This redundancy ensures that firewall restrictions do not limit its network visibility, further maximizing the number of reachable targets for encryption and propagation.\\n\\n### Volume and directory traversal\\n\\nTo enumerate all available volumes on the system, the malware executes the following PowerShell command sequence:\\n\\n\\n\\nThis command queries Windows Management Instrumentation (WMI) for all mounted volumes with drive letter paths and attempts to enumerate Cluster Shared Volumes (CSVs).\\n\\nAdditionally, the malware performs a secondary enumeration routine by iterating through drive letters _A_ through _Z_ while verifying their existence on disk. This brute-force method ensures broader coverage by identifying volumes that might not be retrieved through WMI queries to maximize visibility into all potential encryption targets.\\n\\n#### Directory exclusion list\\n\\nTo maintain system stability and avoid disrupting critical operating system components, the malware excludes a predefined set of directories from traversal and encryption. These directories include core Windows system paths, application directories, and locations commonly associated with security and system management:\\n\\n\\n\\n#### Extension exclusion list\\n\\nThe ransomware also excludes a set of file extensions associated with system-critical binaries, configuration files, and executable content:\\n\\n\\n\\nBy avoiding executable files, libraries, scripts, and other system-relevant formats, the malware preserves the integrity of the operating environment. This selective encryption model is a common ransomware design pattern, ensuring that the system remains operational enough for the victim to receive instructions and facilitate ransom payment.\\n\\n#### File name exclusion list\\n\\nThe specific file names below are also excluded:\\n\\n\\n\\nThe inclusion of _README-GENTLEMEN.txt_ , the ransomware\u2019s ransom note, prevents it from being encrypted during execution. This ensures that the ransom instructions remain accessible to the victim, which is critical for the operator\u2019s monetization workflow.\\n\\n### Ransom note\\n\\nDuring directory traversal, the malware drops a ransom note named _README-GENTLEMEN.txt_ in each scanned directory to provide victim-facing instructions.\\n\\nThe note contains identifiers assigned to the victim, communication channels, and guidance on how to initiate contact with the operators.\\n\\n_Figure 4. Ransom note content_\\n\\n## File encryption\\n\\n### File ownership\\n\\nBefore encrypting a file, the ransomware modifies the file ownership and access control settings to ensure it has unrestricted write access to the target. This is achieved through the following sequence of commands:\\n\\n\\n\\nThe _takeown_ command recursively transfers ownership of the specified file or directory to the executing user, overriding existing ownership constraints. The _icacls_ command then grants full control permissions to the _Everyone_ security identifier (SID S-1-1-0), applying inheritance flags to propagate these permissions to all child objects. Finally, the _attrib_ command removes the read-only attributes.\\n\\n### Cryptographic scheme\\n\\nThe Gentlemen ransomware implements a hybrid cryptographic design that combines Curve25519 elliptic-curve cryptography with the XChaCha20 stream cipher to achieve efficient and secure per-file encryption.\\n\\nFor each file, the malware performs the following sequence of operations:\\n\\n 1. Generates a unique ephemeral Curve25519 key pair, consisting of a randomly generated private key and its corresponding public key\\n 2. Computes the Elliptic-curve Diffie\u2013Hellman (ECDH) shared secret between the ephemeral private key and the operator\u2019s embedded public key\\n 3. Uses the resulting shared secret as the XChaCha20 key, and derives the nonce from the first 24 bytes of the ephemeral public key\\n 4. Encrypts the file contents using XChaCha20 with this key and nonce combination\\n 5. Appends the Base64-encoded ephemeral public key to the file footer to enable subsequent key reconstruction during decryption\\n\\n_Figure 5. The Gentlemen ransomware ‘s file encryption mechanism_\\n\\nIn this sample, the operator\u2019s public key is hard-coded within the binary as a Base64-encoded value:\\n\\n\\n\\nThis design ensures that each file is encrypted with a distinct key and nonce derived from a per-file ephemeral key exchange, eliminating any possibility of key or nonce reuse across files.\\n\\nDuring decryption, the decryptor can use the operator\u2019s Curve25519 private key together with the stored ephemeral public key to reconstruct the ECDH shared secret and recover the XChaCha20 key. The nonce is deterministically reconstructed by extracting the first 24 bytes of the recovered ephemeral public key, making separate nonce storage unnecessary.\\n\\nOverall, this approach provides strong cryptographic isolation between encrypted files while maintaining operational simplicity and efficiency for the threat actor during both encryption and decryption.\\n\\n### Size-based encryption\\n\\nThe malware uses different encryption strategies based on file size:\\n\\n**File size**| **Encryption behavior** \\n—|— \\n\u2264 1 MB (0x100000 bytes)| The entire file content is encrypted \\n\\u003e 1 MB (0x100000 bytes)| Three chunks are encrypted at distributed offsets \\n \\nSmall files that are less than 1MB in size are fully encrypted. This ensures that documents, configuration files, and other small but critical data are completely corrupted. For larger files such as databases, virtual disk images, archives, full encryption would be time-consuming. Instead, the malware encrypts three data chunks distributed across the file, which is sufficient to corrupt the file structure while dramatically reducing encryption time.\\n\\nAfter encryption, each affected file is renamed with the appended extension _.umc16h_. This extension serves as a quick indicator of files already encrypted by the ransomware.\\n\\n### Large file chunking logic\\n\\nFor files larger than 1 MB, the malware performs partial encryption by dividing the file into three non-contiguous chunks distributed across its contents:\\n\\n\\n\\nThe first chunk begins at the start of the file, the second is positioned near the midpoint, and the third is located toward the end. This distribution ensures that even limited encryption is sufficient to corrupt the file structure while minimizing processing time.\\n\\nEach chunk is encrypted in 64 KB (0x10000) blocks using XChaCha20. To maintain cryptographic separation between chunks, the malware modifies the nonce on a per-chunk basis. Specifically, the last byte of the 24-byte XChaCha20 nonce is XOR-ed with the chunk index (0, 1, or 2), and a new cipher instance is initialized for each chunk using the modified nonce. As a result, chunk 0 uses the original nonce, while subsequent chunks use deterministically altered variants.\\n\\nAlthough all chunks for a given file share the same derived encryption key, this nonce mutation ensures that each chunk is processed under a unique keystream, preventing keystream reuse across different regions of the file.\\n\\nThe encryption percentage for each file is determined by the provided speed command-line arguments:\\n\\n**Argument**| **Per-chunk percent**| **Total encrypted percent (3 chunks)** \\n—|—|— \\n(default)| 9%| ~27% \\n_`–`fast_| 3%| ~9% \\n_`–`superfast_| 1%| ~3% \\n_`–`ultrafast_| 0.3%| ~0.9% \\n \\n### File footer\\n\\nAfter encrypting each file, the malware appends a structured footer containing metadata required for identification and decryption. The footer format differs slightly depending on whether the file was fully or partially encrypted.\\n\\n**Small file encryption (files \u2264 1 MB):**\\n\\n _Figure 6. Small file footer example_\\n\\n**Large file encryption (files \\u003e 1 MB):**\\n\\n _Figure 7. Large file footer example_\\n\\nThe footer serves three primary functions:\\n\\n 1. **Key and nonce reconstruction:** The Base64-encoded ephemeral public key, located after _`–`eph`–`_, allows the decryptor to recompute both the XChaCha20 key (using ECDH shared secret) and the nonce (first 24 bytes of the ephemeral public key).\\n 2. **Identification:** The _GENTLEMEN_ marker, located after _`–`marker`–`_, serves as a unique identifier, allowing encryptors\/decryptors to quickly determine that the file has been encrypted by The Gentlemen ransomware.\\n 3. **Decryption mode:** The optional speed flag marker (only present on large files) tells the decryptor which chunking percentage was used.\\n\\n\\n\\nNotably, the speed marker is only present for large-file encryption. Files that are \u2264 1 MB do not include a speed marker, and its absence signals that the file was fully encrypted. This implicit encoding in the footer allows the decryptor to distinguish between full and partial encryption modes without requiring additional metadata fields.\\n\\n## Post-encryption\\n\\n### Wallpaper setup\\n\\nIf the _`–`silent_ argument is not provided, the malware drops the following bitmap image file to _%TEMP%\\\\gentlemen.bmp_ and sets it as the system\u2019s desktop wallpaper.\\n\\n_Figure 8. The Gentlemen ransomware\u2019s wallpaper_\\n\\nThis behavior serves as an immediate visual indicator of compromise, signaling to the victim that encryption has completed.\\n\\n### Self-propagation\\n\\nThe self-propagation module is the more distinctive component of The Gentlemen ransomware. When enabled with the _`–`spread_ argument, it turns the malware from a single-host encryptor into a self-propagating worm that attempts to deploy its encryptor to every reachable system on the network.\\n\\nThe _`–`spread_ argument accepts either explicit credentials in _domain\/user:password_ format for authenticated lateral movement, or an empty string to reuse the current session\u2019s authentication token.\\n\\n#### Placeholder legend\\n\\nThe executed commands in this section use the following placeholders:\\n\\n**Placeholder**| **Meaning** \\n—|— \\n _\\u003c self\\u003e_| Host name of the infected device running the malware \\n _\\u003c target\\u003e_| Remote host discovered during network enumeration \\n _\\u003c malware_path\\u003e_| Full local path to the malware executable \\n _\\u003c payload_name\\u003e_| The malware file name \\n _\\u003c ps_blob\\u003e_| PowerShell defense evasion command executed on the remote target \\n _\\u003c user\\u003e_| Username parsed from the provided credentials \\n _\\u003c pass\\u003e_| Password parsed from the provided credentials \\n _\\u003c time\\u003e_| Current time plus two minutes, formatted as HH:MM \\n \\n#### Phase 1: Local staging setup\\n\\nThe malware prepares the infected host to act as a distribution point for its binary by executing the following command sequence:\\n\\n\\n\\nThe commands copy the malware executable into _C:\\\\Temp_ , creates a hidden Server Message Block (SMB) share named _share$_ pointing to that directory, and modifies registry settings to allow anonymous access. With this setup, other systems on the network can retrieve the payload from _\\\\\\\\\\\\ \\u003cself\\u003e\\\\share$_, even when valid credentials are not available.\\n\\n#### Phase 2: PsExec drop\\n\\nThe malware binary carries an embedded copy of PsExec and drops it to _C:\\\\Temp\\\\psexec.exe_ on the infected device.\\n\\nIf the embedded PsExec payload cannot be extracted successfully, the malware falls back to downloading PsExec directly from Microsoft\u2019s Sysinternals Live service using the following PowerShell command:\\n\\n\\n\\n#### Phase 3: Network enumeration\\n\\nAfter dropping PsExec, the malware attempts to enumerate and discover remote systems on the network, including workstations, servers, and domain controllers. Each discovered host becomes a candidate target for propagation.\\n\\n#### Phase 4: PowerShell defense evasion blob\\n\\nBefore attempting to run the payload on a remote system, the malware executes the following PowerShell command on the remote target to weaken local defenses and make payload execution more reliable:\\n\\n\\n\\nThis command disables Microsoft Defender real-time monitoring, adds broad Defender exclusions, turns off Windows Firewall across all profiles, shares local drives, grants permissive New Technology File System (NTFS) access, enables SMB1, and loosens anonymous-access restrictions through Local Security Authority (LSA) registry settings. Together, these changes make the remote system significantly more exposed and ready for the payload deployment step.\\n\\n#### Phase 5: Payload deployment\\n\\nFor each discovered remote host, the malware attempts a series of independent lateral movement techniques to execute its payload. Notably, these techniques are executed without dependency on prior success, and each method is attempted regardless of whether earlier attempts fail. This execution model of The Gentlemen\u2019s propagation logic can significantly increase the likelihood that at least one execution path succeeds even in secured environments.\\n\\n**5.1: Remote file copy**\\n\\nThe malware first stages its payload on the remote system by copying the encryptor binary over the administrative _C$_ share:\\n\\n\\n\\nThis operation ensures a local copy of the payload is available on the target host, allowing subsequent execution methods to reference a path that does not depend on network shares.\\n\\n**5.2: PsExec-based execution**\\n\\nIf PsExec is successfully dropped or downloaded, the malware leverages it to perform a multi-stage execution sequence on the remote host.\\n\\nFirst, the malware executes the PowerShell defense evasion payload to weaken host protections:\\n\\n\\n\\nAfter a delay to allow defenses to be disabled, the malware executes the payload from the locally staged path _C:\\\\Temp_ under SYSTEM privileges:\\n\\n\\n\\nAfter another sleep period, the malware executes the final command to run the payload with the _-__h_ flag for elevated token and _-__c -f_ to copy and force execution:\\n\\n\\n\\n**5.3: WMIC process creation**\\n\\nThe malware uses WMI via _wmic.exe_ to create remote processes:\\n\\n\\n\\nThe first command executes the defense evasion blob, the second runs the payload from the infected host’s SMB share, and the third runs the pre-staged copy from the target’s local _C:\\\\Temp_ directory.\\n\\n**5.4: Scheduled tasks (user)**\\n\\nThe malware creates three scheduled tasks under the target user\u2019s context, each running two minutes after the time when they are created:\\n\\n\\n\\nThe scheduled task _DefU_ is set to run the defense evasion blob, _UpdateGU_ executes the payload from the infected host\u2019s SMB share, and _UpdateGU2_ runs the pre-staged copy from the target’s local _C:\\\\Temp_ directory.\\n\\n**5.5: Scheduled tasks (system)**\\n\\nThe same three tasks are repeated, running under the SYSTEM account:\\n\\n\\n\\nBy attempting both user-context and SYSTEM-context task creation, the ransomware can improve its chance of propagation across environments with different permission boundaries.\\n\\n**5.6: Service-based execution**\\n\\nThe malware executes the following command sequence to create three Windows services on the target host:\\n\\n\\n\\nSimilar to the scheduled tasks, the service _DefSvc_ is set to run the defense evasion blob, _UpdateSvc_ executes the payload from the infected host\u2019s SMB share, and _UpdateSvc2_ runs the pre-staged copy from the target’s local _C:\\\\Temp_ directory. These services run as SYSTEM by default, which provides another high-privilege execution path for the ransomware payload on the remote system.\\n\\n**5.7: Payload deployment: PowerShell remoting**\\n\\nUsing PowerShell remoting, the malware executes commands directly on the target using _Invoke-Command_ :\\n\\n\\n\\nThis method leverages Windows Remote Management (WinRM), providing an alternative execution channel when PsExec or WMIC are unavailable or blocked.\\n\\n**5.8: PowerShell WMI execution**\\n\\nFinally, the malware uses the PowerShell WMI class interface directly to create remote processes with the following command sequence.\\n\\n\\n\\nThis provides functionality equivalent to _wmic.exe_ , but through a different execution path. As a result, it might succeed in environments where the WMIC binary is restricted but WMI access remains available.\\n\\n#### Self-propagation summary\\n\\nAcross all techniques, the malware attempts 21 remote execution operations per target host, spanning multiple APIs, privilege levels, and execution contexts. Each method attempts to launch the payload from:\\n\\n * **The infected host\u2019s SMB share:** _\\\\\\\\\\\\ \\u003cself\\u003e\\\\share$\\\\\\u003cpayload_name\\u003e_\\n * **The target host\u2019s locally staged path:** _C:\\\\Temp\\\\ \\u003cpayload_name\\u003e_\\n\\n\\n\\nThis redundancy is central to The Gentlemen\u2019s propagation strategy. In secured environments where most lateral movement techniques are mitigated, a single successful execution on a single additional host is sufficient to continue the propagation.\\n\\n### Free space wipe\\n\\nIf the _`–`wipe_ argument is provided, The Gentlemen ransomware performs an additional post-encryption routine to eliminate recoverable artifacts from disk.\\n\\nThe malware first enumerates all available volume paths on the system. For each volume, it creates a temporary file named _wipefile.tmp_ at the root directory and determines the amount of available free space. It then writes random data to this file in 64 MB blocks until the volume is completely filled. Once the disk space has been exhausted, the temporary file is deleted.\\n\\nThis process effectively overwrites all unallocated disk space with random data, preventing forensic tools from recovering remnants of previously deleted files. This includes cached or temporary versions of original unencrypted data that might still reside on disk. When combined with earlier actions such as Volume Shadow Copy deletion, this behavior reduces the likelihood of data recovery without access to the threat actor\u2019s decryption key.\\n\\n### Self-delete\\n\\nIf the _`–`keep_ flag is not provided, the malware attempts to remove its executable from disk after completing encryption.\\n\\nSince a running process cannot directly delete its own binary, the ransomware generates and executes a temporary batch script at _\\u003c malware_path\\u003e.bat_with the following contents:\\n\\n\\n\\nThe batch script introduces a short delay by sending three Internet Control Message Protocol (ICMP) echo requests to the local host, pausing execution long enough for the main malware process to terminate. After this delay, the script deletes the original ransomware executable before removing itself. This mechanism helps reduce on-disk artifacts and hinders post-incident forensic analysis by eliminating the ransomware binary from the compromised system.\\n\\n## Defending against The Gentlemen ransomware\\n\\nMicrosoft recommends the following mitigations to reduce the impact of this threat.\\n\\n * Read the human-operated ransomware threat overview for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations. \\n * Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving threat actor tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants. \\n * Turn on tamper protection features to prevent threat actors from stopping security services. In addition to tamper protection, you can also enable and configure Microsoft Defender Antivirus always-on protection in Group Policy. \\n * Enable controlled folder access. Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Apps that aren’t included in the trusted apps list are prevented from making any changes to files inside protected folders. \\n * Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. \\n * Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume. \\n * Configure automatic attack disruption in Microsoft Defender XDR. Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization’s assets, and provide more time for security teams to remediate the attack fully. \\n * Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat. These rules, which can be configured by any user, offer significant hardening against targeted attacks. In observed attacks, Microsoft customers who had the following rules turned on could mitigate the attack in the initial stages and prevent hands-on-keyboard activity: \\n * Block executable files from running unless they meet a prevalence, age, or trusted list criterion \\n * Block process creations originating from PSExec and WMI commands if you’re managing your devices with Intune or another MDM solution. This rule is incompatible with management through Microsoft Endpoint Configuration Manager. \\n * Use advanced protection against ransomware\\n\\n\\n\\n## Microsoft Defender detections and hunting guidance\\n\\nMicrosoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\n### Microsoft Defender Antivirus\\n\\nMicrosoft Defender Antivirus detects threat components as the following malware:\\n\\n * Ransom:Win64\/Gentlemen\\n\\n\\n\\n### Microsoft Defender for Endpoint\\n\\nThe following alerts might indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\\n\\n * Ransomware-linked threat actor detected\\n * Ransomware behavior detected in the file system\\n * Possible ransomware activity\\n * File backups were deleted\\n * Potential human-operated malicious activity\\n * Possible data exfiltration\\n * Suspicious wallpaper change\\n\\n\\n\\nThe following alerts might indicate threat activity associated with The Gentlemen ransomware if Defender for Endpoint is set to block mode.\\n\\n * ‘Gentlemen’ ransomware was detected\\n * ‘Gentlemen’ ransomware was prevented\\n\\n\\n\\n### Microsoft Defender for Cloud Apps\\n\\nThe following alert might indicate threat activity associated with this threat. This alert, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\\n\\n * Ransomware activity\\n\\n\\n\\n### Microsoft Security Copilot\\n\\nMicrosoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.\\n\\nCustomers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:\\n\\n * Threat Intelligence Briefing agent\\n * Phishing Triage agent\\n * Threat Hunting agent\\n * Dynamic Threat Detection agent\\n\\n\\n\\nSecurity Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.\\n\\n### Threat intelligence reports\\n\\nMicrosoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\\n\\n**Microsoft Defender XDR threat analytics**\\n\\n * Tool profile: Gentlemen ransomware\\n * Threat overview profile: Human-operated ransomware\\n\\n\\n\\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.\\n\\n### Hunting queries\\n\\n#### Microsoft Defender XDR\\n\\nMicrosoft Defender XDR customers can run the following advanced hunting queries to find related activity in their networks:\\n\\n**Known The Gentlemen ransomware files**\\n\\nSearch for the file hashes associated with The Gentlemen ransomware activity identified in this report. \\n \\n \\n let fileHashes = dynamic([\\”22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67\\”]);\\n union\\n (\\n DeviceFileEvents\\n | where SHA256 in (fileHashes)\\n | project Timestamp, DeviceId, DeviceName, FileName, InitiatingProcessFileName, FileHash = SHA256, SourceTable = \\”DeviceFileEvents\\”\\n ),\\n (\\n DeviceEvents\\n | where SHA256 in (fileHashes)\\n | project Timestamp, DeviceId, DeviceName, FileName, InitiatingProcessFileName, FileHash = \\n SHA256, SourceTable = \\”DeviceEvents\\”\\n ),\\n (\\n DeviceImageLoadEvents\\n | where SHA256 in (fileHashes)\\n | project Timestamp, DeviceId, DeviceName, FileName, InitiatingProcessFileName, FileHash = SHA256, SourceTable = \\”DeviceImageLoadEvents\\”\\n ),\\n (\\n DeviceProcessEvents\\n | where SHA256 in (fileHashes)\\n | project Timestamp, DeviceId, DeviceName, FileName, InitiatingProcessFileName, FileHash = SHA256, SourceTable = \\”DeviceProcessEvents\\”\\n )\\n | order by Timestamp desc\\n \\n\\n#### Microsoft Sentinel\\n\\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\\n\\n**Detect web sessions IP and file hash indicators of compromise using Advanced Security Information Model (ASIM)**\\n\\nThe following query checks IP addresses, domains, and file hash IOCs across data sources supported by ASIM web session parser:\\n \\n \\n \/\/IP list – _Im_WebSession\\n let lookback = 30d;\\n let ioc_ip_addr = dynamic([]);\\n let ioc_sha_hashes =dynamic([\\”22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67\\”]);\\n _Im_WebSession(starttime=todatetime(ago(lookback)), endtime=now())\\n | where DstIpAddr in (ioc_ip_addr) or FileSHA256 in (ioc_sha_hashes)\\n | summarize imWS_mintime=min(TimeGenerated), imWS_maxtime=max(TimeGenerated),\\n EventCount=count() by SrcIpAddr, DstIpAddr, Url, Dvc, EventProduct, EventVendor\\n \\n\\n**Detect files hashes indicators of compromise using ASIM**\\n\\nThe following query checks IP addresses and file hash IOCs across data sources supported by ASIM file event parser:\\n \\n \\n \/\/ file hash list – imFileEvent\\n let ioc_sha_hashes = dynamic([\\”22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67\\”]);\\n imFileEvent\\n | where SrcFileSHA256 in (ioc_sha_hashes) or\\n TargetFileSHA256 in (ioc_sha_hashes)\\n | extend AccountName = tostring(split(User, @”)[1]), \\n AccountNTDomain = tostring(split(User, @”)[0])\\n | extend AlgorithmType = \\”SHA256\\”\\n \\n\\n## Indicators of compromise\\n\\n**Indicator**| **Type**| **Description** \\n—|—|— \\n22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67| SHA-256| Gentlemen ransomware encryptor \\n078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b| SHA-256| PsExec binary \\nfe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68| SHA-256| Gentlemen wallpaper Bitmap file \\n \\n### Acknowledgements\\n\\n * License to Encrypt: The \\”Gentlemen\\” Make Their Move. Cybereason (accessed 2026-02-06)\\n * Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed. TrendMicro (accessed 2026-02-06)\\n\\n\\n\\n### Learn more\\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\nThe post The Gentlemen ransomware: Dissecting a self-propagating Go encryptor appeared first on Microsoft Security Blog.”,”published”:”2026-05-28T15:00:00″,”modified”:”2026-05-28T15:00:00″,”type”:”mssecure”,”title”:”The Gentlemen ransomware: Dissecting a self-propagating Go encryptor”,”source”:””,”references”:””,”id”:”MSSECURE:B2A71A1D1F7692CEF70F81FB96F2D422″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/28\/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-28T16:28:40″,”description”:”In this article\\n\\n 1. Pre-encryption\\n 2. File encryption\\n 3. Post-encryption\\n 4. Defending against The Gentlemen ransomware\\n 5. Microsoft Defender detections and hunting guidance\\n 6. Indicators…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-57768","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n