
‘The Gentlemen’ Ransomware: Self-Propagating Go Encryptor Uses SYSTEM Scheduled Tasks to Lock Entire Networks

dark6 30 May 2026

A sophisticated new ransomware strain called The Gentlemen is alarming security researchers and defenders worldwide. Built in the Go programming language, obfuscated with the Garble toolchain, and operated as a Ransomware-as-a-Service (RaaS) platform, it combines aggressive per-file encryption with self-propagating worm capabilities that can silently spread across entire enterprise networks without human intervention. Microsoft Threat Intelligence tracks the operators as Storm-2697.

Background and RaaS Model

The Gentlemen first emerged around mid-2025 as a closed operation, then opened its doors to affiliates in September 2025. More recently, its operators forged a formal partnership with BreachForums — a prominent cybercriminal marketplace — actively recruiting penetration testers and initial access brokers to carry out attacks on their behalf.

The operators employ classic double extortion tactics: they encrypt victim data and simultaneously exfiltrate sensitive files, threatening to publish the stolen data publicly unless the ransom is paid. Organizations in education, healthcare, transportation, and finance across North America, South America, Europe, Africa, and Asia have already been impacted.

The SYSTEM Scheduled Task Privilege Escalation

One of the most technically notable behaviors in The Gentlemen is how it acquires the highest possible system privileges before encrypting local drives. When the ransomware receives a specific command-line instruction, it:

  • Deletes any existing scheduled task named gentlemen_system
  • Registers and immediately triggers a fresh scheduled task under the SYSTEM account — the highest privilege level on a Windows machine
  • Sets an internal environment variable LOCKER_BACKGROUND=1 to signal it is operating as a background encryption process with full privileges

This design allows the ransomware to reach and encrypt files that would otherwise be protected or inaccessible to standard user-level accounts, including system files and locked documents. The entire privilege escalation is handled cleanly and leaves minimal forensic traces.

Self-Propagation: Network-Wide Worm Capabilities

The Gentlemen does not stop at a single machine. When its spreading feature is activated, it transforms into a self-propagating worm that deploys itself to every system it can reach on the local network. It stages its own binary in a shared folder, copies it across administrative network shares (ADMIN$, C$), and attempts remote execution using eight different methods simultaneously:

  • PsExec
  • Windows Management Instrumentation (WMI)
  • Scheduled tasks (both user and SYSTEM contexts)
  • Windows services
  • PowerShell remoting

The malware attempts 21 separate remote execution operations per target host. This redundancy is central to its strategy — even if most methods are blocked, a single successful execution on one new host restarts the entire propagation cycle. This design makes containment extremely challenging for incident response teams.

Defense Evasion and Anti-Forensics

Before encryption begins, The Gentlemen systematically neutralizes defenses:

  • Disables antivirus and endpoint protection software
  • Deletes volume shadow copies and backup catalogs to prevent recovery
  • Clears Windows event logs to hinder forensic investigation
  • Wipes forensic traces that would help incident responders reconstruct the attack timeline

The ransomware binary requires a build-specific password to execute, and operators can control nearly every aspect of behavior through command-line arguments — including encryption speed, network spreading behavior, and persistence mechanisms. This level of operational control makes it unusually flexible and customizable for criminal use at scale.

Recommended Defenses

Microsoft and Rapid7 recommend the following mitigations to reduce exposure:

  • Enable Controlled Folder Access in Windows Defender to block unauthorized encryption of protected directories.
  • Turn on cloud-delivered antivirus protection for the most up-to-date malware signatures.
  • Block PsExec and WMI-based process creations through Attack Surface Reduction (ASR) rules in Microsoft Defender for Endpoint.
  • Restrict administrative network shares (ADMIN$, C$) where operationally feasible.
  • Monitor scheduled task creation events (Event ID 4698) and alert on tasks named gentlemen_system or any task running under the SYSTEM account that was recently created.
  • Implement network segmentation to limit lateral movement and prevent worm propagation across the entire network.
  • Maintain offline, air-gapped backups that cannot be reached by ransomware traversing network shares.
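The scheduled-task monitoring item above can be turned into a concrete check. The following is an added example, not code from the article or from Microsoft or Rapid7 tooling: a Python parser for Security Event ID 4698 records in the XML layout produced by wevtutil or a SIEM export, applying two rules to each event: the task leaf name matches gentlemen_system, or a task with a SYSTEM principal was registered from a user context (SYSTEM tasks registered by SYSTEM itself are routine and not flagged). The 4698 field names and task XML namespace are the standard Windows ones; the sample events, account names and file paths are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TSK = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"S-1-5-18", "NT AUTHORITY\\SYSTEM", "SYSTEM"}
WATCHED_TASK_NAMES = {"gentlemen_system"}  # task name reported for this family


def analyse_4698(event_xml: str) -> dict:
    """Parse one Security 4698 event; return analyst fields plus the reasons it should alert."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT) != "4698":
        raise ValueError("not a 4698 (scheduled task created) event")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT)}
    creator = data.get("SubjectUserName", "")
    task_name = data.get("TaskName", "").rsplit("\\", 1)[-1]  # leaf of e.g. \Microsoft\Windows\...\Name
    # TaskContent is the full task definition XML (escaped inside the event) carrying the run-as principal
    task = ET.fromstring(data.get("TaskContent") or "<Task/>")
    run_as = task.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=TSK).strip()
    command = task.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=TSK).strip()
    reasons = []
    if task_name.lower() in WATCHED_TASK_NAMES:
        reasons.append("task name matches a name reported for this ransomware family")
    # A SYSTEM task registered by a user account (even an admin) is the escalation pattern described above
    if run_as.upper() in SYSTEM_PRINCIPALS and creator.upper() != "SYSTEM":
        reasons.append(f"SYSTEM-principal task registered from user context {creator}")
    return {"task_name": task_name, "run_as": run_as, "command": command,
            "created_by": creator, "alert": bool(reasons), "reasons": reasons}


def build_sample_event(task_name: str, run_as: str, command: str, creator: str = "jdoe") -> str:
    """Constructed 4698 event in wevtutil's XML layout (sample data, not a real capture)."""
    task_xml = (f'<Task version="1.2" xmlns="{TSK["t"]}"><Principals><Principal id="Author">'
                f'<UserId>{run_as}</UserId><RunLevel>HighestAvailable</RunLevel></Principal>'
                f'</Principals><Actions><Exec><Command>{command}</Command></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVT["e"]}"><System><EventID>4698</EventID></System><EventData>'
            f'<Data Name="SubjectUserName">{creator}</Data><Data Name="SubjectDomainName">CORP</Data>'
            f'<Data Name="TaskName">\\{task_name}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


if __name__ == "__main__":
    samples = [build_sample_event("gentlemen_system", "S-1-5-18", r"C:\Users\Public\sample.exe"),
               build_sample_event(r"Microsoft\Windows\Defrag\ScheduledDefrag", "S-1-5-18", "defrag.exe", "SYSTEM"),
               build_sample_event("MyBackup", r"CORP\jdoe", r"C:\Tools\backup.exe")]
    for ev in samples:
        verdict = analyse_4698(ev)
        print("ALERT" if verdict["alert"] else "ok   ", verdict["task_name"], verdict["reasons"])
```

In production the same function runs over events pulled from the Security log or a SIEM; allowlist known SYSTEM-principal tasks registered by SYSTEM itself, since those are normal Windows maintenance.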

Why The Gentlemen Is Especially Dangerous

Most ransomware requires manual operator involvement to spread laterally. The Gentlemen’s automated worm propagation via eight simultaneous methods, combined with SYSTEM-level privilege escalation and aggressive anti-forensic measures, represents a significant evolution in ransomware design. Its BreachForums partnership is also notable: by actively recruiting initial access brokers, the operators are building an industrial-scale attack pipeline that could dramatically expand the number of victims in the coming months. Security teams should proactively hunt for indicators of this malware in their environments rather than waiting for an alert.
