A new ransomware threat named “The Gentlemen” has emerged in the cybersecurity landscape, demonstrating advanced attack capabilities and a well-structured operational model.
First appearing around July 2025, the group quickly established itself as a serious threat, listing 48 victims on its dark web leak site between September and October 2025.
The ransomware operates as a Ransomware-as-a-Service platform, allowing affiliates to deploy attacks while the core operators maintain control over the infrastructure and negotiation processes.
The Gentlemen employs a dual-extortion strategy that combines file encryption with data theft. This approach not only locks victims out of their systems but also creates additional pressure by threatening to release stolen information on dark web leak sites unless ransom demands are met.
‘The Gentlemen’ DLS is Online (Source – Cybereason)
Before launching their own RaaS platform, the operators experimented with various affiliate models from other prominent ransomware groups, which helped them refine their methods and develop a more sophisticated operation.
Cybereason security researchers identified that the ransomware targets Windows, Linux, and ESXi platforms with specialized encryption tools.
The malware uses XChaCha20 and Curve25519 encryption algorithms to secure files, making recovery without the decryption key extremely difficult.
Recent updates introduced automatic self-restart and run-on-boot functionality, enhancing persistence on compromised systems.
Network Propagation and Lateral Movement Capabilities
The ransomware spreads across networks using Windows Management Instrumentation and PowerShell remoting techniques. When executed, the malware requires a password argument to begin its encryption routine.
It supports multiple operational modes, including system-level encryption under SYSTEM privileges and network share encryption through mapped drives and UNC paths.
The malware disables Windows Defender by executing PowerShell commands that turn off real-time protection and add directories and processes to exclusion lists.
‘The Gentlemen’ ransomware is written using ‘vibecoding’ techniques (Source – Cybereason)
It also enables network discovery and opens firewall rules, which facilitates lateral movement across corporate networks.
The ransomware targets critical services and processes, including database engines like MSSQL and MySQL, backup utilities such as Veeam, and virtualization services like VMware.
To evade detection and complicate forensic investigations, the malware deletes Windows event logs, RDP connection logs, Windows Defender support files, and Prefetch data.
This anti-forensics approach significantly hinders incident response efforts and makes timeline reconstruction more challenging for security teams investigating the attack.
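The Defender tampering, firewall changes and log wiping described above all surface as ordinary process-creation events, which makes them a good place to build detections. The following Python helper is an added example written for this article; it is not Cybereason's code or any artefact of the malware. Because the write-up does not quote the malware's actual command lines, the rules assume the standard Windows commands for each action (Set-MpPreference / Add-MpPreference, netsh advfirewall, wevtutil, del and reg delete), the event records are constructed Sysmon-style fields, and the ATT&CK mapping is the author's own.

```python
"""Triage process-creation records for the host-tampering behaviours
attributed to The Gentlemen: Defender tampering, firewall / network-discovery
changes, and event-log or forensic-artifact deletion.

Added example (not Cybereason's code, not the malware's). The command
patterns are the standard Windows commands for these actions; the article
does not show the malware's exact command lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK id; mapping chosen here, not from the report
    pattern: re.Pattern


RULES = [
    # Real-time protection switched off (Defender cmdlet, real)
    Rule("defender_realtime_off", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)", re.I)),
    # Paths / processes / extensions added to Defender exclusions
    Rule("defender_exclusion_added", "T1562.001",
         re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    # Any firewall rule set/add via netsh
    Rule("firewall_rule_change", "T1562.004",
         re.compile(r"netsh\b.*advfirewall\b.*(set|add)\s+rule\b", re.I)),
    # The Network Discovery rule group enabled (what the write-up describes)
    Rule("network_discovery_enabled", "T1562.004",
         re.compile(r"netsh\b.*advfirewall\b.*Network Discovery.*enable=yes", re.I)),
    # Windows event logs cleared
    Rule("eventlog_cleared", "T1070.001",
         re.compile(r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b)", re.I)),
    # Prefetch or Defender Support files deleted
    Rule("forensic_artifact_deleted", "T1070.004",
         re.compile(r"\b(Remove-Item|del|rd|rmdir)\b.*(\\Prefetch\\|Windows Defender\\Support)", re.I)),
    # RDP connection history removed from the registry
    Rule("rdp_history_cleared", "T1112",
         re.compile(r"reg(\.exe)?\s+delete\b.*Terminal Server Client", re.I)),
]

# Constructed sample records (Sysmon Event ID 1 style fields), not real telemetry.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CMD = r"C:\Windows\System32\cmd.exe"
CONSTRUCTED_EVENTS = [
    {"Image": _PS, "CommandLine": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": _PS, "CommandLine": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public -ExclusionProcess locker.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"Image": _CMD, "CommandLine": "cmd.exe /c del /q /f C:\\Windows\\Prefetch\\*"},
    {"Image": _CMD, "CommandLine": 'cmd.exe /c reg delete "HKCU\\Software\\Microsoft\\Terminal Server Client\\Default" /va /f'},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},     # benign
    {"Image": _PS, "CommandLine": "powershell.exe Get-MpComputerStatus"},                        # benign
]


def match_event(event: dict) -> list[str]:
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event.get("CommandLine", "")
    return [r.name for r in RULES if r.pattern.search(cmd)]


def triage(events: list[dict]) -> dict:
    """Run all rules over a batch of events.

    Returns the per-event hits, the distinct ATT&CK techniques observed, and a
    'chain' flag that is set when two or more distinct techniques appear in the
    same batch: one exclusion can be an admin, but exclusions plus log clearing
    plus firewall changes on one host is the pattern described in the report.
    """
    hits: dict[int, list[str]] = {}
    for idx, ev in enumerate(events):
        names = match_event(ev)
        if names:
            hits[idx] = names
    seen = {n for names in hits.values() for n in names}
    techniques = sorted({r.technique for r in RULES if r.name in seen})
    return {"hits": hits, "techniques": techniques, "chain": len(techniques) >= 2}


if __name__ == "__main__":
    result = triage(CONSTRUCTED_EVENTS)
    for idx, names in result["hits"].items():
        print(f"event {idx}: {', '.join(names)}")
    print("techniques:", result["techniques"], "chain:", result["chain"])
```

The rules are deliberately narrow so the benign records (a service host, a status query) produce no hits; in production the same logic would sit on Sysmon Event ID 1 or Windows Security 4688 records with command-line auditing enabled, and the `chain` flag is what turns individually noisy signals into a host-level alert.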
The post ‘The Gentlemen’ Ransomware Group with Dual-Extortion Strategy Encrypts and Exfiltrates Data appeared first on Cyber Security News.


