Cybersecurity | 20 Nov 2025 | securityonline.info

Advanced Ransomware 'The Gentlemen' Hits 48 Victims in Just 3 Months

The rise of 'The Gentlemen' ransomware demonstrates a new wave of cyber threats, employing sophisticated techniques and a dual-extortion strategy. This report examines its key features and alarming pace of victimization.

Key Takeaways

  • "The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid," noted the team at Cybereason.
  • "The Gentlemen ransomware combines advanced encryption techniques with dynamic propagation options... continuously updated to adapt to new defense strategies," explained the report from Cybereason.
  • The latest updates showcase significant enhancements, focusing on automation, stealth, and improved performance across various operating systems, including Windows and Linux.

A detailed report from Cybereason Threat Intelligence has shed light on a new and highly sophisticated ransomware group called "The Gentlemen." Emerging in mid-2025, this group has quickly established itself as one of the most dangerous threats in the cybersecurity landscape, having targeted 48 victims within a mere three-month period.

"The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid," noted the team at Cybereason. This aggressive tactic has been reinforced by the urgent launch of their leak site shortly after their debut, showcasing the group's intent and operational efficiency.



Interestingly, The Gentlemen did not create their ransomware from scratch. Instead, they moved through existing ransomware ecosystems, experimenting with affiliate models to learn about distribution and negotiation tactics. Cybereason confirmed, "Before creating their own Ransomware-as-a-Service (RaaS) platform, 'The Gentlemen' experimented with various affiliate models used by other prominent ransomware groups."

Reports suggest that one individual on the dark web, known as Hastalamuerte (LARVA-368), was attempting to gain access to the Qilin ransomware locker panel, indicating that members of The Gentlemen were exploring multiple RaaS platforms prior to their launch.

The analysis by Cybereason highlights the rapid development of The Gentlemen's capabilities. The latest updates showcase significant enhancements, focusing on automation, stealth, and improved performance across various operating systems, including Windows and Linux. Key updates include persistent and automated features, which enable the ransomware to execute silently and restart automatically after a system reboot.


The encryption process has also been optimized. Notably, the ransomware can encrypt only a configurable fraction of each file's content, from 1% to 9%, which speeds up attacks and helps keep intrusions low-profile. Moreover, the ransomware targets both removable and mapped drives while preserving the original file timestamps.
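The partial-encryption range above has a direct consequence for detection, shown here in an added Python example that is not from the Cybereason report or this article: a constructed low-entropy document has 1% and 9% of its bytes overwritten with seeded pseudorandom data (a stand-in for encryption, not the group's algorithm), and whole-file entropy stays unremarkable while a per-4 KiB-chunk scan still flags the touched blocks.

```python
import math
import random
from collections import Counter
from typing import List

CHUNK_SIZE = 4096      # scan granularity; 4 KiB is a typical block size
HIGH_ENTROPY = 7.5     # bits per byte; random/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_document(size: int = 1 << 20) -> bytes:
    """Constructed low-entropy 'document' standing in for a victim file (1 MiB)."""
    line = b"Quarterly invoice 2025-Q3: amount due 1,250.00 EUR, net 30 days.\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_partial_overwrite(data: bytes, percent: int, seed: int = 7) -> bytes:
    """Stand-in for partial encryption: the leading `percent` of the buffer is
    replaced with seeded pseudorandom bytes. Simulation for entropy measurement
    only; this is not the ransomware's algorithm or any real cipher."""
    n = len(data) * percent // 100
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n)) + data[n:]


def chunk_entropies(data: bytes, chunk: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size block, so a small encrypted region stands out."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def whole_file_looks_encrypted(data: bytes) -> bool:
    """Naive heuristic: judge the file by its overall entropy. Misses partial encryption."""
    return shannon_entropy(data) >= HIGH_ENTROPY


def any_chunk_looks_encrypted(data: bytes) -> bool:
    """Chunked heuristic: flag if any block is near-random. Compressed media also
    produces high-entropy blocks, so treat this as a signal, not a verdict."""
    return any(e >= HIGH_ENTROPY for e in chunk_entropies(data))


if __name__ == "__main__":
    doc = build_sample_document()
    for pct in (1, 9):
        hit = simulate_partial_overwrite(doc, pct)
        print(f"{pct}% overwritten: whole-file entropy {shannon_entropy(hit):.2f} bits/byte,"
              f" whole-file flag={whole_file_looks_encrypted(hit)},"
              f" chunk flag={any_chunk_looks_encrypted(hit)}")
```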

With regard to propagation, The Gentlemen has introduced dual-mode operations. "The Gentlemen ransomware combines advanced encryption techniques with dynamic propagation options... continuously updated to adapt to new defense strategies," explained the report from Cybereason. Their advancements include improved techniques for encrypting local disks and network shares and employing tools like WMI, SCHTASKS, SC, and PowerShell Remoting.

Particularly noteworthy are the ransomware's ESXi capabilities, which now include stealthy locking routines and are optimized for concurrent encryption across multiple hosts. This positions The Gentlemen alongside established ransomware families such as LockBit or BlackCat in the sophistication of their RaaS platform.

Another critical aspect of The Gentlemen is its operational restrictions. The ransomware does not target victims located in Russia and the Commonwealth of Independent States (CIS), following a common trend seen in Eastern-European cybercrime groups. Additionally, the group offers strong affiliate support, providing negotiation assistance, customizable builds, and access to specialized tools intended for trusted affiliates.

The strong encryption algorithm employed, XChaCha20, aligns with modern cryptographic standards, further solidifying the group's reputation. The Windows variant of their ransomware, compiled in Go, showcases an extensive list of command-line arguments and operational flags, indicating a high level of sophistication.

Furthermore, the ransomware executes various PowerShell commands that aid in lateral movement, evasion, and anti-forensics. One command allows the malware to disable real-time monitoring from Windows Defender, while others give full control permissions to unauthorized users and delete vital logs that could aid in forensic investigations.

As this landscape continues to evolve, organizations must remain vigilant against the threats posed by advanced ransomware groups like The Gentlemen. With their pace of victimization, technical advancements, and dual-extortion tactics, the urgency for robust cybersecurity measures cannot be overstated. The emergence of such sophisticated ransomware highlights the ongoing challenges in the realm of cybersecurity and the critical need for businesses to bolster their defenses against evolving threats.