The Gentlemen Ransomware Uses 21 Remote Execution Techniques to Encrypt Entire Networks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new ransomware strain called The Gentlemen has emerged as one of the more aggressive threats tracked this year, combining strong encryption with a self-spreading worm engine that can take down an entire corporate network from a single infected machine.

Written in the Go programming language and disguised using a tool called Garble, the malware first appeared in the wild around mid-2025 and has since evolved into a full ransomware-as-a-service operation.

What makes this ransomware stand out is not just how it locks files, but how far it can travel once inside a network. Instead of just encrypting the machine it lands on, it actively hunts for other computers on the same network and tries to infect them too.

This self-propagation feature turns a single infected laptop or server into a launching pad for a much larger attack.

Analysts and researchers from Picus Security said in a report shared with Cyber Security News (CSN) that they have been closely tracking this malware and recently published a detailed breakdown of how it operates from start to finish.

Their research shows the ransomware follows a very deliberate sequence, starting with password validation and privilege escalation, then moving into defense evasion, encryption, and finally network-wide spreading.

The impact so far has been felt across education, transportation, healthcare, and financial organizations spanning North America, South America, Europe, Africa, and Asia.

The group behind it has also partnered with the BreachForums community to recruit affiliates, including penetration testers and initial access brokers, a move likely to widen the pool of attackers using this tool.

Combined with double extortion tactics, where stolen data is used as leverage alongside encryption, the threat represents a serious risk for organizations of nearly any size or sector.

The Gentlemen Ransomware Uses 21 Remote Execution Techniques

The self-propagation feature is triggered by a command line flag called –spread, and it is what separates this ransomware from more conventional single-host encryptors.

Once activated, the infected machine turns itself into a distribution hub by copying its own binary into a folder and publishing it over a hidden network share configured for anonymous access.

From there, the malware pulls in a legitimate system tool called PsExec, either from a local copy or by downloading it, and starts scanning the network for reachable machines, including regular workstations, servers, and domain controllers.

Every discovered machine becomes a target for infection. insecure version of the file sharing protocol.

Only after clearing this path does it attempt to actually run the ransomware payload.

Since each method works independently, the attackers only need one of them to succeed on a given machine to keep the infection spreading further.

Encryption And Defense Evasion Tactics

Before touching a single file, the ransomware works to disable Microsoft Defender, wipe forensic logs, and delete Volume Shadow Copies twice over using two separate commands for reliability.

It also clears command history and deletes backup and recovery tools to make restoring systems without paying much harder.

For the actual encryption, the malware uses a hybrid approach pairing Curve25519 elliptic curve cryptography with the XChaCha20 stream cipher, generating a unique key for every single file it touches.

This design makes decrypting files without the attacker’s private key practically impossible, and it renames every encrypted file with a distinct extension.

Organizations should focus on validating their defenses against this specific attack chain rather than relying on generic ransomware protections.

Testing security controls against real attack simulations, keeping offline backups, and closely monitoring for the specific commands and network behaviors described above are practical steps that can meaningfully reduce the risk this ransomware poses.

Type Indicator Description
File Extension .umc16h Extension appended to files after encryption 
File Name README-GENTLEMEN.txt Ransom note dropped on infected systems 
File Path C:Temp Location used to stage the malware binary during propagation 
Network Share <self>share$ Hidden SMB share used for anonymous access during spreading 
Tool PsExec Legitimate tool abused for remote execution during lateral movement 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.