Executive Summary
The Gentlemen ransomware has rapidly established itself as a formidable threat in the global cyber landscape, with at least 478 confirmed victims spanning 66 countries and over 20 industry sectors as of June 2026. This ransomware, operated as a Ransomware-as-a-Service (RaaS), is distinguished by its advanced worm-like propagation, robust encryption mechanisms, and aggressive double extortion tactics. The malware’s ability to autonomously spread laterally across networks within minutes, combined with its anti-forensic and defense evasion capabilities, makes it a critical risk to organizations of all sizes. This advisory provides a comprehensive technical analysis of the Gentlemen ransomware, its tactics, techniques, and procedures (TTPs), exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The Gentlemen ransomware group is a splinter operation originating from the Qilin RaaS collective, now tracked by Microsoft as Storm-2697. The group operates a highly organized affiliate model, recruiting skilled cybercriminals to deploy the ransomware in exchange for a share of the ransom proceeds. The core operators maintain strict operational security, including a ban on targeting Russia and the Commonwealth of Independent States, and have demonstrated rapid adaptation to law enforcement pressure and internal leaks by overhauling their communication infrastructure and hardening their operations. The group is financially motivated, leveraging a large inventory of compromised credentials and devices, particularly focusing on Fortinet FortiGate appliances and VPN endpoints. Their targeting is global, with a notable emphasis on Southeast Asia and Latin America, and a relatively lower proportion of victims in the United States.
Technical Analysis of Malware/TTPs
The Gentlemen ransomware is written in Go and obfuscated using Garble, enhancing its resistance to reverse engineering. It is distributed as a single binary capable of targeting Windows, Linux, VMware ESXi, NAS, and BSD platforms. The malware requires a hardcoded password for execution, reducing the risk of accidental detonation by researchers.
Initial Access
Affiliates gain initial access through multiple vectors, including exploitation of public-facing applications (notably CVE-2024-55591 in FortiOS/FortiProxy), phishing campaigns, brute-forced or purchased credentials (often sourced from BreachForums and other underground markets), and exposed RDP or VPN endpoints. The group maintains persistent access to thousands of compromised FortiGate devices and VPN credentials, enabling rapid deployment at scale.
Execution and Defense Evasion
Upon execution, the ransomware disables Microsoft Defender, adds exclusions, deletes shadow copies, and removes event logs and forensic artifacts such as prefetch data, RDP logs, and PowerShell history. It terminates processes and services associated with virtualization, databases, backup solutions, endpoint detection and response (EDR), SAP, and Microsoft Office applications to maximize impact and hinder recovery efforts.
Encryption
The encryption routine employs per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher, a combination that leaves no practical route to recovery without the operators' key material. Files smaller than 1 MB are fully encrypted, while larger files are encrypted in three distributed chunks to optimize speed and evade detection. Encrypted files receive a unique six-character extension (e.g., .umc16h), and a ransom note (README-GENTLEMEN.txt) is dropped in each directory.
Worm-Like Propagation
The ransomware’s worm-like propagation is enabled via the --spread argument, leveraging either harvested credentials or the current session token. Propagation techniques include creating hidden SMB shares for payload distribution, deploying PsExec (either embedded or downloaded from Sysinternals), utilizing WMI and PowerShell Remoting for remote process creation, and establishing scheduled tasks and services in both user and SYSTEM contexts. On remote hosts, the malware disables Defender, modifies firewall settings, enables SMB1, and loosens LSA restrictions to facilitate further spread.
Persistence and Data Destruction
Persistence is achieved through scheduled tasks (UpdateSystem and UpdateUser) and registry modifications (HKLM\...\Run\GupdateS and HKCU\...\Run\GupdateU). An optional --wipe argument enables the malware to overwrite free disk space with random data, effectively destroying recoverable data and increasing pressure on victims to pay the ransom.
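As an added illustration, not code from the advisory or from any of the vendors it cites, the following Python triage snippet checks exported Windows persistence data for the task and Run-value names named above. It assumes the output formats of `schtasks /query /fo CSV /v` and `reg query <key> /s`, sample text that is constructed here, and the standard Run key paths, which the advisory abbreviates as HKLM\...\Run and HKCU\...\Run.

```python
import csv
import io
import re

# Persistence names reported in the advisory (compared case-insensitively).
SUSPECT_TASKS = {"updatesystem", "updateuser"}
SUSPECT_RUN_VALUES = {"gupdates", "gupdateu"}

def find_suspicious_tasks(schtasks_csv: str) -> list[dict]:
    """Parse `schtasks /query /fo CSV /v` output (header row included) and
    return rows whose task name matches, with the command each would run."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "").lstrip("\\")
        if name.lower() in SUSPECT_TASKS:
            hits.append({"task": name, "command": row.get("Task To Run", "")})
    return hits

def find_suspicious_run_values(reg_query_text: str) -> list[dict]:
    """Parse `reg query <key> /s` output: key paths are unindented lines,
    values are indented '<name>    <type>    <data>' (four-space separated)."""
    hits, current_key = [], ""
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        parts = [p for p in re.split(r"\s{4,}", line.strip()) if p]
        if len(parts) >= 3 and parts[1].startswith("REG_") and parts[0].lower() in SUSPECT_RUN_VALUES:
            hits.append({"key": current_key, "value": parts[0], "data": "    ".join(parts[2:])})
    return hits

# Constructed sample extract (not real telemetry), trimmed to the columns used here.
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Status","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c"
"WS01","\UpdateSystem","Ready","C:\ProgramData\svc.exe"
"WS01","\UpdateUser","Ready","C:\Users\Public\svc.exe"
'''
# Constructed `reg query ... /s` output. The advisory abbreviates the keys as
# HKLM\...\Run and HKCU\...\Run; the standard Run key paths below are an assumption.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    GupdateS    REG_SZ    C:\ProgramData\svc.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    GupdateU    REG_SZ    C:\Users\Public\svc.exe
"""

if __name__ == "__main__":
    print(find_suspicious_tasks(SAMPLE_SCHTASKS))
    print(find_suspicious_run_values(SAMPLE_REG))
```

Affiliates can rename these artifacts at will, so treat a miss as inconclusive and also review any Run value or task whose command points at a user-writable directory.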
Exploitation in the Wild
The Gentlemen ransomware has been observed in active campaigns targeting organizations in sectors such as IT services, construction, manufacturing, financial services, healthcare, government, energy, and critical infrastructure. The most targeted countries include Thailand, the United States, France, and Brazil, with victims reported in 66 countries. Notably, only 7% of victims are US-based, reflecting the group’s strategic focus on regions with perceived weaker cyber defenses.
Documented incidents reveal that entire networks can be encrypted within minutes due to the ransomware’s worm-like capabilities. Affiliates are responsible for the majority of infections, leveraging a vast stockpile of compromised FortiGate devices and credentials. The group actively tracks and exploits new vulnerabilities, such as CVE-2025-32433 and CVE-2025-33073, to maintain its operational edge. Public leaks and extortion tactics are common, with stolen data published on dedicated leak sites if ransoms are not paid.
Victimology and Targeting
The Gentlemen ransomware indiscriminately targets organizations across a broad spectrum of industries, including but not limited to education, transportation, healthcare, finance, IT, manufacturing, government, and energy. The group’s affiliate-driven model enables rapid expansion and diversification of targets. Victims range from small businesses to large enterprises, with a significant concentration in Southeast Asia and Latin America. The group enforces a strict ban on targeting Russian and CIS entities, likely to avoid local law enforcement scrutiny.
Mitigation and Countermeasures
Organizations are strongly advised to implement the following mitigation strategies to reduce exposure to Gentlemen ransomware:
Patch all FortiOS and FortiProxy appliances immediately, prioritizing remediation of CVE-2024-55591 and auditing for indicators of prior exploitation.
Harden Active Directory environments by implementing tiered administration, restricting write access to NETLOGON and SYSVOL, monitoring for unauthorized GPO modifications, and alerting on new domain admin account creation.
Enforce phishing-resistant multi-factor authentication (MFA) across all remote access points, and regularly audit and rotate credentials, especially for FortiGate VPN and remote management tools.
Maintain immutable, offline backups and routinely test restoration procedures to ensure resilience against ransomware attacks.
Establish baseline security requirements for critical vendors and continuously monitor for breaches in third-party tools and supply chain partners.
Deploy advanced anti-ransomware solutions capable of detecting behavioral patterns such as network scanning, credential harvesting, and lateral movement via PsExec, AnyDesk, and PowerShell Remoting.
Monitor for the following indicators of compromise: file extensions such as .umc16h and other unique six-character variants, the presence of README-GENTLEMEN.txt ransom notes, and known malicious SHA-256 hashes (e.g., 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 for the encryptor).
Leverage Microsoft Defender and Trend Micro detections, including Ransom:Win64/Gentlemen and Ransom.Win64.GENTLEMAN.THHAIBE, and configure alerts for suspicious activity such as backup deletion and wallpaper changes.
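An added example, not from the advisory, of a file-system sweep for the indicators listed above: ransom notes, a cluster of files sharing one six-character extension, and the quoted encryptor SHA-256. The demo tree, its file names and the stand-in binary are constructed here, and the allowlist of benign six-character extensions is an assumption to extend for your own environment.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "README-GENTLEMEN.txt"
KNOWN_HASHES = {"22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67"}  # encryptor hash quoted in the advisory
SIX_CHAR_EXT = re.compile(r"^\.[a-z0-9]{6}$")
BENIGN_SIX = {".config", ".sqlite", ".backup", ".pickle", ".jsonld"}  # assumed starter allowlist

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root: str, known_hashes=KNOWN_HASHES, min_cluster: int = 5) -> dict:
    """Report ransom notes, six-character extensions shared by >= min_cluster
    files (a cluster is the signal, one odd file is not) and known-hash matches."""
    notes, ext_counts, hash_hits = [], Counter(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(str(p))
                continue
            ext = p.suffix.lower()
            if SIX_CHAR_EXT.match(ext) and ext not in BENIGN_SIX:
                ext_counts[ext] += 1
            try:
                if sha256_of(p) in known_hashes:
                    hash_hits.append(str(p))
            except OSError:  # unreadable file: keep sweeping
                pass
    clusters = {e: n for e, n in ext_counts.items() if n >= min_cluster}
    return {"ransom_notes": notes, "extension_clusters": clusters, "hash_hits": hash_hits}

def make_demo_tree() -> tuple[str, str]:
    """Constructed sample tree in a temp dir (not victim data); returns its path
    and the SHA-256 of a stand-in binary so a hash match can be exercised."""
    root = tempfile.mkdtemp(prefix="gentlemen-demo-")
    for i in range(6):
        Path(root, f"report{i}.docx.umc16h").write_bytes(os.urandom(64))
    Path(root, RANSOM_NOTE).write_text("constructed note\n")
    Path(root, "app.config").write_text("<configuration/>\n")
    Path(root, "svc.bin").write_bytes(b"constructed stand-in, not the real encryptor")
    return root, sha256_of(Path(root, "svc.bin"))
```

Run `sweep("/path/to/share")` against a mounted share or endpoint image; a single ransom note or hash hit is conclusive on its own, whereas the extension cluster is a heuristic that confirms scope rather than presence.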
References
Microsoft Security Blog: The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
Halcyon: Threat Assessment: The Gentlemen Ransomware Group
Trend Micro: Unmasking The Gentlemen Ransomware
LevelBlue: A Closer Look at The Gentlemen's Alleged Leak
Huntress: The Gentlemen Ransomware Defense Evasion TTPs
Group-IB: Hasta la vista, Hastalamuerte: An Overview of The Gentlemen's TTPs (April 2026)
Check Point Research: DFIR Report: The Gentlemen & SystemBC (May 2026)
Cybereason: License to Encrypt: The Gentlemen Make Their Move (2026)
SOCRadar: Dark Web Profile: The Gentlemen Ransomware (February 2026)
Fortinet FortiGuard: The Gentlemen Ransomware Threat Actor Profile (March 2026)
Blackpoint Cyber: The Gentlemen Ransomware Threat Profile (November 2025)
KPMG: CTIP: Gentlemen Ransomware (November 2025)
Dark Reading: The Gentlemen Rapidly Rises to Ransomware Prominence (April 2026)
Ransomware.live: The Gentlemen Group Tracking Data
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to provide actionable insights and enhance your organization’s cyber resilience. For further information or incident response support, we are happy to answer questions at ops@rescana.com.