win.gentlemen

Gentlemen

Actor(s): The Gentlemen

According to Cybereason, "The Gentlemen" ransomware is a cross-platform ransomware family with lockers for Windows, Linux, and ESXi, with the analyzed Windows locker implemented as a 64-bit Golang executable. It is operated as a Ransomware-as-a-Service, supports configurable encryption levels using XChaCha20 and Curve25519, and implements dual-extortion by both encrypting and exfiltrating data. The malware emphasizes persistence and automation (self-restart, run-on-boot, registry and autostart usage), broad system interaction via tools like task schedulers, WMI, and remote PowerShell, and extensive discovery of local, network, and clustered storage to maximize impact. It also includes security evasion and anti-forensics behavior such as disabling security tools, deleting logs and traces, manipulating permissions, and terminating database, backup, remote-access, and virtualization-related services before encryption.

References
2026-02-12 | SOCRadar | SOCRadar
Dark Web Profile: The Gentlemen Ransomware

2025-11-18 | Cybereason | Mark Tsipershtein
License to Encrypt: "The Gentlemen" Make Their Move

2025-09-09 | Trend Micro | Don Ovid Ladores, Jacob Santos, Junestherry Dela Cruz, Maristel Policarpio
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed

There is no YARA signature yet.