Gentlemen Ransomware: Tactical Analysis of a High-Velocity RaaS Operation


What is Gentlemen ransomware?

Gentlemen is a ransomware operation that emerged in mid-2025 and has rapidly established itself as one of the most active and operationally mature threat groups of the year. Operating as a Ransomware-as-a-Service (RaaS) platform, the group follows a double-extortion model: sensitive data is exfiltrated from victim networks before file encryption begins, and if the ransom is not paid, the stolen data is published on a dedicated Tor-based leak site.

This profile covers the group’s origins, technical methods, known indicators of compromise, and actionable defensive guidance.

Origins and attribution

Gentlemen’s emergence and attribution have attracted significant scrutiny due to the group’s rapid operational maturity and high victim velocity.

Timeline and emergence

The earliest known Gentlemen victim is JN Aceros, a Peruvian steel company compromised on June 30, 2025. The operation became publicly visible in August 2025, when its Tor-based leak site went live and began listing victims.

[Image: Gentlemen ransomware leak site]

The operation scaled quickly: 48 organizations were listed within the first two months of leak site activity. This publication velocity is consistent with affiliate-driven RaaS models, where multiple operators conduct parallel intrusions under a centralized brand. As of early February 2026, the confirmed victim count exceeds 130, with new targets appearing nearly daily.

Threat actor attribution

Threat intelligence research has linked the Gentlemen operation to an individual operating under the alias “hastalamuerte.” The actor was observed on underground forums seeking access to multiple established RaaS programs, including Qilin, Embargo, LockBit, Medusa, and BlackLock, before developing a proprietary platform. This period of experimentation likely allowed the operators to study proven affiliate models and refine their own tooling and deployment workflow.

In September 2025, a separate alias, “Zeta88,” was observed advertising the Gentlemen RaaS on the RAMP cybercrime forum. The program explicitly prohibits targeting organizations in Russia and CIS countries, a restriction consistent with the behavioral norms of Russian-speaking ransomware ecosystems.

Rebranding considerations

The group’s operational maturity and the absence of prior intelligence have prompted debate within the threat intelligence community. Multiple researchers have noted that Gentlemen’s capabilities are unusually advanced for a newly emerged operation, suggesting either a rebranding of experienced operators or the emergence of a well-resourced criminal team with significant prior ransomware experience. No definitive link to a predecessor group has been publicly confirmed.

Target profile

Gentlemen targets a broad range of sectors, with the heaviest concentration in manufacturing, technology, financial services, and healthcare. Education, construction, insurance, energy, and consumer services are also represented. The inclusion of healthcare organizations and municipal governments indicates that the group does not avoid sectors associated with critical infrastructure.

The operators primarily focus on medium to large enterprises with centralized Active Directory environments and domain-level management. Confirmed targets include hospitals, school districts, energy providers, municipal governments, and multinational manufacturers. These environments offer high-value data for extortion and centralized control points that enable rapid, domain-wide encryption.

The United States is the most frequently targeted country, followed by Thailand, Brazil, France, and Malaysia. Affected organizations have been identified across dozens of countries spanning Asia-Pacific, North and South America, Europe, and the Middle East. The broad geographic distribution, combined with the CIS exclusion policy, suggests opportunistic target selection based on access availability rather than a strict regional strategy.

Ransomware-as-a-service model

Gentlemen operates as a full-featured RaaS platform. Affiliates receive customizable builds with pre-configured or adjustable settings, cross-platform lockers for Windows, Linux, BSD, NAS, and ESXi environments, and access to negotiation infrastructure. Per the program’s operational rules, affiliates must upload exfiltrated data to approved cloud resources for publication on the group’s leak site. The revenue split is reported at 90% to affiliates and 10% to the operators.

The platform is actively maintained, with forum posts and operator announcements documenting regular feature additions, including improved encryption performance, expanded propagation methods, and new persistence mechanisms. Certain tools, including an EDR-killer utility and multi-chain system, are restricted to trusted affiliates only. A forum discussion noted that the locker was partially developed using “vibecoding” techniques.

Attack lifecycle

Gentlemen follows a structured enterprise intrusion model with clearly delineated phases: exploitation of internet-facing services for initial access, thorough network reconnaissance, BYOVD-based security neutralization, GPO-driven domain-wide deployment, encrypted data exfiltration, and selective file encryption. The ransomware payload is written in Go, a choice increasingly common among ransomware developers for its cross-platform compilation and resistance to static analysis. The full chain is designed for speed, stealth, and maximum operational impact before defenders can respond.

Initial access

Gentlemen operators gain entry through compromised credentials and exposed administrative panels on internet-facing infrastructure. In the most extensively documented intrusion, a FortiGate appliance with exposed administrative access served as the entry point, giving the attackers a direct path to domain credentials. Collaboration with initial access brokers (IABs) is considered plausible given the speed and volume of new intrusions.

Reconnaissance and discovery

Once inside the network, the operators immediately deploy reconnaissance tools. Advanced IP Scanner is used for initial network mapping, followed by Nmap for detailed service discovery. Custom batch scripts enumerate domain user accounts and privilege groups. PowerShell commands collect information on all accessible volumes, including local drives and Cluster Shared Volumes, to identify encryption targets across the environment.

Privilege escalation and defense evasion

The group employs a Bring Your Own Vulnerable Driver (BYOVD) technique using the ThrottleStop.sys driver (renamed ThrottleBlood.sys), which contains the CVE-2025-7771 vulnerability. This allows the operators to gain kernel-level privileges and terminate security software processes that are normally protected. Custom tools (All.exe and its improved variant Allpatch2.exe) exploit this vulnerability to neutralize antivirus and EDR solutions at the kernel level.

Additional defense evasion measures include disabling Windows Defender real-time protection via PowerShell, adding global directory and process exclusions, deleting Defender support files, and using ICACLS to grant the Everyone group (SID S-1-1-0) full control over targeted directories.

Lateral movement and persistence

Lateral movement relies on a combination of legitimate administrative tools and custom techniques. PsExec, PowerRun, and AnyDesk are used for remote execution and access. Additional evidence indicates the possible use of PuTTY for SSH-based lateral movement, likely targeting Linux systems and network appliances within the environment. The operators also enable Windows Firewall rules for the Network Discovery group via PowerShell, opening discovery and file-sharing ports across the environment. WMI and PowerShell remoting enable propagation across network segments.

The operators manipulate Group Policy Objects (GPOs) to deploy ransomware payloads across the domain via NETLOGON shares, ensuring simultaneous infection of all domain-joined machines. Persistence is established through registry modifications, scheduled tasks (schtasks), and the ransomware’s built-in auto-restart and run-on-boot functionality.

Data exfiltration

Data exfiltration is conducted using WinSCP over encrypted channels to prioritize operational security. Per the RaaS program rules, affiliates upload stolen data to public cloud resources or approved platforms, where it is staged for publication on the group’s leak site if the ransom is not paid.

Encryption and impact

Before encryption begins, the ransomware executes a preparation sequence designed to maximize impact and inhibit recovery:

  • Service Termination: A built-in kill list stops critical services and processes, including database engines (MSSQL, MySQL, PostgreSQL, MongoDB, Oracle), backup utilities (Veeam), virtualization components, remote access tools (TeamViewer), and Microsoft Exchange.
  • Recovery Inhibition: Shadow copies are deleted via vssadmin, Windows event logs are cleared using wevtutil, RDP log files are removed, Prefetch data is wiped, and PowerShell command history is deleted.
  • Self-Deletion: After encryption, the ransomware removes itself from the system using a delayed ping-and-delete command.

The encryption routine generates a unique 32-byte ephemeral key for each file via X25519 (ECDH) key exchange, then encrypts file contents using XChaCha20. Files smaller than approximately 1 MB are fully encrypted, while larger files are only partially encrypted to optimize performance. Operators can select from multiple speed modes: --fast (9% encryption), --superfast (3%), and --ultrafast (1%).

Execution requires a mandatory --password argument; without the correct value, the binary terminates immediately. Additional command-line flags select the encryption scope: --system (local drives only), --shares (network shares only), or --full (both). Optional flags include --T for a delayed start and --silent, which encrypts without appending the custom extension.

Encryption and recovery assessment

No public decryptor for Gentlemen ransomware exists. Because the encryption uses a per-file ephemeral key design, no private key material is stored on the victim system, which makes decryption without the operator's private key infeasible with current methods. No weaknesses in the cryptographic implementation have been identified to date.

During negotiations, the operators offer to decrypt two sample files as proof of capability. Victims are directed to communicate via Tox messenger and a Tor-based onion site. The ransom note typically provides a window of approximately 10 days before the group begins publishing stolen data.

Gentlemen ransom note (README-GENTLEMEN.txt):

*************************** = YOUR ID

Gentlemen, your network is under our full control.
All your files are now encrypted and inaccessible.

1. Any modification of encrypted files will make recovery impossible.
2. Only our unique decryption key and software can restore your files.
Brute-force, RAM dumps, third-party recovery tools are useless.
It’s a fundamental mathematical reality. Only we can decrypt your data.
3. Law enforcement, authorities, and “data recovery” companies will NOT help you.
They will only waste your time, take your money, and block you from recovering your files — your business will be lost.
4. Any attempt to restore systems, or refusal to negotiate, may lead to irreversible wipe of all data and your network.
5. We have exfiltrated all your confidential and business data (including NAS, clouds, etc).
If you do not contact us, it will be published on our leak site and distributed to major hack forums and social networks.

TOX CONTACT – RECOVER YOUR FILES
Contact us (add via TOX ID): **************************************************************
Download Tox messenger: https://tox.chat/download.html

COOPERATE TO PREVENT DATA LEAK (239 HOURS LEFT)
Check our blog: http://*******************************.onion/
Download Tor browser: https://www.torproject.org/download/

Any other means of communication are fake and may be set up by third parties.
Only use the methods listed in this note or on the specified website.

Given the absence of recovery tools, organizations affected by Gentlemen should prioritize verified offline backups as the primary recovery path. Organizations weighing whether to engage with the operators should first understand the consequences of paying the ransom, including the legal, regulatory, and operational risks involved.

Security checklist

This section summarizes stable operational indicators and defensive priorities derived from confirmed Gentlemen intrusions.

Indicators and Artifacts

Category            | Indicator                                                          | Context
--------------------|--------------------------------------------------------------------|------------------------------------------------------------------
File Extension      | Random 6 chars (e.g., .7mtzhh, .ojuopo)                            | Appended to all encrypted files
Ransom Note         | README-GENTLEMEN.txt                                               | Dropped in every encrypted directory
BYOVD Driver        | ThrottleStop.sys renamed to ThrottleBlood.sys                      | CVE-2025-7771; enables kernel-level process termination
EDR/AV Killer       | All.exe, Allpatch2.exe                                             | Custom tools exploiting BYOVD for security software termination
Network Scanners    | Advanced IP Scanner, Nmap                                          | Network mapping and service discovery
Lateral Movement    | PsExec, AnyDesk, PowerRun                                          | Legitimate admin tools abused for remote execution
Exfiltration Tool   | WinSCP                                                             | Encrypted file transfer to attacker-controlled infrastructure
GPO Manipulation    | Payload deployment via NETLOGON shares                             | Domain-wide ransomware distribution to all joined machines
Defender Tampering  | PowerShell exclusions, Defender file deletion, ICACLS S-1-1-0 grants | Multiple-layered evasion techniques
Recovery Inhibition | vssadmin, wevtutil, Prefetch, and RDP log deletion                 | Shadow copies, event logs, and forensic artifacts destroyed
Self-Deletion       | Delayed ping-and-delete command                                    | Binary removal post-encryption
Negotiation Channel | Tox messenger + Tor-based onion site                               | Primary communication channels for negotiation and victim contact
AV Signature        | Ransomware/Win.GentlemenCrypt                                      | AhnLab detection name

Priority detection signals

Based on the observed attack chain, the following activities should be treated as high-priority alerts in any monitoring environment:

  • Unexpected kernel driver loads, particularly ThrottleStop.sys or ThrottleBlood.sys
  • Sudden GPO modifications or new scripts deployed via NETLOGON shares
  • Programmatic addition of Windows Defender exclusions
  • WinSCP execution on servers, especially with large outbound transfers
  • Mass service termination (Veeam, MSSQL, Exchange) within a short time window
  • PsExec, AnyDesk, or PowerRun execution from unexpected sources
  • Shadow copy deletion (vssadmin) or bulk event log clearing (wevtutil); when observed together, these are immediate pre-encryption indicators
  • ICACLS commands granting the Everyone group (S-1-1-0) full control over directories

Individual signals may have legitimate administrative explanations. However, when two or more of these activities occur within the same environment in a short time window, particularly Defender tampering followed by shadow copy deletion, this should be treated as a probable ransomware incident in progress and trigger immediate containment procedures.
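The correlation logic described above (individual signals are reviewable, two or more on the same host within a short window are a probable incident) can be expressed as a small rule engine. The following is an added example written for this profile; it is not code from Proven Data or from any vendor product. The telemetry is constructed for the example and mimics process-creation and driver-load events as an EDR or Sysmon pipeline would supply them; the rule names, the 30-minute window and the field layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not taken from any real intrusion). Each tuple is
# (timestamp, host, event_type, detail): "process" carries a command line,
# "driver" carries the path of the loaded kernel image.
SAMPLE_EVENTS = [
    ("2026-02-03T02:10:05", "FS01", "process", 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("2026-02-03T02:10:40", "FS01", "process", 'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\"'),
    ("2026-02-03T02:11:02", "FS01", "driver", "C:\\Windows\\Temp\\ThrottleBlood.sys"),
    ("2026-02-03T02:11:30", "FS01", "process", "icacls.exe C:\\Data /grant *S-1-1-0:F /T"),
    ("2026-02-03T02:12:15", "FS01", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("2026-02-03T02:12:20", "FS01", "process", "wevtutil.exe cl Security"),
    ("2026-02-03T02:13:00", "DC01", "process", "cmd.exe /c copy C:\\Temp\\update.exe \\\\corp.example\\NETLOGON\\update.exe"),
    ("2026-02-03T09:00:00", "WS22", "process", "vssadmin.exe list shadows"),  # routine admin use, not a signal
    ("2026-02-03T14:30:00", "WS22", "process", "PsExec.exe \\\\SRV07 -s cmd.exe"),
]

# One rule per priority signal from the checklist: (signal name, event type, pattern).
SIGNALS = [
    ("byovd_driver_load",     "driver",  re.compile(r"throttle(stop|blood)\.sys$", re.I)),
    ("defender_tampering",    "process", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring|Add-MpPreference\s+-Exclusion", re.I)),
    ("everyone_full_control", "process", re.compile(r"icacls.*\bS-1-1-0\b", re.I)),
    ("shadow_copy_deletion",  "process", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing",    "process", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("remote_exec_tool",      "process", re.compile(r"\b(psexec|anydesk|powerrun)(\.exe)?\b", re.I)),
    ("exfil_tool",            "process", re.compile(r"\bwinscp(\.exe)?\b", re.I)),
    ("backup_service_stop",   "process", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+.*(veeam|mssql|exchange)", re.I)),
    ("netlogon_script_drop",  "process", re.compile(r"\\netlogon\\", re.I)),
]


def classify(event_type, detail):
    """Return the name of the first signal this event matches, or None."""
    for name, etype, pattern in SIGNALS:
        if etype == event_type and pattern.search(detail):
            return name
    return None


def correlate(events, window_minutes=30):
    """Group matched signals per host and decide a verdict per host.

    Two or more distinct signals inside one window, or Defender tampering
    followed by shadow copy deletion, is treated as a probable incident.
    """
    per_host = defaultdict(list)
    for ts, host, etype, detail in events:
        signal = classify(etype, detail)
        if signal:
            per_host[host].append((datetime.fromisoformat(ts), signal))

    window = timedelta(minutes=window_minutes)
    results = {}
    for host, hits in per_host.items():
        hits.sort()
        best_cluster, escalate = set(), False
        for i, (t0, s0) in enumerate(hits):
            cluster = {s0}
            for t1, s1 in hits[i + 1:]:
                if t1 - t0 > window:
                    break
                cluster.add(s1)
                if s0 == "defender_tampering" and s1 == "shadow_copy_deletion":
                    escalate = True
            if len(cluster) > len(best_cluster):
                best_cluster = cluster
        verdict = "probable_ransomware_incident" if escalate or len(best_cluster) >= 2 else "single_signal_review"
        results[host] = {"signals": sorted(best_cluster), "verdict": verdict}
    return results


if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result["verdict"], ", ".join(result["signals"]))
```

On the constructed data, FS01 accumulates five distinct signals within three minutes and is escalated, while DC01 (a single NETLOGON write) and WS22 (a single PsExec run) are returned for review rather than alerted on, which is the behaviour the checklist asks for. In production the patterns would be matched against normalized command-line and image-load fields rather than raw strings, and the window would be tuned to the environment.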

Defensive recommendations

The following recommendations address the specific tactics, techniques, and procedures documented in Gentlemen ransomware operations, organized by attack phase to align with the intrusion lifecycle.

  • Harden Internet-Facing Services: Ensure FortiGate and other VPN/firewall appliances are fully patched and running current firmware. Disable or restrict access to administrative management interfaces from the public internet. Enforce multi-factor authentication on all remote access points, including VPN portals and administrative panels. Audit for exposed administrative accounts and rotate credentials proactively.
  • Implement Driver Allowlisting: Deploy Windows Defender Application Control (WDAC) or equivalent policies to block the loading of unauthorized kernel drivers. This represents an effective mitigation against the BYOVD technique Gentlemen uses to neutralize security tools via the ThrottleStop.sys/ThrottleBlood.sys driver.
  • Monitor and Protect Group Policy Objects: Alert on unexpected GPO modifications, particularly new scripts or payloads deployed via NETLOGON shares. Restrict GPO editing privileges to a minimal set of accounts and review GPO change logs regularly. This is a critical control, as Gentlemen primarily uses GPO manipulation to deploy ransomware domain-wide.
  • Enforce Privileged Access Controls: Apply the principle of least privilege to domain administrative accounts. Implement Just-In-Time (JIT) access for elevated privileges. Monitor for new account creation, unauthorized privilege escalation, and anomalous use of existing admin credentials.
  • Deploy EDR/XDR with Tamper Protection: Ensure endpoint detection and response solutions are configured with anti-tamper capabilities. Gentlemen operators use multiple-layered techniques to neutralize security tools, including BYOVD-based process termination, PowerShell-based Defender disabling, exclusion injection, and support file deletion. Tamper protection must cover all of these vectors.
  • Monitor Administrative Tool Usage: Establish baselines and alert on anomalous usage of PsExec, AnyDesk, PowerRun, WinSCP, Advanced IP Scanner, and Nmap. Detect unauthorized WMI and PowerShell remoting activity. These are all legitimate tools that Gentlemen operators abuse across multiple phases of the attack chain.
  • Restrict and Monitor Outbound Data Transfers: Gentlemen affiliates exfiltrate data using WinSCP over encrypted channels before encryption begins. Deploy network-level controls to detect and block large-volume outbound transfers from servers, particularly over SCP/SFTP protocols. Segment sensitive data repositories to limit what an attacker can access from a single compromised host.
  • Verify Backup Integrity and Isolation: Maintain offline, immutable backups that are not accessible from the production network. Test restoration procedures regularly. Gentlemen specifically targets Veeam and other backup services for termination before encryption, so backup infrastructure must be isolated from domain-joined environments.
  • Enable PowerShell Logging and Script Block Auditing: Gentlemen operators rely on PowerShell across multiple attack phases: volume enumeration during discovery, Defender disabling during evasion, and remoting during lateral movement. Comprehensive logging, including Module Logging, Script Block Logging, and Transcription, enables detection and forensic reconstruction of these activities.
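The outbound-transfer recommendation above turns on two things: knowing which hosts are servers that should never bulk-upload to external SFTP/SCP endpoints, and comparing what they send in a short window against their normal volume. The following added example (written for this profile, not code from Proven Data or any network product) shows that check over constructed flow records such as a firewall or NetFlow collector would export. The host roles, the per-host baselines, the internal address ranges, the one-hour window and the thresholds are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not from any real network): start time, source host,
# destination IP, destination port, bytes sent by the source in that flow.
SAMPLE_FLOWS = [
    ("2026-02-03T01:05:00", "FS01", "10.0.0.5",      445, 12_000_000),      # internal SMB, ignored
    ("2026-02-03T01:40:00", "FS01", "203.0.113.7",    22, 900_000_000),
    ("2026-02-03T02:05:00", "FS01", "203.0.113.7",    22, 1_400_000_000),
    ("2026-02-03T02:20:00", "FS01", "203.0.113.7",    22, 700_000_000),
    ("2026-02-03T03:00:00", "DB02", "10.0.0.9",     1433, 50_000_000),      # internal SQL, ignored
    ("2026-02-03T09:15:00", "DB02", "198.51.100.20", 443, 4_000_000),       # external HTTPS, not SFTP/SCP
    ("2026-02-03T10:00:00", "WS22", "203.0.113.7",    22, 150_000_000),     # workstation, outside server scope
]

# Assumed asset inventory and learned baselines; a real deployment derives these
# from a CMDB and from historical flow data.
SERVER_HOSTS = {"FS01", "DB02"}
BASELINE_DAILY_EXTERNAL_BYTES = {"FS01": 20_000_000, "DB02": 30_000_000, "WS22": 400_000_000}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCP_SFTP_PORTS = {22}


def is_external(ip):
    """True when the address is outside the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bulk_exfil(flows, window_hours=1, ratio=10, min_bytes=500_000_000):
    """Alert on servers whose SFTP/SCP traffic to external hosts inside one sliding
    window exceeds both an absolute floor and `ratio` times their daily baseline."""
    per_host = defaultdict(list)
    for ts, host, dst, port, sent in flows:
        if host in SERVER_HOSTS and port in SCP_SFTP_PORTS and is_external(dst):
            per_host[host].append((datetime.fromisoformat(ts), dst, sent))

    window = timedelta(hours=window_hours)
    alerts = {}
    for host, recs in per_host.items():
        recs.sort()
        threshold = max(min_bytes, ratio * BASELINE_DAILY_EXTERNAL_BYTES.get(host, 0))
        for i, (t0, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            total = sum(r[2] for r in in_window)
            # Keep the heaviest window per host so the alert carries the full volume.
            if total >= threshold and total > alerts.get(host, {}).get("bytes", 0):
                alerts[host] = {
                    "window_start": t0.isoformat(),
                    "bytes": total,
                    "threshold": threshold,
                    "destinations": sorted({r[1] for r in in_window}),
                }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_bulk_exfil(SAMPLE_FLOWS).items():
        print(f"{host}: {alert['bytes']:,} bytes to {alert['destinations']} from {alert['window_start']}")
```

With these inputs only FS01 is flagged: it pushes roughly 3 GB over port 22 to a single external address within 40 minutes, 150 times its assumed daily external baseline, while DB02's small HTTPS flow and the workstation's transfer fall outside the rule. Pairing this network alert with the host-side signals from the detection checklist (WinSCP execution on the same server, for instance) is what lets a responder act before encryption starts.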

Gentlemen is an actively expanding operation with no signs of slowing down. The combination of a mature RaaS platform, rapid victim accumulation, and the absence of any known cryptographic weakness makes this group a serious and ongoing threat. Organizations that suspect a Gentlemen ransomware incident should initiate containment procedures immediately, following an established response framework, and engage qualified digital forensics and incident response support as early as possible.

Author

  • Laura Pompeu

    Laura Pompeu is a content editor and strategy leader at Proven Data, bringing over 10 years of digital media experience. Leveraging her background in journalism, SEO, and marketing, Laura shapes cybersecurity and technology content to be insightful yet accessible.
