The Gentlemen Ransomware: Exploiting SYSTEM Scheduled Tasks for Elevated Privileges
A newly identified ransomware strain, dubbed The Gentlemen, has emerged as a significant threat in the cybersecurity landscape. Developed using the Go programming language and obfuscated with the Garble tool, this malware combines robust per-file encryption with an aggressive self-propagation mechanism, enabling it to spread silently across networks without human intervention. Industries such as education, healthcare, transportation, and finance across multiple continents—including North America, South America, Europe, Africa, and Asia—have already experienced its damaging effects.
Ransomware-as-a-Service Model
Operating under a Ransomware-as-a-Service (RaaS) model, The Gentlemen’s core developers lease access to the malware to affiliates. Initially surfacing around mid-2025 as a closed group, the operation expanded in September 2025 by opening its platform to affiliates. More recently, the operators have partnered with BreachForums, a notorious cybercriminal marketplace, actively recruiting penetration testers and initial access brokers to facilitate attacks.
Microsoft Threat Intelligence, tracking the group behind this malware as Storm-2697, has observed the use of double extortion tactics. This approach involves encrypting a victim’s data while simultaneously exfiltrating sensitive files, with threats to publicly release the stolen information if the ransom is not paid. Microsoft’s report indicates that this partnership could attract a broader pool of criminal actors, amplifying the threat’s reach.
Sophisticated Attack Strategies
The Gentlemen distinguishes itself through a layered attack strategy that includes:
– Disabling Antivirus Tools: Neutralizing security software to avoid detection.
– Deleting Backups: Removing system backups to prevent data recovery.
– Clearing System Logs: Erasing logs to eliminate forensic evidence.
– Wiping Forensic Traces: Ensuring minimal traceability post-attack.
Once activated, the ransomware can autonomously propagate across a network, complicating containment efforts for security teams.
Command-and-Control Flexibility
The Gentlemen requires a build-specific password to run at all, and once launched it exposes extensive control over its behavior through command-line arguments. These options allow operators to customize:
– Encryption Speed: Adjusting the rate at which files are encrypted.
– Network Spreading: Enabling or disabling the malware’s ability to spread across networks.
– Persistence Mechanisms: Determining how the malware maintains its presence after system reboots.
This level of operational control enhances the malware’s flexibility and effectiveness in large-scale deployments.
Exploiting SYSTEM Scheduled Tasks
A particularly notable aspect of The Gentlemen is its method of achieving elevated system privileges. Upon receiving specific command-line instructions, the ransomware creates a Windows scheduled task named `gentlemen_system` that runs the malware executable under the SYSTEM account—the highest privilege level on a Windows machine. The process involves:
1. Deleting Existing Tasks: Removing any pre-existing tasks with the same name.
2. Registering a New Task: Creating a fresh scheduled task configured to run under SYSTEM privileges.
3. Immediate Execution: Triggering the task to execute the malware promptly.
Once operating under elevated privileges, the malware sets an internal environment variable `LOCKER_BACKGROUND=1` to signal its active status.
Implications and Mitigation Strategies
The Gentlemen’s exploitation of SYSTEM scheduled tasks underscores the evolving tactics of ransomware operators. By leveraging legitimate system functionalities, the malware achieves deep system integration, making detection and removal more challenging.
Mitigation strategies include:
– Regular System Audits: Conducting frequent reviews of scheduled tasks and system logs to identify unauthorized changes.
– Enhanced Endpoint Detection: Deploying advanced endpoint detection and response (EDR) solutions to monitor and respond to suspicious activities.
– User Education: Training staff to recognize phishing attempts and other common attack vectors used to deliver ransomware.
– Patch Management: Ensuring all systems are up-to-date with the latest security patches to close vulnerabilities exploited by malware.
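The scheduled-task technique described under "Exploiting SYSTEM Scheduled Tasks" and the "Regular System Audits" mitigation above can both be served by a single host audit. The PowerShell below is an added example written for this page; it is not code from the article, from Microsoft's report, or from the malware. It assumes an elevated PowerShell session on the host being checked, that the task name `gentlemen_system` and the SYSTEM principal are the indicators worth flagging (both are taken from the article), and that the list of trusted executable roots and the 72-hour recency window are our own choices. The second function relies on Security event ID 4698 ("A scheduled task was created"), which is only written when the "Audit Other Object Access Events" subcategory is enabled.

```powershell
# Added example (not from the article): audit scheduled tasks on this host that run
# as SYSTEM and surface the ones matching the indicators described above.
# Assumptions: elevated session; task name from the article; trusted roots are ours.

$KnownBadTaskNames = @('gentlemen_system')   # indicator named in the article
$TrustedRoots = @(                            # assumption: where SYSTEM tasks normally live
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)
$SystemPrincipals = @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')

function Get-SuspiciousSystemTasks {
    [CmdletBinding()]
    param([int]$NewerThanHours = 72)          # assumption: recently registered tasks are interesting

    $cutoff = (Get-Date).AddHours(-$NewerThanHours)
    foreach ($task in Get-ScheduledTask) {
        # Only tasks whose principal is the SYSTEM account are in scope here.
        if ($task.Principal.UserId -notin $SystemPrincipals) { continue }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $reasons = @()

            if ($task.TaskName -in $KnownBadTaskNames) { $reasons += 'known ransomware task name' }

            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            if (-not $inTrusted) { $reasons += 'SYSTEM task runs a binary outside Windows/Program Files' }

            # $task.Date is the registration timestamp string; it may be empty on built-in tasks.
            if ($task.Date) {
                try {
                    if ([datetime]$task.Date -gt $cutoff) { $reasons += "registered within last $NewerThanHours h" }
                } catch { }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    RunAs     = $task.Principal.UserId
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-RecentTaskCreationEvents {
    [CmdletBinding()]
    param([int]$Hours = 72)

    # Event ID 4698 carries the full task XML in the TaskContent field, so the
    # SYSTEM principal (S-1-5-18) can be matched even if the task was later deleted.
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            SubjectUser = $data['SubjectUserName']
            TaskName    = $data['TaskName']
            RunsAsSystem = ($data['TaskContent'] -match '<UserId>S-1-5-18</UserId>')
            KnownBadName = ($KnownBadTaskNames | Where-Object { $data['TaskName'] -like "*$_*" }).Count -gt 0
        }
    }
}

# Usage: live task inventory first, then the audit trail of task creations.
Get-SuspiciousSystemTasks | Format-Table -AutoSize
Get-RecentTaskCreationEvents | Where-Object { $_.RunsAsSystem -or $_.KnownBadName } | Format-Table -AutoSize
```

The two functions look at different evidence on purpose: `Get-SuspiciousSystemTasks` reads the live task store, which catches a task that is still registered, while `Get-RecentTaskCreationEvents` reads the Security log, which still shows the registration after the task has been deleted or the name has been changed from the one the article reports. Because the malware deletes and re-registers the task, the 4698 record may be the only trace left on a host that has already been cleaned.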
By understanding and addressing the sophisticated methods employed by The Gentlemen ransomware, organizations can bolster their defenses against this and similar threats.