The Gentlemen Ransomware Employs 21 Remote Execution Techniques

A new ransomware strain known as The Gentlemen has emerged as a significant threat, combining robust encryption with aggressive self-propagation capabilities that can compromise entire corporate networks from a single point of infection. Written in the Go programming language and obfuscated using the Garble tool, this malware first appeared in mid-2025 and has since evolved into a full-fledged ransomware-as-a-service (RaaS) operation.

Unlike traditional ransomware that typically encrypts files on the initially infected machine, The Gentlemen actively seeks out other computers within the same network to propagate the infection. This self-spreading feature transforms a single compromised device into a launchpad for a widespread attack.

Security researchers have been closely monitoring The Gentlemen and have detailed its operational sequence, which includes password validation, privilege escalation, defense evasion, encryption, and network-wide dissemination. The ransomware has impacted various sectors, including education, transportation, healthcare, and finance, across multiple continents. The group behind The Gentlemen has also collaborated with online communities to recruit affiliates, such as penetration testers and initial access brokers, thereby expanding the pool of attackers utilizing this tool. Coupled with double extortion tactics—where stolen data is used as leverage alongside encryption—this threat poses a serious risk to organizations of all sizes and sectors.

Self-Propagation Mechanism

The Gentlemen’s self-propagation feature is activated via a command-line flag called --spread. Once enabled, the infected machine becomes a distribution hub by copying its own binary into a folder and sharing it over a hidden network share configured for anonymous access. The malware then utilizes legitimate system tools, such as PsExec, to scan the network for accessible machines, including workstations, servers, and domain controllers. Each discovered machine becomes a target for infection.

Before executing the ransomware payload, The Gentlemen employs a script to weaken the target machine’s defenses. This script disables security monitoring, turns off firewall protection, and re-enables outdated and insecure versions of file-sharing protocols. Following this, the malware attempts to execute the payload using up to 21 different remote execution methods per target, including remote file copying, PsExec, scheduled tasks, Windows services, and PowerShell-based techniques. Each method operates independently, increasing the likelihood that at least one will succeed, thereby facilitating further spread of the infection.

Implications and Mitigation

The Gentlemen’s sophisticated propagation techniques underscore the evolving nature of ransomware threats. Organizations must adopt a multi-layered security approach to defend against such attacks. This includes regularly updating and patching systems, implementing robust access controls, monitoring network activity for unusual behavior, and educating employees about phishing and other common attack vectors. Additionally, maintaining up-to-date backups and developing a comprehensive incident response plan are crucial steps in mitigating the impact of ransomware incidents.