The Gentlemen Ransomware Uses 21 Remote Execution Techniques to Encrypt Entire Networks
The Gentlemen ransomware has become a serious network-wide threat because it does more than encrypt the first system it infects. A new Picus Security report says its self-propagation module can try up to 21 remote execution operations against each reachable host.
Microsoft tracks the ransomware operation as Storm-2697, a financially motivated group behind the ransomware-as-a-service platform known as The Gentlemen. The Microsoft Security Blog says the ransomware is written in Go, obfuscated with Garble, and used in double extortion attacks against Windows environments.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The key danger is lateral movement at speed. Once the ransomware reaches one compromised machine, it can stage itself, weaken defenses on nearby systems, and launch the payload through several Windows execution paths until one works.
What is The Gentlemen ransomware?
The Gentlemen is a ransomware-as-a-service operation that emerged around mid-2025 and expanded into an affiliate model later that year. Instead of a single closed crew handling every attack, affiliates can use the platform to compromise victims, steal data, and deploy the encryptor.
Microsoft says the group has affected organizations in education, transportation, healthcare, and financial services across North America, South America, Europe, Africa, and Asia. Kaspersky’s Securelist analysis also describes the group as rapidly growing, with observed activity against large corporations and critical infrastructure.
The ransomware combines three traits that make it especially disruptive: credential-backed lateral movement, aggressive defense evasion, and strong per-file encryption. That mix can turn one infected endpoint into a launch point for a wider corporate outage.
| Attribute | Details |
|---|---|
| Malware type | Ransomware-as-a-service with worm-like propagation |
| Primary platform | Windows environments |
| Language | Go, with Garble obfuscation |
| Encrypted extension | .umc16h |
| Ransom note | README-GENTLEMEN.txt |
How the 21 remote execution techniques work
The self-spreading feature activates when the ransomware runs with the –spread argument. That argument can use explicit credentials in a domain, username, and password format, or it can reuse the current session token for lateral movement.
After activation, the infected machine becomes a distribution point. It copies its binary into C:\Temp, creates a hidden SMB share called share$, and prepares PsExec for remote execution. The ransomware then enumerates reachable workstations, servers, and domain controllers.
The Microsoft analysis says the malware attempts several independent payload deployment paths, including PsExec, WMIC, scheduled tasks, services, PowerShell remoting, and PowerShell WMI. Across those paths, the malware reaches 21 remote execution operations per target host.
- Remote file copy through administrative shares
- PsExec-based execution
- WMIC process creation
- User-context scheduled tasks
- SYSTEM-context scheduled tasks
- Windows service creation
- PowerShell remoting through WinRM
- PowerShell WMI process creation
Why one successful method is enough
The Gentlemen does not need every execution method to work. Each method runs independently, so the attacker only needs one successful path on one additional machine to keep the spread going.
Before the payload runs on a remote host, the ransomware can push a PowerShell defense evasion routine that disables Microsoft Defender real-time monitoring, adds broad exclusions, turns off Windows Firewall profiles, enables SMB1, and loosens anonymous access settings. Picus says this makes the target more exposed before the encryption payload arrives.
The Picus breakdown describes this redundancy as central to the ransomware’s propagation strategy. In a partly hardened network, blocked PsExec access may not matter if scheduled tasks, WMI, or services remain available.
| Propagation step | Purpose |
|---|---|
| Stage binary in C:\Temp | Prepares a local copy of the ransomware for network deployment |
| Create hidden SMB share | Makes the payload reachable from other hosts |
| Drop or download PsExec | Provides a legitimate remote execution tool |
| Enumerate network hosts | Finds workstations, servers, and domain controllers |
| Try 21 execution operations | Improves the chance of successful lateral movement |
Defense evasion begins before encryption
The Gentlemen ransomware tries to weaken the environment before encrypting files. It disables Microsoft Defender protections, adds exclusions, stops selected processes, stops services, and targets backup or recovery tools that could help victims restore data.
Huntress observed The Gentlemen incidents in April and May 2026 where attackers used scheduled tasks and PowerShell, cleared Windows event logs, and tried to disable Microsoft Defender or add antivirus exclusions. The Huntress analysis also notes that ransomware-as-a-service attacks can vary because different affiliates use different intrusion chains.
This matters for defenders because blocking the encryptor alone may not stop the intrusion. The activity around it, including PowerShell commands, event log clearing, persistence creation, and remote execution, often gives earlier signs of an active ransomware deployment.
Encryption and recovery impact
The Gentlemen uses a hybrid encryption design that combines Curve25519 elliptic-curve cryptography with the XChaCha20 stream cipher. Each file receives unique per-file ephemeral keys, which makes decryption without the attacker’s private key impractical.
The ransomware also deletes Volume Shadow Copies through more than one method and can wipe free disk space when the operator enables that option. Those steps reduce the chance of recovering unencrypted remnants after the attack.
Kaspersky’s Securelist report says the group drops README-GENTLEMEN.txt ransom notes and has continued to expand its toolset, including newer implant development. That points to an operation that is still changing, not a static ransomware family.
Links to broader ransomware operations
The Gentlemen’s activity also fits a wider ransomware pattern where affiliates combine lockers with proxy tools, stolen credentials, and exposed remote services. In one case, Check Point Research documented an affiliate using SystemBC, a proxy malware often used for covert tunneling and payload delivery.
Check Point said The Gentlemen RaaS had publicly claimed more than 320 victims at the time of its report, with much of that activity occurring in 2026. The group’s locker portfolio also spans several platforms, which can matter in mixed corporate environments.
The operational model increases risk because affiliates do not always follow the same playbook. One intrusion may begin with stolen credentials, another with an exposed edge device, and another with an initial access broker. The common end goal remains data theft, encryption, and pressure on the victim to pay.
Indicators defenders should monitor
Security teams should watch for staging in C:\Temp, hidden SMB share creation, suspicious PsExec use, remote scheduled tasks, new Windows services, WMI process creation, and PowerShell commands that weaken Defender or firewall settings.
Huntress also observed event log clearing across Security, System, and Application logs in incidents involving The Gentlemen. That behavior should trigger investigation because attackers often erase logs shortly before or during ransomware deployment.
| Type | Indicator | Why it matters |
|---|---|---|
| File extension | .umc16h | Appended to encrypted files in the analyzed variant |
| Ransom note | README-GENTLEMEN.txt | Ransom note dropped on infected systems |
| File path | C:\Temp | Used to stage malware and PsExec during propagation |
| Network share | \\<self>\share$ | Hidden SMB share used to distribute the payload |
| Tool | PsExec | Legitimate tool abused for remote execution |
How organizations can reduce the risk
Defenders should focus on stopping lateral movement before the encryption phase starts. That means restricting administrative shares, limiting local administrator reuse, monitoring remote execution, and hardening Windows Remote Management and WMI access.
The Huntress report recommends paying close attention to defense evasion signals, while Check Point Research shows why proxy malware and covert tunneling can appear before ransomware deployment. Together, those findings support a layered detection strategy rather than waiting for file encryption alerts.
- Keep offline, immutable backups that ransomware cannot reach.
- Restrict PsExec, WMI, WinRM, and remote scheduled task usage.
- Disable SMB1 and audit anonymous share access.
- Enable tamper protection and monitor Defender policy changes.
- Alert on mass event log clearing and Volume Shadow Copy deletion.
- Segment networks so one infected endpoint cannot reach every server.
- Test ransomware controls against realistic lateral movement chains.
Bottom line
The Gentlemen ransomware stands out because its network propagation is built into the malware’s execution flow. It can stage itself, weaken remote hosts, and try 21 execution operations until one path works.
For enterprises, the lesson is direct: stopping ransomware at the first encrypted file is too late. The better defense is to detect the staging, credential use, remote execution, policy tampering, and recovery destruction that happen before the final encryption wave.
FAQ
The Gentlemen is a ransomware-as-a-service operation that targets corporate environments. It is known for Go-based Windows malware, double extortion tactics, and a self-propagation module that can spread across reachable systems on a network.
The 21 remote execution operations make the ransomware more resilient during lateral movement. If one method fails, the malware can try others, including PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and PowerShell WMI.
In the analyzed variant, encrypted files receive the .umc16h extension. The ransomware also drops a ransom note named README-GENTLEMEN.txt on infected systems.
The analyzed encryption design uses Curve25519 and XChaCha20 with unique per-file keys, making decryption without the attacker’s private key impractical. Recovery usually depends on clean offline backups and incident response preparation.
Organizations should restrict remote execution tools, disable SMB1, segment networks, protect backups, monitor Defender policy changes, alert on event log clearing, and test controls against realistic ransomware lateral movement chains.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages