The Gentlemen Ransomware Uses 21 Remote Execution Techniques to Encrypt Entire Networks


The Gentlemen ransomware has become a serious network-wide threat because it does more than encrypt the first system it infects. A new Picus Security report says its self-propagation module can try up to 21 remote execution operations against each reachable host.

Microsoft tracks the ransomware operation as Storm-2697, a financially motivated group behind the ransomware-as-a-service platform known as The Gentlemen. The Microsoft Security Blog says the ransomware is written in Go, obfuscated with Garble, and used in double extortion attacks against Windows environments.

The key danger is lateral movement at speed. Once the ransomware reaches one compromised machine, it can stage itself, weaken defenses on nearby systems, and launch the payload through several Windows execution paths until one works.

What is The Gentlemen ransomware?

The Gentlemen is a ransomware-as-a-service operation that emerged around mid-2025 and expanded into an affiliate model later that year. Instead of a single closed crew handling every attack, affiliates can use the platform to compromise victims, steal data, and deploy the encryptor.

Microsoft says the group has affected organizations in education, transportation, healthcare, and financial services across North America, South America, Europe, Africa, and Asia. Kaspersky’s Securelist analysis also describes the group as rapidly growing, with observed activity against large corporations and critical infrastructure.

The ransomware combines three traits that make it especially disruptive: credential-backed lateral movement, aggressive defense evasion, and strong per-file encryption. That mix can turn one infected endpoint into a launch point for a wider corporate outage.

AttributeDetails
Malware typeRansomware-as-a-service with worm-like propagation
Primary platformWindows environments
LanguageGo, with Garble obfuscation
Encrypted extension.umc16h
Ransom noteREADME-GENTLEMEN.txt

How the 21 remote execution techniques work

The self-spreading feature activates when the ransomware runs with the –spread argument. That argument can use explicit credentials in a domain, username, and password format, or it can reuse the current session token for lateral movement.

After activation, the infected machine becomes a distribution point. It copies its binary into C:\Temp, creates a hidden SMB share called share$, and prepares PsExec for remote execution. The ransomware then enumerates reachable workstations, servers, and domain controllers.

The Microsoft analysis says the malware attempts several independent payload deployment paths, including PsExec, WMIC, scheduled tasks, services, PowerShell remoting, and PowerShell WMI. Across those paths, the malware reaches 21 remote execution operations per target host.

  • Remote file copy through administrative shares
  • PsExec-based execution
  • WMIC process creation
  • User-context scheduled tasks
  • SYSTEM-context scheduled tasks
  • Windows service creation
  • PowerShell remoting through WinRM
  • PowerShell WMI process creation

Why one successful method is enough

The Gentlemen does not need every execution method to work. Each method runs independently, so the attacker only needs one successful path on one additional machine to keep the spread going.

Before the payload runs on a remote host, the ransomware can push a PowerShell defense evasion routine that disables Microsoft Defender real-time monitoring, adds broad exclusions, turns off Windows Firewall profiles, enables SMB1, and loosens anonymous access settings. Picus says this makes the target more exposed before the encryption payload arrives.

The Picus breakdown describes this redundancy as central to the ransomware’s propagation strategy. In a partly hardened network, blocked PsExec access may not matter if scheduled tasks, WMI, or services remain available.

Propagation stepPurpose
Stage binary in C:\TempPrepares a local copy of the ransomware for network deployment
Create hidden SMB shareMakes the payload reachable from other hosts
Drop or download PsExecProvides a legitimate remote execution tool
Enumerate network hostsFinds workstations, servers, and domain controllers
Try 21 execution operationsImproves the chance of successful lateral movement

Defense evasion begins before encryption

The Gentlemen ransomware tries to weaken the environment before encrypting files. It disables Microsoft Defender protections, adds exclusions, stops selected processes, stops services, and targets backup or recovery tools that could help victims restore data.

Huntress observed The Gentlemen incidents in April and May 2026 where attackers used scheduled tasks and PowerShell, cleared Windows event logs, and tried to disable Microsoft Defender or add antivirus exclusions. The Huntress analysis also notes that ransomware-as-a-service attacks can vary because different affiliates use different intrusion chains.

This matters for defenders because blocking the encryptor alone may not stop the intrusion. The activity around it, including PowerShell commands, event log clearing, persistence creation, and remote execution, often gives earlier signs of an active ransomware deployment.

Encryption and recovery impact

The Gentlemen uses a hybrid encryption design that combines Curve25519 elliptic-curve cryptography with the XChaCha20 stream cipher. Each file receives unique per-file ephemeral keys, which makes decryption without the attacker’s private key impractical.

The ransomware also deletes Volume Shadow Copies through more than one method and can wipe free disk space when the operator enables that option. Those steps reduce the chance of recovering unencrypted remnants after the attack.

Kaspersky’s Securelist report says the group drops README-GENTLEMEN.txt ransom notes and has continued to expand its toolset, including newer implant development. That points to an operation that is still changing, not a static ransomware family.

The Gentlemen’s activity also fits a wider ransomware pattern where affiliates combine lockers with proxy tools, stolen credentials, and exposed remote services. In one case, Check Point Research documented an affiliate using SystemBC, a proxy malware often used for covert tunneling and payload delivery.

Check Point said The Gentlemen RaaS had publicly claimed more than 320 victims at the time of its report, with much of that activity occurring in 2026. The group’s locker portfolio also spans several platforms, which can matter in mixed corporate environments.

The operational model increases risk because affiliates do not always follow the same playbook. One intrusion may begin with stolen credentials, another with an exposed edge device, and another with an initial access broker. The common end goal remains data theft, encryption, and pressure on the victim to pay.

Indicators defenders should monitor

Security teams should watch for staging in C:\Temp, hidden SMB share creation, suspicious PsExec use, remote scheduled tasks, new Windows services, WMI process creation, and PowerShell commands that weaken Defender or firewall settings.

Huntress also observed event log clearing across Security, System, and Application logs in incidents involving The Gentlemen. That behavior should trigger investigation because attackers often erase logs shortly before or during ransomware deployment.

TypeIndicatorWhy it matters
File extension.umc16hAppended to encrypted files in the analyzed variant
Ransom noteREADME-GENTLEMEN.txtRansom note dropped on infected systems
File pathC:\TempUsed to stage malware and PsExec during propagation
Network share\\<self>\share$Hidden SMB share used to distribute the payload
ToolPsExecLegitimate tool abused for remote execution

How organizations can reduce the risk

Defenders should focus on stopping lateral movement before the encryption phase starts. That means restricting administrative shares, limiting local administrator reuse, monitoring remote execution, and hardening Windows Remote Management and WMI access.

The Huntress report recommends paying close attention to defense evasion signals, while Check Point Research shows why proxy malware and covert tunneling can appear before ransomware deployment. Together, those findings support a layered detection strategy rather than waiting for file encryption alerts.

  • Keep offline, immutable backups that ransomware cannot reach.
  • Restrict PsExec, WMI, WinRM, and remote scheduled task usage.
  • Disable SMB1 and audit anonymous share access.
  • Enable tamper protection and monitor Defender policy changes.
  • Alert on mass event log clearing and Volume Shadow Copy deletion.
  • Segment networks so one infected endpoint cannot reach every server.
  • Test ransomware controls against realistic lateral movement chains.

Bottom line

The Gentlemen ransomware stands out because its network propagation is built into the malware’s execution flow. It can stage itself, weaken remote hosts, and try 21 execution operations until one path works.

For enterprises, the lesson is direct: stopping ransomware at the first encrypted file is too late. The better defense is to detect the staging, credential use, remote execution, policy tampering, and recovery destruction that happen before the final encryption wave.

FAQ

What is The Gentlemen ransomware?

The Gentlemen is a ransomware-as-a-service operation that targets corporate environments. It is known for Go-based Windows malware, double extortion tactics, and a self-propagation module that can spread across reachable systems on a network.

Why are the 21 remote execution techniques important?

The 21 remote execution operations make the ransomware more resilient during lateral movement. If one method fails, the malware can try others, including PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and PowerShell WMI.

What file extension does The Gentlemen ransomware use?

In the analyzed variant, encrypted files receive the .umc16h extension. The ransomware also drops a ransom note named README-GENTLEMEN.txt on infected systems.

Can victims decrypt files without paying The Gentlemen operators?

The analyzed encryption design uses Curve25519 and XChaCha20 with unique per-file keys, making decryption without the attacker’s private key impractical. Recovery usually depends on clean offline backups and incident response preparation.

How can organizations defend against The Gentlemen ransomware?

Organizations should restrict remote execution tools, disable SMB1, segment networks, protect backups, monitor Defender policy changes, alert on event log clearing, and test controls against realistic ransomware lateral movement chains.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages