The Gentlemen Ransomware: A New Self-Propagating Threat
Severity: High (Score: 68.0)
Sources: Cybersecuritynews, Blogs.Microsoft
Keywords: ransomware, gentlemen, called, uses, system, scheduled, task
Severity indicators: ransomware
Summary
A new ransomware strain named The Gentlemen has emerged. It is written in Go and obfuscated with Garble, encrypts each file under its own ephemeral key, and carries a self-propagation module that lets it spread across a network without operator interaction. Reported targets include the education, healthcare and transportation sectors. The malware is deployed by affiliates of the Storm-2697 cluster and runs its encryptor from a scheduled task that executes as SYSTEM, so local drives are encrypted with elevated privileges. Because propagation is automated, a single foothold can become network-wide encryption quickly, and organizations are urged to review their controls against it. Analysis is ongoing.

Key Points:
- Written in Go, obfuscated with Garble, and run from a SYSTEM scheduled task for encryption.
- Spreads across networks on its own, with reported impact on education and healthcare.
- Deployed by affiliates of Storm-2697 and combines per-file encryption with aggressive self-propagation.
Detailed Analysis
**Impact**
The Gentlemen targets organizations in education, healthcare and transportation. It encrypts local drives from a SYSTEM context, so encryption is not limited by the compromised user's privileges, and its self-propagation module extends that encryption to other hosts without operator involvement, widening operational disruption and data loss. No geographic breakdown is given in the source reporting.

**Technical Details**
The malware is written in Go and obfuscated with Garble, which renames and strips symbols, so signatures keyed on Go function or package names are of limited use. It registers a scheduled task that runs as SYSTEM and launches the encryptor from it, giving encryption elevated privileges (T1053, T1486). A self-propagation module attempts several lateral-movement techniques at once (T1021). Files are encrypted with per-file ephemeral keys, so recovering the key for one file does not recover the rest. Deployment is attributed to affiliates of Storm-2697. No CVEs, infrastructure details or indicators of compromise were disclosed.

**Recommended Response**
- Monitor scheduled-task creation: Security event 4698 (a scheduled task was created; requires the Other Object Access Events audit subcategory) and Microsoft-Windows-TaskScheduler/Operational event 106 (task registered). Alert on tasks whose principal is SYSTEM and whose action runs from outside Windows or Program Files, or launches cmd or PowerShell with arguments.
- Watch for the lateral-movement patterns under T1021 (SMB admin-share access, RDP, WinRM) from hosts that do not normally perform them.
- Tune endpoint detections for Garble-obfuscated Go binaries and for bursts of file rewrites consistent with per-file encryption.
- Segment the network and restrict admin-share, RDP and WinRM access between workstations to limit what the propagation module can reach.
- No patch or CVE-specific mitigation applies; continuous monitoring for these TTPs is advised.
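The following Python is an added example for this page, not code from Microsoft or Cybersecuritynews and not a signature for The Gentlemen itself. It triages Windows Security event 4698 records ("A scheduled task was created") for the TTP described above: a task whose principal is SYSTEM and whose action runs from an untrusted location or proxies through a LOLBin with arguments. The sample events are constructed, the trusted-directory allow-list and environment-variable expansions are assumptions to tune per estate, and the `make_4698` and `task_xml` helpers only exist to build those samples in the real event's shape.

```python
"""Triage Windows Security event 4698 records for SYSTEM scheduled tasks that run
an untrusted payload. Added example for this page, not vendor code."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Principal values that mean "runs as LocalSystem" in a task definition.
SYSTEM_IDS = {"s-1-5-18", "system", "localsystem", "nt authority\\system"}
# Assumed allow-list of directories a legitimate SYSTEM task normally runs from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Interpreters and proxies commonly used to launch a payload indirectly.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# Env vars task definitions commonly use (assumed default expansions).
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows",
       "%programfiles%": "c:\\program files", "%programdata%": "c:\\programdata"}
PATH_RE = re.compile(r'[a-z]:\\[^\s"]+')


def make_4698(subject_user, subject_domain, task_name, task_xml):
    """Constructed 4698 record: the task definition travels XML-escaped in TaskContent."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>4698</EventID><Channel>Security</Channel></System><EventData>"
            f'<Data Name="SubjectUserName">{escape(subject_user)}</Data>'
            f'<Data Name="SubjectDomainName">{escape(subject_domain)}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


def task_xml(user_id, run_level, command, arguments):
    """Constructed minimal task definition: one Principal and one Exec action."""
    level = f"<RunLevel>{run_level}</RunLevel>" if run_level else ""
    return (f'<Task version="1.4" xmlns="{TASK_NS["t"]}"><Principals><Principal id="Author">'
            f"<UserId>{escape(user_id)}</UserId>{level}</Principal></Principals>"
            f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>")


def normalize(value):
    """Lower-case, strip surrounding quotes and expand the env vars above."""
    text = value.strip().strip('"').lower()
    for var, expansion in ENV.items():
        text = text.replace(var, expansion)
    return text


def parse_4698(event_xml):
    """Extract subject, task name, principal and Exec action from a 4698 record."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", EVT_NS)}
    # ET already unescaped TaskContent; drop any <?xml ...?> prolog before parsing it.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", "")))
    principal = task.find("t:Principals/t:Principal", TASK_NS)
    action = task.find("t:Actions/t:Exec", TASK_NS)

    def field(node, path):
        return node.findtext(path, default="", namespaces=TASK_NS) if node is not None else ""

    return {"subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "task_name": data.get("TaskName", ""),
            "user_id": field(principal, "t:UserId"), "run_level": field(principal, "t:RunLevel"),
            "command": field(action, "t:Command"), "arguments": field(action, "t:Arguments")}


def triage(event_xml):
    """Return the parsed record plus a list of reasons; an empty list is a benign verdict."""
    rec = parse_4698(event_xml)
    if rec is None:
        return None
    reasons = []
    if rec["user_id"].lower() in SYSTEM_IDS:
        cmd, args = normalize(rec["command"]), normalize(rec["arguments"])
        exe = cmd.rsplit("\\", 1)[-1]
        if "\\" in cmd and not cmd.startswith(TRUSTED_PREFIXES):
            reasons.append(f"SYSTEM task runs from untrusted location: {cmd}")
        if exe in LOLBINS and args:
            reasons.append(f"SYSTEM task launches LOLBin with arguments: {exe} {args}")
        for path in PATH_RE.findall(args):
            if not path.startswith(TRUSTED_PREFIXES):
                reasons.append(f"arguments reference untrusted path: {path}")
        if reasons and rec["run_level"] == "HighestAvailable":
            reasons.append("task requests RunLevel=HighestAvailable")
    rec["reasons"] = reasons
    return rec


def find_suspicious(event_xmls):
    """Triage a batch of records and keep those with at least one reason."""
    return [rec for rec in map(triage, event_xmls) if rec and rec["reasons"]]


# Constructed samples: a built-in maintenance task and two matching the pattern above.
SAMPLE_EVENTS = [
    make_4698("SYSTEM", "NT AUTHORITY", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
              task_xml("S-1-5-18", "HighestAvailable", "%windir%\\system32\\defrag.exe", "-c -h -o -$")),
    make_4698("jdoe", "CORP", "\\Updater\\SystemCheck",
              task_xml("S-1-5-18", "HighestAvailable", '"C:\\Users\\Public\\Libraries\\upd.exe"', "-s")),
    make_4698("svc-backup", "CORP", "\\Maintenance\\Sync",
              task_xml("NT AUTHORITY\\SYSTEM", "", "cmd.exe", "/c C:\\ProgramData\\Update\\svc.exe --run")),
]
```

Running `find_suspicious(SAMPLE_EVENTS)` returns the second and third records with their reasons; the Defrag task passes because it runs a Windows binary from `%windir%`. The subject field is kept in the output deliberately: a SYSTEM task registered from an ordinary user's session is the triage question a responder asks first.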
Source articles (2)
- The Gentlemen ransomware: Dissecting a self — Blogs.Microsoft · 2026-05-28
  Microsoft Threat Intelligence presents a comprehensive analysis of The Gentlemen, a Go-based ransomware deployed by affiliates of Storm-2697 that combines per-file ephemeral key encryption with an agg…
- Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges — Cybersecuritynews · 2026-05-29
  A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. Built in the Go programming language and obfuscated with a tool called Garble, it…
Timeline
- 2026-05-28 — The Gentlemen ransomware analyzed: Microsoft Threat Intelligence published a detailed analysis of The Gentlemen, highlighting its encryption and self-propagation capabilities.
- 2026-05-29 — Cybersecurity alarms raised: Cybersecuritynews reported on the alarming capabilities of The Gentlemen ransomware, emphasizing its silent spread and impact on critical sectors.
Related entities
- Storm-2697 (Threat Actor)
- Ransomware (Attack Type)
- Education (Industry)
- Healthcare (Industry)
- Transportation (Industry)
- The Gentlemen (Ransomware Family)
- T1021 - Remote Services (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- Garble (Tool)