What happened
A ransomware strain called The Gentlemen has emerged as an aggressive network-wide threat that combines strong encryption with self-spreading capabilities. The malware is written in Go, obfuscated with Garble, and first appeared in the wild around mid-2025 before evolving into a ransomware-as-a-service operation.
Picus Security researchers said the ransomware follows a deliberate attack sequence, starting with password validation and privilege escalation before moving into defense evasion, encryption, and network-wide propagation. The impact has reportedly been observed across education, transportation, healthcare, and financial organizations in North America, South America, Europe, Africa, and Asia.
The ransomware’s standout feature is a self-propagation mode triggered by a command-line flag. Once activated, an infected machine copies its own binary into a staging folder, exposes it through a hidden network share configured for anonymous access, pulls in PsExec, and scans for reachable workstations, servers, and domain controllers. Before deploying the ransomware to other systems, it runs a script that weakens defenses by disabling monitoring, turning off firewall protection, and re-enabling an outdated file-sharing protocol.
The malware then tries as many as 21 remote execution methods against each target, including file copying, PsExec, scheduled tasks, Windows services, and PowerShell-based techniques. Before encryption, it disables Microsoft Defender, wipes forensic logs, deletes Volume Shadow Copies twice for reliability, clears command history, and removes backup and recovery tools. For encryption, it uses a hybrid design pairing Curve25519 with XChaCha20 and generates a unique key for every file.
Who is affected
Organizations in education, transportation, healthcare, financial services, and other sectors are affected by the reported activity.
Windows networks face the highest risk if one compromised system can reach other workstations, servers, or domain controllers over internal network paths.
Organizations with weak lateral movement controls, exposed administrative shares, permissive remote execution, insufficient endpoint monitoring, or poor backup isolation may face network-wide encryption from a single infected machine.
Why CISOs should care
The Gentlemen shows how ransomware operators are building malware that does not stop at the first infected host. Once inside, the malware attempts to turn that machine into a distribution hub for encrypting the wider network.
For CISOs, the 21 remote execution methods are the main concern. If one method fails, the malware can keep trying others, meaning defenders need layered controls rather than relying on a single blocked technique.
The defense evasion and recovery disruption steps are also important. Disabling Microsoft Defender, wiping logs, deleting shadow copies, and removing recovery tools can make containment, investigation, and restoration much harder.
The ransomware-as-a-service model adds scale risk. The group has reportedly recruited affiliates, including penetration testers and initial access brokers, which could broaden the number of attackers capable of using the tool.
3 practical actions
- Restrict lateral movement and remote execution: The Gentlemen uses PsExec, scheduled tasks, Windows services, file copying, and PowerShell-based methods. Security teams should limit administrative shares, restrict remote execution tools, and monitor unusual service or scheduled task creation across the network.
- Protect backups and recovery paths: The ransomware deletes shadow copies and backup-related tools before encryption. CISOs should maintain offline or immutable backups, test restoration regularly, and monitor for shadow copy deletion or backup tampering.
- Hunt for propagation behavior early: An infected machine can create a hidden share, stage the ransomware binary, scan for reachable systems, and weaken remote defenses before encryption. Defenders should alert on anonymous shares, unexpected PsExec use, firewall disabling, Defender tampering, and suspicious PowerShell activity.
More cybersecurity news:
-
- SilverFox Hackers Use Go RAT, AV Killer, and Kernel Rootkit in ValleyRAT Campaign
- Gaslight macOS Malware Uses Prompt Injection to Evade AI Security Analysis
- Alibaba to Ban Claude Code Over Alleged Backdoor Risks
- Ransomware Campaign Uses Fake Interpol Notices to Target Small Businesses
- China-Linked Threat Group Expands Attacks on Southeast Asia’s Critical Infrastructure
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

