The emergence of The Gentlemen ransomware serves as a stark reminder of the challenges that many Chief Information Security Officers (CISOs) face: thwarting attackers after they breach initial defenses. Researchers have found that this malware spreads across enterprise networks by leveraging legitimate Windows management tools, all while attempting to disrupt security and disaster recovery protocols.
A detailed report from Picus Security reveals that The Gentlemen employs self-propagation techniques, taking advantage of trusted administrative tools and actively seeks to undermine recovery systems before engaging in file encryption. This analysis follows Microsoft Threat Intelligence's technical breakdown of the malware released in late May.
Originally surfacing around mid-2025 as a closed operation, The Gentlemen ransomware-as-a-service platform started providing its capabilities to affiliates in September 2025. The Picus report highlights a Windows-targeting encryptor, yet there have also been reports detailing Gentlemen's cross-platform capabilities affecting Linux and VMware ESXi environments. Various sectors, including education, healthcare, and finance across multiple continents, have already fallen victim to its attacks.
The most alarming aspect for enterprise defenders is the malware's self-propagation feature. Once activated, The Gentlemen can scan for reachable systems and deploy its binary via SMB shares. It reportedly attempts up to 21 distinct remote execution operations for every target—a redundancy aimed at increasing attack success rates.
These methods consist of PsExec, WMIC, scheduled tasks, Windows services, and PowerShell remoting, among others. This multiplicity enhances the likelihood that the ransomware will successfully propagate throughout the network.
Prior to encryption, The Gentlemen seeks to compromise the victim's environment by disabling Microsoft Defender, deleting shadow copies, and eliminating forensic traces. It also terminates essential services associated with databases, backup mechanisms, and endpoint protection, complicating recovery efforts once encryption occurs.
This encryption process employs a hybrid Curve25519 and XChaCha20 scheme, utilizing unique keys for each file. According to Picus, files encrypted by the ransomware are typically marked with the .umc16h extension, although different campaigns have seen various extensions. Additionally, the group has adopted double extortion strategies, threatening to publish stolen data if a ransom isn't paid.
Lateral Movement and Identity Risks
Once a foothold is established, the significance of compromised identities and excessive privileges often outweighs the malware's capabilities, as noted by Sakshi Grover, senior research manager for Cybersecurity Services at IDC Asia/Pacific. "The Gentlemen highlights a trend where attackers are leveraging trusted administrative tools and compromised identities, rather than just sophisticated malware," she observed.
This reality pushes CISOs to rethink how ransomware defenses are evaluated. It’s not enough to merely prevent the initial breach; organizations must also fortify their networks against further lateral movement by attackers.
Grover suggests enhancing controls around privileged accounts, incorporating phishing-resistant multi-factor authentication (MFA), and tightening access limits to vital systems. Employing identity governance alongside network segmentation is also recommended to narrow the paths available for attackers within the environment.
Testing these controls through adversary emulation and attack path validation is crucial; assumptions based on documentation alone won't suffice.
Backups and Endpoint Tools
The Gentlemen’s strategy of targeting security and recovery tools exposes critical weaknesses in many enterprises' ransomware preparedness, according to analysts.
"Many organizations mistakenly equate the deployment of backup systems or endpoint detection tools with resilience against ransomware," Grover stated. "However, modern ransomware increasingly aims to undermine these very capabilities." Testing recovery systems for efficacy during an active compromise is essential, she emphasized, ensuring that even otherwise immutable backups are safeguarded against tampering.
Datta, a cybersecurity researcher, underscored that simply having backups does not equate to recovery readiness. "If your backups reside on the same compromised network or depend on compromised Active Directory credentials, they become part of the attack surface, rather than a recovery asset," she cautioned.
Datta also highlighted a concerning over-dependence on endpoint detection and response tools. ESET researchers have traced The Gentlemen’s activities back to an advanced toolkit specifically designed to neutralize these security solutions.
An Operational Resilience Problem
The Gentlemen's operational model illustrates the ongoing industrialization of ransomware-as-a-service, a trend noted for reducing the technical barriers for affiliates by combining encryption with standardized evasion tactics.
CISOs are advised to evaluate not only the availability of backup and endpoint tools but also their functionality post-attack. Key areas of focus include assessing identity infrastructure, Active Directory, cloud services, and backup environments. The priority should be to minimize attackers’ pathways and regularly conduct resilience exercises to ensure that breaches can be contained before they escalate into larger incidents.