{"id":8310,"date":"2026-05-29T09:00:05","date_gmt":"2026-05-29T09:00:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8310"},"modified":"2026-05-29T09:00:05","modified_gmt":"2026-05-29T09:00:05","slug":"the-gentlemen-are-coming-for-your-files-and-then-your-network","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8310","title":{"rendered":"The Gentlemen are coming for your files, and then your network"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Ransomware operators have spent years refining the art of locking files. Now, some are working harder to get those lockers to every reachable system first.<\/p>\n<p>Microsoft\u2019s recent <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/28\/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor\/\" target=\"_blank\" rel=\"noopener\">warning<\/a> of the Gentlemen ransomware revealed its operators using a self-propagating Go-based encryptor capable of moving laterally through compromised environments and deploying itself across additional systems.<\/p>\n<p>\u201cModern ransomware is no longer just about encrypting files,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/paul-reid-77097a15\/\" target=\"_blank\" rel=\"noopener\">Paul Reid<\/a>, vice president of Adversary Research at AttackIQ. 
\u201cThe bigger risk is how quickly a single compromised machine can become a broader business disruption.\u201d<\/p>\n<p>In a technical breakdown of its operations, Microsoft said the Gentlemen Ransomware was first observed in mid-2025 and remains highly active through 2026, impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.<\/p>\n<p>Gentlemen began as a \u201cclosed ransomware,\u201d turned into a ransomware-as-a-service (<a href=\"https:\/\/www.csoonline.com\/article\/4123492\/sicarii-ransomware-locks-your-data-and-throws-away-the-keys.html\">RaaS<\/a>) offering in September 2025, and eventually partnered up with BreachForums to pick up affiliates, including pen-testers and initial access brokers, from the popular cybercriminal <a href=\"https:\/\/www.csoonline.com\/article\/2110830\/breachforums-seized-by-law-enforcement-admin-baphomet-arrested.html\">marketplace<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Built to move before it encrypts<\/h2>\n<p>Microsoft\u2019s analysis specifically focused on the ransomware\u2019s ability to propagate through a network without relying entirely on manual operator intervention.<\/p>\n<p>The encryptor, written in Go, includes functionality designed to identify additional systems, authenticate using harvested credentials, and copy itself to remote machines over Server Message Block (SMB). Once deployed, it can execute remotely and continue spreading, creating a chain infection inside compromised environments.<\/p>\n<p>According to Microsoft, the malware leverages legitimate administrative tools and Windows functionality to facilitate movement while reducing the need for attackers to remain actively engaged through the operation.<\/p>\n<p>\u201cThe ransomware operator can control The Gentlemen encryptor through command-line arguments,\u201d Microsoft said. 
\u201cA password is required for execution, and optional arguments allow the operator to specify encryption scope, speed, lateral movement, and post-encryption behaviors.\u201d<\/p>\n<p>One of the command-line arguments, \u201c\u2013full,\u201d launches separate processes to encrypt local drives with SYSTEM privileges and network shares visible to the user, to maximize encryption coverage once the machine is compromised. Additionally, a \u201c\u2013spread\u201d argument is used for lateral propagation.<\/p>\n<p>\u201cDefenders should treat The Gentlemen as an attack-path problem, not just a patching or detection problem,\u201d Reid said. \u201cThe priority is to understand where the ransomware could move, which controls would detect, contain, or disrupt it, and where gaps still exist before an incident occurs.\u201d<\/p>\n<p>Gentlemen performs a \u201cpassword check\u201d that restricts execution to its RaaS affiliates and hinders analysis if the binary is recovered or intercepted. \u201cBefore executing its primary functionality, the malware validates the <em>\u2013password<\/em> argument against a hardcoded value embedded within the binary,\u201d Microsoft noted. \u201cFor the sample analyzed in this blog, the expected password is \u20189VoAvR7G\u2019.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Detection windows are shrinking<\/h2>\n<p>Microsoft\u2019s analysis highlights the defensive challenges posed by self-propagating ransomware. Once execution begins, the time available to detect, investigate, and contain malicious activity can shrink considerably as the malware spreads to additional systems.<\/p>\n<p>\u201cThis is not the kind of threat where an organization can wait for a help desk ticket or a locked screen to realize something is wrong,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/johnjoyner\/\">John Joyner<\/a>, Senior Director of Technology at Corsica Technologies. 
\u201cMalware can move quickly through a network once it gets a foothold, which makes early detection the difference between a contained incident and a business-wide disruption.\u201d<\/p>\n<p>Microsoft emphasized the importance of monitoring lateral movement activity, credential abuse, remote execution attempts, and other behaviors associated with Gentlemen\u2019s propagation rather than focusing solely on encryption events.<\/p>\n<p>Additionally, it shared a list of indicators of compromise (IOCs) to support detection efforts. For those who don\u2019t catch it in time, the ransomware leaves a note: \u201cYour network is locked by the Gentlemen,\u201d reads the desktop wallpaper it sets on victims\u2019 machines.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Ransomware operators have spent years refining the art of locking files. Now, some are working harder to get those lockers to every reachable system first. Microsoft\u2019s recent warning of the Gentlemen ransomware revealed its operators using a self-propagating Go-based encryptor capable of moving laterally through compromised environments and deploying itself across additional systems. 
\u201cModern ransomware [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8311,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8310","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8310"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8310"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8310\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8311"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}