{"id":8668,"date":"2026-07-07T09:53:33","date_gmt":"2026-07-07T09:53:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8668"},"modified":"2026-07-07T09:53:33","modified_gmt":"2026-07-07T09:53:33","slug":"why-the-gentlemen-ransomware-is-a-test-of-identity-and-recovery-controls","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8668","title":{"rendered":"Why The Gentlemen ransomware is a test of identity and recovery controls"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The Gentlemen ransomware underscores a challenge many CISOs face: stopping attackers after they gain an initial foothold. Researchers say the malware can spread across enterprise networks using legitimate Windows management tools while simultaneously attempting to weaken security and recovery systems.<\/p>\n<p>A <a href=\"https:\/\/www.picussecurity.com\/resource\/blog\/how-the-gentlemen-ransomware-spreads-and-encrypts-entire-networks\" target=\"_blank\" rel=\"noopener\">report<\/a> from Picus Security shows the malware combines self-propagation with the abuse of <a href=\"https:\/\/www.csoonline.com\/article\/4161104\/top-techniques-cyberattackers-use-to-infiltrate-your-systems-today.html\" target=\"_blank\" rel=\"noopener\">trusted administrative tools<\/a> and attempts to impair recovery systems before encryption begins. The report follows a technical analysis of the encryptor <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/28\/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor\/\">published<\/a> by Microsoft Threat Intelligence in late May.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4178580\/the-gentlemen-are-coming-for-your-files-and-then-your-network.html\">The Gentlemen<\/a> is a ransomware-as-a-service operation written in Go and obfuscated with Garble. The group first emerged around mid-2025 as a closed operation and began offering its platform to affiliates in September 2025.<\/p>\n<p>The Picus report focuses on a Windows-targeting encryptor, but other researchers have <a href=\"https:\/\/www.broadcom.com\/support\/security-center\/protection-bulletin\/cross-platform-and-coordinated-the-gentlemen-raas-targets-windows-linux-and-esxi\" target=\"_blank\" rel=\"noopener\">reported<\/a> broader Gentlemen tooling aimed at Linux and VMware ESXi environments. The group has been observed in attacks on organizations in sectors including education, transportation, healthcare, and financial services across North America, South America, Europe, Africa, and Asia.<\/p>\n<p>Its self-propagation capability is the most significant feature for enterprise defenders. When enabled, the malware can enumerate reachable systems, stage its binary through an SMB share, and attempt up to 21 remote execution operations against each target.<\/p>\n<p>Those methods include PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and WMI process creation. The redundancy is intended to improve the chances that at least one method will succeed, allowing the malware to continue spreading through the network.<\/p>\n<p>Before encryption, The Gentlemen attempts to weaken the victim environment by disabling Microsoft Defender, deleting shadow copies, and removing forensic artifacts. It also stops services linked to databases, backup tools, endpoint protection, and virtualization platforms, a tactic that can make recovery harder once encryption begins.<\/p>\n<p>The encryptor uses a hybrid Curve25519 and XChaCha20 encryption scheme with unique keys for each file, Picus said. In the sample cited by Picus, encrypted files were appended with the .umc16h extension, though <a href=\"https:\/\/www.broadcom.com\/support\/security-center\/protection-bulletin\/gentlemen-ransomware\" target=\"_blank\" rel=\"noopener\">other researchers<\/a> have observed different extensions in separate Gentlemen campaigns. The group also uses double extortion tactics, threatening to leak stolen data if victims do not pay.<\/p>\n<h2 class=\"wp-block-heading\">Lateral movement and identity risks<\/h2>\n<p>Once attackers gain an initial foothold, compromised identities and excessive privileges often matter more than the malware itself, said <a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=PRF005665\" target=\"_blank\" rel=\"noopener\">Sakshi Grover<\/a>, senior research manager for Cybersecurity Services Research at IDC Asia\/Pacific.<\/p>\n<p>\u201cThe Gentlemen reinforces a trend IDC has been observing across modern ransomware operations: attackers are increasingly exploiting trusted administrative tools, compromised identities, and excessive privileges rather than relying solely on sophisticated malware or zero-day exploits,\u201d Grover said.<\/p>\n<p>For CISOs, that means ransomware defense cannot be judged only by whether the initial compromise is blocked. Organizations also need to limit how far an attacker can move once inside the network.<\/p>\n<p>Grover said security leaders should start with stronger controls around privileged accounts, including <a href=\"https:\/\/www.csoonline.com\/article\/4155179\/5-ways-to-strengthen-identity-security-and-improve-attack-resilience.html\">phishing-resistant MFA<\/a> and tighter limits on who can access critical systems. Identity governance and network segmentation should then be used to reduce the number of paths an attacker can take once inside the environment.<\/p>\n<p>Those controls should be tested through adversary emulation and attack path testing, rather than assumed to be effective because they exist on paper.<\/p>\n<h2 class=\"wp-block-heading\">Backups and endpoint tools<\/h2>\n<p>The Gentlemen\u2019s attempt to impair security and recovery tools highlights a common weakness in enterprise ransomware planning, according to analysts.<\/p>\n<p>\u201cMany organizations continue to equate deploying backup platforms or endpoint detection solutions with being ransomware resilient,\u201d Grover said. \u201cHowever, sophisticated ransomware increasingly targets these very capabilities before encryption begins.\u201d<\/p>\n<p>Grover added that CISOs should test whether recovery systems remain usable during an active compromise, including backups that are meant to be immutable and endpoint tools protected against tampering. Those exercises should also account for the possibility that Active Directory or key security management consoles may be unavailable.<\/p>\n<p>The most dangerous assumption is that having backups is the same as being able to recover from ransomware, according to <a href=\"https:\/\/www.linkedin.com\/in\/devashri-datta-522b364b\/\" target=\"_blank\" rel=\"noopener\">Devashri Datta<\/a>, a cybersecurity researcher.<\/p>\n<p>\u201cIf your backups live on the same flat network or depend on the same compromised Active Directory credentials, they are not a recovery asset; they are part of the attack surface,\u201d she said.<\/p>\n<p>Datta also pointed to over-reliance on endpoint detection and response tools. <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/killing-me-gently-inside-gentlemens-edr-killer-framework\/\" target=\"_blank\" rel=\"noopener\">ESET<\/a> researchers have linked The Gentlemen to a mature EDR-killer toolset, including variants that abuse vulnerable drivers to disrupt security software.<\/p>\n<h2 class=\"wp-block-heading\">An operational resilience problem<\/h2>\n<p>The group\u2019s model reflects the continued industrialization of ransomware-as-a-service, a framework that Datta said lowers the technical barrier for affiliates by pairing encryption with standardized evasion and propagation layers.<\/p>\n<p>For CISOs, the question is not whether backup and endpoint tools are in place, but whether they still work after attackers have gained administrative access. Datta said organizations need to assess exposure across identity infrastructure, Active Directory, cloud services, and backup environments.<\/p>\n<p>The priority, she said, is to reduce the paths available to attackers and prove, through regular resilience exercises, that the organization can contain an intrusion before it becomes a wider outage.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The Gentlemen ransomware underscores a challenge many CISOs face: stopping attackers after they gain an initial foothold. Researchers say the malware can spread across enterprise networks using legitimate Windows management tools while simultaneously attempting to weaken security and recovery systems. A report from Picus Security shows the malware combines self-propagation with the abuse of trusted [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8669,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8668","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8668"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8668"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8668\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8669"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}