The Gentlemen Ransomware: Dissecting a Self-Propagating Go Encryptor
Microsoft analyzes The Gentlemen ransomware, a Go-based RaaS using Curve25519 and XChaCha20 encryption with aggressive lateral movement, targeting multiple sectors globally.

Microsoft Threat Intelligence has published a detailed analysis of The Gentlemen ransomware, a Go-based ransomware-as-a-service (RaaS) platform tracked as Storm-2697. The ransomware combines per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher and runs several lateral movement methods in parallel to propagate rapidly across a network. Observed impacting the education, transportation, healthcare, and financial sectors across North America, South America, Europe, Africa, and Asia, The Gentlemen uses double extortion: it encrypts data and exfiltrates sensitive information to pressure victims into paying.
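As an added illustration (not code from Microsoft's report or from the malware itself), the following Go program shows the key-handling pattern the analysis describes: a fresh Curve25519 (X25519) key pair for every file, a Diffie-Hellman exchange against the operator's long-term public key, and a symmetric cipher keyed from the result. XChaCha20 is not in Go's standard library, so AES-256-GCM stands in for the bulk cipher; the on-disk header layout, the SHA-256 key derivation, and all function names are assumptions, and the partial (speed-mode) encryption of large files is not modelled. The point it makes is why recovery requires the operator's private key: the ephemeral private key is discarded the moment the file is written, and decryption with any other private key fails the authentication tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Per-file layout assumed for this example (the real format is not described on the page):
//   [32-byte ephemeral X25519 public key][12-byte nonce][AES-256-GCM ciphertext + 16-byte tag]
const (
	pubLen   = 32
	nonceLen = 12
	tagLen   = 16
)

// deriveKey hashes the X25519 shared secret together with both public keys into a
// 256-bit symmetric key. The KDF choice is an assumption; binding both keys is standard.
func deriveKey(shared, ephPub, opPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(opPub)
	return h.Sum(nil)
}

// newAEAD wraps the derived key in AES-256-GCM (stand-in for XChaCha20, see lead-in).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is the victim-side operation. A fresh ephemeral key pair is generated for
// this one file, ECDH is run against the operator's long-term public key, and the
// ephemeral private key is dropped when the function returns. Nothing left on the host
// (binary, sample, later memory dump) can recompute the file key.
func EncryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared, eph.PublicKey().Bytes(), operatorPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, eph.PublicKey().Bytes()...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// DecryptFile is the operator-side operation: only the holder of the operator private key
// can rebuild the shared secret from the ephemeral public key stored in the header.
func DecryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen+tagLen {
		return nil, errors.New("blob too short to hold header and tag")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(deriveKey(shared, ephPub.Bytes(), operatorPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := blob[pubLen : pubLen+nonceLen]
	return aead.Open(nil, nonce, blob[pubLen+nonceLen:], nil)
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader)
	blob, err := EncryptFile(operator.PublicKey(), []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(operator, blob)
	fmt.Printf("operator key: %q (err=%v)\n", pt, err)

	// A second key pair stands in for anyone without the operator's private key:
	// the shared secret differs and the GCM tag check fails.
	impostor, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, err = DecryptFile(impostor, blob)
	fmt.Println("other key:", err)
}
```

Run it with `go run`: the first line prints the recovered plaintext, the second shows the failed decryption with a second key pair. Because each file carries its own ephemeral public key, there is no per-victim or per-campaign symmetric key to extract from a sample, which is what makes this design resistant to the key-recovery decryptors that worked against older families.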
The operation emerged around mid-2025 as a closed group before moving to a RaaS model in September 2025. Its operators have since established an official partnership with BreachForums to recruit affiliates, including penetration testers and initial access brokers, and that wider pool of participants may drive increased activity. The Windows encryptor is written in Go and obfuscated with Garble.
Execution begins with command-line argument processing. A password is required, and optional arguments control encryption scope, speed, lateral movement, and post-encryption behaviors. With `--full`, the encryptor spawns two child processes: one with `--system` that encrypts local drives under SYSTEM privileges, and one with `--shares` that encrypts network shares. Speed arguments (`--fast`, `--superfast`, `--ultrafast`) control how much of each large file is encrypted; by default, files larger than 1 MB are processed in chunks and 9% of each chunk is encrypted.
Several of the noisier actions are switchable. With `--silent`, the malware does not rename encrypted files, change timestamps, or set the desktop wallpaper. It self-deletes after encryption unless `--keep` is specified, and with `--wipe` it also overwrites free disk space, which removes the chance of forensically recovering deleted originals. Run without arguments, it displays a branded usage banner through PowerShell commands.
Lateral movement is the key differentiator. The `--spread` argument enables self-propagation using either supplied credentials or the current session token, and the malware attempts multiple lateral movement methods simultaneously to maximize infection speed. Once initial access is achieved, this aggressive propagation significantly raises the risk of broad network compromise.
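The argument handling described above (the `--full` fan-out into `--system` and `--shares` children, plus the `--spread` and `--wipe` switches) gives defenders something concrete to hunt for in process-creation telemetry. The Go program below is an added example, not one of Microsoft's published queries: it parses a constructed, pipe-delimited log of process creations and flags the documented switch combinations. The log lines, the image name `enc.exe`, the positional password token, and the `ParseLog`/`Hunt` names are all assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is a simplified process-creation record. The pipe-delimited line format and the
// sample below are constructed for this example; real telemetry (Sysmon event 1, Defender
// DeviceProcessEvents) carries the same fields under other names.
type Event struct {
	PID, PPID int
	Image     string
	CmdLine   string
}

// Finding is one hunting hit.
type Finding struct {
	Rule string
	PID  int
}

// Switches that are suspicious on their own. `--system` and `--shares` are deliberately
// not on this list: they collide with legitimate tooling and are only scored as part of
// the `--full` fan-out below.
var standaloneSwitches = []string{"--spread", "--wipe", "--superfast", "--ultrafast"}

// sampleLog is constructed. The password is passed as a bare positional token "pw";
// the real argument form is not given on the page.
const sampleLog = `4100|700|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
5120|4100|C:\Users\Public\enc.exe|enc.exe pw --full
5134|5120|C:\Users\Public\enc.exe|enc.exe pw --system
5135|5120|C:\Users\Public\enc.exe|enc.exe pw --shares
5200|700|C:\Windows\System32\net.exe|net use \\fs01\data
6001|4100|C:\Users\Public\enc.exe|enc.exe pw --spread --wipe`

// ParseLog reads "pid|ppid|image|cmdline" lines; the command line may itself contain '|'.
func ParseLog(s string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.SplitN(line, "|", 4)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		pid, err1 := strconv.Atoi(f[0])
		ppid, err2 := strconv.Atoi(f[1])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad pid/ppid in line: %q", line)
		}
		evs = append(evs, Event{PID: pid, PPID: ppid, Image: f[2], CmdLine: f[3]})
	}
	return evs, nil
}

// hasSwitch matches whole tokens so that e.g. "--fullscreen" does not match "--full".
func hasSwitch(cmd, sw string) bool {
	for _, tok := range strings.Fields(cmd) {
		if strings.EqualFold(tok, sw) {
			return true
		}
	}
	return false
}

// Hunt returns one Finding per rule hit, in event order.
func Hunt(events []Event) []Finding {
	children := map[int][]Event{}
	for _, e := range events {
		children[e.PPID] = append(children[e.PPID], e)
	}
	var out []Finding
	for _, e := range events {
		for _, sw := range standaloneSwitches {
			if hasSwitch(e.CmdLine, sw) {
				out = append(out, Finding{"standalone switch " + sw, e.PID})
			}
		}
		// The --full fan-out: the same image re-launched by this process,
		// once with --system and once with --shares.
		if hasSwitch(e.CmdLine, "--full") {
			var sys, shares bool
			for _, c := range children[e.PID] {
				if !strings.EqualFold(c.Image, e.Image) {
					continue
				}
				sys = sys || hasSwitch(c.CmdLine, "--system")
				shares = shares || hasSwitch(c.CmdLine, "--shares")
			}
			if sys && shares {
				out = append(out, Finding{"--full fan-out to --system and --shares", e.PID})
			}
		}
	}
	return out
}

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Hunt(evs) {
		fmt.Printf("pid %d: %s\n", f.PID, f.Rule)
	}
}
```

Translating the same logic into a Defender hunting query means joining DeviceProcessEvents on InitiatingProcessId to find the parent-child pair; the example scores `--system` and `--shares` only under a `--full` parent because on their own those tokens are too generic to alert on, whereas `--spread` and `--wipe` are worth a hit wherever they appear.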
Microsoft provides Defender detections, hunting queries, and indicators of compromise (IOCs) to help organizations defend against this threat. Mitigation guidance includes implementing network segmentation, restricting lateral movement, and enabling multi-factor authentication. The analysis aims to equip defenders with a deeper understanding of The Gentlemen's execution flow, encryption design, and propagation techniques.