The Gentlemen Ransomware Emerges with Self-Spreading Worm Engine
A new Go-based ransomware strain, 'The Gentlemen,' is rapidly spreading across networks using a sophisticated worm engine and 21 remote execution techniques, targeting organizations globally.

A potent new ransomware variant, dubbed 'The Gentlemen,' has surfaced, distinguishing itself with a formidable encryption capability coupled with an aggressive self-spreading worm engine. This malware, written in the Go programming language and obfuscated with the Garble tool, first appeared in the wild around mid-2025 and has since evolved into a ransomware-as-a-service (RaaS) operation. Its primary distinguishing feature is its ability to propagate across an entire corporate network from a single infected machine, transforming a localized breach into a widespread disaster.
Researchers from Picus Security have been closely monitoring The Gentlemen ransomware, detailing its operational sequence in a recent report. The malware's attack chain begins with rigorous password validation and privilege escalation, followed by a deliberate phase of defense evasion. Only after disabling security measures does it proceed to encrypt files and initiate its network-wide spreading mechanism. This comprehensive approach aims to cripple an organization's defenses before the encryption even begins.
The impact of The Gentlemen ransomware has been significant, with attacks observed across diverse sectors including education, transportation, healthcare, and financial services. Geographically, its reach extends across North America, South America, Europe, Africa, and Asia, indicating a global threat landscape. The ransomware group has also actively recruited affiliates, including penetration testers and initial access brokers, through platforms like BreachForums, a strategy likely to broaden its attack surface and increase its operational tempo.
Compounding the threat, The Gentlemen ransomware employs double extortion tactics. This involves not only encrypting victim data but also exfiltrating sensitive information, which is then used as leverage to demand ransom payments. This dual-pronged attack strategy significantly increases the pressure on victim organizations to comply with the attackers' demands, making recovery more complex and costly.
The self-propagation feature, activated by a command-line flag named '--spread,' is central to the ransomware's lateral movement capabilities. Once initiated, the infected host becomes a distribution hub. The malware copies its binary to a hidden network share, granting anonymous access, and then leverages legitimate tools like PsExec to scan the network for vulnerable machines, including workstations, servers, and domain controllers.
Before encrypting any files, The Gentlemen ransomware systematically dismantles security defenses. It disables Microsoft Defender, wipes forensic logs, and deletes Volume Shadow Copies using redundant commands. Furthermore, it clears command history and removes backup and recovery tools, making post-attack restoration without paying the ransom exceedingly difficult.
For file encryption, the ransomware utilizes a robust hybrid cryptographic approach, combining Curve25519 elliptic curve cryptography with the XChaCha20 stream cipher. This method generates a unique encryption key for every file, rendering decryption without the attacker's private key virtually impossible. Encrypted files are renamed with a distinct '.umc16h' extension, and a ransom note named 'README-GENTLEMEN.txt' is dropped on infected systems.
Organizations are advised to bolster their defenses by testing security controls against specific attack simulations, maintaining secure offline backups, and closely monitoring for the unique network behaviors and commands associated with this ransomware. Generic ransomware protections may not be sufficient against The Gentlemen's sophisticated propagation and evasion techniques.