Automated and Unforgiving: ‘The Gentlemen’ Ransomware Uses Self-Propagating Worm Tactics to Outrun Enterprise Defenses

The modern threat landscape is increasingly defined by the combination of fast lateral movement and sound cryptography. A prominent example is “The Gentlemen” ransomware, a ransomware-as-a-service (RaaS) platform run by the financially motivated group tracked as Storm-2697. The group emerged as a closed operation in mid-2025, adopted an affiliate model in late 2025, and has since recruited initial access brokers and penetration testers through cybercriminal hubs such as BreachForums. The malware is written in Go, obfuscated with Garble, and targets organizations in education, healthcare, finance, transportation, and other sectors worldwide, including critical infrastructure. By pairing double extortion with automated propagation, The Gentlemen sharply reduces the time between the initial perimeter breach and network-wide compromise.

Technical Analysis of Command-Line Argument Processing and Operator Authentication

The Gentlemen encryptor gives operators fine-grained control over execution through an extensive set of command-line parameters. Unlike less sophisticated lockers that run blindly on launch, this binary requires operator authentication: the value passed via --password is compared against a build-specific string hardcoded in the binary (9VoAvR7G in the analyzed sample), and any mismatch stops execution with an error message. The guard prevents accidental detonation during testing or analysis, and it also stalls automated sandboxes that run the sample without the argument, but it is a static string comparison that a reverse engineer can recover from the binary.

Encryption mode command-line arguments, Source: Microsoft

Beyond authentication, the parameters set the blast radius and speed of the payload. The operator can confine encryption to specific paths with --path, delay execution by a number of minutes with --T, or run in a stealth mode with --silent that suppresses desktop wallpaper changes and file renaming. Full-system encryption uses a multi-stage design triggered by --full: the orchestrator spawns two child processes at once, one launched with --system to encrypt local storage and one launched with --shares to find and encrypt mounted Universal Naming Convention (UNC) paths.

Command-Line Argument    Operational Description
--password <password>    Required. Authenticates the operator against a static, build-specific string.
--path <paths>           Comma-separated list of target directories or individual file paths.
--T <minutes>            Delays the start of encryption by the given number of minutes.
--silent                 Disables desktop wallpaper modification, file renaming, and timestamp manipulation.
--system                 Runs local file encryption from a worker elevated to the local SYSTEM account.
--shares                 Restricts encryption to mapped network drives and network shares.
--full                   Spawns two child processes, one with --system for local and one with --shares for remote encryption.
--spread <creds>         Activates self-propagation with the supplied credentials or the current session token.
--keep                   Skips the default post-encryption self-deletion.
--wipe                   Zero-fills unallocated disk space so that deleted originals cannot be carved.

To speed up impact on large data sets, the malware offers mutually exclusive performance modifiers (--fast, --superfast, and --ultrafast). They control intermittent encryption, which applies only to files larger than 1 MB; files of 1 MB or less are always encrypted in full. A large file is encrypted in three chunks, each a fixed percentage of the file size, which is how the per-chunk figures below add up to the totals:

  • Default mode: 9% of the file per chunk, about 27% of the file encrypted in total.
  • --fast: 3% per chunk, about 9% in total.
  • --superfast: 1% per chunk, about 3% in total.
  • --ultrafast: 0.3% per chunk, about 0.9% in total, which leaves the file almost entirely intact and is the hardest mode for file-level heuristics to notice.
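The ratios above are easy to misread as "most of the file is gone". The following Python script is an added example, not code from the article or from the malware: it models the chunk layout and then runs the kind of per-window entropy scan a responder uses to measure how much of a large file was actually overwritten. The three-chunks-per-file layout follows from the page's own numbers (9% per chunk, 27% in total); where the chunks sit inside the file is not stated on the page and is assumed here (start, middle, end), random bytes stand in for ciphertext, and the sample document is constructed.

```python
# Added example (not code from the article or the malware): models the intermittent
# encryption ratios and measures the result with a per-window entropy scan.
import math
import os
from collections import Counter

ONE_MB = 1024 * 1024
# Per-chunk fraction of the file size; three chunks per file give 27%, 9%, 3%, 0.9%.
CHUNK_FRACTION = {"default": 0.09, "fast": 0.03, "superfast": 0.01, "ultrafast": 0.003}

def chunk_plan(size, mode="default"):
    """(offset, length) ranges that would be encrypted for a file of `size` bytes.
    Chunk placement is NOT given by the source and is assumed here:
    one chunk at the start, one centred, one at the end of the file."""
    if size <= ONE_MB:
        return [(0, size)]              # files of 1 MB or less are encrypted in full
    chunk = int(size * CHUNK_FRACTION[mode])
    starts = [0, (size - chunk) // 2, size - chunk]
    return [(s, chunk) for s in starts]

def encrypted_fraction(size, mode="default"):
    return sum(length for _, length in chunk_plan(size, mode)) / size

def simulate_locker(data, mode="default"):
    """Overwrite the planned ranges with random bytes standing in for ciphertext."""
    out = bytearray(data)
    for off, length in chunk_plan(len(out), mode):
        out[off:off + length] = os.urandom(length)
    return bytes(out)

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def scan(buf, window=64 * 1024, threshold=7.5):
    """Fraction of fixed-size windows whose entropy looks like ciphertext."""
    blocks = [buf[i:i + window] for i in range(0, len(buf), window)]
    return sum(1 for b in blocks if entropy(b) > threshold) / len(blocks)

def build_sample(size):
    """Constructed low-entropy 'document' of the requested size."""
    line = b"Quarterly revenue report, constructed sample line.\n"
    return (line * (size // len(line) + 1))[:size]

if __name__ == "__main__":
    doc = build_sample(10 * ONE_MB)
    for mode in CHUNK_FRACTION:
        locked = simulate_locker(doc, mode)
        print(f"{mode:>9}: planned {encrypted_fraction(len(doc), mode):.3f}, "
              f"windows flagged {scan(locked):.3f}")
```

Two things the numbers alone do not show: in default mode roughly 73% of a large file is still plaintext after the locker is done, so carving is worthwhile for formats that tolerate missing regions, and the scan window has to be smaller than the chunk for --ultrafast to register at all (a 0.3% chunk of a 10 MB file is about 31 KB, which a 64 KB window averages away).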

Privilege Escalation and Host-Based Defense Evasion Mechanisms

When started with --system (directly or as the child of a --full run), the malware escalates to SYSTEM. This requires the launching process to hold local administrative rights, because it drives the host task scheduler: it first deletes any existing scheduled task named gentlemen_system to remove traces of earlier runs, then creates a new task that runs under NT AUTHORITY\SYSTEM and triggers it immediately. The spawned instance sets the environment variable LOCKER_BACKGROUND=1, which tells the malware’s runtime logic that it is running as the elevated, detached background encryption worker.

The Gentlemen ransomware’s persistence mechanism, Source: Microsoft

PowerShell

# Structural example of the defense evasion pattern used by the payload.
# The sample additionally adds its own executable name to the exclusion list.
Set-MpPreference -DisableRealtimeMonitoring $true -Force   # turn off Defender real-time protection
Add-MpPreference -ExclusionPath C:\ -Force                  # exclude the whole system volume from scanning

Before a single file is touched, the locker runs a defense evasion script meant to blind the host and deny incident responders retrospective visibility. Through PowerShell it turns off Microsoft Defender’s real-time monitoring, adds its own executable name to Defender’s exclusion list so that its file modifications do not trigger behavioral alerts, and, more boldly, attempts to exclude the entire C:\ volume from scanning. These changes only take effect where Defender tamper protection is off: with tamper protection enabled, Set-MpPreference changes to real-time monitoring are rejected, which is one reason the mitigations below stress tamper-resistant endpoint configuration.

After neutralizing defenses, the malware goes after logs and recovery assets to shrink the forensic trail. Volume Shadow Copies are deleted with both vssadmin and the Windows Management Instrumentation Command-line (wmic) utility, defeating point-in-time file recovery. To erase its setup phase, the binary uses wevtutil to clear the System, Application, and Security event logs. Finally, it wipes host forensic artifacts such as Prefetch files, Defender diagnostic logs, Remote Desktop Protocol (RDP) connection history, and per-user PSReadLine PowerShell history, so that defenders cannot reconstruct the attacker’s execution timeline from the host alone. Logs forwarded to a SIEM and EDR telemetry collected before the clearing are therefore the only reliable record of this phase.

Process Neutralization and Service Termination Matrices

To gain unrestricted file access and avoid corrupting data mid-encryption, The Gentlemen runs an aggressive process and service termination loop. Databases, mail servers, and hypervisors hold exclusive write locks on production data, which would block the encryption routine. The ransomware enumerates the process table and repeatedly kills targets across several application layers:

  • Virtualization and hypervisors: vmms, vmwp, vmcompute, and Docker Desktop are terminated to release the storage locks held by running virtual machines and containers.
  • Databases and structured stores: core data platforms including sqlservr, mysqld, postgres, and oracle, along with administrative tools such as Ssms and pgAdmin, are force-closed.
  • Backup and continuity engines: backup services such as VeeamNFSSvc, VeeamTransportSvc, and IperiusService are terminated so that no backup or snapshot runs during encryption.
  • Enterprise Resource Planning (ERP): SAP components, particularly saphostexec and sapstartsrv, are explicitly targeted because of the financial value of their data stores.
  • Productivity and communications: open instances of Microsoft Office (winword, excel, powerpnt) and email clients (outlook, thunderbird) are closed so that user documents can be encrypted without access conflicts.

In parallel, the malware stops and disables targeted Windows services through administrative commands. The service targets mirror the process list: database services (MSSQLSERVER, MySQL), security components (Sophos, RTVscan, ccSetMgr), messaging backends (msexchange), and other services that could hold files open or interfere. Killing the process and disabling the service together ensures that the locks are released and that the service does not restart and reacquire them while encryption runs.
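Because the host wipes its own logs at the end of this phase, the useful signal is whatever reached the SIEM or EDR before wevtutil ran. The following Python snippet is an added example, not code from the article or from Microsoft’s tooling: it correlates the behaviors described in the two preceding sections (SYSTEM scheduled task creation, Defender tampering, shadow copy deletion, log clearing, and mass stops of the services in the termination matrix) over constructed sample events. The event records and field names are a simplified rendering of Windows event fields, not a vendor schema, and the thresholds are assumptions to tune.

```python
# Added example (not code from the article): correlates pre-encryption behaviour
# on constructed, simplified Windows event records.
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"
# Service name prefixes taken from the termination matrix above.
LOCKER_TARGET_SERVICES = ("MSSQLSERVER", "MySQL", "MSExchange", "Veeam",
                          "IperiusService", "Sophos", "RTVscan", "ccSetMgr")

# (host, UTC timestamp, channel, event id, fields) - constructed sample telemetry
EVENTS = [
    ("FS01", "2025-11-03T02:14:05", "Security", 4698, {"TaskName": "\\gentlemen_system", "RunAs": SYSTEM_SID}),
    ("FS01", "2025-11-03T02:14:09", "Defender", 5001, {}),                        # real-time protection disabled
    ("FS01", "2025-11-03T02:14:10", "Defender", 5007, {"Setting": "ExclusionPath", "Value": "C:\\"}),
    ("FS01", "2025-11-03T02:14:31", "Security", 4688, {"CommandLine": "vssadmin delete shadows /all /quiet"}),
    ("FS01", "2025-11-03T02:14:32", "Security", 4688, {"CommandLine": "wmic shadowcopy delete"}),
    ("FS01", "2025-11-03T02:14:40", "Security", 4688, {"CommandLine": "wevtutil cl Security"}),
    ("FS01", "2025-11-03T02:14:41", "Security", 1102, {}),                        # audit log cleared
    ("FS01", "2025-11-03T02:15:02", "System", 7036, {"Service": "MSSQLSERVER", "State": "stopped"}),
    ("FS01", "2025-11-03T02:15:03", "System", 7036, {"Service": "MySQL", "State": "stopped"}),
    ("FS01", "2025-11-03T02:15:05", "System", 7036, {"Service": "MSExchangeIS", "State": "stopped"}),
    # Benign contrast: an administrator bouncing one database service on another host.
    ("DB02", "2025-11-03T09:00:00", "System", 7036, {"Service": "MSSQLSERVER", "State": "stopped"}),
    ("DB02", "2025-11-03T09:00:30", "System", 7036, {"Service": "MSSQLSERVER", "State": "running"}),
]

def classify(channel, event_id, f):
    """Map one event to a behaviour tag, or None if it is uninteresting on its own."""
    cmd = f.get("CommandLine", "").lower()
    if channel == "Security" and event_id == 4698 and f.get("RunAs") == SYSTEM_SID:
        return "system_scheduled_task"
    if channel == "Defender" and event_id == 5001:
        return "defender_realtime_disabled"
    if channel == "Defender" and event_id == 5007 and f.get("Setting") == "ExclusionPath" \
            and f.get("Value") in ("C:\\", "C:"):
        return "defender_root_exclusion"
    if event_id == 4688 and (("vssadmin" in cmd and "delete shadows" in cmd)
                             or ("wmic" in cmd and "shadowcopy delete" in cmd)):
        return "shadow_copy_deletion"
    if event_id == 1102 or (event_id == 4688 and cmd.startswith("wevtutil cl")):
        return "event_log_cleared"
    return None

def correlate(events, window=timedelta(minutes=5), min_tags=3, min_services=3):
    """{host: sorted tags} for hosts showing at least `min_tags` distinct behaviours
    inside one `window`. Stopping `min_services` distinct locker-targeted services
    within the window counts as one more behaviour ("mass_service_stop")."""
    tagged = defaultdict(list)          # host -> [(time, tag)]
    stops = defaultdict(list)           # host -> [(time, service)]
    for host, ts, channel, eid, f in events:
        t = datetime.fromisoformat(ts)
        tag = classify(channel, eid, f)
        if tag:
            tagged[host].append((t, tag))
        if channel == "System" and eid == 7036 and f.get("State") == "stopped" \
                and f["Service"].startswith(LOCKER_TARGET_SERVICES):
            stops[host].append((t, f["Service"]))
    for host, items in stops.items():
        items.sort()
        for t, _ in items:
            recent = {svc for ts_, svc in items if t - window <= ts_ <= t}
            if len(recent) >= min_services:
                tagged[host].append((t, "mass_service_stop"))
                break
    alerts = {}
    for host, items in tagged.items():
        items.sort()
        for start, _ in items:
            seen = {tag for t, tag in items if start <= t <= start + window}
            if len(seen) >= min_tags:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, tags in correlate(EVENTS).items():
        print(f"{host}: pre-encryption pattern {tags}")
```

Each of these behaviours has legitimate look-alikes (administrators create SYSTEM tasks, stop databases, and prune shadow copies), which is why the routine alerts on the combination inside a short window rather than on any single event. Collection is the precondition: 4698 requires the "Audit Other Object Access" subcategory, 4688 needs process creation auditing with command-line logging enabled, and all of it must be forwarded off the host before the locker clears it.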

The Gentlemen ransomware’s file encryption mechanism

Cryptographic Design: Hybrid Curve25519 and XChaCha20 Execution

The cryptographic engine in The Gentlemen does not depend on a single symmetric key that could be recovered from the binary; it uses a hybrid public-key scheme. Before touching a file, the ransomware first removes access-control obstacles: it runs takeown to take ownership of the file for the current user context, then icacls to grant Full Control to the Everyone group, and finally attrib to clear any lingering read-only flag.

Once file system constraints are removed, the Go-based encryptor runs the following routine for each file:

  1. Key generation: the malware draws a fresh, per-file Curve25519 (X25519) key pair from its random number generator.
  2. Shared secret derivation: using Elliptic-curve Diffie-Hellman (ECDH), it combines the per-file ephemeral private key with the RaaS operator’s master public key, which is hardcoded in the binary as a Base64 string.
  3. Symmetric key: the raw ECDH shared secret is used directly as the XChaCha20 key, with no separate key derivation step. The mandatory 24-byte XChaCha20 nonce is taken from the first 24 bytes of the file’s ephemeral public key.
  4. Payload encryption: the selected file ranges are XORed with the XChaCha20 keystream according to the speed and chunk parameters set at runtime.
  5. Footer: the Base64-encoded ephemeral public key is appended to the end of the encrypted file so that the operators can decrypt it later.

Because every file gets its own ephemeral key, no key or nonce is ever reused across files, so deriving the nonce from the public key costs nothing in security, and known plaintext from one file reveals nothing about another. For recovery, the operators take their master private key, read the ephemeral public key from the footer, recompute the same ECDH shared secret, and regenerate the XChaCha20 keystream; no separate nonce or key database is needed. The same properties cut the other way for victims: without the operator’s private key the shared secret cannot be reconstructed, and the only content that survives is what the intermittent modes left unencrypted, which for files over 1 MB is the majority of the file in every mode (about 73% in default mode) and is worth carving for formats that tolerate missing regions.
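The five steps above, as an added example that is neither the article’s nor the malware’s code: a pure-Python model of the per-file scheme, with X25519 implemented per RFC 7748 and ChaCha20 per RFC 8439 plus the HChaCha20 extension that gives XChaCha20 its 24-byte nonce, so the script runs without third-party packages. Assumptions: the footer is exactly the 44-character Base64 public key at the end of the file, the whole file is encrypted (the 1 MB or smaller case), and the operator’s key pair is generated at runtime in place of the hardcoded Base64 public key.

```python
# Added example (not code from the article or the malware): per-file hybrid scheme
# modelled with pure-Python X25519 (RFC 7748) and XChaCha20 (RFC 8439 + HChaCha20).
import base64
import secrets
import struct

# ---- X25519 ------------------------------------------------------------------
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(scalar, point):
    """Scalar multiplication on Curve25519 (Montgomery ladder from RFC 7748)."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64            # clamp the private scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# ---- ChaCha20 / HChaCha20 / XChaCha20 ------------------------------------------
MASK = 0xFFFFFFFF
CONSTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds(s):                                         # 20 rounds, in place
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)

def _words(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))

def hchacha20(key, nonce16):
    """32-byte subkey from a 32-byte key and the first 16 nonce bytes (no final addition)."""
    s = list(CONSTS) + _words(key) + _words(nonce16)
    _rounds(s)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def chacha20_block(key, counter, nonce12):
    s = list(CONSTS) + _words(key) + [counter] + _words(nonce12)
    w = list(s)
    _rounds(w)
    return struct.pack("<16I", *((w[i] + s[i]) & MASK for i in range(16)))

def xchacha20_xor(key, nonce24, data):
    """XChaCha20: HChaCha20 subkey, then ChaCha20 with the last 8 nonce bytes."""
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:24]
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(subkey, i // 64, nonce12)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

# ---- Per-file scheme as described in the article --------------------------------
def lock_file(plaintext, operator_pub):
    eph_priv = secrets.token_bytes(32)                  # fresh key pair for this file only
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = x25519(eph_priv, operator_pub)                # raw ECDH secret used directly as the key
    nonce = eph_pub[:24]                                # nonce = first 24 bytes of the public key
    footer = base64.b64encode(eph_pub)                  # 44 Base64 chars; exact layout is assumed
    return xchacha20_xor(key, nonce, plaintext) + footer

def unlock_file(locked, operator_priv):
    body, footer = locked[:-44], locked[-44:]
    eph_pub = base64.b64decode(footer)
    key = x25519(operator_priv, eph_pub)                # operator side of the same ECDH
    return xchacha20_xor(key, eph_pub[:24], body)

if __name__ == "__main__":
    op_priv = secrets.token_bytes(32)                   # stands in for the operator's master key
    op_pub = x25519(op_priv, BASEPOINT)                 # the value that would be hardcoded
    sample = b"constructed sample document line\n" * 40
    locked = lock_file(sample, op_pub)
    assert unlock_file(locked, op_priv) == sample
    print("roundtrip ok, footer:", locked[-44:].decode())
```

Note what unlock_file needs: the operator’s private key, which never touches the victim host. Everything a responder can recover from the file (ciphertext, ephemeral public key, nonce) is by design insufficient, so triage effort belongs on backups and on the unencrypted regions, not on the footer.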

Network Propagation and Lateral Movement Vectors

What sets The Gentlemen apart from ordinary ransomware is a built-in automation framework for independent, multi-threaded lateral movement. When the operator passes --spread, the binary turns from a local encryptor into an active network worm. If no explicit credentials are supplied on the command line (in the form domain/user:password), it uses the security token of its current session to authenticate its remote traversal.

The binary discovers targets by mapping reachable endpoints across adjacent subnets and the Active Directory environment. For each remote machine it finds, it opens an authenticated Server Message Block (SMB) connection and copies its own executable into an administrative share on the target.

With the executable in place, the malware triggers remote execution through administrative channels such as WMI commands or PsExec-style service execution. The copy starts on the remote endpoint, validates its deployment parameters, applies the same evasion configuration, terminates running processes, and begins encrypting the new host. Because each infected host repeats the cycle, the ransomware spreads across an enterprise network without manual intervention for every machine.
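The propagation chain above, an executable written into an administrative share and then launched through WMI or PsExec on each target, can be correlated across hosts. The following Python snippet is an added example, not from the article or from the malware: it pairs Security 5145 share writes with 4688 process starts whose parent is WmiPrvSE.exe or PSEXESVC.exe, then groups confirmed hops by source address to find the host doing the fan-out. The events are constructed, and the field names are a simplified rendering of the real event fields.

```python
# Added example (not code from the article or the malware): correlates admin-share
# drops with WMI/PsExec-launched processes across hosts on constructed events.
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")
REMOTE_EXEC_PARENTS = ("wmiprvse.exe", "psexesvc.exe")
WRITE_DATA = 0x2                      # WriteData/AddFile bit in the 5145 access mask

# (target host, UTC timestamp, event id, fields) - constructed, simplified field names
EVENTS = [
    ("WS11", "2025-11-03T02:20:01", 5145, {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": "locker.exe",
                                         "AccessMask": "0x2", "IpAddress": "10.0.5.20"}),
    ("WS11", "2025-11-03T02:20:04", 4688, {"NewProcessName": r"C:\Windows\locker.exe",
                                         "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"}),
    ("WS12", "2025-11-03T02:20:02", 5145, {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": "locker.exe",
                                         "AccessMask": "0x2", "IpAddress": "10.0.5.20"}),
    ("WS12", "2025-11-03T02:20:07", 4688, {"NewProcessName": r"C:\Windows\locker.exe",
                                         "ParentProcessName": r"C:\Windows\PSEXESVC.exe"}),
    ("WS13", "2025-11-03T02:20:03", 5145, {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": "locker.exe",
                                         "AccessMask": "0x2", "IpAddress": "10.0.5.20"}),
    ("WS13", "2025-11-03T02:20:09", 4688, {"NewProcessName": r"C:\Windows\locker.exe",
                                         "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"}),
    # Benign contrast: a (hypothetical) deployment agent copies an installer that is
    # then started by the agent itself, not through WMI or PsExec.
    ("WS20", "2025-11-03T02:25:00", 5145, {"ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\agent_setup.exe",
                                         "AccessMask": "0x2", "IpAddress": "10.0.1.5"}),
    ("WS20", "2025-11-03T02:25:20", 4688, {"NewProcessName": r"C:\Windows\Temp\agent_setup.exe",
                                         "ParentProcessName": r"C:\Program Files\DeployAgent\agent.exe"}),
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_hops(events, window=timedelta(minutes=2)):
    """{target host: source ip} for hosts where an .exe landed on an admin share and
    was then started under a WMI or PsExec parent within `window`."""
    drops = defaultdict(list)             # host -> [(time, source ip, exe name)]
    hops = {}
    for host, ts, eid, f in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if eid == 5145 and f["ShareName"].endswith(ADMIN_SHARES) \
                and int(f["AccessMask"], 16) & WRITE_DATA:
            name = _basename(f["RelativeTargetName"])
            if name.endswith(".exe"):
                drops[host].append((t, f["IpAddress"], name))
        elif eid == 4688 and _basename(f["ParentProcessName"]) in REMOTE_EXEC_PARENTS:
            exe = _basename(f["NewProcessName"])
            for dropped_at, src, name in drops[host]:
                if name == exe and timedelta(0) <= t - dropped_at <= window:
                    hops[host] = src
    return hops

def fan_out(hops, threshold=3):
    """Sources whose confirmed hops reach at least `threshold` targets."""
    by_src = defaultdict(set)
    for target, src in hops.items():
        by_src[src].add(target)
    return {src: sorted(t) for src, t in by_src.items() if len(t) >= threshold}

if __name__ == "__main__":
    hops = find_hops(EVENTS)
    print("confirmed hops:", hops)
    print("fan-out sources:", fan_out(hops))
```

The per-host pairing is what separates the worm from routine administration: plenty of tools write to ADMIN$, and WmiPrvSE spawns plenty of processes, but the same freshly written executable starting under a remote-execution parent seconds later on three hosts from one source is the propagation loop itself. Event 5145 requires the "Audit Detailed File Share" subcategory, which is off by default and noisy on file servers, so many teams collect it only on workstations; a 7045 service installation named PSEXESVC on the target is a further signal for the PsExec path that this snippet does not model.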

Strategic Mitigations and Architectural Defenses

Defending an enterprise against an automated, self-propagating threat like The Gentlemen requires layered controls aimed at breaking the attack path rather than recognizing a sample. Signature matches on a Garble-obfuscated Go binary are unreliable; identity, administrative, and endpoint restrictions are what stop the chain.

  1. Harden the endpoint: run Endpoint Detection and Response (EDR) in block mode and keep Defender tamper protection enabled, so that the Set-MpPreference changes the locker attempts are rejected and behavioral detections still fire even after it tries to switch off real-time protection.
  2. Enforce Attack Surface Reduction (ASR): enable the rule that blocks process creations originating from PsExec and WMI commands on workstations, which breaks the worm’s remote execution step (check compatibility first, since the rule interferes with management tools that rely on WMI, such as Configuration Manager clients), and restrict workstation-to-workstation SMB so that the administrative-share copy has fewer places to go.
  3. Protect identity infrastructure: because the threat relies on harvested credentials and NTLM relay, harden Active Directory by auditing Active Directory Certificate Services (ADCS), disabling legacy NTLM authentication wherever possible, and enforcing multi-factor authentication (MFA) on internal and edge systems.
  4. Restrict folder access: enable controlled folder access so that only trusted or explicitly allowed applications can modify protected data directories, creating a barrier against an unknown binary rewriting files.

Our Opinion: The Self-Propagating Ransomware Paradigm

The rapid rise of The Gentlemen ransomware signals a shift in how modern cybercriminal syndicates approach enterprise extortion. By building automated self-propagation directly into a Go binary, Storm-2697’s operators have removed a major bottleneck in the traditional ransomware chain: hands-on-keyboard lateral movement. Historically, defenders had a usable window to detect an intrusion while attackers moved across a network by hand. The Gentlemen compresses that window from days or hours to minutes, shifting the advantage back to the attacker.

Its use of AI-assisted coding, visible in how quickly its RaaS administration panel was built out, also shows threat actors using modern development tooling to ship and scale faster. For corporate security teams, ransomware is therefore neither a localized file-system problem nor only a patch-management issue but a fast-moving attack-path problem. Catching the threat in the final encryption phase is no longer enough; strategies must stop the attacker during discovery and lateral movement. If a defense architecture cannot detect and isolate a compromised host within the first minutes of a lateral push, standard containment will likely fail against this class of automated threat.