The Gentlemen Ransomware: Worm-Like Self-Propagation and Network-Wide Encryption via Storm-2697's RaaS Affiliate Program — Threadlinqs Intelligence
Threat ID: TL-2026-1138 · Severity: CRITICAL · Status: ACTIVE · Category: RANSOMWARE
Attribution: Storm-2697 · FINANCIAL
The Gentlemen is a Go-based, Garble-obfuscated Ransomware-as-a-Service operated by Microsoft-tracked threat cluster Storm-2697 (administrator alias zeta88/hastalamuerte), first seen mid-2025 with an
The Gentlemen is a financially motivated Ransomware-as-a-Service (RaaS) operation tracked by Microsoft Threat Intelligence as Storm-2697. The group began as a closed ransomware crew around mid-2025 (earliest known Windows encryptor sample uploaded to VirusTotal on 2025-07-17), transitioned to an open affiliate model in September 2025 under a 90/10 (affiliate/operator) profit split, and in May 2026 formalized an official partnership with the BreachForums cybercrime marketplace to recruit penetration testers and initial-access brokers after suffering its own infrastructure breach.
Affiliates gain initial access primarily by targeting internet-exposed edge appliances — brute-forcing and exploiting Fortinet FortiOS/FortiProxy (CVE-2024-55591) and Erlang/OTP SSH servers (CVE-2025-32433), abusing NTLM reflection against unsigned SMB (CVE-2025-33073) for SYSTEM-level privilege escalation, purchasing credentials/access from initial access brokers, and in at least one documented case reusing credentials stolen from a breached UK consultancy to compromise a downstream Turkish client (a trusted-relationship/supply-chain technique the group has weaponized for double-pressure extortion). Post-compromise, affiliates deploy Cobalt Strike beacons and the SystemBC SOCKS5 proxy for covert C2/tunneling, alongside a toolkit of signed/legitimate software abused for evasion (Velociraptor, TailVNC, Rclone, OpenConnect) and offensive AD tooling (NetExec, CertiHound, PowerZure, RegPwn, KslDump/KslKatz).
The ransomware payload itself, written in Go and obfuscated with Garble, is engineered for worm-like self-propagation: on each target host it attempts up to 21 distinct remote-execution operations across six technique families (PsExec in three variants, WMIC process creation in three variants, user- and SYSTEM-context scheduled tasks, service-based execution, PowerShell remoting, and PowerShell WMI execution) plus SMB C$ share copy and a self-hosted anonymous SMB share (\\<self>\share$). Before encrypting, the malware performs extensive defense evasion: disabling Microsoft Defender real-time protection and excluding the entire C:\ volume, deleting Volume Shadow Copies via two independent methods, clearing System/Application/Security event logs and PowerShell history, clearing Defender/RDP logs and prefetch files, disabling Domain/Public/Private firewall profiles, re-enabling legacy SMB1, and loosening anonymous (null-session) SMB access via registry modification. It forcibly terminates 40+ processes and 60+ services spanning databases (SQL Server), backup software (Veeam), EDR agents, and virtualization platforms (Hyper-V) before encryption begins. In a documented DFIR case, a Gentlemen affiliate used GPO-based deployment to trigger near-simultaneous ransomware execution (renamed r.exe/g.exe/o.exe) across an entire domain after establishing Domain Admin access.
Encryption uses a per-file ephemeral Curve25519 key pair, an ECDH shared secret computed against the operator's embedded public key, and XChaCha20 stream encryption; files under 1 MB are fully encrypted while larger files are partially encrypted in three 64 KB chunks at varying speed settings (--fast/--superfast/--ultrafast) to accelerate large-scale encryption runs. Encrypted files receive the .umc16h extension and a README-GENTLEMEN.txt ransom note is dropped in every scanned directory; the desktop wallpaper is replaced with gentlemen.bmp. The group operates double-extortion via a Tor data-leak site and a separate Tor negotiation portal, and had listed roughly 483 victims across 66 countries by mid-June 2026 spanning education, transportation, healthcare, financial-services, and professional-services sectors on five continents. A May 2026 breach of Gentlemen's own "Rocket" backend (leaked by actor n7778) exposed operator/affiliate identities, Rocket.Chat logs, ransom-negotiation transcripts (including a $250,000-to-$190,000 negotiated case), and confirmed the group's use of AI coding assist
Weaknesses (CWE)
CWE-288, CWE-306, CWE-287
Target sectors: education, transport, health, financial services, professional services, technology
Target regions: North America, 005 - South America, Europe, Africa, Asia
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 35 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
RANSOMWARE, CRITICAL, threat intelligence, cybersecurity, CVE-2024-55591, CVE-2025-32433, CVE-2025-33073, T1595, T1591, T1583, T1587, T1588, T1585, T1190, T1133, T1078, T1199