Gentlemen
Intelligence Profile
According to Cybereason, "The Gentlemen" ransomware is a cross-platform ransomware family with lockers for Windows, Linux, and ESXi, with the analyzed Windows locker implemented as a 64-bit Golang executable. It is operated as a Ransomware-as-a-Service, supports configurable encryption levels using XChaCha20 and Curve25519, and implements dual-extortion by both encrypting and exfiltrating data. The malware emphasizes persistence and automation (self-restart, run-on-boot, registry and autostart usage), broad system interaction via tools like task schedulers, WMI, and remote PowerShell, and extensive discovery of local, network, and clustered storage to maximize impact. It also includes security evasion and anti-forensics behavior such as disabling security tools, deleting logs and traces, manipulating permissions, and terminating database, backup, remote-access, and virtualization-related services before encryption.
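As an added example (not Cybereason's analysis and not the ransomware's own code), the following Python hunts a batch of process-creation records for the pre-encryption behaviour cluster described above: termination of database, backup, remote-access and virtualization services, event-log clearing, and run-on-boot persistence via the registry Run key or a scheduled task. The sample events, the specific command lines, the service-name fragments and the alert thresholds are assumptions constructed for illustration; the report does not name the exact commands the locker executes.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# Illustrative only, not captured telemetry; the exact commands the locker
# runs are an assumption based on the behaviours described in the profile.
SAMPLE_EVENTS = [
    {"host": "srv01", "ts": "2024-01-01T10:00:01Z", "cmd": "net stop MSSQLSERVER /y"},
    {"host": "srv01", "ts": "2024-01-01T10:00:02Z", "cmd": "sc stop VeeamBackupSvc"},
    {"host": "srv01", "ts": "2024-01-01T10:00:03Z", "cmd": "taskkill /F /IM vmware-vmx.exe"},
    {"host": "srv01", "ts": "2024-01-01T10:00:04Z", "cmd": "net stop TeamViewer"},
    {"host": "srv01", "ts": "2024-01-01T10:00:05Z", "cmd": "wevtutil cl Security"},
    {"host": "srv01", "ts": "2024-01-01T10:00:06Z",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\Public\svc.exe"},
    {"host": "srv01", "ts": "2024-01-01T10:00:07Z",
     "cmd": r"schtasks /create /tn svc /tr C:\Users\Public\svc.exe /sc onstart /ru SYSTEM"},
    # Routine admin activity on another host: one service restart, no other signal.
    {"host": "ws07", "ts": "2024-01-01T11:15:00Z", "cmd": "net stop Spooler"},
    {"host": "ws07", "ts": "2024-01-01T11:15:05Z", "cmd": "net start Spooler"},
]

# Service/process name fragments for the four categories the locker targets
# (assumed list; extend with the products actually deployed in your estate).
TARGET_HINTS = re.compile(
    r"(sql|oracle|mysql|postgres|mongo|"      # database
    r"veeam|backup|acronis|vss|"             # backup
    r"vnc|teamviewer|anydesk|rdp|"           # remote access
    r"vmware|vmms|hyper-?v|virtualbox)",     # virtualization
    re.IGNORECASE,
)

RULES = {
    "service_kill": re.compile(
        r"\b(net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|Stop-Service|taskkill(?:\.exe)?)\b",
        re.IGNORECASE,
    ),
    "log_clear": re.compile(r"\b(wevtutil(?:\.exe)?\s+cl|Clear-EventLog)\b", re.IGNORECASE),
    "persistence": re.compile(
        r"(CurrentVersion\\Run\b|schtasks(?:\.exe)?\s+/create)", re.IGNORECASE
    ),
}


def classify(cmd):
    """Return the rule name a command line matches, or None.

    A service kill only counts when the target looks like a database,
    backup, remote-access or virtualization component, so a lone
    'net stop Spooler' does not register."""
    if RULES["service_kill"].search(cmd):
        return "service_kill" if TARGET_HINTS.search(cmd) else None
    for name in ("log_clear", "persistence"):
        if RULES[name].search(cmd):
            return name
    return None


def hunt(events):
    """Group matching command lines by host: {host: {rule: [cmd, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        rule = classify(ev["cmd"])
        if rule:
            hits[ev["host"]][rule].append(ev["cmd"])
    return {host: dict(rules) for host, rules in hits.items()}


def alerts(events, min_kills=3):
    """A host alerts when it shows at least two of the three behaviours, or a
    burst of targeted service kills on its own. min_kills is a tunable
    threshold chosen for this example, not a value from the report."""
    out = []
    for host, rules in hunt(events).items():
        kills = len(rules.get("service_kill", []))
        if len(rules) >= 2 or kills >= min_kills:
            out.append((host, sorted(rules)))
    return sorted(out)


if __name__ == "__main__":
    for host, behaviours in alerts(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(behaviours)}")
```

Requiring two behaviour categories (or a burst of targeted stops) rather than any single match keeps routine service restarts from paging anyone, while the sequence the profile describes, service termination followed by log clearing and autostart setup on the same host, trips the alert before encryption begins. In production the same logic would read Sysmon or EDR process events over a short time window per host instead of a static list.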
Threat Analysis
Gentlemen is a high-sophistication threat actor of undetermined national origin whose cyber operations are primarily financially motivated.
Financially motivated threat actors like Gentlemen prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
That level of sophistication means Gentlemen is capable of targeted intrusions that combine adapted commodity tools with custom implants, while maintaining operational security and evading standard detection mechanisms.