Proven Data

Gentlemen Ransomware: Tactical Analysis of a High-Velocity RaaS Operation

Laura Pompeu

Gentlemen is a ransomware operation that emerged in mid-2025 and has rapidly established itself as one of the most active and operationally mature threat groups of the year. Operating as a Ransomware-as-a-Service (RaaS) platform, the group follows a double-extortion model: sensitive data is exfiltrated from victim networks before file encryption begins, and if the ransom is not paid, the stolen data is published on a dedicated Tor-based leak site.

This profile covers the group’s origins, technical methods, known indicators of compromise, and actionable defensive guidance.

Gentlemen’s emergence and attribution have attracted significant scrutiny due to the group’s rapid operational maturity and high victim velocity.

The earliest known Gentlemen victim is JN Aceros, a Peruvian steel company compromised on June 30, 2025. The operation became publicly visible in August 2025, when its Tor-based leak site went live and began listing victims.

The operation scaled quickly: 48 organizations had been published within the first two months of leak site activity. This publication velocity is consistent with affiliate-driven RaaS models, where multiple operators conduct parallel intrusions under a centralized brand. As of early February 2026, the confirmed victim count exceeds 130, with new targets appearing nearly daily.

Threat intelligence research has linked the Gentlemen operation to an individual operating under the alias “hastalamuerte.” The actor was observed on underground forums seeking access to multiple established RaaS programs, including Qilin, Embargo, LockBit, Medusa, and BlackLock, before developing a proprietary platform. This period of experimentation likely allowed the operators to study proven affiliate models and refine their own tooling and deployment workflow.

In September 2025, a separate alias, “Zeta88,” was observed advertising the Gentlemen RaaS on the RAMP cybercrime forum. The program explicitly prohibits targeting organizations in Russia and CIS countries, a restriction consistent with the behavioral norms of Russian-speaking ransomware ecosystems.

The group’s operational maturity and the absence of prior intelligence have prompted debate within the threat intelligence community. Multiple researchers have noted that Gentlemen’s capabilities are unusually advanced for a newly emerged operation, suggesting either a rebranding of experienced operators or the emergence of a well-resourced criminal team with significant prior ransomware experience. No definitive link to a predecessor group has been publicly confirmed.

Gentlemen targets a broad range of sectors, with the heaviest concentration in manufacturing, technology, financial services, and healthcare. Education, construction, insurance, energy, and consumer services are also represented. The inclusion of healthcare organizations and municipal governments indicates that the group does not avoid sectors associated with critical infrastructure.

The operators primarily focus on medium to large enterprises with centralized Active Directory environments and domain-level management. Confirmed targets include hospitals, school districts, energy providers, municipal governments, and multinational manufacturers. These environments offer high-value data for extortion and centralized control points that enable rapid, domain-wide encryption.

The United States is the most frequently targeted country, followed by Thailand, Brazil, France, and Malaysia. Affected organizations have been identified across dozens of countries spanning Asia-Pacific, North and South America, Europe, and the Middle East. The broad geographic distribution, combined with the CIS exclusion policy, suggests opportunistic target selection based on access availability rather than a strict regional strategy.

Gentlemen operates as a full-featured RaaS platform. Affiliates receive customizable builds with pre-configured or adjustable settings, cross-platform lockers for Windows, Linux, BSD, NAS, and ESXi environments, and access to negotiation infrastructure. Per the program’s operational rules, affiliates must upload exfiltrated data to approved cloud resources for publication on the group’s leak site. The revenue split is reported at 90% to affiliates and 10% to the operators.

The platform is actively maintained, with forum posts and operator announcements documenting regular feature additions, including improved encryption performance, expanded propagation methods, and new persistence mechanisms. Certain tools, including an EDR-killer utility and multi-chain system, are restricted to trusted affiliates only. A forum discussion noted that the locker was partially developed using “vibecoding” techniques.

Gentlemen follows a structured enterprise intrusion model with clearly delineated phases: exploitation of internet-facing services for initial access, thorough network reconnaissance, BYOVD-based neutralization of security tools, GPO-driven domain-wide deployment, encrypted data exfiltration, and selective file encryption. The ransomware payload is written in Go, a choice increasingly common among ransomware developers because a single code base cross-compiles for Windows, Linux, and ESXi, and because Go's large statically linked binaries, bundled runtime, and non-standard calling conventions make reverse engineering slower than for conventional C/C++ lockers. The full chain is designed for speed, stealth, and maximum operational impact before defenders can respond.

Gentlemen operators gain entry through compromised credentials and exposed administrative panels on internet-facing infrastructure. In the most extensively documented intrusion, a FortiGate appliance with exposed administrative access served as the entry point, giving the attackers a direct path to domain credentials. Collaboration with initial access brokers (IABs) is considered plausible given the speed and volume of new intrusions.

Once inside the network, the operators immediately deploy reconnaissance tools. Advanced IP Scanner is used for initial network mapping, followed by Nmap for detailed service discovery. Custom batch scripts enumerate domain user accounts and privilege groups. PowerShell commands collect information on all accessible volumes, including local drives and Cluster Shared Volumes, to identify encryption targets across the environment.

The group employs a Bring Your Own Vulnerable Driver (BYOVD) technique using the legitimately signed ThrottleStop.sys driver (dropped under the name ThrottleBlood.sys), which is affected by CVE-2025-7771. Because the driver carries a valid signature, Windows loads it; the vulnerability then gives the operators kernel-level access, which they use to terminate security software processes that are protected from user-mode tampering. Custom tools (All.exe and its improved variant Allpatch2.exe) exploit the vulnerability to neutralize antivirus and EDR solutions at the kernel level.

Additional defense evasion measures include disabling Windows Defender real-time protection via PowerShell, adding global directory and process exclusions, deleting Defender support files, and using ICACLS to grant the Everyone group (SID S-1-1-0) full control over targeted directories.

Lateral movement relies on a combination of legitimate administrative tools and custom techniques. PsExec, PowerRun, and AnyDesk are used for remote execution and access. Additional evidence indicates the possible use of PuTTY for SSH-based lateral movement, likely targeting Linux systems and network appliances within the environment. The operators also enable Windows Firewall rules for the Network Discovery group via PowerShell, opening discovery and file-sharing ports across the environment. WMI and PowerShell remoting enable propagation across network segments.

The operators manipulate Group Policy Objects (GPOs) to deploy ransomware payloads across the domain via NETLOGON shares, ensuring simultaneous infection of all domain-joined machines. Persistence is established through registry modifications, scheduled tasks (schtasks), and the ransomware’s built-in auto-restart and run-on-boot functionality.

Data exfiltration is conducted with WinSCP over encrypted SFTP/SCP sessions, which blend in with legitimate administrative traffic and deny defenders content inspection. Per the RaaS program rules, affiliates upload stolen data to public cloud resources or approved platforms, where it is staged for publication on the group’s leak site if the ransom is not paid.

Before encryption begins, the ransomware executes a preparation sequence designed to maximize impact and inhibit recovery, and it cleans up after itself once encryption is complete:

  • Service Termination: A built-in kill list stops critical services and processes, including database engines (MSSQL, MySQL, PostgreSQL, MongoDB, Oracle), backup utilities (Veeam), virtualization components, remote access tools (TeamViewer), and Microsoft Exchange, so that open file handles are released for encryption and backup jobs cannot run.
  • Recovery Inhibition: Shadow copies are deleted via vssadmin, Windows event logs are cleared using wevtutil, RDP log files are removed, Prefetch data is wiped, and PowerShell command history is deleted.
  • Self-Deletion: After encryption, the ransomware removes itself from the system using a delayed ping-and-delete command (a cmd.exe one-liner that pings localhost for a few seconds and then deletes the binary), leaving fewer artifacts for forensic analysis.

No public decryptor for Gentlemen ransomware exists. The locker uses a per-file ephemeral key design: each file is encrypted under its own freshly generated key, and that key is in turn protected with the operators’ public key, so no private key material is ever written to the victim system. Without the operators’ private key, decryption is infeasible with current methods. No weaknesses in the cryptographic implementation have been identified to date.

During negotiations, the operators offer to decrypt two sample files as proof of capability. Victims are directed to communicate via Tox messenger and a Tor-based onion site. The ransom note typically provides a window of approximately 10 days before the group begins publishing stolen data.

Given the absence of recovery tools, organizations affected by Gentlemen should prioritize verified offline backups as the primary recovery path. Organizations weighing whether to engage with the operators should first understand the consequences of paying the ransom, including the legal, regulatory, and operational risks involved.

This section summarizes stable operational indicators and defensive priorities derived from confirmed Gentlemen intrusions.

Based on the observed attack chain, the following activities should be treated as high-priority alerts in any monitoring environment:

  • Unexpected kernel driver loads, particularly ThrottleStop.sys or ThrottleBlood.sys
  • Sudden GPO modifications or new scripts deployed via NETLOGON shares
  • Programmatic addition of Windows Defender exclusions
  • WinSCP execution on servers, especially with large outbound transfers
  • Mass service termination (Veeam, MSSQL, Exchange) within a short time window
  • PsExec, AnyDesk, or PowerRun execution from unexpected sources
  • Shadow copy deletion (vssadmin) or bulk event log clearing (wevtutil); when observed together, these are immediate pre-encryption indicators
  • ICACLS commands granting the Everyone group (S-1-1-0) full control over directories

Individual signals may have legitimate administrative explanations. However, when two or more of these activities occur within the same environment in a short time window, particularly Defender tampering followed by shadow copy deletion, this should be treated as a probable ransomware incident in progress and trigger immediate containment procedures.
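The correlation rule described above, as an added example that is not part of the original article and not the operators’ or Proven Data’s code: it tags Sysmon-style process-creation and driver-load events with the indicators listed in this section and raises one alert per host when two or more distinct indicators occur within a short window, escalating to critical when Defender tampering precedes shadow copy deletion. The event schema (ts, host, kind, image, cmdline, driver), the regular expressions, the window length, and the sample events are all constructed for this example and should be adapted to your own telemetry.

```python
"""Correlate Gentlemen-style intrusion indicators from endpoint telemetry.

Added example (not code from Proven Data or from the ransomware operators).
Tags Sysmon-like process-creation and driver-load events with the indicators
listed in the article and alerts when >= 2 distinct indicators hit the same
host inside a short window. Event schema and samples are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (indicator, event kind, pattern applied to "image cmdline" or to the driver path)
RULES = [
    ("byovd_driver", "driver_load",
     re.compile(r"\\(throttlestop|throttleblood)\.sys$", re.I)),
    ("defender_tamper", "process",
     re.compile(r"(Set|Add)-MpPreference\s.*-(DisableRealtimeMonitoring|Exclusion(Path|Process|Extension))", re.I)),
    ("shadow_copy_deletion", "process",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clear", "process",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("icacls_everyone_full", "process",
     re.compile(r'\bicacls(\.exe)?\s.*/grant\s+("?everyone"?|\*S-1-1-0):\S*F', re.I)),
    ("remote_admin_tool", "process",
     re.compile(r"\\(psexec(64)?|psexesvc|anydesk|powerrun)\.exe\b", re.I)),
    ("winscp_on_server", "process",
     re.compile(r"\\winscp\.exe\b", re.I)),
    ("netlogon_script", "process",
     re.compile(r"\\\\[^\\]+\\netlogon\\", re.I)),
    ("backup_db_service_stop", "process",
     re.compile(r'\b(net\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s.*/im)\s+"?\S*(veeam|mssql|sqlservr|exchange)', re.I)),
]

SEVERITY_RANK = {"high": 1, "critical": 2}


def tag(event):
    """Return the first indicator name this event matches, or None."""
    if event["kind"] == "driver_load":
        text = event.get("driver", "")
    else:
        text = f'{event.get("image", "")} {event.get("cmdline", "")}'
    for name, kind, pattern in RULES:
        if kind == event["kind"] and pattern.search(text):
            return name
    return None


def _severity(names):
    """Defender tampering followed by shadow-copy deletion is the immediate pre-encryption pattern."""
    if ("defender_tamper" in names and "shadow_copy_deletion" in names
            and names.index("defender_tamper") < names.index("shadow_copy_deletion")):
        return "critical"
    return "high"


def correlate(events, window=timedelta(minutes=30), min_indicators=2):
    """One alert per host whose tagged events hold >= min_indicators distinct
    indicators inside `window`; the strongest qualifying window per host wins."""
    tagged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = tag(ev)
        if name:
            tagged[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    alerts = []
    for host, seq in tagged.items():
        best, best_key = None, None
        for i, (start, _) in enumerate(seq):
            names = [n for t, n in seq[i:] if t - start <= window]  # events in this window, in time order
            distinct = sorted(set(names))
            if len(distinct) < min_indicators:
                continue
            cand = {"host": host, "start": start.isoformat(),
                    "severity": _severity(names), "indicators": distinct}
            key = (SEVERITY_RANK[cand["severity"]], len(distinct))
            if best is None or key > best_key:
                best, best_key = cand, key
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample telemetry (not real victim data): one file server showing the
# full pre-encryption pattern, a domain controller with two lateral-movement
# indicators, and two hosts with single or benign administrative activity.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T02:10:05", "host": "SRV-FILE01", "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\"'},
    {"ts": "2026-02-03T02:12:40", "host": "SRV-FILE01", "kind": "driver_load",
     "driver": r"C:\Windows\Temp\ThrottleBlood.sys"},
    {"ts": "2026-02-03T02:15:30", "host": "SRV-FILE01", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": "2026-02-03T02:15:31", "host": "SRV-FILE01", "kind": "process",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": r"wevtutil cl Security"},
    {"ts": "2026-02-03T02:16:00", "host": "SRV-FILE01", "kind": "process",
     "image": r"C:\Windows\System32\icacls.exe", "cmdline": r'icacls "D:\Shares" /grant Everyone:(OI)(CI)F /T /C'},
    {"ts": "2026-02-03T01:50:12", "host": "SRV-DC01", "kind": "process",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2026-02-03T02:05:44", "host": "SRV-DC01", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c \\corp.example\NETLOGON\deploy.bat"},
    {"ts": "2026-02-03T09:00:00", "host": "WS-ADMIN07", "kind": "process",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\SRV-APP02 -s cmd.exe"},
    {"ts": "2026-02-03T09:05:00", "host": "SRV-BACKUP01", "kind": "process",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": r"vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["start"], ", ".join(alert["indicators"]))
```

On the sample, SRV-FILE01 is reported as critical (Defender tampering, BYOVD driver load, shadow copy deletion, log clearing, and ICACLS within six minutes), SRV-DC01 as high (PSEXESVC followed by a NETLOGON script), while the lone PsExec use on the admin workstation and the read-only vssadmin query on the backup server produce nothing. In production the rules belong in your SIEM or EDR query language, but the correlation logic stays the same: score distinct indicators per host, not raw event counts.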

The following recommendations address the specific tactics, techniques, and procedures documented in Gentlemen ransomware operations, organized by attack phase to align with the intrusion lifecycle.

  • Harden Internet-Facing Services: Ensure FortiGate and other VPN/firewall appliances are fully patched and running current firmware. Disable or restrict access to administrative management interfaces from the public internet. Enforce multi-factor authentication on all remote access points, including VPN portals and administrative panels. Audit for exposed administrative accounts and rotate credentials proactively.
  • Implement Driver Allowlisting: Deploy Windows Defender Application Control (WDAC) or equivalent policies to block the loading of unauthorized kernel drivers, and ensure Microsoft’s vulnerable driver blocklist is enforced (it is applied automatically where memory integrity/HVCI is enabled). This is an effective mitigation against the BYOVD technique Gentlemen uses to neutralize security tools via the ThrottleStop.sys/ThrottleBlood.sys driver; because blocklist and allowlist rules match on the driver’s signature or hash rather than its filename, renaming the driver does not evade them.
  • Monitor and Protect Group Policy Objects: Alert on unexpected GPO modifications, particularly new scripts or payloads deployed via NETLOGON shares. Restrict GPO editing privileges to a minimal set of accounts and review GPO change logs regularly. This is a critical control, as Gentlemen primarily uses GPO manipulation to deploy ransomware domain-wide.
  • Enforce Privileged Access Controls: Apply the principle of least privilege to domain administrative accounts. Implement Just-In-Time (JIT) access for elevated privileges. Monitor for new account creation, unauthorized privilege escalation, and anomalous use of existing admin credentials.
  • Deploy EDR/XDR with Tamper Protection: Ensure endpoint detection and response solutions are configured with anti-tamper capabilities. Gentlemen operators use layered techniques to neutralize security tools, including BYOVD-based process termination, PowerShell-based Defender disabling, exclusion injection, and support file deletion. Tamper protection must cover all of these vectors.
  • Monitor Administrative Tool Usage: Establish baselines and alert on anomalous usage of PsExec, AnyDesk, PowerRun, WinSCP, Advanced IP Scanner, and Nmap. Detect unauthorized WMI and PowerShell remoting activity. These are all legitimate tools that Gentlemen operators abuse across multiple phases of the attack chain.
  • Restrict and Monitor Outbound Data Transfers: Gentlemen affiliates exfiltrate data using WinSCP over encrypted channels before encryption begins. Deploy network-level controls to detect and block large-volume outbound transfers from servers, particularly over SCP/SFTP protocols. Segment sensitive data repositories to limit what an attacker can access from a single compromised host.
  • Verify Backup Integrity and Isolation: Maintain offline, immutable backups that are not accessible from the production network. Test restoration procedures regularly. Gentlemen specifically targets Veeam and other backup services for termination before encryption, so backup infrastructure must be isolated from domain-joined environments.
  • Enable PowerShell Logging and Script Block Auditing: Gentlemen operators rely on PowerShell across multiple attack phases: volume enumeration during discovery, Defender disabling during evasion, and remoting during lateral movement. Comprehensive logging, including Module Logging, Script Block Logging, and Transcription, enables detection and forensic reconstruction of these activities.
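The outbound-transfer control in the list above can be expressed as a simple baseline check over flow records. The following is an added example, not Proven Data’s or the operators’ code: it sums bytes sent to TCP/22 (the SSH port that SFTP and SCP share) per source host and hour, and flags a host when the total exceeds both an absolute floor and a multiple of that host’s own historical hourly baseline, so a build server that legitimately pushes to an internal Git host over SSH is not flagged while a file server that has never spoken SSH and suddenly pushes gigabytes is. The record schema, thresholds, hostnames, and addresses are constructed assumptions (203.0.113.10 is a documentation address).

```python
"""Flag servers pushing unusual volumes over SSH/SFTP, the channel used for
WinSCP exfiltration. Added example, not Proven Data's or the operators' code;
flow schema, thresholds and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SSH_PORT = 22


def outbound_ssh_bytes(flows):
    """Sum bytes sent to TCP/22 per (source host, clock hour)."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] != "tcp" or f["dst_port"] != SSH_PORT:
            continue
        hour = datetime.fromisoformat(f["ts"]).replace(minute=0, second=0, microsecond=0)
        totals[(f["src"], hour)] += f["bytes_out"]
    return totals


def flag_exfiltration(flows, baseline, floor_bytes=500 * 2**20, ratio=10.0):
    """Return (host, hour, bytes) for every host-hour whose SSH egress is at least
    `floor_bytes` AND at least `ratio` times the host's learned hourly baseline.
    A host absent from `baseline` has a baseline of 0, so any egress over the
    floor is flagged: servers that never speak SSH should not start during an incident."""
    alerts = []
    for (src, hour), total in sorted(outbound_ssh_bytes(flows).items()):
        if total >= floor_bytes and total >= ratio * baseline.get(src, 0):
            alerts.append((src, hour.isoformat(), total))
    return alerts


MiB = 2**20

# Constructed hourly SSH baseline per host, as learned from a prior clean period.
BASELINE = {"SRV-BUILD01": 180 * MiB}

# Constructed flow records: a build server doing its usual pushes, an admin
# workstation copying a small file, and a file server pushing ~2.6 GiB to an
# external address in one hour, with nothing in its history.
SAMPLE_FLOWS = [
    {"ts": "2026-02-03T01:05:00", "src": "SRV-BUILD01", "dst": "10.0.0.5", "proto": "tcp", "dst_port": 22, "bytes_out": 120 * MiB},
    {"ts": "2026-02-03T01:40:00", "src": "SRV-BUILD01", "dst": "10.0.0.5", "proto": "tcp", "dst_port": 22, "bytes_out": 90 * MiB},
    {"ts": "2026-02-03T01:12:00", "src": "WS-ADMIN07", "dst": "10.0.0.9", "proto": "tcp", "dst_port": 22, "bytes_out": 20 * MiB},
    {"ts": "2026-02-03T01:20:00", "src": "SRV-FILE01", "dst": "203.0.113.10", "proto": "tcp", "dst_port": 22, "bytes_out": 900 * MiB},
    {"ts": "2026-02-03T01:35:00", "src": "SRV-FILE01", "dst": "203.0.113.10", "proto": "tcp", "dst_port": 22, "bytes_out": 900 * MiB},
    {"ts": "2026-02-03T01:50:00", "src": "SRV-FILE01", "dst": "203.0.113.10", "proto": "tcp", "dst_port": 22, "bytes_out": 850 * MiB},
    {"ts": "2026-02-03T01:55:00", "src": "SRV-FILE01", "dst": "10.0.0.40", "proto": "tcp", "dst_port": 445, "bytes_out": 3000 * MiB},
]

if __name__ == "__main__":
    for host, hour, total in flag_exfiltration(SAMPLE_FLOWS, BASELINE):
        print(f"{host} {hour} {total // MiB} MiB over SSH")
```

Only SRV-FILE01 is flagged: the SMB traffic on port 445 is ignored by this rule, the build server’s 210 MiB is within ten times its baseline, and the workstation’s 20 MiB is under the floor. A practitioner would pair this with a destination check (internal versus external address) and a list of hosts that are ever permitted to initiate SSH, both omitted here to keep the example self-contained.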

Gentlemen is an actively expanding operation with no signs of slowing down. The combination of a mature RaaS platform, rapid victim accumulation, and the absence of any known cryptographic weakness makes this group a serious and ongoing threat. Organizations that suspect a Gentlemen ransomware incident should initiate containment procedures immediately, following an established response framework, and engage qualified digital forensics and incident response support as early as possible.
