
Ransomware Exploits SYSTEM Task to Encrypt Drives Using Elevated Privileges


A recent analysis has drawn attention to a new ransomware strain tracked as “The Gentlemen.” What sets it apart is the combination of a sound hybrid encryption scheme with aggressive lateral-movement tooling, a pairing that widens the blast radius of an intrusion and narrows the victim's options for recovery.

The attribute that has drawn the most attention is its use of a SYSTEM-level scheduled task to encrypt local drives. Running the encryptor under the SYSTEM account gives it the highest-privilege local token Windows offers: it can write to every user's profile, to system directories and to files whose ACLs a standard user token could not touch, which makes the encryption pass more complete and more reliable than one run from a compromised user session.

The encryptor is driven by command-line arguments. Its “--full” mode launches two encryptor processes at once: one, started with the “--system” flag, targets local drives, while the other, started with “--shares”, enumerates and encrypts network shares. Splitting the work this way covers both local and remote data in a single run.

In SYSTEM mode the malware registers a scheduled task that runs as the SYSTEM account, which both elevates the encryptor and gives it a second foothold on the host. Before encryption begins, The Gentlemen disables Microsoft Defender, deletes volume shadow copies, clears Windows event logs and removes other forensic artifacts such as the PowerShell command history. Each of those steps lowers the odds of detection, removes a recovery path or destroys evidence an incident responder would otherwise rely on.

Specifically, the encryptor first deletes any existing scheduled task named “gentlemen_system” and only then creates a fresh task configured to run with elevated privileges; removing the stale definition first guarantees that the task that fires is the one the current sample registered rather than a leftover from an earlier run. Microsoft tracks the group behind the operation as Storm-2697. Since surfacing in mid-2025, this ransomware-as-a-service (RaaS) operation has gained traction quickly and is now being deployed in attacks across many sectors worldwide.

Cryptographically, The Gentlemen uses a hybrid model that pairs Curve25519 key agreement with the XChaCha20 stream cipher. Each file is encrypted under its own ephemeral key, so recovering one file's key reveals nothing about any other, and every file still depends on the operators' private key. Small files are encrypted in full, while large files are split into segments and only part of each segment is encrypted, which makes the run far faster while still leaving the files unusable to their owners.
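As an added illustration (not code from the analysis or from the malware itself), the following Python sketch shows the hybrid model described above using the `cryptography` package: a fresh X25519 key pair per file, a file key derived from the ECDH shared secret with the operators' public key, and length-preserving partial encryption of large files. `cryptography` exposes ChaCha20 but not XChaCha20, so ChaCha20 with a random 12-byte nonce stands in; XChaCha20 differs only in deriving a subkey from a 24-byte nonce via HChaCha20, which matters for nonce reuse under a long-lived key but not when every file gets its own key. The size thresholds, the HKDF info string and the metadata footer are assumptions for this example.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Size thresholds are assumptions for the example; the article gives no numbers.
SMALL_FILE_LIMIT = 4096   # files up to this size are encrypted in full
SEGMENT = 1024            # larger files: encrypt the first SEGMENT bytes of every STRIDE bytes
STRIDE = 4096             # STRIDE and SEGMENT are multiples of the 64-byte ChaCha20 block


def raw_pub(private_key):
    """32-byte raw encoding of an X25519 public key."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def file_key(shared_secret, eph_pub):
    """Derive the per-file key; binding the ephemeral public key makes each file key unique."""
    return HKDF(hashes.SHA256(), 32, None, b"example-file-key" + eph_pub).derive(shared_secret)


def segments(size, fast=False):
    """Byte ranges to encrypt: the whole file if small, a leading slice of each stride otherwise.
    A hypothetical 'fast' mode encrypts a quarter of each slice, mirroring the speed flags."""
    if size <= SMALL_FILE_LIMIT:
        return [(0, size)]
    seg = SEGMENT // 4 if fast else SEGMENT
    return [(off, min(off + seg, size)) for off in range(0, size, STRIDE)]


def xor_stream(key, nonce12, data, offset):
    """XOR data with the ChaCha20 keystream positioned at block offset // 64 (length-preserving)."""
    assert offset % 64 == 0
    counter = (offset // 64).to_bytes(4, "little")
    enc = Cipher(algorithms.ChaCha20(key, counter + nonce12), mode=None).encryptor()
    return enc.update(data) + enc.finalize()


def encrypt_blob(plain, operator_pub, fast=False):
    """Encrypt one file's bytes: fresh X25519 key, ECDH with the operators' public key, HKDF, ChaCha20."""
    eph = X25519PrivateKey.generate()
    eph_pub = raw_pub(eph)
    key = file_key(eph.exchange(operator_pub), eph_pub)
    nonce = os.urandom(12)
    buf = bytearray(plain)
    for start, end in segments(len(plain), fast):
        buf[start:end] = xor_stream(key, nonce, bytes(buf[start:end]), start)
    # Footer the decryptor needs; the ephemeral private key is discarded, so the
    # operators' X25519 private key is the only way back to the file key.
    return bytes(buf), {"eph_pub": eph_pub, "nonce": nonce, "fast": fast}


def decrypt_blob(cipher, meta, operator_priv):
    """Rebuild the file key from the footer and the operators' private key, then undo the XOR."""
    eph_pub = X25519PublicKey.from_public_bytes(meta["eph_pub"])
    key = file_key(operator_priv.exchange(eph_pub), meta["eph_pub"])
    buf = bytearray(cipher)
    for start, end in segments(len(cipher), meta["fast"]):
        buf[start:end] = xor_stream(key, meta["nonce"], bytes(buf[start:end]), start)
    return bytes(buf)


if __name__ == "__main__":
    operator = X25519PrivateKey.generate()          # stays with the operators
    data = bytes(range(256)) * 64                   # constructed 16 KiB "file"
    ct, meta = encrypt_blob(data, operator.public_key())
    print("bytes touched:", sum(e - s for s, e in segments(len(data))), "of", len(data))
    print("round trip ok:", decrypt_blob(ct, meta, operator) == data)
```

Two defender-relevant points fall out of the model. Because each file key is derived from a discarded ephemeral key, harvesting keys from memory during the run buys nothing once the process exits; only the operators' private key unlocks anything. And because large files are only partly overwritten, most of their bytes survive on disk, which is why some formats remain partly recoverable and why a faster mode is a trade of coverage for speed rather than a different cipher.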

Ransomware Abuses SYSTEM Task

The Gentlemen also stands out for its aggressive self-propagation. Launched with the “--spread” option, it attempts to move laterally across the network through several channels in parallel: PsExec, Windows Management Instrumentation (WMI), scheduled tasks, services and PowerShell remoting.

The speed arguments, --fast, --superfast and --ultrafast, are mutually exclusive and set how much of each large file is encrypted. Infected hosts are also turned into distribution points: the malware creates hidden SMB shares with anonymous access so that further hosts can fetch and run it. It can try up to 21 different execution methods against each target, so a single blocked technique does not stop the spread, which greatly increases the likelihood of a network-wide compromise.

Beyond encryption, The Gentlemen practices double extortion: it exfiltrates sensitive data before encrypting and threatens to leak it publicly if the ransom is not paid. That pressure weighs most heavily on sectors such as healthcare, finance and education, where the data itself is the most damaging thing to lose.

For persistence it relies on both scheduled tasks and registry Run keys, so it survives reboots and keeps running. In some cases it also wipes free disk space to defeat recovery of deleted files, which further complicates incident response.

SYSTEM-level execution, sound encryption and multiple propagation paths together make The Gentlemen an unusually effective ransomware family. Its growing visibility on underground forums suggests organizations should expect more activity from it. Detection effort is best spent on abuse of scheduled tasks (in particular tasks created to run as SYSTEM), on privilege-escalation attempts and on unusual lateral-movement patterns across the network.
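One way to turn that guidance, together with the delete-then-create task sequence and the pre-encryption steps described earlier, into detection logic is the added Python example below. It is not code from the analysis: it runs a small rule set over constructed Sysmon-style process-creation events, flags any scheduled task created with a SYSTEM principal, and raises the severity when the same host deleted a task of that name or ran shadow-copy deletion, log clearing, history wiping or Defender tampering shortly before. The task name "gentlemen_system" comes from the article; the hosts, users, timestamps and the exact command lines matched by the precursor patterns are assumptions for the example.

```python
import re
from datetime import datetime

# Principals that make a schtasks /ru argument mean "run as SYSTEM"
SYSTEM_PRINCIPALS = {"system", "nt authority\\system", "s-1-5-18"}
RANK = {"medium": 0, "high": 1, "critical": 2}

# Pre-encryption actions the article attributes to the encryptor. The command
# strings matched here are assumptions for this example, not quotes from the page.
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "powershell_history_wiped": re.compile(r"consolehost_history\.txt", re.I),
    "defender_disabled": re.compile(r"set-mppreference.*disablerealtimemonitoring\s+\$true", re.I),
}

# Constructed Sysmon-style process-creation events: (timestamp, host, user, command line).
# Not real telemetry; only the task name gentlemen_system is taken from the article.
SAMPLE_EVENTS = [
    ("2025-09-10T09:00:01", "WS01", "CORP\\alice",
     'schtasks.exe /create /tn "Backup Sync" /tr C:\\Tools\\sync.exe /sc daily'),
    ("2025-09-10T10:15:00", "FS02", "CORP\\svc_deploy", "vssadmin.exe delete shadows /all /quiet"),
    ("2025-09-10T10:15:03", "FS02", "CORP\\svc_deploy", "wevtutil.exe cl Security"),
    ("2025-09-10T10:15:05", "FS02", "CORP\\svc_deploy", "schtasks.exe /delete /tn gentlemen_system /f"),
    ("2025-09-10T10:15:06", "FS02", "CORP\\svc_deploy",
     'schtasks.exe /create /tn gentlemen_system /tr "C:\\ProgramData\\enc.exe --system" '
     '/sc once /st 00:00 /ru SYSTEM /f'),
    ("2025-09-10T11:00:00", "WS03", "CORP\\bob",
     "schtasks.exe /create /tn Updater /tr C:\\Tools\\upd.exe /sc hourly /ru SYSTEM"),
]


def tokenize(cmd):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd):
    """Return {'action', 'tn', 'ru'} for a schtasks /create or /delete line, else None."""
    toks = tokenize(cmd)
    if not toks:
        return None
    exe = toks[0].replace("/", "\\").split("\\")[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    info = {"action": None, "tn": None, "ru": None}
    for i in range(1, len(toks)):
        low = toks[i].lower()
        if low in ("/create", "/delete"):
            info["action"] = low[1:]
        elif low in ("/tn", "/ru") and i + 1 < len(toks):
            info[low[1:]] = toks[i + 1]
    return info if info["action"] else None


def is_system_principal(ru):
    return ru is not None and ru.strip().lower() in SYSTEM_PRINCIPALS


def precursor_tags(cmd):
    return [name for name, pat in PRECURSOR_PATTERNS.items() if pat.search(cmd)]


def bump(current, proposed):
    return proposed if RANK[proposed] > RANK[current] else current


def detect(events, window_seconds=300):
    """Flag every scheduled task created to run as SYSTEM; escalate when the same host
    deleted a task of that name, or ran a pre-encryption step, within the look-back window."""
    parsed = sorted(((datetime.fromisoformat(ts), host, user, cmd)
                     for ts, host, user, cmd in events), key=lambda e: e[0])
    findings = []
    for idx, (ts, host, user, cmd) in enumerate(parsed):
        task = parse_schtasks(cmd)
        if not task or task["action"] != "create" or not is_system_principal(task["ru"]):
            continue
        severity, reasons = "medium", ["scheduled task created to run as SYSTEM"]
        for pts, phost, _, pcmd in parsed[:idx]:
            if phost != host or (ts - pts).total_seconds() > window_seconds:
                continue
            prior = parse_schtasks(pcmd)
            if (prior and prior["action"] == "delete" and prior["tn"]
                    and prior["tn"].lower() == (task["tn"] or "").lower()):
                reasons.append(f"task {task['tn']!r} deleted then recreated within {window_seconds}s")
                severity = bump(severity, "high")
            for tag in precursor_tags(pcmd):
                reasons.append(tag)
                severity = bump(severity, "critical")
        findings.append({"host": host, "user": user, "task": task["tn"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["task"], "|", "; ".join(f["reasons"]))
```

On the sample, the admin task on WS01 produces nothing because it carries no SYSTEM principal, the Updater task on WS03 is a medium-severity hit worth a look, and the FS02 sequence is critical because shadow-copy deletion and log clearing precede a SYSTEM task that was deleted and recreated within seconds. In production the same rules map naturally onto Security event 4698 (task created) and 4699 (task deleted) with the `<UserId>` element of the task XML, which catches tasks registered through the API rather than through schtasks.exe.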

Indicators of Compromise

To harden defenses, organizations should watch for the indicators of compromise published with the analysis. These consist of SHA-256 hashes of the ransomware encryptor, of the PsExec binary it carries and of the wallpaper bitmap files it drops.

In summary, the emergence of The Gentlemen ransomware underscores a persistent challenge: organizations need detection and response capable of catching task-scheduler abuse, defense tampering and lateral movement early enough to limit the damage from an evolving threat like this one.
