Gentlemen is a Go-based ransomware group identified in August 2025 that uses double extortion, rapid internal propagation, Group Policy Object (GPO) manipulation, Bring Your Own Vulnerable Driver (BYOVD) abuse, and targeted evasion techniques to attack medium-to-large organizations across multiple industries and regions. The ransomware encrypts files using X25519 and XChaCha20 with per-file ephemeral keys, refuses to run without the correct execution password, and disables defenses and deletes logs before encrypting. #Gentlemen #XChaCha20
Keypoints
- Gentlemen is a newly identified ransomware group (first observed ~August 2025) employing a double extortion model that combines data theft and encryption.
- Attacks have been reported across at least 17 countries and multiple industries including manufacturing, construction, healthcare, and insurance, targeting APAC, North America, South America, and the Middle East.
- The ransomware is written in Go and only runs when the correct password is supplied via its --password execution argument, which blocks execution in unintended or analysis environments (a sandbox that lacks the password never sees the encryption routine run).
- Before encryption, Gentlemen disables Windows Defender, stops backup and database services (e.g., Veeam, MSSQL, MongoDB), and deletes logs and system traces to hinder recovery and detection.
- Encryption uses X25519 (ECDH) with a per-file ephemeral key pair to derive a per-file shared secret, and the XChaCha20 stream cipher for the file contents; large files are only partially encrypted (selected byte ranges) to speed up the operation while still rendering the files unusable.
- Operational tactics include Group Policy Object (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD) for privilege/defense evasion and internal propagation.
- No definitive evidence yet that Gentlemen operates as RaaS or is a rebrand/sub-group of an existing group; monitoring is recommended due to rapid activity and targeting of medium/large organizations.
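The selective-range encryption of large files noted in the keypoints changes what a responder sees on disk: a hit file is not uniformly high-entropy but carries ciphertext-like ranges next to untouched plaintext. The following triage helper is an added example, not code from the ASEC write-up or from the ransomware; it maps high-entropy byte ranges inside a file so that partially encrypted files can be separated from intact ones and from fully encrypted ones. The chunk size, the entropy threshold and the sample data are assumptions constructed for the example; the summary does not state which ranges the ransomware selects.

```python
"""
Added example (not code from the ASEC write-up or the ransomware): a triage
helper that maps high-entropy byte ranges inside a file, so files hit by
selective-range encryption can be told apart from untouched files and from
fully encrypted ones. Chunk size and threshold are assumptions chosen for the
example; the summary does not say which ranges the ransomware picks.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 64 * 1024   # assumed triage granularity
HIGH_ENTROPY = 7.5       # bits per byte; ciphertext and random data sit near 8.0


def shannon_entropy(buf):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def high_entropy_ranges(data, chunk_size=CHUNK_SIZE, threshold=HIGH_ENTROPY):
    """Return merged (start, end) byte ranges whose chunks exceed the threshold."""
    ranges = []
    for start in range(0, len(data), chunk_size):
        end = min(start + chunk_size, len(data))
        if shannon_entropy(data[start:end]) >= threshold:
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], end)  # extend the previous range
            else:
                ranges.append((start, end))
    return ranges


def classify_file(data, chunk_size=CHUNK_SIZE, threshold=HIGH_ENTROPY):
    """Coarse verdict: plaintext, partially_encrypted, or uniform_high_entropy.

    uniform_high_entropy is ambiguous on its own: a fully encrypted file and a
    legitimately compressed one (zip, jpeg, ...) look the same to this check,
    so it needs the file type or a known-good copy to become a verdict.
    """
    if not data:
        return "plaintext"
    high = sum(end - start for start, end in
               high_entropy_ranges(data, chunk_size, threshold))
    if high == 0:
        return "plaintext"
    if high == len(data):
        return "uniform_high_entropy"
    return "partially_encrypted"


# Constructed sample inputs: 256 KiB of seeded pseudo-random bytes (standing in
# for an encrypted range) followed by 768 KiB of repetitive text (a document).
_rng = random.Random(7)
CIPHERTEXT_LIKE = _rng.randbytes(256 * 1024)
_line = b"Quarterly production figures for plant 3, see the attached sheet.\n"
PLAINTEXT_LIKE = (_line * (768 * 1024 // len(_line) + 1))[:768 * 1024]
PARTIALLY_ENCRYPTED = CIPHERTEXT_LIKE + PLAINTEXT_LIKE

if __name__ == "__main__":
    for name, blob in [("plain", PLAINTEXT_LIKE),
                       ("partial", PARTIALLY_ENCRYPTED),
                       ("random", CIPHERTEXT_LIKE)]:
        print(name, classify_file(blob), high_entropy_ranges(blob))
```

Run against a file share after an incident, the range map also tells you which parts of a large database or VM image were actually touched, which matters when deciding whether a partial restore from an older backup is enough. Treat the verdict as a triage signal only: compressed and already-encrypted formats are high-entropy by design, and the threshold of 7.5 bits/byte is a starting point, not a calibrated value.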
MITRE Techniques
- [T1486] Data Encrypted for Impact – Used to encrypt victim files and demand payment as part of double extortion; quote (‘…all files are encrypted and inaccessible…’).
- [T1484] Domain/Group Policy Modification – GPO manipulation was used to facilitate spread and impact; quote (‘…employs typical tactics seen in advanced ransomware groups, such as Group Policy Objects (GPO) manipulation…’).
- [T1562.001] Disable or Modify Security Tools – The ransomware disables Windows Defender to evade detection and facilitate encryption; quote (‘…disabling Windows Defender…’).
- [T1070.001] Clear Windows Event Logs – The actor deletes logs and system traces to hinder forensics and detection; quote (‘…deleting logs and system traces…’).
- [T1218] Signed/Third-Party Driver Abuse (Bring Your Own Vulnerable Driver) – BYOVD is used for defense evasion or privilege escalation by leveraging vulnerable drivers; quote (‘…Bring Your Own Vulnerable Driver (BYOVD)…’).
Indicators of Compromise
- [File Hashes] Ransomware binary samples – adf675ffc1acb357f2d9f1a94e016f52, de1a114a2c5552387a1bbb61501bf129
- [File Names] Ransom note and artifacts – README-GENTLEMEN.txt (ransom note created in encrypted directories)
- [Detection/Signatures] Vendor detection identifiers – AhnLab detections such as Ransomware/Win.GentlemenCrypt.C5799091, Ransomware/Win.GentlemenCrypt.C5825597
- [Services/Targets] Stopped services during intrusion – Veeam (backup), MSSQL (database), MongoDB (database) as part of pre-encryption disruption
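The pre-encryption chain described above (backup and database services stopped, Windows Defender disabled, event logs cleared, then README-GENTLEMEN.txt appearing in directories) is the window in which a defender can still act before data is lost, and each step leaves telemetry. The correlation rule below is an added example, not code from the ASEC write-up; it scores a host by how many distinct stages of that chain occur within a short window. The log schema ("timestamp host channel event detail") is a hypothetical normalised format made up for the example, and the events are constructed, not captured; in a real deployment the same stages would be fed from Service Control Manager stop events, the Defender Operational log (event 5001, real-time protection disabled), the Security log (event 1102, audit log cleared) and file-creation telemetry.

```python
"""
Added example, not code from the ASEC write-up: a small correlation rule for
the pre-encryption chain the summary describes. The log format below is a
hypothetical normalised schema ("timestamp host channel event detail") chosen
for the example, and the events are constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one per line: timestamp host channel event detail
SAMPLE_LOG = r"""
2025-08-14T02:11:03Z srv-db01 system service_stop VeeamBackupSvc
2025-08-14T02:11:04Z srv-db01 system service_stop MSSQLSERVER
2025-08-14T02:11:05Z srv-db01 system service_stop MongoDB
2025-08-14T02:11:20Z srv-db01 defender 5001 Real-time protection is disabled
2025-08-14T02:11:41Z srv-db01 security 1102 The audit log was cleared
2025-08-14T02:12:10Z srv-db01 file file_create D:\shares\finance\README-GENTLEMEN.txt
2025-08-14T02:12:11Z srv-db01 file file_create D:\shares\hr\README-GENTLEMEN.txt
2025-08-14T09:00:00Z ws-042 system service_stop MongoDB
2025-08-14T09:30:00Z ws-042 system service_stop MongoDB
"""

# Stages of the chain, named after the behaviour the summary lists.
STAGE_SERVICE_STOP = "backup_or_db_service_stopped"
STAGE_DEFENDER_OFF = "defender_realtime_disabled"
STAGE_LOG_CLEARED = "event_log_cleared"
STAGE_RANSOM_NOTE = "ransom_note_written"

# Service name fragments taken from the summary's list of stopped services.
TARGETED_SERVICES = ("veeam", "mssql", "mongo")
RANSOM_NOTE = "README-GENTLEMEN.txt"  # file name from the IoC list


def parse_events(text):
    """Parse the hypothetical schema into dicts with an aware UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, channel, event_id, detail = line.split(maxsplit=4)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "channel": channel, "event": event_id, "detail": detail,
        })
    return events


def classify(ev):
    """Map one event to a chain stage, or None if it is not part of the chain."""
    detail = ev["detail"].lower()
    if ev["event"] == "service_stop" and any(s in detail for s in TARGETED_SERVICES):
        return STAGE_SERVICE_STOP
    if ev["channel"] == "defender" and ev["event"] == "5001":
        return STAGE_DEFENDER_OFF
    if ev["channel"] == "security" and ev["event"] == "1102":
        return STAGE_LOG_CLEARED
    if ev["event"] == "file_create" and ev["detail"].endswith(RANSOM_NOTE):
        return STAGE_RANSOM_NOTE
    return None


def score_hosts(events, window=timedelta(minutes=60), min_stages=3):
    """Per host: the largest set of distinct stages seen inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))
    results = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            inside = {s for t, s in hits[i:] if t - start <= window}
            if len(inside) > len(best):
                best = inside
        results[host] = {"stages": sorted(best), "flagged": len(best) >= min_stages}
    return results


if __name__ == "__main__":
    for host, verdict in score_hosts(parse_events(SAMPLE_LOG)).items():
        print(host, verdict)
```

Requiring several distinct stages inside one window is what keeps this usable: a single MongoDB or SQL service stop is routine maintenance, as the ws-042 host shows, while stops of backup and database services followed within minutes by Defender being disabled and the Security log being cleared are not. The ransom-note stage is included for completeness, but by the time it fires, encryption has started; the value is in alerting on the first three.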
Read more: https://asec.ahnlab.com/en/91545/