Gentlemen Ransomware: Self-Propagating Encryptor Destroys Networks by the Minute

Bottom line: Gentlemen uses autonomous network propagation to roll out encryption across multiple systems simultaneously, overwhelming conventional detection and containment mechanisms.

Microsoft warns of Gentlemen ransomware, which spreads through networks on its own and encrypts file systems and entire infrastructures in a matter of minutes. The malware, written in Go, was first observed in mid-2025 and has since operated as ransomware-as-a-service (RaaS) with a growing affiliate network.

Gentlemen differs from classic ransomware attacks through its self-propagating design. The encryptor independently identifies reachable systems on the network, authenticates with stolen credentials, and copies itself to remote machines via Server Message Block (SMB). After deployment, the malware is executed remotely and continues spreading – the attackers do not need to stay hands-on.

Microsoft documents two central functions: the “--full” argument launches separate processes with SYSTEM privileges to encrypt local drives and visible network shares, maximizing encryption coverage; the “--spread” argument triggers lateral propagation. Additionally, the malware validates a hardcoded password against a RaaS affiliate specification (in the analyzed sample: “9VoAvR7G”) to block unauthorized use.

Gentlemen started as a closed ransomware project, was converted to a RaaS model in September 2025, and recruits affiliates via BreachForums – including penetration testers and initial-access brokers. Affected sectors include education, transportation, healthcare, and finance; geographically affected regions span North and South America, Europe, Africa, and Asia.

The propagation speed significantly reduces detection and containment windows. Conventional response mechanisms such as help desk tickets or user reports of lock screens fail once the malware has already spread to dozens or hundreds of systems. Microsoft emphasizes monitoring lateral movement patterns and early detection as the key factors – the difference between a contained incident and enterprise-wide operational disruption.
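The lateral-movement pattern Microsoft points at here is measurable: one source authenticating to and touching the administrative shares of many hosts within a very short window. The following Python is an added illustration, not code from the article or from Microsoft, of a simple sliding-window fan-out detector run over constructed share-access log lines (event ID 5140, "network share object accessed", in a constructed CSV layout). The window, threshold and field layout are assumptions to be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article):
# timestamp, event id, source IP, destination host, account, share name.
# The first source touches six hosts' admin shares in eleven seconds; the
# second is an ordinary user opening a departmental share.
SAMPLE_LOGS = """\
2026-05-28T09:00:01Z,5140,10.0.1.25,FS01,svc_backup,ADMIN$
2026-05-28T09:00:03Z,5140,10.0.1.25,WS-104,svc_backup,ADMIN$
2026-05-28T09:00:04Z,5140,10.0.1.25,WS-105,svc_backup,C$
2026-05-28T09:00:06Z,5140,10.0.1.25,WS-106,svc_backup,ADMIN$
2026-05-28T09:00:09Z,5140,10.0.1.25,WS-107,svc_backup,ADMIN$
2026-05-28T09:00:12Z,5140,10.0.1.25,WS-108,svc_backup,ADMIN$
2026-05-28T09:05:00Z,5140,10.0.2.40,FS01,alice,Finance
2026-05-28T09:06:00Z,5140,10.0.2.40,FS02,alice,Finance
"""

# Administrative shares a self-copying encryptor would write to (assumption).
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_log(text):
    """Parse the constructed CSV layout into a list of dicts, sorted by time."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, src, dst, user, share = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "src": src, "dst": dst, "user": user, "share": share,
        })
    return sorted(records, key=lambda r: r["ts"])


def detect_fanout(records, window=timedelta(seconds=60), threshold=5):
    """Alert on any source that reaches the admin shares of at least
    `threshold` distinct hosts inside any `window`-long interval."""
    by_src = defaultdict(list)
    for r in records:
        if r["event_id"] == 5140 and r["share"] in ADMIN_SHARES:
            by_src[r["src"]].append(r)

    alerts = []
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in events[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({
                    "src": src,
                    "user": events[end]["user"],
                    "hosts": sorted(hosts),
                    "first": events[start]["ts"],
                    "last": events[end]["ts"],
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_log(SAMPLE_LOGS)):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['src']} as {a['user']} touched admin shares on "
              f"{len(a['hosts'])} hosts in {span:.0f}s: {', '.join(a['hosts'])}")
```

The point of keying on distinct destination hosts rather than raw event count is that a backup or patching job may legitimately hit one server's admin share many times, whereas a burst across many different hosts from one workstation is the shape an automated spread leaves behind. In production the same logic would run on a streaming SIEM query and the threshold would be set from a baseline of normal administrative activity.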

Security professionals should treat Gentlemen as an attack-path problem: not in isolation as a patching or detection challenge, but holistically as a propagation risk. The priority is to map potential propagation paths, implement controls that detect and interrupt spread, and identify gaps before an incident occurs.
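Mapping propagation paths can be done as a reachability computation over two facts the article's description depends on: which hosts can talk SMB to which, and which credentials present on a host are local admin elsewhere. The Python below is an added example, not from the article, that computes the set of hosts an SMB-spreading encryptor could reach from one initially compromised workstation, harvesting credentials as it goes, and then re-runs the computation with workstation-to-workstation SMB blocked to show how much a single segmentation control shrinks the blast radius. All hosts, accounts and relationships are constructed inventory data.

```python
# Constructed inventory (not from the article). SMB_REACHABLE: hosts that can
# reach each other on TCP 445. SESSIONS: accounts whose credentials are exposed
# on a host (logged-on users, service accounts). LOCAL_ADMINS: accounts with
# administrative rights on each host. "alice" being a local admin on two
# workstations models a reused helpdesk-style account.
SMB_REACHABLE = {
    "WS-104": {"WS-105", "WS-106", "FS01"},
    "WS-105": {"WS-104", "WS-106", "FS01"},
    "WS-106": {"WS-104", "WS-105", "FS01"},
    "FS01": {"WS-104", "WS-105", "WS-106", "SRV-APP", "DC01"},
    "SRV-APP": {"FS01", "DC01"},
    "DC01": {"FS01", "SRV-APP"},
}
SESSIONS = {
    "WS-104": {"alice"},
    "WS-105": {"bob", "svc_backup"},
    "WS-106": {"carol"},
    "FS01": {"svc_backup"},
    "SRV-APP": {"svc_app"},
    "DC01": {"da_admin"},
}
LOCAL_ADMINS = {
    "WS-104": {"alice", "svc_backup"},
    "WS-105": {"bob", "alice", "svc_backup"},
    "WS-106": {"carol", "svc_backup"},
    "FS01": {"svc_backup"},
    "SRV-APP": {"svc_app", "da_admin"},
    "DC01": {"da_admin"},
}


def blast_radius(start, reach, sessions, admins):
    """Least fixed point of: a host is compromised if an already compromised
    host can reach it over SMB and holds a credential that is admin on it.
    Credentials found on newly compromised hosts become available to all.
    Returns (compromised hosts, {host: host it was reached from})."""
    compromised = {start}
    creds = set(sessions.get(start, ()))
    reached_from = {}
    changed = True
    while changed:
        changed = False
        for host in list(compromised):
            for nxt in reach.get(host, ()):
                if nxt in compromised:
                    continue
                if creds & admins.get(nxt, set()):
                    compromised.add(nxt)
                    reached_from[nxt] = host
                    creds |= sessions.get(nxt, set())
                    changed = True
    return compromised, reached_from


def block_workstation_to_workstation(reach):
    """Segmentation control: drop SMB edges between hosts named WS-*."""
    return {
        h: {n for n in nbrs if not (h.startswith("WS-") and n.startswith("WS-"))}
        for h, nbrs in reach.items()
    }


def explain_path(host, reached_from):
    """Render the chain of hops from the initial host to `host`."""
    chain = [host]
    while chain[-1] in reached_from:
        chain.append(reached_from[chain[-1]])
    return " <- ".join(chain)


if __name__ == "__main__":
    before, via = blast_radius("WS-104", SMB_REACHABLE, SESSIONS, LOCAL_ADMINS)
    print("without segmentation:", sorted(before))
    for h in sorted(before - {"WS-104"}):
        print("  ", explain_path(h, via))
    after, _ = blast_radius("WS-104", block_workstation_to_workstation(SMB_REACHABLE),
                            SESSIONS, LOCAL_ADMINS)
    print("workstation-to-workstation SMB blocked:", sorted(after))
```

Run from WS-104, the unsegmented inventory lets the spread reach WS-105 through the reused "alice" account, pick up "svc_backup" there, and use it to take WS-106 and FS01; only the application server and domain controller are out of reach. With workstation-to-workstation SMB blocked, the initial host cannot reach anything it holds an admin credential for, so the radius collapses to the single host. The same function answers the "where are the gaps" question directly: rerun it from every host, or with each candidate control applied, and rank by the size of the reachable set.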


Source: www.csoonline.com · Published May 29, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.8.