Gentlemen ransomware: self-propagating Go-based RaaS with aggressive lateral movement
Storm-2697 operates Gentlemen, a RaaS platform combining per-file Curve25519/XChaCha20 encryption with multi-vector lateral movement, targeting education, healthcare, transportation, and finance sectors globally.
Attack Brief
Target: Windows environments across education, transportation, healthcare, and financial services
Vector: Ransomware-as-a-service (RaaS) platform with self-propagating lateral movement via simultaneous credential-based network compromise
Attribution: Storm-2697
Technical Details
MITRE ATT&CK: T1486 (Data Encrypted for Impact), T1570 (Lateral Tool Transfer), T1021 (Remote Services), T1140 (Deobfuscate/Decode Files or Information), T1562 (Impair Defenses)
Affected: Go-compiled Windows executable obfuscated with Garble; command-line configurable with the --password, --path, --T, --silent, --system, --shares, --full, --spread, --ultrafast, --superfast, --fast, --keep, and --wipe arguments
Impact
Sectors: education, transportation, healthcare, financial services
Confirmed Damage: Data encryption with double extortion (exfiltration plus encryption) for ransom pressure
Geography: North America, South America, Europe, Africa, Asia
Mitigation
Detection: Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps provide detections; hunting guidance is available via Microsoft Sentinel queries for lateral movement patterns and file encryption behaviors
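The brief gives two concrete hunting hooks: the encryptor's command-line switches listed under Technical Details, and the Sentinel-based hunting for encryption behavior mentioned here. The helper below is an added example from the editor, not code from the brief, from Microsoft, or from the operators; it scores process-creation records by how many of the documented switches appear as whole tokens, and escalates when a switch that by its name implies propagation or destruction (--spread, --shares, --system, --wipe) is present. The switch list is the one stated above; the two-switch threshold, the severity rule, the meaning attributed to those four switches, and the sample records are the editor's own assumptions.

```python
"""Hunting helper for the command-line switches attributed to the Gentlemen
encryptor. Added example: the switch list comes from the brief; the scoring
rules and the sample events are the editor's own constructions."""
import shlex
from dataclasses import dataclass

# Switches listed in the brief, lowercased for case-insensitive matching.
# Matching is done on whole tokens so that unrelated flags such as
# --fast-forward or --keep-going do not collide with --fast or --keep.
GENTLEMEN_SWITCHES = {
    "--password", "--path", "--t", "--silent", "--system", "--shares",
    "--full", "--spread", "--ultrafast", "--superfast", "--fast",
    "--keep", "--wipe",
}

# Assumption: these switches imply propagation or destruction (taken from
# their names; the brief does not document their semantics). Any one of
# them lifts a hit to high severity.
PROPAGATION_OR_DESTRUCTIVE = {"--spread", "--shares", "--system", "--wipe"}

# Assumption: require at least two distinct switches before reporting,
# because --silent or --path alone appear in plenty of benign installers.
MIN_DISTINCT = 2


@dataclass
class Finding:
    host: str
    user: str
    image: str
    matched: list
    severity: str


def extract_switches(command_line: str) -> list:
    """Return the distinct Gentlemen switches present as whole tokens."""
    # posix=False keeps Windows backslashes intact; quoted tokens come back
    # with their quotes, which are stripped before comparison.
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        tokens = command_line.split()
    seen = []
    for tok in tokens:
        tok = tok.strip('"').lower()
        if tok in GENTLEMEN_SWITCHES and tok not in seen:
            seen.append(tok)
    return seen


def hunt(events: list) -> list:
    """Score each process-creation record and return the reportable ones."""
    findings = []
    for ev in events:
        matched = extract_switches(ev["command_line"])
        if len(matched) < MIN_DISTINCT:
            continue
        severity = "high" if PROPAGATION_OR_DESTRUCTIVE & set(matched) else "medium"
        findings.append(Finding(ev["host"], ev["user"], ev["image"], matched, severity))
    return findings


# Constructed process-creation records for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc-backup", "image": r"C:\Users\Public\svc.exe",
     "command_line": r"svc.exe --password x --path C:\ --spread --shares --silent"},
    {"host": "WS17", "user": "CORP\\alice", "image": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy.exe C:\src D:\dst /MIR"},
    {"host": "WS22", "user": "CORP\\bob", "image": r"C:\Temp\setup.exe",
     "command_line": r'setup.exe --silent --path "C:\Program Files\App"'},
    {"host": "WS09", "user": "CORP\\carol", "image": r"C:\Tools\make.exe",
     "command_line": r"make.exe --keep-going --silent"},
    {"host": "DC01", "user": "CORP\\Administrator", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\tmp\g.exe" --T 32 --ultrafast --wipe'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host:5} {f.user:20} {f.image}  {' '.join(f.matched)}")
```

Run stand-alone, the script reports FS01 and DC01 as high and WS22 as medium; the robocopy run and the make invocation are not reported, the latter because --keep-going is not --keep and a single generic --silent stays below the threshold. The medium hit on WS22 is the expected false-positive shape for this rule, which is why it should be triaged on parent process, image path and signing status rather than acted on alone.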
Context
Previous Campaigns: Gentlemen emerged in mid-2025 as a closed group, transitioned to RaaS in September 2025, and established an official BreachForums partnership to recruit affiliates, including penetration testers and initial access brokers