Encryption mode command-line arguments | Image: Microsoft
Microsoft Threat Intelligence recently published its analysis of The Gentlemen, a ransomware operation it is tracking across multiple continents. The platform runs as ransomware-as-a-service (RaaS): financially motivated affiliates take the encryptor and deploy it against high-value corporate targets. The malware's own behaviour, described below, shows where defence has to concentrate. It disables endpoint protection and destroys recovery data on the host before it encrypts anything, so endpoint controls and centralised log forwarding matter far more than perimeter firewall changes.
Tracking the Storm-2697 Operators
Security analysts attribute the operation to a group Microsoft tracks as Storm-2697. The group first emerged around mid-2025 as a closed operation and opened up into a public ransomware-as-a-service ecosystem later that year. “More recently, The Gentlemen operators established an official partnership with BreachForums, a popular cybercriminal marketplace, to recruit affiliates including penetration testers and initial access brokers.” The partnership gives the group a recruiting channel, so the number of intrusions is bounded by how many affiliates it can sign up rather than by the core team's own capacity.
The affiliates use double extortion. The malware encrypts production systems to halt business operations, and confidential corporate files are also exfiltrated to cloud storage; the attackers then threaten to publish that data if the victim does not pay. Microsoft has so far observed this activity affecting the healthcare, transportation, and education sectors worldwide.
Analyzing Pre-Encryption Evasion and Controls
Disabling System Defenses
The payload starts by blinding the host's own defences. On execution it runs PowerShell commands that disable Microsoft Defender real-time monitoring, add its own binary to Defender's exclusion list, and then exclude the entire C:\ volume from scanning (Set-MpPreference and Add-MpPreference are the PowerShell interface for these settings). Every file operation that follows is therefore invisible to the scanner. Two points for defenders: Defender's Tamper Protection is designed to block changes to real-time protection made this way, so where it is enabled the commands fail; and whether they fail or not, those commands appearing in process-creation telemetry on a server are a high-confidence signal, because there is almost no legitimate reason to exclude C:\ wholesale.
Forensic Cleanups and Application Sabotage
To prevent restoration, the malware removes both the local recovery points and the local evidence. It deletes Volume Shadow Copies through the administrative command-line utilities, clears the Security and System event logs with wevtutil, and deletes the on-disk PowerShell command history in every user profile. This costs incident responders the easiest local timeline sources, which is the argument for forwarding event logs to a collector as they are written: the cleared local copy is gone, but the forwarded events survive, and the clearing itself leaves traces (the wevtutil command line in process telemetry, and Event ID 1102, which Windows writes into the freshly cleared Security log).
Next, the payload terminates a long list of services and applications: enterprise databases, virtualization components, email software, and, crucially, endpoint detection and response agents. “By forcibly terminating these processes, the ransomware ensures that locked files become accessible for encryption.” Releasing open handles is what lets the encryptor reach database and mailbox files that would otherwise fail to open, and stopping the EDR agent removes the one process that might still have interrupted the encryption phase.
Cryptographic Engineering and File Chunking
The encryptor uses a hybrid scheme: Curve25519 elliptic-curve key agreement protects the symmetric keys, and XChaCha20 does the bulk file encryption. This is a standard construction rather than a custom one. Its value to the attacker is that each file gets its own XChaCha20 key and nonce (XChaCha20's 192-bit nonce makes random per-file nonces safe from collision, so no key or nonce is reused across the system) and that the file keys can only be recovered with the operators' Curve25519 private key, so nothing left on the victim is sufficient to decrypt. When a file is done, the encryptor appends a marker to it and renames it with the .umc16h extension.
The encryptor also adapts to file size. Small files are encrypted in full. Encrypting a multi-gigabyte database completely would take too long and give defenders time to react, so for large files the malware encrypts three separate chunks spread across the file, enough to break the file's structure at a fraction of the I/O cost. Operators choose the speed trade-off at launch with command-line arguments such as --fast or --ultrafast (the encryption-mode arguments are shown in the image at the top of the page). The flip side for responders is that most of a large file's bytes are left intact: the file will not open, but the unencrypted regions can still be carved for content.
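To make the size-dependent strategy concrete, the following Python is an added example written for this article, not code from the ransomware or from Microsoft. It plans which byte ranges of a file an intermittent encryptor would overwrite (the whole file below a size threshold, three evenly spaced chunks above it, smaller chunks in the faster modes), applies the plan so the effect is visible, and lists the ranges left untouched, which is the part a responder cares about. The 1 MiB threshold, the chunk size per mode, the even spacing, and the keystream (SHAKE-256 output XORed in, standing in for XChaCha20 so the example runs on the standard library) are all assumptions for illustration; the page gives none of those numbers.

```python
"""Intermittent (chunked) encryption planner.

Added example, not code from the ransomware or from Microsoft. It models the
behaviour the article describes; every number below is an assumption.
"""
import hashlib

FULL_ENCRYPT_BELOW = 1024 * 1024   # assumed: files of 1 MiB or less are encrypted whole
CHUNK_COUNT = 3                    # from the article: three chunks per large file
CHUNK_BYTES = {                    # assumed chunk size per speed mode
    "normal": 1024 * 1024,
    "fast": 256 * 1024,
    "ultrafast": 64 * 1024,
}


def plan(size: int, mode: str = "normal") -> list[tuple[int, int]]:
    """Return the (offset, length) byte ranges the encryptor would overwrite."""
    if mode not in CHUNK_BYTES:
        raise ValueError(f"unknown mode {mode!r}")
    if size == 0:
        return []
    if size <= FULL_ENCRYPT_BELOW:
        return [(0, size)]
    chunk = min(CHUNK_BYTES[mode], size // CHUNK_COUNT)
    # Evenly spaced: first chunk at offset 0, last chunk ending at EOF.
    stride = (size - chunk) // (CHUNK_COUNT - 1)
    return [(i * stride, chunk) for i in range(CHUNK_COUNT)]


def untouched(size: int, ranges: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Gaps between encrypted ranges: bytes an analyst can still carve from the file."""
    gaps, cursor = [], 0
    for off, length in sorted(ranges):
        if off > cursor:
            gaps.append((cursor, off - cursor))
        cursor = max(cursor, off + length)
    if cursor < size:
        gaps.append((cursor, size - cursor))
    return gaps


def fraction_encrypted(size: int, ranges: list[tuple[int, int]]) -> float:
    """Share of the file's bytes that the plan actually touches."""
    return sum(length for _, length in ranges) / size if size else 0.0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for XChaCha20 so the example needs only the standard library.
    # Not the ransomware's cipher and not suitable for real use.
    return hashlib.shake_256(key + nonce).digest(length)


def apply_plan(data: bytes, key: bytes, nonce: bytes,
               ranges: list[tuple[int, int]]) -> bytes:
    """XOR each planned range with keystream. XOR is its own inverse, so calling
    this twice with the same key and nonce restores the original bytes."""
    out = bytearray(data)
    for off, length in ranges:
        # Mix the chunk offset into the nonce so no two chunks share keystream.
        ks = _keystream(key, nonce + off.to_bytes(8, "little"), length)
        mixed = int.from_bytes(out[off:off + length], "little") ^ int.from_bytes(ks, "little")
        out[off:off + length] = mixed.to_bytes(length, "little")
    return bytes(out)


if __name__ == "__main__":
    size = 100 * 1024 * 1024                     # a constructed 100 MiB file
    for mode in CHUNK_BYTES:
        p = plan(size, mode)
        print(f"{mode:>9}: {p}  encrypted={fraction_encrypted(size, p):.2%}")
        print(f"           untouched={untouched(size, p)}")
```

Run stand-alone it prints the three plans for a 100 MiB file: in "normal" mode only 3% of the bytes are overwritten, and the two untouched regions of roughly 48.5 MiB each are exactly what a carving pass can still recover. The chunk-offset mixing in `apply_plan` is the one detail worth copying from a real design: without it, two chunks encrypted under the same key and nonce would share keystream, and XORing them together would cancel it.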
Self-Propagation Architecture and Worm Capabilities
The Gentlemen ransomware threat becomes far more dangerous when operators pass the --spread parameter, which turns the binary from a static payload into a self-propagating worm. The infected machine is first prepared as a distribution point: the malware copies itself into a temporary folder and publishes that folder as a hidden network share, from which neighbouring machines can fetch the binary without needing credentials.
The worm then attempts 21 distinct remote execution methods against each discovered host, using PsExec, WMIC, and remote PowerShell among others. “Notes: notably, these techniques are executed without dependency on prior success, and each method is attempted regardless of whether earlier attempts fail.” The redundancy means that blocking any single method (disabling the admin shares PsExec relies on, say) does not stop propagation; WMI and PowerShell remoting need the same restrictions and monitoring. One successful execution on a neighbour gives the worm a new staging host, and the cycle repeats across the network.
Post-Encryption Cleaning Procedures
In the final phase, the ransomware erases what it can of its own traces. It creates a temporary file named wipefile.tmp and grows it with random data until the disk is full, overwriting unallocated space so that deleted files cannot be recovered with carving tools. It then spawns a batch file that deletes the main binary. These steps reduce the on-disk artifacts available to forensic examination, but they are not silent: a volume suddenly filling to capacity and a cmd.exe-spawned batch file deleting an executable are both visible in endpoint telemetry, and forwarded logs outlive the host's cleanup. Security teams should rely on endpoint controls and centralised logging rather than on the compromised host's own records.
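The behaviours described in the evasion, cleanup, process-termination, propagation, and post-encryption sections above all surface as command lines in process-creation telemetry, so they can be matched with a small rule set. The Python below is an added example written for this article, not Microsoft's detection logic or the ransomware's code. It matches each command line against rules for the described behaviours, groups hits per host, and flags a host only when several distinct behaviours co-occur, because each command on its own is something an administrator runs legitimately. The event layout (timestamp | host | user | parent | command line) and the sample events are constructed; the PSReadLine history path, the service-stop rule, the hypothetical share and binary names, and the MITRE ATT&CK technique tags are assumptions about how the described behaviour shows up, not details taken from the page. The wipefile.tmp creation and the disk-full condition are file and volume telemetry rather than command lines, so they are out of this example's scope.

```python
"""Process-creation command-line rules for the behaviours this article describes.

Added example written for this article, not code from Microsoft or from the
ransomware. The event layout and sample events are constructed; the PSReadLine
history path and the service-stop rule are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # MITRE ATT&CK technique id
    pattern: re.Pattern


RULES = [
    Rule("defender_realtime_disabled", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    Rule("defender_exclusion_added", "T1562.001",
         re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    Rule("shadow_copies_deleted", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("event_log_cleared", "T1070.001",
         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(Security|System|Application)\b", re.I)),
    Rule("powershell_history_deleted", "T1070.003",
         re.compile(r"ConsoleHost_history\.txt", re.I)),       # assumed: PSReadLine's history file
    Rule("service_stopped", "T1489",
         re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+|\bStop-Service\b|taskkill(\.exe)?\s+.*?/im\b", re.I)),
    Rule("hidden_share_created", "T1021.002",
         re.compile(r"\bnet(1)?(\.exe)?\s+share\s+\S+\$=", re.I)),   # share name ending in $ is hidden
    Rule("remote_exec_psexec", "T1569.002",
         re.compile(r"psexec(64)?(\.exe)?\s+\\\\", re.I)),
    Rule("remote_exec_wmic", "T1047",
         re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    Rule("remote_exec_powershell", "T1021.006",
         re.compile(r"Invoke-Command\b.*-ComputerName\b", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Names of every rule the command line matches, in RULES order."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def scan(events: list[str]) -> dict[str, list[str]]:
    """Map each host to the distinct behaviours seen on it, in first-seen order."""
    hits: dict[str, list[str]] = {}
    for line in events:
        fields = [f.strip() for f in line.split("|", 4)]
        if len(fields) != 5:
            continue                      # malformed line: skip rather than crash
        host, cmdline = fields[1], fields[4]
        for name in classify(cmdline):
            seen = hits.setdefault(host, [])
            if name not in seen:
                seen.append(name)
    return hits


def looks_like_chain(behaviours: list[str], minimum: int = 3) -> bool:
    """Any one of these commands is run legitimately by admins; several distinct
    ones on the same host in one batch of events is what separates an intrusion
    from noise."""
    return len(set(behaviours)) >= minimum


# Constructed sample events: timestamp | host | user | parent process | command line.
# Host, user, share and binary names are hypothetical.
SAMPLE_EVENTS = [
    "2025-11-03T08:12:01Z | WS-041 | corp\\jdoe | explorer.exe | outlook.exe /recycle",
    "2025-11-03T08:14:22Z | SRV-DB02 | corp\\svc_backup | svchost.exe | powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-11-03T08:14:23Z | SRV-DB02 | corp\\svc_backup | powershell.exe | powershell.exe Add-MpPreference -ExclusionPath C:\\",
    "2025-11-03T08:14:30Z | SRV-DB02 | corp\\svc_backup | cmd.exe | vssadmin.exe delete shadows /all /quiet",
    "2025-11-03T08:14:31Z | SRV-DB02 | corp\\svc_backup | cmd.exe | wevtutil cl Security",
    "2025-11-03T08:14:31Z | SRV-DB02 | corp\\svc_backup | cmd.exe | wevtutil cl System",
    "2025-11-03T08:14:35Z | SRV-DB02 | corp\\svc_backup | powershell.exe | powershell.exe Remove-Item C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt",
    "2025-11-03T08:14:38Z | SRV-DB02 | corp\\svc_backup | cmd.exe | net stop MSSQLSERVER /y",
    "2025-11-03T08:14:40Z | SRV-DB02 | corp\\svc_backup | cmd.exe | net share tmp$=C:\\Windows\\Temp /grant:everyone,READ",
    "2025-11-03T08:15:02Z | SRV-DB02 | corp\\svc_backup | cmd.exe | psexec.exe \\\\SRV-APP01 -s -d C:\\Windows\\Temp\\update.exe --spread",
    "2025-11-03T09:40:00Z | WS-077 | corp\\admin | cmd.exe | wevtutil cl Application",
]


if __name__ == "__main__":
    for host, behaviours in scan(SAMPLE_EVENTS).items():
        flag = "ALERT" if looks_like_chain(behaviours) else "info"
        print(f"{flag:5} {host}: {', '.join(behaviours)}")
```

On the sample batch SRV-DB02 trips eight rules and is flagged, while WS-077, where an administrator cleared a single log, stays at informational level. In production the same rules belong on forwarded telemetry, not on the host: the article's cleanup phase is specifically designed to remove the local copy.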