“The Gentlemen” DLS is Online
The Cybereason Threat Intelligence Team has published an in-depth analysis of a rapidly evolving ransomware group known as “The Gentlemen”, which surfaced in mid-2025 and has quickly become one of the most technically sophisticated threats seen this year.
According to the report, “The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid.”
Their leak site went live shortly after the group’s emergence, and by the fall of 2025 the operators had published 48 victims—an unusually aggressive pace for a newly formed ransomware organization.
Cybereason notes that the group did not start with its own codebase. Instead, The Gentlemen operators first experimented with affiliate models, joining existing ransomware ecosystems to learn distribution, negotiation, and operational tactics.
The report highlights: “Before creating their own Ransomware-as-a-Service (RaaS) platform, ‘The Gentlemen’ experimented with various affiliate models used by other prominent ransomware groups.”
One dark-web user, Hastalamuerte (LARVA-368), even sought access to the Qilin ransomware locker panel, suggesting that members were testing multiple RaaS platforms before creating their own. This experience appears to have informed the creation of a much more advanced and operator-friendly system.
Cybereason’s analysis shows significant development velocity. The newest update introduces enhanced automation, stealth, and performance improvements across Windows, Linux, and ESXi variants.
Key enhancements include:
Persistence & Automation
- Automatic restart on boot, leveraging schtasks and registry entries.
- Silent execution mode for stealth operations.
- Linux autostart entries and optional privilege escalation to root.
Encryption Enhancements
- Encrypts both removable and mapped drives, while preserving original file modification dates.
- Speed increase of 9–15%.
- Flexible encryption ranges (1% to 9% of file content) for rapid attacks and low-profile intrusions.
Propagation
- Improved propagation techniques using WMI, SCHTASKS, SC, and PowerShell Remoting.
- Dual-mode operation capable of encrypting both local disks and network shares.
ESXi Capabilities
The ESXi locker is especially dangerous, featuring:
- Optimized concurrent encryption across clustered hosts
- Support for vSAN storage
- Stealthy, asynchronous locking routines
“The Gentlemen” has quickly become a standout presence on cybercrime forums, advertising a professionally built RaaS platform with features typically seen in top-tier ransomware families such as LockBit or BlackCat.
According to Cybereason: “The Gentlemen ransomware combines advanced encryption techniques with dynamic propagation options… continuously updated to adapt to new defense strategies.”
Its most notable attributes include:
- Reliable Encryption: uses XChaCha20 and Curve25519, aligning with modern cryptographic best practices.
- Configurable Modes: affiliates can fine-tune encryption depth, speed, and target directories.
- Dual-Extortion: sensitive data is exfiltrated before encryption to maximize ransom pressure.
- Network Propagation: aggressive lateral movement using WMI, PowerShell remoting, UNC paths, and mapped drives.
- Strong Affiliate Support: including negotiation assistance, customizable builds, and access to specialized tools like EDR-killers (reserved for trusted affiliates).
- Geo-restrictions: the ransomware is prohibited from operating in Russia and CIS countries, a common pattern among Eastern-European ransomware gangs.
Cybereason analyzed a Windows variant compiled in Go, which displays a long list of configurable command-line arguments and operational flags.
The malware includes a built-in help message and requires a “–password” argument to initiate encryption. This password is likely supplied by a loader or dropper during infection.
The ransomware executes several PowerShell commands for lateral movement, evasion, and anti-forensics.
One key command disables Defender real-time monitoring (`Set-MpPreference -DisableRealtimeMonitoring $true`) and adds exclusions to avoid detection.
Other hostile actions include:
- Enabling firewall rules for Network Discovery, making it easier to identify accessible hosts
- Deleting RDP logs, Defender logs, Prefetch files, and other forensic artifacts
- Using WMI process creation for remote execution on other machines
- Enumerating all accessible volumes and cluster shared volumes
- Granting Everyone (S-1-1-0) full control permissions via ICACLS
These actions are typical of advanced ransomware with an emphasis on stealth, persistence, and mass encryption capability.
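As an added illustration of how a defender could hunt for the command-line behaviours listed above (this is not code from the Cybereason report), the following Python matches constructed process-creation log lines against simple rules. The `Set-MpPreference` and ICACLS / S-1-1-0 forms come from the text; the exclusion, schtasks, WMI and firewall patterns are assumptions about how those actions would appear on a command line.

```python
import re
from typing import Dict, List

# Assumed command-line patterns for the behaviours the report describes. The
# Set-MpPreference and ICACLS/S-1-1-0 forms follow the text; the exclusion,
# schtasks, WMI and firewall forms are assumptions about how those actions
# show up in process-creation logs (e.g. Sysmon event 1 or Security 4688).
RULES: Dict[str, re.Pattern] = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "defender_exclusion_added": re.compile(
        r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "icacls_everyone_full_control": re.compile(
        r"\bicacls(\.exe)?\b.*/grant\b.*(Everyone|\*S-1-1-0):\(?F\)?", re.I),
    "schtasks_run_on_boot": re.compile(
        r"\bschtasks(\.exe)?\b.*/create\b.*/sc\s+onstart\b", re.I),
    "wmi_remote_process_create": re.compile(
        r"Win32_Process\b.*\bCreate\b", re.I),
    "firewall_network_discovery": re.compile(
        r"\bnetsh(\.exe)?\b.*advfirewall\b.*Network Discovery.*enable=yes", re.I),
}

def scan_command_line(cmd: str) -> List[str]:
    """Return the names of all rules matching a single process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> triggered rules, keeping only lines that hit a rule."""
    return {i: m for i, line in enumerate(lines) if (m := scan_command_line(line))}

# Constructed sample of process command lines; not taken from any real incident.
SAMPLE_LOG = [
    'powershell.exe -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\"',
    'icacls.exe C:\\ /grant *S-1-1-0:(F) /T /C /Q',
    'schtasks.exe /create /tn Updater /sc onstart /tr C:\\Users\\Public\\u.exe',
    'powershell.exe -c "Invoke-WmiMethod -ComputerName srv02 -Class Win32_Process -Name Create -ArgumentList cmd.exe"',
    'netsh.exe advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    'notepad.exe C:\\Users\\alice\\notes.txt',
]

if __name__ == "__main__":
    for idx, rules in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(rules)}")
```

Any one of these rules alone is noisy in an admin-heavy environment; the combination of several within a short window on one host is the signal worth alerting on.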
Before encryption, “The Gentlemen” terminates critical processes that may lock files or enable recovery. The kill list includes:
- SQL Server, PostgreSQL, MySQL
- Veeam, GxVss, vsnapvss
- TeamViewer
- Exchange services
- vmms, VMware processes
This ensures smoother encryption and cripples backup and recovery infrastructure.