Analyzing “The Gentlemen”: Ransomware and its SYSTEM-Level Escalation Tactics
Security researchers have identified a sophisticated new ransomware strain dubbed “The Gentlemen,” which is causing significant alarm due to its highly efficient blend of high-privilege execution and aggressive lateral movement. Unlike many commodity ransomware variants, this threat is designed to maximize impact by operating at the highest possible level of the Windows operating system.
The hallmark of this malware is its ability to leverage SYSTEM-level scheduled tasks to perform encryption. By escalating its privileges, the ransomware can bypass standard user-level file restrictions, ensuring it can lock down critical system files and application data that would otherwise be protected from a standard user process.
The execution of The Gentlemen is highly modular, controlled via specific command-line arguments. A particularly destructive mode is the --full flag, which triggers a multi-threaded attack vector. This mode spawns two simultaneous processes: one utilizing the --system flag to target local drives with elevated permissions, and another using the --shares flag to aggressively encrypt accessible network shares.

To ensure a clean and uninterrupted execution, the malware performs a series of “environmental grooming” steps. Before the first file is even encrypted, it disables Microsoft Defender, purges Volume Shadow Copies to prevent easy recovery, wipes event logs, and clears forensic artifacts like PowerShell history. To prevent conflicts during the escalation process, the malware first identifies and deletes any existing scheduled task named “gentlemen_system” before immediately deploying a new, high-privilege version of itself.
Tracked by Microsoft as Storm-2697, this Ransomware-as-a-Service (RaaS) operation has seen rapid evolution since mid-2025, transitioning from niche use to widespread, industry-agnostic deployment.
Cryptographic Architecture
The Gentlemen employs a modern, high-performance hybrid cryptographic scheme. It utilizes Curve25519 (Elliptic-Curve Cryptography) to manage key exchanges, paired with the XChaCha20 stream cipher for file encryption. This combination provides both mathematical rigor and high-speed processing.
To prevent a single key compromise from exposing the entire dataset, the malware generates a unique, ephemeral key for every single file. To balance speed against destruction, the ransomware uses a tiered approach: small files undergo full encryption, while larger files are encrypted in strategic chunks. The speed of this process can be tuned using the --fast, --superfast, or --ultrafast arguments, which dictate the density of the encryption chunks.
Aggressive Lateral Movement and Propagation
What truly differentiates The Gentlemen from its peers is its “spread” capability. When the --spread argument is invoked, the malware transforms from a localized encryptor into a network-wide infection engine. It utilizes a redundant array of propagation techniques, including:
- PsExec for remote process execution.
- WMI (Windows Management Instrumentation) for remote management exploitation.
- Scheduled Tasks and Services for persistence and remote triggering.
- PowerShell Remoting for script-based lateral movement.

The malware even prepares infected hosts to act as distribution hubs by creating hidden SMB shares and enabling anonymous access. By attempting up to 21 different execution methods per target, the malware ensures that even if a single security control (like a blocked WMI call) is in place, the infection can pivot to an alternative method.
This is compounded by double extortion tactics. Beyond simple encryption, the attackers exfiltrate sensitive data prior to the payload execution, threatening public leaks. This puts immense pressure on high-stakes sectors such as healthcare, finance, and education.

To further complicate incident response, the malware maintains persistence via registry run keys and may attempt to wipe free disk space, effectively destroying any possibility of recovering “deleted” data through traditional forensic carving.
Technical Summary & Defense Focus
The combination of SYSTEM-level privilege escalation, high-speed XChaCha20 encryption, and multi-vector propagation makes The Gentlemen a formidable threat. Organizations should prioritize monitoring for:
- Unusual creation of scheduled tasks by non-admin users.
- Sudden spikes in WMI or PsExec activity across the internal network.
- Massive deletions of Volume Shadow Copies.
- Unusual outbound traffic indicative of large-scale data exfiltration.
Indicators of Compromise (IoCs)
| Indicator | Type | Description |
|---|---|---|
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 |
SHA-256 | Gentlemen ransomware encryptor binary |
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b |
SHA-256 | Associated PsExec binary |
fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 |
SHA-256 | Gentlemen wallpaper Bitmap file |