Analyzing “The Gentlemen”: Ransomware and its SYSTEM-Level Escalation Tactics

Security researchers have identified a sophisticated new ransomware strain dubbed “The Gentlemen,” which is causing significant alarm due to its highly efficient blend of high-privilege execution and aggressive lateral movement. Unlike many commodity ransomware variants, this threat is designed to maximize impact by operating at the highest possible level of the Windows operating system.

The hallmark of this malware is its ability to leverage SYSTEM-level scheduled tasks to perform encryption. By escalating its privileges, the ransomware can bypass standard user-level file restrictions, ensuring it can lock down critical system files and application data that would otherwise be protected from a standard user process.

The execution of The Gentlemen is highly modular, controlled via specific command-line arguments. A particularly destructive mode is the --full flag, which triggers a multi-threaded attack vector. This mode spawns two simultaneous processes: one utilizing the --system flag to target local drives with elevated permissions, and another using the --shares flag to aggressively encrypt accessible network shares.

Encryption mode command-line arguments
Encryption mode command-line arguments (Source: Microsoft Security)

To ensure a clean and uninterrupted execution, the malware performs a series of “environmental grooming” steps. Before the first file is even encrypted, it disables Microsoft Defender, purges Volume Shadow Copies to prevent easy recovery, wipes event logs, and clears forensic artifacts like PowerShell history. To prevent conflicts during the escalation process, the malware first identifies and deletes any existing scheduled task named “gentlemen_system” before immediately deploying a new, high-privilege version of itself.

Tracked by Microsoft as Storm-2697, this Ransomware-as-a-Service (RaaS) operation has seen rapid evolution since mid-2025, transitioning from niche use to widespread, industry-agnostic deployment.

Cryptographic Architecture

The Gentlemen employs a modern, high-performance hybrid cryptographic scheme. It utilizes Curve25519 (Elliptic-Curve Cryptography) to manage key exchanges, paired with the XChaCha20 stream cipher for file encryption. This combination provides both mathematical rigor and high-speed processing.

To prevent a single key compromise from exposing the entire dataset, the malware generates a unique, ephemeral key for every single file. To balance speed against destruction, the ransomware uses a tiered approach: small files undergo full encryption, while larger files are encrypted in strategic chunks. The speed of this process can be tuned using the --fast, --superfast, or --ultrafast arguments, which dictate the density of the encryption chunks.

Aggressive Lateral Movement and Propagation

What truly differentiates The Gentlemen from its peers is its “spread” capability. When the --spread argument is invoked, the malware transforms from a localized encryptor into a network-wide infection engine. It utilizes a redundant array of propagation techniques, including:

  • PsExec for remote process execution.
  • WMI (Windows Management Instrumentation) for remote management exploitation.
  • Scheduled Tasks and Services for persistence and remote triggering.
  • PowerShell Remoting for script-based lateral movement.
The Gentlemen ransomware’s usage prompt
The Gentlemen ransomware’s usage prompt (Source: Microsoft Security)

The malware even prepares infected hosts to act as distribution hubs by creating hidden SMB shares and enabling anonymous access. By attempting up to 21 different execution methods per target, the malware ensures that even if a single security control (like a blocked WMI call) is in place, the infection can pivot to an alternative method.

This is compounded by double extortion tactics. Beyond simple encryption, the attackers exfiltrate sensitive data prior to the payload execution, threatening public leaks. This puts immense pressure on high-stakes sectors such as healthcare, finance, and education.

The Gentlemen ransomware’s file encryption mechanism
The Gentlemen ransomware’s file encryption mechanism (Source: Microsoft Security)

To further complicate incident response, the malware maintains persistence via registry run keys and may attempt to wipe free disk space, effectively destroying any possibility of recovering “deleted” data through traditional forensic carving.

Technical Summary & Defense Focus

The combination of SYSTEM-level privilege escalation, high-speed XChaCha20 encryption, and multi-vector propagation makes The Gentlemen a formidable threat. Organizations should prioritize monitoring for:

  • Unusual creation of scheduled tasks by non-admin users.
  • Sudden spikes in WMI or PsExec activity across the internal network.
  • Massive deletions of Volume Shadow Copies.
  • Unusual outbound traffic indicative of large-scale data exfiltration.

Indicators of Compromise (IoCs)

Indicator Type Description
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 SHA-256 Gentlemen ransomware encryptor binary
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b SHA-256 Associated PsExec binary
fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 SHA-256 Gentlemen wallpaper Bitmap file

 

Related Articles

Back to top button