The Rise of ‘Gentlemen’: A Multi-Platform RaaS Threat Targeting Enterprise Infrastructure

The ransomware landscape is witnessing the rapid ascent of a sophisticated Ransomware-as-a-Service (RaaS) operation known as Gentlemen. Unlike many opportunistic actors, Gentlemen is specifically architected to strike the backbone of modern enterprise environments, boasting a versatile toolkit capable of compromising Windows, Linux, NAS, BSD, and even VMware ESXi hypervisors. By utilizing a specialized locker written in C for virtualized environments, this group has positioned itself as a high-impact threat to global corporate networks.

Emerging in mid-2025, the Gentlemen RaaS quickly scaled its operations by cultivating a robust affiliate ecosystem. Through underground forums, the operators market their high-tier tooling to “penetration testers” and advanced persistent threat (APT) actors, providing them with the technical means to execute complex, multi-stage attacks.

The group’s technical arsenal is impressively diverse. While the primary lockers for Windows, Linux, NAS, and BSD are implemented in the Go programming language, they have developed a dedicated C-based locker for ESXi. This ensures that whether a target relies on standard workstations or high-density server clusters, Gentlemen has a native payload ready for deployment. To maximize leverage, the group employs a double extortion model, utilizing a dedicated Tor-hosted leak site to publish sensitive data if victims decline ransom negotiations.

The Gentlemen post on underground forums (Source : Check Point).
The Gentlemen post on underground forums (Source: Check Point).

Recent telemetry paints a grim picture of their reach. Data suggests over 320 victims have already been targeted, with a massive surge in activity observed in early 2026. Notably, incident response data from Check Point links Gentlemen affiliates to a SystemBC-powered botnet comprising more than 1,570 compromised hosts. These hosts are predominantly high-value corporate and organizational systems, rather than residential targets.

Anatomy of an Enterprise Intrusion

In a typical intrusion scenario, Gentlemen affiliates demonstrate a methodical approach to network conquest. After achieving Domain Admin privileges, attackers execute a lateral movement phase designed to map and dominate the environment. Common tactics include:

  • Deployment of Cobalt Strike: Beacons are frequently pushed via ADMIN$ shares to establish command-and-control (C2).
  • Environment Reconnaissance: Execution of standard discovery commands like whoami and systeminfo, alongside the exfiltration of internal documentation to identify critical assets.
  • Persistence through SOCKS5: Attempts have been made to deploy SystemBC (disguised as socks.exe) to establish covert tunnels for further payload staging, though this is often flagged by robust EDR solutions.
Top 15 Infected countries (Source : Check Point).
Top 15 Infected countries (Source: Check Point).

To maintain administrative control, attackers leverage legitimate remote management tools, such as installing AnyDesk with hard-coded credentials and enabling Remote Desktop (RDP). They also utilize Mimikatz to scrape credentials directly from memory. Once the stage is set, the Gentlemen payload is distributed across the domain using PowerShell, scheduled tasks, or Group Policy (GPO), facilitating near-simultaneous encryption.

The ransomware is highly configurable via command-line arguments, allowing attackers to fine-tune their destruction:

  • --system: Targets local drives.
  • --shares: Targets network-attached storage and paths.
  • --spread: Automates lateral movement using stolen domain credentials.
  • --gpo: Weaponizes Group Policy for massive, domain-wide deployment.
A high-level timeline of the attack (Source : Check Point).
A high-level timeline of the attack (Source: Check Point).

Defense Evasion and Encryption Logic

To bypass modern security stacks, the malware issues automated PowerShell commands to disable Microsoft Defender real-time protection and adds its own processes—and the entire C: drive—to the exclusion list. It then systematically terminates processes related to backups, databases, virtualization, and security software. This “scorched earth” approach ensures that data is both encrypted and unrecoverable via standard local tools.

The encryption engine utilizes X25519 key exchange paired with XChaCha20. To maximize speed, it offers “fast,” “superfast,” and “ultrafast” modes. These modes employ partial encryption, modifying only small percentages (1% to 9%) of large files to render them completely unusable while minimizing the time required to complete the operation.

The ESXi Focus: A Dedicated Hypervisor Killer

Recognizing the value of virtualized infrastructure, Gentlemen has developed a specialized ESXi locker compiled as an ELF binary in C. This variant is purpose-built to target VMware hypervisors, specifically focusing on directories like vmfs, datastore, and mnt/storage.

Argument – Hardcoded Password comparison (Source : Check Point).
Argument – Hardcoded Password comparison (Source: Check Point).

The ESXi variant is strictly controlled. It requires a --password flag that must match a hard-coded value within the binary to proceed. Before the encryption phase begins, the malware performs a highly disruptive sequence: it enumerates all virtual machines (VMs), attempts a graceful shutdown, and then force-kills any remaining VM processes to unlock the virtual disk files for encryption.

For persistence, the locker copies itself to bin/vmware-authd, creates boot-time scripts in /etc/rc.local.d, and inserts cron entries to ensure it survives reboots. Crucially, the malware tunes VMFS write buffers to accelerate the encryption process. It intelligently avoids core ESXi system files to ensure the hypervisor remains functional enough to display the ransom note.

Defensive Recommendations

The success of the Gentlemen RaaS lies in its repeatable, professionalized playbook. To mitigate the risk, organizations should implement the following security controls:

  • Harden Domain Controllers: Implement strict Tiered Administration models to prevent Domain Admin compromise.
  • Monitor for Lateral Movement: Establish alerts for unauthorized use of Cobalt Strike, AnyDesk, or suspicious GPO modifications.
  • Network Segmentation: Enforce rigorous isolation between management networks, user environments, and hypervisor management interfaces.
  • Endpoint Protection: Ensure EDR/XDR solutions are configured to prevent unauthorized PowerShell execution and the modification of Defender exclusion lists.

Related Articles

Back to top button