Skip to content

Gentlemen Ransomware Tests Identity and Recovery Controls

To the point: Gentlemen leverages compromised identities and trusted admin tools after initial access rather than exploits — therefore controls over privileges and network segmentation must be tested, not merely deployed.

Gentlemen ransomware exposes a central challenge for many CISOs: stopping attackers after initial compromise. The malware uses legitimate Windows administrative tools to spread across networks and simultaneously attempts to weaken security and recovery systems.

A Picus Security report documents how the malware, written in Go and obfuscated with Garble, propagates itself, abuses trusted administrative tools, and attempts to weaken recovery systems before encryption begins. The group initially emerged in mid-2025 as a closed operation, offered its platform to affiliates from September 2025 onwards, and has already targeted organizations in education, transport, healthcare, and financial services across multiple continents.

The self-propagation capability represents the most critical feature: the malware can enumerate reachable systems, deliver its binary via SMB shares, and attempt up to 21 different remote execution methods against each target — including PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and WMI process creation. This redundancy increases the probability of successful network propagation. Before encryption, Gentlemen disables Microsoft Defender, deletes shadow copies, removes forensic artifacts, and stops services from databases, backup tools, endpoint protection, and virtualization platforms — a tactic that significantly complicates recovery.

The key distinction from focusing on malware sophistication lies, according to analysis by Sakshi Grover (IDC Asia/Pacific), in the fact that attackers after initial compromise primarily exploit compromised identities and excessive privileges. This means for CISOs: ransomware defense cannot be measured solely by blocking the initial compromise. Organizations must limit how far attackers can spread across the network.

Grover recommends beginning with stronger controls over privileged accounts — including phishing-resistant MFA and more restrictive access policies for critical systems. Identity governance and network segmentation should then reduce the number of possible attack paths. Critically: these controls must be validated through adversary emulation and attack path testing, not merely exist in documentation.

The encryption procedure uses a hybrid approach with Curve25519 and XChaCha20 with unique keys per file. In the Picus sample, files were assigned the .umc16h extension; other researchers observed different extensions in separate campaigns. The group also employs double-extortion tactics and threatens data leaks if ransom is not paid.


Source: www.csoonline.com · Published 7 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: