Skip to content
Chimera readability score 78 out of 100, Expert reading level.

The ransomware’s use of trusted administrative tools and recovery-disruption tactics shows why containment, not just endpoint detection, is becoming central to enterprise defense.
The Gentlemen ransomware underscores a challenge many CISOs face: stopping attackers after they gain an initial foothold. Researchers say the malware can spread across enterprise networks using legitimate Windows management tools while simultaneously attempting to weaken security and recovery systems.
A report from Picus Security shows the malware combines self-propagation with the abuse of trusted administrative tools and attempts to impair recovery systems before encryption begins. The report follows a technical analysis of the encryptor published by Microsoft Threat Intelligence in late May.
The Gentlemen is a ransomware-as-a-service operation written in Go and obfuscated with Garble. The group first emerged around mid-2025 as a closed operation and began offering its platform to affiliates in September 2025.
The Picus report focuses on a Windows-targeting encryptor, but other researchers have reported broader Gentlemen tooling aimed at Linux and VMware ESXi environments. The group has been observed in attacks on organizations in sectors including education, transportation, healthcare, and financial services across North America, South America, Europe, Africa, and Asia.
Its self-propagation capability is the most significant feature for enterprise defenders. When enabled, the malware can enumerate reachable systems, stage its binary through an SMB share, and attempt up to 21 remote execution operations against each target.
Those methods include PsExec, WMIC, scheduled tasks, Windows services, PowerShell remoting, and WMI process creation. The redundancy is intended to improve the chances that at least one method will succeed, allowing the malware to continue spreading through the network.
Before encryption, The Gentlemen attempts to weaken the victim environment by disabling Microsoft Defender, deleting shadow copies, and removing forensic artifacts. It also stops services linked to databases, backup tools, endpoint protection, and virtualization platforms, a tactic that can make recovery harder once encryption begins.
The encryptor uses a hybrid Curve25519 and XChaCha20 encryption scheme with unique keys for each file, Picus said. In the sample cited by Picus, encrypted files were appended with the .umc16h extension, though other researchers have observed different extensions in separate Gentlemen campaigns. The group also uses double extortion tactics, threatening to leak stolen data if victims do not pay.
Lateral movement and identity risks
Once attackers gain an initial foothold, compromised identities and excessive privileges often matter more than the malware itself, said Sakshi Grover, senior research manager for Cybersecurity Services Research at IDC Asia/Pacific.
“The Gentlemen reinforces a trend IDC has been observing across modern ransomware operations: attackers are increasingly exploiting trusted administrative tools, compromised identities, and excessive privileges rather than relying solely on sophisticated malware or zero-day exploits,” Grover said.
For CISOs, that means ransomware defense cannot be judged only by whether the initial compromise is blocked. Organizations also need to limit how far an attacker can move once inside the network.
Grover said security leaders should start with stronger controls around privileged accounts, including phishing-resistant MFA and tighter limits on who can access critical systems. Identity governance and network segmentation should then be used to reduce the number of paths an attacker can take once inside the environment.
Those controls should be tested through adversary emulation and attack path testing, rather than assumed to be effective because they exist on paper.
Backups and endpoint tools
The Gentlemen’s attempt to impair security and recovery tools highlights a common weakness in enterprise ransomware planning, according to analysts.
“Many organizations continue to equate deploying backup platforms or endpoint detection solutions with being ransomware resilient,” Grover said. “However, sophisticated ransomware increasingly targets these very capabilities before encryption begins.”
Grover added that CISOs should test whether recovery systems remain usable during an active compromise, including backups that are meant to be immutable and endpoint tools protected against tampering. Those exercises should also account for the possibility that Active Directory or key security management consoles may be unavailable.
The most dangerous assumption is that having backups is the same as being able to recover from ransomware, according to Devashri Datta, a cybersecurity researcher.
“If your backups live on the same flat network or depend on the same compromised Active Directory credentials, they are not a recovery asset; they are part of the attack surface,” she said.
Datta also pointed to over-reliance on endpoint detection and response tools. ESET researchers have linked The Gentlemen to a mature EDR-killer toolset, including variants that abuse vulnerable drivers to disrupt security software.
An operational resilience problem
The group’s model reflects the continued industrialization of ransomware-as-a-service, a framework that Datta said lowers the technical barrier for affiliates by pairing encryption with standardized evasion and propagation layers.
For CISOs, the question is not whether backup and endpoint tools are in place, but whether they still work after attackers have gained administrative access. Datta said organizations need to assess exposure across identity infrastructure, Active Directory, cloud services, and backup environments.
The priority, she said, is to reduce the paths available to attackers and prove, through regular resilience exercises, that the organization can contain an intrusion before it becomes a wider outage.

Sentinel — Human

Confidence

This text reads like a synthesis of research findings, skillfully weaving specific technical details with high-level strategic advice regarding enterprise resilience.

Signals Detected
low severity: Moderate sentence length variance; use of nuanced technical phrasing interspersed with direct statements.
low severity: Strong, focused argument supported by named sources and clear thematic progression (malware mechanics -> identity risks -> recovery failures).
low severity: Integration of multiple quoted expert views (Grover, Datta) that build upon each other logically rather than presenting separate talking points.
low severity: Specific technical details (encryption schemes, tool names like PsExec, mentions of Picus/Microsoft reports) appear grounded, suggesting research compilation rather than pure fabrication.
Human Indicators
Effective use of specific expert testimony to drive abstract points; the transition from technical description to strategic implication is nuanced.
The argument pivots effectively based on stated concerns (e.g., backups as an attack surface) rather than just listing facts.