
These ‘Gentlemen’ Aren’t Gentle: Rapidly Evolving Ransomware Threat

“The Gentlemen” ransomware gang is rapidly becoming one of 2025’s most dangerous threats.

Written By
Ken Underhill
Nov 21, 2025

A fast-moving ransomware group known as “The Gentlemen” has emerged as one of 2025’s most aggressive cybercrime operations, rapidly scaling its attacks across Windows, Linux, and ESXi environments. 

First observed in July 2025, the group has already listed 48 victims on its leak site and continues to release new, highly capable ransomware variants. 

Cybereason researchers said the group “… blends mature ransomware techniques with RaaS features, dual-extortion, cross-platform (Windows/Linux/ESXi) lockers, automated persistence, flexible propagation, and affiliate support, allowing it to scale attacks and evade basic defenses quickly.”

“The Gentlemen ransomware group relies on tried-and-true tactics borrowed from other successful RaaS operations. Organizations can stay ahead by validating their defenses against these established methods before attackers utilize them,” said Hüseyin Can Yüceel, Security Research Lead at Picus Security.

The Gentlemen’s Rapid Rise

Cybereason’s analysis shows that The Gentlemen did not rush into building a ransomware empire — they studied the market first. 

Early underground forum posts reveal operators experimenting with multiple affiliate ecosystems, including attempts to gain access to Qilin’s ransomware locker panel, before eventually developing a tailored Ransomware-as-a-Service (RaaS) platform of their own. 

This period of reconnaissance allowed the group to borrow proven techniques from established operations while refining them into a more adaptable, efficient, and scalable model. That foundation now fuels one of the fastest-evolving ransomware families observed in 2025.

Their latest updates reflect a rapid and deliberate push toward automation, persistence, and cross-platform reach. 

The ransomware now includes automatic self-restart and run-on-boot mechanisms, ensuring continued access even after system reboots. 

Propagation capabilities have expanded through WMI, PowerShell remoting, SCHTASKS, and Windows Service Control, allowing the malware to spread quickly and quietly across enterprise networks. 

Encryption performance has improved as well, with a 9–15% speed increase across variants — an upgrade that shrinks defenders’ reaction window. 

The group also introduced dual execution modes that support both local and network-wide encryption from a single session, further complicating containment efforts.

The Gentlemen have also broadened their operating system coverage, adding enhanced support for Linux and ESXi environments. 

These variants include privilege escalation features, cluster-aware operations, and the ability to encrypt vSAN storage or multiple hypervisors simultaneously — capabilities that directly target the core infrastructure many enterprises rely on. 

Silent-execution modes and timestamp preservation add an additional stealth layer, making detection and forensic reconstruction more difficult.

Collectively, these capabilities enable The Gentlemen to encrypt local disks, removable media, mapped network drives, virtualized workloads, and clustered hypervisors with equal efficiency. 

Their technical maturity, combined with aggressive dual-extortion tactics, makes them a highly effective and increasingly dangerous ransomware operation.

How The Gentlemen Ransomware Evades Defenses

Cybereason’s technical analysis shows that The Gentlemen ransomware family is built on a highly sophisticated cryptographic and operational foundation. 

The group uses modern, resilient encryption schemes such as XChaCha20 and Curve25519.

Their Windows variant offers an unusually rich set of command-line flags enabling fine-tuned control over each deployment. 

Operators can choose system-level encryption (--system), network-share targeting (--shares), stealth operations via silent mode (--silent), or full dual-phase execution (--full). 

They also have access to adjustable encryption speeds ranging from 1% to 9% (--fast, --superfast, --ultrafast), allowing them to balance stealth against impact depending on the victim’s defenses.

Reverse engineering by Cybereason uncovered embedded ransom notes and distinctive internal markers — strings previously discussed on dark-web forums as components of anti-ransomware bypass strategies. 

These artifacts suggest that the developers intentionally integrated techniques known to evade modern defensive tooling. 

During active intrusions, The Gentlemen rely heavily on PowerShell, executing commands that disable Microsoft Defender, add global exclusions, expand firewall discovery rules, enumerate volumes across local and clustered environments, and modify file permissions using icacls to guarantee full access before encryption begins. 

The ransomware also performs extensive anti-forensics, wiping Prefetch data, RDP logs, Defender support files, and other artifacts to obstruct post-incident investigations.

To maximize impact, the group maintains an internal “kill list” targeting critical processes such as database engines, virtualization components, backup services, and remote-access tools — ensuring no files remain locked or protected during encryption. 

Their Linux and ESXi lockers extend the threat even further, adding system-level autostart persistence, configurable user-to-root privilege escalation, concurrent encryption across ESXi clusters (including vSAN), and aggressive disk-space wiping after encryption to complicate recovery efforts.

Essential Defenses for Fast-Moving Ransomware Threats

As The Gentlemen ransomware group continues to evolve with advanced propagation, persistence, and encryption capabilities, organizations need proactive defenses that can detect and contain attacks before data is locked or exfiltrated.

  • Monitor for pre-ransomware behaviors such as suspicious PowerShell execution, unauthorized admin tooling, or WMI-driven lateral movement.
  • Enforce MFA, strong credential hygiene, and strict application allow-listing to prevent unauthorized binaries or privilege abuse.
  • Maintain offline, immutable backups and regularly test restoration procedures to ensure rapid recovery after an attack.
  • Patch Windows, Linux, and ESXi systems to close privilege escalation and remote-execution vulnerabilities.
  • Segment networks to isolate high-value systems, hypervisors, and backups from user environments.
  • Deploy endpoint protection with behavioral ransomware detection to block unauthorized encryption or mass file modification.
  • Automate incident response to detect and contain suspicious activity as soon as it appears.
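As an added example (not from the article or from Cybereason's report), the following Python scans constructed process-creation records for the pre-ransomware behaviors the article describes (Defender tampering and exclusions, firewall rule changes, icacls permission grants, Prefetch and RDP log wiping, SCHTASKS/service persistence, WMI and PowerShell-remoting propagation) and escalates hosts that show several of them at once. The log format, field names, sample lines and regex patterns are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Behaviours the article attributes to the hands-on stage of a Gentlemen intrusion, each
# mapped to an illustrative regex over the process command line. These patterns are
# examples for this page, not a complete or vendor-validated ruleset.
RULES = {
    "defender_disable":   re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion\w*", re.I),
    "firewall_rule":      re.compile(r"netsh\s+advfirewall\s+firewall\s+add|New-NetFirewallRule", re.I),
    "icacls_grant":       re.compile(r"\bicacls\b.*/grant", re.I),
    "prefetch_wipe":      re.compile(r"\b(del|Remove-Item)\b.*\\Prefetch\\", re.I),
    "rdp_log_wipe":       re.compile(r"wevtutil\s+cl\s+\S*TerminalServices", re.I),
    "schtasks_create":    re.compile(r"\bschtasks\b.*/create", re.I),
    "service_create":     re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    "wmi_remote_exec":    re.compile(r"\bwmic\b.*/node:|Invoke-(Wmi|Cim)Method", re.I),
    "ps_remoting":        re.compile(r"Invoke-Command\b.*-ComputerName|Enter-PSSession", re.I),
}

# Constructed record format (an assumption for this example): one process creation per line.
LINE_RE = re.compile(r'host=(?P<host>\S+) .*cmdline="(?P<cmd>.*)"$')

def classify(cmdline):
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(lines):
    """Map each host to the sorted list of distinct behaviour categories seen in its records."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # records not in the expected shape are skipped
            hits[m["host"]].update(classify(m["cmd"]))
    return {host: sorted(cats) for host, cats in hits.items()}

def flagged_hosts(findings, threshold=3):
    """Hosts showing at least `threshold` distinct categories warrant isolation and triage."""
    return sorted(h for h, cats in findings.items() if len(cats) >= threshold)

# Constructed sample telemetry, not real logs; the first line is a benign control record.
SAMPLE_LOG = [
    'ts=2025-11-21T10:02:11Z host=WS01 user=CORP\\jdoe image=powershell.exe cmdline="Get-MpPreference"',
    'ts=2025-11-21T10:02:40Z host=WS01 user=CORP\\jdoe image=powershell.exe cmdline="Set-MpPreference -DisableRealtimeMonitoring $true"',
    'ts=2025-11-21T10:02:55Z host=WS01 user=CORP\\jdoe image=powershell.exe cmdline="Add-MpPreference -ExclusionPath C:\\"',
    'ts=2025-11-21T10:03:10Z host=WS01 user=CORP\\jdoe image=icacls.exe cmdline="icacls C:\\Shares /grant Everyone:F /T"',
    'ts=2025-11-21T10:03:30Z host=WS01 user=CORP\\jdoe image=cmd.exe cmdline="cmd.exe /c del /q C:\\Windows\\Prefetch\\*.pf"',
    'ts=2025-11-21T10:05:02Z host=SRV02 user=CORP\\svc_sync image=schtasks.exe cmdline="schtasks /create /tn Sync /tr C:\\Tools\\sync.exe /sc onstart"',
]
```

Running `flagged_hosts(scan(SAMPLE_LOG))` on the sample returns only `WS01`: four distinct categories in under two minutes, while SRV02's single scheduled-task creation stays below the threshold for a human to review rather than auto-contain.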

Building resilience against fast-moving ransomware groups like The Gentlemen requires more than isolated security controls — it demands a coordinated strategy that limits attacker mobility and accelerates detection.

The New Ransomware Model: Agile, Modular, and Fast

The Gentlemen’s rapid evolution highlights a broader shift in the ransomware landscape, where emerging groups can now reach the sophistication of long-established gangs by relying on modular tooling, affiliate networks, and cross-platform development. 

Their dual-extortion tactics, expanding victim list, and steady stream of feature updates show how modern ransomware crews increasingly operate like full-fledged software organizations — iterating quickly, scaling efficiently, and continuously improving their capabilities.

This pace of adversary evolution underscores the need for organizations to adopt zero-trust principles to limit attacker movement and reduce risk.
