Ransomware Analysis: Go Binary and Fast Encryption
Essential information
- Published
- 10/06/2026 13:58
- Modified
- 10/06/2026 14:01
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- anydesk breachforums partnership cobalt strike cve-2024-55591 double extortion gentlemen go binary larva-368 lateral movement ransomware-as-a-service storm-2697 systembc xchacha20 encryption
- Tags
- 2026-06-10 CVE-2024-55591 anydesk breachforums partnership cobalt strike double-extortion gentlemen go binary larva-368 lateral movement ransomware-as-a-service storm-2697 systembc xchacha20 encryption
- Related entities
- 1 vulnerability (CVE), 3 indicators, 3 observables, 1 intrusion set (APT), 20 techniques (MITRE ATT&CK), 4 malware, 10 others
Description
The Gentlemen is a Ransomware-as-a-Service operation, tracked by Microsoft as Storm-2697, that emerged in mid-2025 after splitting from Qilin following a payment dispute. Run as a structured syndicate with at least 9 core operators, the group has compromised more than 1,570 organizations in over 70 countries; an estimated 71-78% of those victims paid and therefore never appeared on the public leak site, so the leak site understates the true victim count.

The lockers are custom Go- and C-compiled cross-platform binaries. They support partial (intermittent) encryption modes that touch only 0.3%-9% of each file's bytes, which is what makes encryption fast while still rendering files unusable; build in lateral movement through WMI and PowerShell remoting; carry aggressive defense evasion, including disabling Windows Defender and clearing event logs; and can self-propagate. A formal partnership with BreachForums in May 2026 expanded distribution through integrated affiliate onboarding.

The file encryption itself combines an X25519 key exchange with XChaCha20, so on paper the data cannot be recovered without the operator's private key. In practice a CWE-244 implementation flaw (heap memory holding key material is not cleared before it is released) leaves the keys recoverable from a process memory dump, which is the one recovery path defenders should test for before paying.