{
  "name": "Ransomware Analysis: Go Binary and Fast Encryption",
  "slug": "ransomware-analysis-go-binary-and-fast-encryption",
  "description": "The Gentlemen is a Ransomware-as-a-Service operation, tracked as Storm-2697, that emerged in mid-2025 after splitting from the Qilin ransomware operation following a payment dispute. Operating as a highly structured syndicate with at least 9 core operators, the group has compromised over 1,570 organizations across 70+ countries; approximately 71-78% of victims pay the ransom and therefore never appear on public leak sites. The operation uses custom Go- and C-compiled cross-platform lockers featuring partial-encryption modes (0.3%-9% per file), built-in lateral movement via WMI and PowerShell remoting, aggressive defense evasion including disabling Windows Defender and clearing event logs, and self-propagation capabilities. A formal partnership with BreachForums in May 2026 expanded distribution through integrated affiliate onboarding. Despite sophisticated encryption using X25519 key exchange and XChaCha20, a critical CWE-244 implementation flaw (improper clearing of heap memory before release) allows the encryption keys to be recovered from process memory dumps.",
  "published": "2026-06-10T11:58:42.962000+00:00",
  "created_at": "2026-06-10T14:01:02.455000+00:00",
  "modified_at": "2026-06-10T12:01:02+00:00",
  "created_at_opencti": "2026-06-10T14:01:02.455000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "anydesk",
    "breachforums partnership",
    "cobalt strike",
    "cve-2024-55591",
    "double extortion",
    "gentlemen",
    "go binary",
    "larva-368",
    "lateral movement",
    "ransomware-as-a-service",
    "storm-2697",
    "systembc",
    "xchacha20 encryption"
  ],
  "tags": [
    "2026-06-10",
    "CVE-2024-55591",
    "anydesk",
    "breachforums partnership",
    "cobalt strike",
    "double-extortion",
    "gentlemen",
    "go binary",
    "larva-368",
    "lateral movement",
    "ransomware-as-a-service",
    "storm-2697",
    "systembc",
    "xchacha20 encryption"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "4d34801a-eb98-4022-b8f3-aeac5bacc285",
        "name": "CVE-2024-55591"
      }
    ],
    "indicators": [
      {
        "id": "fd0bdf8a-fb2a-489b-a323-73c5e413359c",
        "name": "tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion"
      },
      {
        "id": "96940790-a6e5-44e9-832d-47861e96eb91",
        "name": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"
      },
      {
        "id": "ed86ec2f-71ee-4d40-b171-4c47a9b0b5f9",
        "name": "http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c920a404-92c6-423b-9714-146e22302900",
        "name": "The Gentlemen",
        "slug": "the-gentlemen"
      }
    ],
    "attack_patterns": [
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      },
      {
        "id": "ab1a2f00-2489-4c89-af29-e767f5fa5a23",
        "name": "T1070.003"
      },
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "9643a7e9-771b-4396-83a3-26fcec5200e4",
        "name": "T1021.006"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "28784df4-38e7-4195-b0aa-bd35746dfbe7",
        "name": "T1069.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "d5c953ff-b143-41b6-bf2d-87b829132ea5",
        "name": "T1135"
      }
    ],
    "malware": [
      {
        "id": "912191ff-cd6b-4a1e-8fb4-628fc5c4feea",
        "name": "Gentlemen",
        "slug": "gentlemen"
      },
      {
        "id": "25c206e0-ce3f-45db-ac64-14247e93d44a",
        "name": "SystemBC",
        "slug": "systembc"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      },
      {
        "id": "7193649e-f5a2-4601-8529-3e35ea193839",
        "name": "AnyDesk",
        "slug": "anydesk"
      }
    ],
    "observables": [
      {
        "id": "841e1f84-5da9-469c-b470-7d10150da731",
        "name": "tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion"
      },
      {
        "id": "48c097cc-3c06-4498-9594-48f7a87fd867",
        "name": "http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/"
      },
      {
        "id": "",
        "name": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "United Kingdom of Great Britain and Northern Ireland"
      },
      {
        "id": "",
        "name": "Germany"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion"
      }
    ]
  },
  "external_refs": [
    {
      "id": "886f8d96-d06c-482f-9993-3fe4eb11454e",
      "standard_id": "external-reference--00d1b5f0-f3bc-5e4c-898f-32233157486b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a2951722e6ca0cbaaac430b",
      "hash": null,
      "external_id": "6a2951722e6ca0cbaaac430b",
      "created": "2026-06-10T14:01:02.348Z",
      "modified": "2026-06-10T14:01:02.348Z",
      "createdById": null
    },
    {
      "id": "ac214f0b-2b1d-4207-a08f-566cfd93ab21",
      "standard_id": "external-reference--366767aa-7b07-5047-851b-c08afd137baf",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://darkatlas.io/blog/how-a-go-binary-locks-down-enterprise-networks-in-minutes-the-story-behind-gentlemen-ransomware",
      "hash": null,
      "external_id": null,
      "created": "2026-06-10T14:01:02.378Z",
      "modified": "2026-06-10T14:01:02.378Z",
      "createdById": null
    }
  ]
}