
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

Published 28/05/2026 19:56 · Modified 29/05/2026 10:39


Essential information

Tags
2026-05-28 go-language kazuar ransomware-as-a-service the gentlemen
Related entities
2 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware, 4 others

Description

The Gentlemen ransomware is an operation tracked as Storm-2697, distinguished by combining robust per-file encryption, built on Curve25519 with the XChaCha20 stream cipher, with aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to a ransomware-as-a-service (RaaS) model by September 2025, the operation recently partnered with BreachForums to recruit affiliates, including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double-extortion tactics, encrypting data while also exfiltrating sensitive information. It attempts 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery. Victims span organizations globally across the education, transportation, healthcare, and finance sectors.

External references