Gentlemen Ransomware: Self-Propagation and Identity Risks

Gentlemen ransomware highlights identity and recovery control gaps

Gentlemen ransomware is making headlines for its advanced self-propagation methods and its focus on identity and recovery controls. The ransomware, which targets Windows, Linux, and VMware ESXi environments, leverages trusted Windows administrative tools to spread and actively disrupts security and backup systems before encrypting files.

Gentlemen ransomware: What happened and when

The Gentlemen ransomware-as-a-service (RaaS) operation was first observed around mid-2025 as a closed group, later expanding to affiliates in September 2025. Its emergence has been tracked by multiple security researchers, including Picus Security and Microsoft Threat Intelligence, who published deep technical analyses in May 2026. The group has launched attacks against organisations across sectors such as education, healthcare, transportation, and financial services in regions spanning North America, Europe, Asia, Africa, and South America.

The campaign’s most notable phase began in late May 2026, when researchers highlighted how Gentlemen ransomware deploys a self-propagating encryptor. This capability means that once an initial system is compromised, the threat can automatically spread across a target’s network, leveraging legitimate Windows management tools in the process.

Attack techniques: Self-propagation and system weakening

The key differentiator for Gentlemen ransomware is its sophisticated lateral movement. The malware can enumerate all reachable systems on the network, then copy its payload to those machines via SMB shares. It does not rely on a single method for remote command execution; instead, it attempts up to 21 different remote execution techniques for each target. These include:

  • PsExec
  • WMIC (Windows Management Instrumentation Command-line)
  • Scheduled tasks
  • Windows services
  • PowerShell remoting
  • WMI process creation

This redundancy increases the likelihood that at least one method will succeed, allowing the malware to continue spreading throughout the environment. By abusing legitimate and trusted admin tools, Gentlemen ransomware can bypass many traditional security controls that look for suspicious binaries or behaviour.

Before encrypting files, the malware specifically targets an organisation’s ability to detect and recover from an attack. It attempts to:

  • Disable Microsoft Defender antivirus protection
  • Delete Windows shadow copies (used for file recovery)
  • Remove forensic artefacts to hinder incident response
  • Stop services related to databases, backup tools, endpoint protection, and virtualisation platforms

These steps are designed to make recovery much harder once encryption is underway, and to reduce the effectiveness of backup and endpoint detection and response (EDR) tools.

Technical details: Encryption, file extensions, and impact

Gentlemen ransomware uses a hybrid cryptographic approach, combining Curve25519 and XChaCha20 algorithms. Each file is encrypted with a unique key, complicating decryption attempts. In the Picus Security analysis, encrypted files were given the .umc16h extension, though researchers have seen other extensions in different campaigns.

The group also adopts double extortion tactics. In addition to encrypting data, they threaten to leak stolen files if the ransom is not paid. This approach increases pressure on victims to comply with ransom demands, as a data leak can cause reputational and regulatory damage.

Variants of the Gentlemen ransomware have been observed targeting not only Windows systems but also Linux and VMware ESXi environments, broadening the potential impact and making the group a threat across hybrid enterprise infrastructures.

Lateral movement, identity threats, and affected organisations

Security researchers stress that, after gaining an initial foothold, the attackers focus on compromised credentials and excessive privileges. By exploiting legitimate tools and accounts, the malware can blend in with normal administrative activities, evading detection.

The sophistication of Gentlemen’s self-propagation means that organisations with flat networks, weak segmentation, or overly permissive administrative access are especially vulnerable. The attacks have so far affected organisations in critical sectors worldwide, demonstrating a broad and opportunistic targeting strategy.

Current evidence suggests that the group is actively developing and refining its tooling, and that attacks are ongoing. Security vendors and researchers continue to observe new campaigns, with the malware being offered to affiliates for wider deployment.

Why this event matters for organisations

The Gentlemen ransomware campaign highlights the growing risks from threats that abuse trusted administrative tools. The ability to self-propagate and degrade security and recovery defences before encryption represents a step-change in ransomware tactics. Organisations are reminded that robust identity and privilege management, strong segmentation, and resilient, immutable backups are crucial to resisting such attacks.

Immediate actions for defenders

  • Review and restrict the use of remote administrative tools such as PsExec, WMIC, and PowerShell.
  • Harden identity and privilege management to minimise lateral movement risk.
  • Ensure backup systems are segmented, protected, and cannot be easily disabled.
  • Monitor for suspicious use of administrative tools and audit privileged account usage.

Staying informed on evolving ransomware techniques is essential, as groups like Gentlemen continue to innovate and target new sectors and platforms.

Originally reported by csoonline.com.

Share this bulletin

About the Author

Headshot of Jonny Pelter, leading cyber security expert in the UK and CISO

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny Pelter

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

View Profile
Back to Bulletins
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call