The Gentlemen Ransomware

Download 10+ pages of The Gentlemen's latest criminal behaviors, previous industry and geographic targets, exploited vulnerabilities, criminal associations, behaviors, and MITRE ATT&CK mappings.

About This Threat Profile

First Identified: 2025

Threat Type:
Ransomware-as-a-Service (RaaS)

Extortion method:
Double Extortion – the operators encrypt victim data, exfiltrate sensitive data, and threaten to leak that data if the ransom is not paid.

Most frequently targeted industry:

  • Industrials (Manufacturing)

Most frequently targeted victim HQ region: Asia; South America

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, vulnerability exploitation (MITRE ATT&CK: T1078, T1190)
    • Persistence
      • Create account, create or modify system process, hijack execution flow (MITRE ATT&CK: T1136, T1543, T1574)
    • Lateral Movement
      • Remote services, lateral tool transfer (MITRE ATT&CK: T1021, T1570)

Description of The Gentlemen Ransomware

The Gentlemen Ransomware is an operation that first emerged in August 2025 and operates as a ransomware-as-a-service (RaaS). The group reportedly uses the double extortion method: it encrypts victim data and exfiltrates sensitive data that can be held for ransom, then threatens to leak the data via a data leak site if the ransom demand is not paid.

Researchers have reported that The Gentlemen operators have displayed sophistication in their attacks, adapting tactics mid-campaign and choosing initial access methods strategically rather than opportunistically. Additionally, the group appears to conduct significant reconnaissance on its victims, using custom tools designed to target specific security vendors.

The Gentlemen operators have been reported to create new accounts, modify system processes, and hijack execution flows for persistence. Additionally, the group has been reported to deploy the remote access tool AnyDesk to maintain access to victim environments.

The group has been reported to modify critical registry settings that govern authentication and remote access protocols and rely on PsExec for lateral movement. Additionally, The Gentlemen group was reported to use the Group Policy Management Console and Group Policy Management Editor to attempt to deploy malicious configurations across the domain.

The Gentlemen operators utilized WinSCP for data exfiltration and used encrypted channels, highlighting that the group likely prioritizes operational security.

Similar to many other ransomware operations, The Gentlemen deletes Shadow Copies, disables defensive measures such as Windows Defender, and modifies firewall rules.

Once the victim's environment is encrypted, The Gentlemen drops a ransom note, "README-GENTLEMEN.txt", and each file is appended with a six-character extension. Additionally, the ransomware changes the desktop wallpaper.
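The behaviours listed above (AnyDesk and PsExec use, Shadow Copy deletion, Defender tampering, firewall changes, the README-GENTLEMEN.txt note and a six-character extension appended to encrypted files) are all visible in ordinary endpoint telemetry. The following is an added example, not Blackpoint's code or anything from the profile, that turns them into a small set of detection rules and runs them over constructed sample events; the `Event` schema, the regexes, the sample command lines and paths, the benign-extension allowlist and the burst threshold are all assumptions.

```python
"""Added example (not Blackpoint's code): flag the post-compromise behaviours the
profile attributes to The Gentlemen in constructed endpoint telemetry.
Event schema, rule regexes, sample events and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str    # "process": detail is a command line; "file": detail is a path written
    detail: str


# Command-line patterns, one per behaviour named in the profile (assumed regexes).
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("defender_tampering",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w+\s+\$?true\b", re.I)),
    ("firewall_modification",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\b(add|set|delete)\b", re.I)),
    ("psexec_remote_execution", re.compile(r"\bpsexec(\.exe)?\b", re.I)),
    ("anydesk_remote_access", re.compile(r"\banydesk(\.exe)?\b", re.I)),
]

RANSOM_NOTE = re.compile(r"(^|[\\/])README-GENTLEMEN\.txt$", re.I)
SIX_CHAR_EXT = re.compile(r"\.([A-Za-z0-9]{6})$")
# Legitimate six-character extensions that should not count (assumed allowlist).
BENIGN_SIX_CHAR_EXTS = {"config", "sqlite", "backup"}


def match_process_rules(events):
    """Return (host, rule_name) pairs for every command line that hits a rule."""
    hits = []
    for e in events:
        if e.kind != "process":
            continue
        for name, pattern in PROCESS_RULES:
            if pattern.search(e.detail):
                hits.append((e.host, name))
    return hits


def hosts_with_ransom_note(events):
    """Hosts on which README-GENTLEMEN.txt was written."""
    return sorted({e.host for e in events if e.kind == "file" and RANSOM_NOTE.search(e.detail)})


def extension_bursts(events, threshold=5):
    """Per host, six-character extensions written to at least `threshold` files.
    One unfamiliar extension landing on many files on a host is the file-system
    signal of the encryption step; the threshold is an assumption."""
    counts = Counter()
    for e in events:
        if e.kind != "file":
            continue
        m = SIX_CHAR_EXT.search(e.detail)
        if m and m.group(1).lower() not in BENIGN_SIX_CHAR_EXTS:
            counts[(e.host, m.group(1).lower())] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def triage(events, threshold=5):
    """Combine all signals into {host: sorted list of finding names}."""
    findings = defaultdict(set)
    for host, name in match_process_rules(events):
        findings[host].add(name)
    for host in hosts_with_ransom_note(events):
        findings[host].add("ransom_note_dropped")
    for (host, ext), _count in extension_bursts(events, threshold).items():
        findings[host].add(f"extension_burst:{ext}")
    return {host: sorted(names) for host, names in findings.items()}


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    Event("ws01", "process", "vssadmin.exe delete shadows /all /quiet"),
    Event("ws01", "process", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("ws01", "process", "netsh advfirewall set allprofiles state off"),
    Event("srv02", "process", "C:\\Temp\\PsExec.exe \\\\ws01 cmd.exe"),
    Event("srv02", "process", "C:\\Users\\j\\AppData\\Local\\AnyDesk\\AnyDesk.exe --silent"),
    Event("ws01", "file", "C:\\Users\\alice\\Documents\\README-GENTLEMEN.txt"),
    Event("srv02", "file", "C:\\inetpub\\wwwroot\\web.config"),
    Event("srv02", "file", "C:\\Temp\\notes.txt"),
] + [Event("ws01", "file", f"C:\\Users\\alice\\Documents\\doc{i}.docx.k7q2xz") for i in range(6)]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```

The command-line rules on their own are noisy in environments where administrators legitimately run `vssadmin` or `netsh`; the value comes from `triage`, which correlates them per host with the ransom note and the extension burst so that ws01 in the sample stands out with several independent signals while srv02 only shows the remote-access and lateral-movement tooling.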

In September 2025, a user "Zeta88" was observed advertising The Gentlemen RaaS operation on the cybercriminal forum RAMP. According to the user, the ransomware targets Windows, Linux, BSD, NAS, and ESXi environments using compact, efficient binaries. The ransomware reportedly encrypts files with hybrid cryptography, XChaCha20 with Curve25519, and generates a unique ephemeral key for each file.

Additionally, the user stated that the ransomware can run multiple instances on the same machine without conflict, forcibly access locked folders, and contains an extended kill list to terminate processes and services.

While The Gentlemen operation recently appeared within the ransomware landscape, their tactics indicate the operators are likely experienced in ransomware operations. The group appears to be focused on extensive reconnaissance efforts, custom tooling to ensure successful attacks, and operational security to prevent identification.

It is likely that The Gentlemen is a persistent ransomware operation with a goal of conducting targeted, more customized attacks. It is very likely that ransomware will remain a pervasive threat to organizations worldwide over the next 12 months.

Date Published: November 7, 2025
Author: Blackpoint Cyber