LEGAL DISCLAIMER: This platform is for authorized security research and educational purposes only. Scanning assets without permission is illegal.
HOMEBLOGThe Gentlemen Ransomware Targets Windows Networks with 21 Lateral Movement Techniques
The Gentlemen Ransomware Targets Windows Networks with 21 Lateral Movement Techniques
Threat Intelligence

The Gentlemen Ransomware Targets Windows Networks with 21 Lateral Movement Techniques

SR
Surendra Reddy ↗ View profile
LAST UPDATED: JUL 8, 2026
11 MIN READ
499 VIEWS

Summarize this blog post with:
ChatGPT | Perplexity | Claude | Grok

You've probably assumed that a single infected laptop is a contained problem your IT team can isolate before it spreads. What many security teams don't realize is that one ransomware family now automates its way across an entire Windows network using 21 different remote execution methods, with almost no human operator needed after the initial foothold. In this guide, you'll learn how The Gentlemen ransomware propagates, what it does before it encrypts a single file, and how to detect it early.

Key Takeaways

  • The Gentlemen is a Go-based ransomware-as-a-service (RaaS) operation first observed in mid-2025 that has since claimed hundreds of victims worldwide.
  • The malware includes a self-propagation engine, triggered by a --spread argument, that attempts 21 distinct remote execution and lateral movement techniques across a compromised network.
  • Before encrypting anything, the ransomware disables Microsoft Defender, deletes shadow copies, clears event logs, and shuts down backup software to maximize damage and slow recovery.
  • Files are encrypted using a Curve25519 and XChaCha20 hybrid scheme and renamed with the .umc16h extension, alongside a ransom note named README-GENTLEMEN.txt.
  • The group has demonstrated the ability to abuse Active Directory Group Policy to detonate ransomware simultaneously across every machine in a domain.
  • Lateral movement tools observed include PsExec, PowerShell Remoting, WMI, WinRM, scheduled tasks, RDP, SSH, and living-off-the-land binaries already trusted by most enterprise environments.
  • Organizations across healthcare, education, manufacturing, government, and critical infrastructure have been affected, reflecting broad, opportunistic targeting rather than a single-industry focus.

What Is The Gentlemen Ransomware?

The Gentlemen is a ransomware-as-a-service (RaaS) family written in the Go programming language that combines strong encryption with a worm-like propagation engine capable of spreading across an entire enterprise network from one compromised endpoint. The malware was first observed in mid-2025 and has since evolved into a full RaaS platform, meaning its developers lease access to affiliates who carry out attacks in exchange for a cut of ransom payments. Researchers at Picus Security and Microsoft have both published detailed technical breakdowns of its behavior.

The binary is protected using Garble, an open-source Go obfuscation tool, which makes reverse engineering meaningfully harder for defenders analyzing a sample. For example, once an operator or affiliate has an initial foothold on a Windows host, running the malware with its --spread parameter shifts it from a single-machine encryptor into a self-propagating worm that automatically searches out and infects additional reachable systems. The group has reportedly listed more than 300 victims since emerging, spanning healthcare, education, transportation, financial services, and government contractors.

Why Does This Ransomware Matter?

The Gentlemen matters because it removes much of the manual effort ransomware operators traditionally needed to spread across a victim's network. A single compromised endpoint can become the starting point for organization-wide encryption within days rather than weeks, since the propagation engine automates discovery and remote execution instead of requiring an operator to manually pivot host by host.

At the same time, the group's use of Active Directory Group Policy for mass deployment raises the ceiling on potential damage. Researchers have described this as one of the most powerful detonation methods observed in ransomware to date, since it can trigger encryption simultaneously across every computer in a domain rather than machine by machine. Moreover, the RaaS model means the malware's reach isn't limited to a single skilled team — affiliates, including reported penetration testers and initial access brokers, can deploy the same tooling against new victims independently, which broadens the population of attackers capable of using it.

Technical Breakdown: The 21 Lateral Movement Techniques

The Gentlemen's lateral movement engine works by cycling through as many as 21 different remote execution methods until one succeeds on a given target host. This redundancy is deliberate: if one technique is blocked by a security control, the malware simply falls back to another rather than stalling out.

Living-Off-the-Land Execution Methods

For example, the malware relies heavily on tools that are already trusted inside most Windows environments, including PsExec over SMB administrative shares, PowerShell Remoting, Windows Management Instrumentation (WMI), WinRM, remote scheduled tasks, and Windows service creation. Because these are legitimate administrative mechanisms, traffic generated by The Gentlemen using compromised credentials can look identical to routine IT activity, making detection dependent on behavioral context rather than a simple tool blocklist.

Cross-Platform and Remote Access Tools

The group also deploys PuTTY for SSH-based lateral movement across Linux and ESXi systems, extending its reach beyond Windows into virtualization infrastructure — a strong signal of preparation for infrastructure-wide encryption rather than a narrowly scoped attack. In several documented incidents, the operators additionally installed AnyDesk as a persistent Windows service, giving them a reliable remote access channel that survives reboots and user logoffs, and used SystemBC as a proxy to disguise command-and-control traffic during the lateral movement phase.

Defense Evasion Before Encryption

Before any files are touched, The Gentlemen systematically weakens the environment's ability to detect or recover from the attack. This can allow the ransomware to disable Microsoft Defender, turn off Windows Firewall, terminate security monitoring processes, delete Volume Shadow Copies, remove backup software, and clear Windows Event Logs — all before the encryption phase even begins. Credential harvesting tools such as Mimikatz have also been observed supporting this stage, giving the operators the privileged access needed for the remaining techniques.

How Does the Full Attack Chain Unfold?

Picus Security and Microsoft's technical analyses describe a consistent multi-stage attack chain once the operators have an initial foothold, often on a domain controller with administrative privileges.

Initial access and validation — attackers confirm administrative access, often via compromised VPN appliances or exposed internet-facing infrastructure.

Reconnaissance — the malware or accompanying scripts enumerate user accounts, local groups, and virtualization-specific groups such as VMware, indicating deliberate preparation for both physical and virtual targets.

Lateral movement — the propagation engine attempts its full set of remote execution techniques, typically lasting two to seven days and touching dozens to hundreds of systems.

Defense evasion — security tools, backups, and logs are disabled or destroyed across reached systems.

Mass deployment — in some incidents, Group Policy is abused to push the ransomware binary domain-wide for simultaneous detonation.

Encryption — files are encrypted with the Curve25519/XChaCha20 scheme, renamed with the .umc16h extension, and a README-GENTLEMEN.txt ransom note is dropped.

Which Organizations and Systems Are at Risk?

Any Windows-based enterprise network with weak segmentation between endpoints and critical systems is a viable target for The Gentlemen's automated propagation engine. Reported victims span healthcare, education, transportation, financial services, manufacturing, government contractors, and critical infrastructure, suggesting broad, opportunistic targeting rather than a narrow industry focus.

Because the malware's lateral movement also reaches Linux and VMware ESXi systems through SSH-based techniques, organizations running mixed Windows and virtualization environments face exposure beyond their Windows estate alone. Domain controllers are a particularly high-value target given the group's demonstrated Group Policy abuse for mass deployment.

How Can You Detect The Gentlemen Ransomware?

Detection depends heavily on spotting abnormal use of legitimate administrative tools, since most of the group's lateral movement techniques don't involve custom malware at the network-traffic level.

  • Monitor for unusual PsExec activity, especially against multiple hosts in a short window, which is a strong early indicator of automated propagation rather than routine administration.
  • Watch for unexpected PowerShell Remoting or WMI-based remote execution originating from a single host against many others in sequence.
  • Flag new Windows services or scheduled tasks created remotely, particularly ones with generic or unfamiliar names.
  • Alert on Volume Shadow Copy deletion and Windows Event Log clearing, since both are used specifically to hinder recovery and investigation.
  • Track AnyDesk installations configured as a persistent service rather than launched interactively by an IT technician.
  • Look for the .umc16h file extension and README-GENTLEMEN.txt ransom notes as confirmed indicators of an active or completed encryption event.

Before trusting any domain associated with suspicious inbound connections during an investigation, a WHOIS domain lookup and an IP reputation lookup can help confirm whether the infrastructure has already been flagged elsewhere.

[Insert image: Diagram of The Gentlemen's attack chain from initial access to encryption | Alt text: "The Gentlemen ransomware attack chain diagram"]

Enterprise Mitigation Strategies

Restricting the tools this ransomware depends on for lateral movement is one of the most effective ways to blunt its automated propagation engine. Since the malware relies on redundancy across 21 techniques, closing off several at once meaningfully raises the difficulty of a successful spread.

  • Restrict administrative shares and remote execution tools such as PsExec, and require justification for their use outside approved maintenance windows.
  • Enforce least-privilege access so that a single compromised account can't validate administrative rights across the entire domain.
  • Monitor and alert on Group Policy Object changes, given the group's documented use of GPO for domain-wide ransomware detonation.
  • Segment Windows, Linux, and VMware environments from one another so that lateral movement across platforms requires more than a single set of credentials.
  • Maintain offline, tested backups that are isolated from the production network and can't be reached by the same account compromised on endpoints.
  • Deploy EDR with behavioral detection capable of flagging credential-based remote execution patterns rather than relying solely on signature matching.

Security teams assessing their exposure can pair these controls with a website vulnerability scanner to identify internet-facing weaknesses — such as exposed VPN appliances — that commonly serve as the initial access point for RaaS operations like this one.

Practical Security Best Practices

  • Require multi-factor authentication on RDP, VPN, and all privileged administrative accounts, since credential-based lateral movement is central to this ransomware's spread.
  • Patch internet-facing infrastructure promptly, particularly VPN appliances, which have been linked to initial access in similar campaigns.
  • Run regular attack simulation exercises that specifically test lateral movement detection rather than only perimeter defenses.
  • Audit domain administrator accounts and remove unnecessary standing privileges that could be abused for Group Policy manipulation.
  • Train staff on recognizing initial-access vectors like phishing and exposed remote access tools, since ransomware still typically needs a foothold before the automated spread begins.

Reviewing exposed services with a DNS lookup tool and a subdomain enumeration tool can help surface forgotten remote access points or shadow-IT subdomains before an attacker finds them first.

What's Next? Tracking Future Ransomware Evolution

The Gentlemen's automated propagation model is likely a preview of where other RaaS operations are heading, not an isolated case.

  • Follow ongoing research from Microsoft, Picus Security, and Trend Micro, all of which have published detailed technical breakdowns of this specific group's tooling.
  • Reassess network segmentation quarterly, since the group's cross-platform lateral movement specifically exploits weak boundaries between Windows, Linux, and virtualization layers.
  • Review our coverage of related persistence and evasion techniques, including our recent breakdown of a phishing campaign abusing AnyDesk for silent remote access, which shares several tooling overlaps with this group's tactics.
  • Bookmark our cybersecurity news hub for continued coverage of emerging ransomware and RaaS operations.

Conclusion

The Gentlemen represents a clear escalation in how ransomware-as-a-service groups approach network-wide compromise, automating what used to require a skilled operator manually pivoting host by host. With 21 lateral movement techniques, Group Policy-based mass deployment, and aggressive pre-encryption defense evasion, this group can turn a single compromised endpoint into an enterprise-wide incident in days. Organizations that rely solely on perimeter defenses and signature-based antivirus are not positioned to catch this kind of threat. Strengthen segmentation, monitor for abnormal administrative activity, and keep tested offline backups — and stay subscribed to trusted threat intelligence sources so evolving RaaS operations like this one don't catch your team off guard.

Written by ReconShield Editorial Team — a cybersecurity publication covering cyber threats, data breaches, vulnerabilities, malware, threat intelligence, and online privacy, providing practical insights to help readers stay informed and secure.

Reviewed by Surendra Reddy, Founder & Principal Security Engineer, ReconShield — a cybersecurity researcher specializing in OSINT, infrastructure exposure intelligence, and passive diagnostic tooling.

Disclaimer: This article was initially drafted using AI assistance. However, the content has undergone thorough revisions, editing, and fact-checking by human editors and subject matter experts to ensure accuracy.

Read More:

BugHunter AI: The Ultimate AI-Powered Bug Bounty Toolkit for Ethical Hackers in 2026

GPT-5.5-Cyber: OpenAI's AI Security Model That Finds and Fixes Vulnerabilities Automatically

AI Bug Hunting: How Security Researchers Use AI to Find Vulnerabilities in 2026

CVE-2026-46331: New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries

Massive Temu Data Leak Claim Emerges: 310 Million Accounts Allegedly Exposed

Update Chrome Now: 382 Security Vulnerabilities Patched, Including 15 Critical Bugs

Security Alert: Multiple FatFs Vulnerabilities Impact Embedded Devices Worldwide

## Analyst Commentary & Implementation Blueprint

Security advisory

Continuous security exposure assessment is critical to identifying public vulnerabilities before they are exploited. Organizations should maintain a passive inventory of all web servers, TLS configs, and open ports, ensuring that default configurations are eliminated and security advisories are actively implemented.

Hardened Security Configuration Blueprint

# General Security Hardening Directive
ServerTokens ProductOnly
ServerSignature Off
FileETag None

Actionable Mitigation Checklist

  • Perform passive asset inventories weekly.
  • Restrict administrative ports using local firewall controls.
  • Monitor active CVE alerts for exposed software.

Common Inquiries & FAQs

Why is passive scanning preferred for continuous auditing?

Passive audits do not cause operational impact or trigger firewall blocks, making them ideal for constant surveillance of internet-facing assets.

What should I do if a vulnerability is flagged?

Apply the latest vendor patches, restrict access to the resource via firewalls, or verify configuration flags to mitigate risks.

SR

Surendra Reddy

Surendra Reddy is a cybersecurity researcher and founder of ReconShield, specializing in OSINT and defensive infrastructure analysis.

Connect on LinkedIn ↗
#THREAT INTELLIGENCE#OSINT & RECONNAISSANCE#VULNERABILITY RESEARCH

// AUDIT BRIEFING DISCUSSION (2 COMMENTS)

agent_x9 // Verified Analyst2 HOURS AGO

Great breakdown of the passive infrastructure vectors. We recently audited our external DNS zones and found multiple dangling staging environments. Implementing wildcard certificates reduced our CT log leaks significantly.

sec_analyst_015 HOURS AGO

Is there any automated tooling you recommend for daily crt.sh scraping? Manually checking CT logs is becoming unsustainable for our domain portfolio.

// POST RESPONSE BRIEFING
* Encrypted transmission via Secure Socket LayerSUBMIT BRIEFING