Microsoft Threat Intelligence dissects the Gentlemen ransomware, a Go‑based RaaS platform that pairs per‑file Curve25519/XChaCha20 encryption with aggressive lateral‑movement techniques. The report details command‑line controls, privilege‑escalation, defense‑evasion, partial‑file encryption, and a 21‑method propagation engine, and offers concrete Microsoft Defender detections and hunting queries for mitigation.
What changed
Microsoft’s latest threat‑intel brief reveals that the Gentlemen ransomware family has evolved from a closed‑group encryptor into a full‑featured ransomware‑as‑a‑service (RaaS) platform. Since its first appearance in mid‑2025, the operators (identified as Storm‑2697) have added a self‑propagation module, a rich set of command‑line switches, and a per‑file hybrid cryptography scheme that makes each encrypted file uniquely protected. The most visible change is the --spread flag, which turns a single‑host encryptor into a worm that attempts up to 21 distinct remote‑execution techniques on every discovered host.

Provider comparison
| Feature | Gentlemen ransomware (Go) | Typical Windows ransomware (C/C++) |
|---|---|---|
| Language & obfuscation | Compiled Go binary, obfuscated with Garble – produces a single static executable that runs on any Windows x64 without additional runtimes. | Native C/C++ often bundled with packers (UPX, Themida) that add size and detection complexity. |
| Key management | Ephemeral Curve25519 key pair per file, ECDH with hard‑coded operator public key, XChaCha20 stream cipher. No nonce reuse, each file carries its own public key in the footer. | RSA‑based envelope encryption, static RSA key stored in the binary, often re‑used across files. |
| Encryption granularity | Full encryption for files ≤ 1 MiB; three‑chunk partial encryption for larger files (9 % default, configurable down to 0.3 % per chunk). | Full‑file encryption, which can be slower on large VMDKs or database files. |
| Lateral movement | 21 independent techniques (SMB share staging, embedded PsExec, WMIC, scheduled tasks, services, PowerShell remoting, WMI class, etc.) with optional credential injection via --spread. | Usually a single method (e.g., credential dumping + SMB copy) or limited to SMB/PSExec. |
| Persistence | Dual scheduled‑task creation (system & user) plus HKLM/HKCU Run keys; hidden SMB share for staging. | Registry Run keys or a single scheduled task; fewer fallback paths. |
| Defense evasion | Disables Microsoft Defender real‑time monitoring, adds Defender exclusions, deletes VSS snapshots, clears event logs, terminates > 30 security‑related processes/services, disables firewall, enables SMB1 and anonymous access. | Often disables Windows Defender, clears logs, may stop specific services but rarely as extensive. |
| Post‑encryption | Optional free‑space wipe, wallpaper drop, self‑delete via delayed batch script, ransom note per directory. | Typically drops a single ransom note; free‑space wipe is less common. |
The Go implementation gives Gentlemen a smaller footprint, cross‑platform compilation potential, and easier distribution, while the extensive lateral‑movement logic dramatically raises the risk of rapid network‑wide compromise.
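The partial‑file encryption described in the table leaves a signature an analyst can triage for: a large file whose high‑entropy bytes sit in a few isolated runs rather than throughout. The following is an added Python example, not code from the report or from Microsoft, that profiles a file's entropy in 4 KiB windows and flags that pattern; the sample file it builds is constructed, and its chunk offsets (start, middle, end) and cut‑offs are assumptions, since the report gives the 9 % default total but not the chunk positions.

```python
import math
import random
from collections import Counter

WINDOW = 4096          # bytes per entropy window
THRESHOLD = 7.5        # bits/byte; random or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_runs(data: bytes, window=WINDOW, threshold=THRESHOLD):
    """Return [(offset, length)] runs of consecutive windows above threshold."""
    runs, start = [], None
    for off in range(0, len(data), window):
        hot = shannon_entropy(data[off:off + window]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs

def partial_encryption_verdict(data: bytes):
    """Flag files whose high-entropy bytes form a few isolated runs (partial
    encryption) rather than none (plaintext) or the whole file (compressed or
    fully encrypted). The 2-run / <50 % cut-offs are illustrative assumptions."""
    runs = high_entropy_runs(data)
    fraction = sum(n for _, n in runs) / len(data) if data else 0.0
    return {"runs": runs, "fraction": fraction,
            "suspect": len(runs) >= 2 and fraction < 0.5}

def build_sample(size=2 * 1024 * 1024, chunk=16 * WINDOW, seed=7) -> bytes:
    """Constructed 2 MiB low-entropy 'document' with three random chunks written
    at start, middle and end. Chunk offsets are an assumption for illustration;
    the report gives 9 % total by default but not where the chunks sit."""
    rng = random.Random(seed)
    text = b"The quick brown fox jumps over the lazy dog. "
    buf = bytearray((text * (size // len(text) + 1))[:size])
    for off in (0, size // 2, size - chunk):
        buf[off:off + chunk] = bytes(rng.getrandbits(8) for _ in range(chunk))
    return bytes(buf)
```

Running the verdict over a suspected share separates partially encrypted files from untouched ones before a restore, which is cheaper than hashing everything against backups.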

Business impact
Enterprises that rely on shared network drives, backup agents, or virtualization platforms are especially vulnerable. The ransomware’s ability to terminate backup services (Veeam, Acronis, BackupExec) and delete shadow copies removes the most common recovery paths, forcing victims to consider paying the ransom or rebuilding from offline backups.
- Operational downtime – The partial‑file encryption strategy can corrupt large databases or VM images within minutes, causing immediate service interruption.
- Data exfiltration risk – Double extortion means that even if a victim restores from backups, the leaked data can damage reputation and trigger regulatory penalties.
- Lateral spread – With 21 independent execution paths, traditional perimeter controls (blocking SMB or PsExec) only reduce, not eliminate, propagation. A single successful vector can seed the worm across an entire subnet.
- Forensic challenges – The self‑delete routine, log wiping, and free‑space overwrite make post‑incident analysis costly and time‑consuming.
Mitigation guidance
Microsoft recommends a layered approach:
- Enable cloud‑delivered protection and tamper protection in Microsoft Defender Antivirus.
- Deploy Controlled Folder Access for critical data stores.
- Run Defender for Endpoint in block mode and activate attack surface reduction rules that block unknown executables, PsExec, and WMI‑based process creation.
- Restrict SMB1 and anonymous shares, and enforce least‑privilege for service accounts to limit the effectiveness of the --spread credential‑reuse path.
- Monitor for the specific IOCs listed in the report (SHA‑256 hash 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67, PsExec binary hash, wallpaper bitmap hash) using the provided advanced hunting queries.
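The defense‑evasion and persistence steps in the table land on one host in a tight sequence, which is itself a hunting signal independent of any file hash. The following added Python example (not one of Microsoft's published hunting queries) scores process‑creation events per host by how many distinct such actions occur within a ten‑minute window; the log lines are constructed, and the command strings are the common ways of performing each action, assumed here rather than taken from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command strings are the well-known ways of performing the actions the report
# lists (an assumption here, not the report's own command lines).
RULES = {
    "defender_rtp_off": r"Set-MpPreference.*DisableRealtimeMonitoring\s+\$?true",
    "defender_exclusion": r"Add-MpPreference.*-Exclusion(Path|Process|Extension)",
    "vss_delete": r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete",
    "eventlog_clear": r"wevtutil(\.exe)?\s+cl\b",
    "firewall_off": r"netsh\s+advfirewall.*state\s+off",
    "smb1_enable": r"Set-SmbServerConfiguration.*EnableSMB1Protocol\s+\$?true",
    "schtask_create": r"schtasks(\.exe)?\s+/create\b",
}
LINE = re.compile(r"^(\S+) host=(\S+) cmd=(.*)$")

# Constructed process-creation events (not real telemetry).
SAMPLE_LOG = """\
2025-09-10T13:02:11Z host=FS01 cmd=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
2025-09-10T13:02:14Z host=FS01 cmd=powershell -c Add-MpPreference -ExclusionPath C:\\Windows\\Temp
2025-09-10T13:02:20Z host=FS01 cmd=vssadmin.exe delete shadows /all /quiet
2025-09-10T13:02:31Z host=FS01 cmd=schtasks /create /tn Updater /tr C:\\Windows\\Temp\\u.exe /sc onlogon
2025-09-10T13:40:00Z host=WS07 cmd=schtasks /create /tn Backup /tr C:\\Tools\\bk.exe /sc daily
2025-09-10T13:41:05Z host=WS07 cmd=wevtutil qe Security /c:10
"""

def parse(log):
    """Yield (timestamp, host, matched rule names) for lines hitting any rule."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hits = {n for n, p in RULES.items() if re.search(p, m.group(3), re.I)}
        if hits:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), hits

def hunt(log, window_min=10, min_categories=3):
    """Map host -> sorted rule names when >= min_categories distinct actions
    from RULES occur on that host within a window_min-minute sliding window."""
    by_host = defaultdict(list)
    for ts, host, hits in parse(log):
        by_host[host].append((ts, hits))
    window, alerts = timedelta(minutes=window_min), {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t_end, _) in enumerate(evs):
            seen = set().union(*(h for t, h in evs[: i + 1] if t_end - t <= window))
            if len(seen) >= min_categories:
                alerts[host] = sorted(seen)
    return alerts
```

A single scheduled task or a Defender exclusion is routine administration; three or more of these categories on one host inside ten minutes is the pattern worth paging on.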

By hardening endpoint defenses, limiting lateral‑movement channels, and maintaining immutable, offline backups, organizations can reduce the likelihood that Gentlemen’s aggressive propagation will achieve the critical mass needed for a large‑scale encryption event.
