
Gentlemen Ransomware Global Double Extortion Campaigns

Tags: ransomware-group-operation, data-exfiltration-method, endpoint-security-bypass, lateral-movement-method, healthcare-sector-threat
Updated March 21, 2026 at 03:06 PM. 2 sources.


A new ransomware group known as Gentlemen has launched a series of attacks targeting organizations in at least 17 countries, employing a double extortion model that involves both data exfiltration and encryption. The ransomware, developed in the Go programming language, leverages advanced techniques such as Group Policy Object (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD) tactics to disable security defenses and propagate laterally within corporate networks. Industries affected include healthcare, manufacturing, and insurance, with the group specifically focusing on medium to large enterprises. The malware requires a specific --password argument to execute, serving as an anti-analysis measure, and offers operators various command-line options to control its behavior and evade detection.

Analysts have identified Gentlemen as one of the most active emerging ransomware threats of 2025, with rapid expansion across North America, South America, and the Middle East. The group’s sophisticated evasion and propagation methods, combined with its aggressive targeting of sensitive data, underscore the urgent need for enhanced monitoring and defensive measures in enterprise environments. The campaign’s use of double extortion ensures that even organizations with robust backup strategies remain vulnerable to data leaks and reputational damage if ransoms are not paid.
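The BYOVD technique described above leaves a concrete trace on the endpoint: a kernel driver load. The following is an added detection example, not Mallory's code and not the operators' tooling; it triages Sysmon "Driver loaded" (Event ID 6) records exported as JSON lines. It assumes the standard Sysmon field names (EventID, ImageLoaded, Hashes, Signed, SignatureStatus); the blocklist hashes and the sample events are constructed placeholders.

```python
"""Triage Sysmon 'Driver loaded' (Event ID 6) records for BYOVD indicators.

Added defensive example: this is not Mallory's code and not the Gentlemen
operators' tooling. Assumptions: events arrive as JSON lines carrying the
Sysmon field names EventID, ImageLoaded, Hashes, Signed and SignatureStatus;
the blocklist entries are placeholders, not real vulnerable-driver hashes.
"""
import json
import ntpath

# PLACEHOLDER values. In production, populate from the Microsoft recommended
# driver block rules or a curated vulnerable-driver feed (keyed by SHA256).
KNOWN_VULNERABLE_SHA256 = {
    "PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER_A",
    "PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER_B",
}

# Directories from which legitimately installed kernel drivers are expected
# to load on a default Windows build (assumption; extend per environment).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)


def parse_hashes(hashes_field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; map algorithm -> value."""
    parsed = {}
    for part in hashes_field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            parsed[alg.strip().upper()] = val.strip().upper()
    return parsed


def triage_driver_load(event):
    """Return the reasons a driver-load event looks like BYOVD (empty = benign).

    A vulnerable driver abused for BYOVD is usually validly signed, so the
    blocklist match is the primary signal; the path and signature checks
    catch sloppier variants and unsigned loaders.
    """
    reasons = []
    image = event.get("ImageLoaded", "")
    directory = ntpath.dirname(image).lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")

    if sha256 in {h.upper() for h in KNOWN_VULNERABLE_SHA256}:
        reasons.append("SHA256 matches vulnerable-driver blocklist")
    if not any(directory.startswith(d) for d in EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the expected driver directories")
    if (str(event.get("Signed", "")).lower() != "true"
            or event.get("SignatureStatus", "") != "Valid"):
        reasons.append("driver is unsigned or its signature is not valid")
    return reasons


def triage_log(lines):
    """Run triage over JSON-lines input; return [(ImageLoaded, reasons)] hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 6:   # only 'Driver loaded' events
            continue
        reasons = triage_driver_load(event)
        if reasons:
            hits.append((event.get("ImageLoaded", ""), reasons))
    return hits


# Constructed sample telemetry (not real events). Hash values are placeholders.
SAMPLE_LOG = [
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_BENIGN_DRIVER",
                "Signed": "true", "SignatureStatus": "Valid"}),
    # Validly signed but known-vulnerable driver dropped into ProgramData:
    # the classic BYOVD pattern.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\ProgramData\\upd\\helper.sys",
                "Hashes": "SHA256=placeholder_sha256_of_vulnerable_driver_a",
                "Signed": "true", "SignatureStatus": "Valid"}),
    # Unsigned driver loaded from a user temp directory.
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Users\\svc\\AppData\\Local\\Temp\\x.sys",
                "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_UNSIGNED_DRIVER",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    # Unrelated event type, ignored by the filter.
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}),
]

if __name__ == "__main__":
    for image, reasons in triage_log(SAMPLE_LOG):
        print(image)
        for r in reasons:
            print("  -", r)
```

The blocklist match is the signal that matters most: the whole point of BYOVD is that the driver carries a valid signature, so a "signed and valid" driver appearing in a user-writable directory still deserves a look. Pair this with alerting on Group Policy changes that push new scheduled tasks or services to many hosts at once, which is the other half of the propagation method described above.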

Timeline

  1. Dec 15, 2025

    Researchers disclose Gentlemen's BYOVD and GPO-based attack techniques

    Public reporting revealed that Gentlemen uses Group Policy Object manipulation and Bring Your Own Vulnerable Driver techniques to disable security tools, move laterally, and evade detection. The disclosures also described its use of X25519 and XChaCha20 encryption, selective file-segment encryption, and the README-GENTLEMEN.txt ransom note.

  2. Dec 15, 2025

    Gentlemen ransomware expands to organizations in 17 countries

    Following its initial appearance, Gentlemen ransomware spread to medium and large organizations across at least 17 countries in North America, South America, and the Middle East. The campaign affected multiple industries and used double extortion, combining data theft with file encryption.

  3. Aug 1, 2025

    Gentlemen ransomware is first observed in the wild

    Gentlemen ransomware was first observed in August 2025. Researchers identified it as a Go-based ransomware family designed for cross-platform attacks and protected by a required password argument for execution.
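The timeline notes two file-system artefacts a responder can look for: selective file-segment encryption and the README-GENTLEMEN.txt ransom note. The example below is added here and is neither Mallory's code nor anything from the ransomware; it classifies files by per-segment entropy, which distinguishes a fully encrypted file (every segment near 8 bits/byte) from a selectively encrypted one (near-random segments interleaved with segments that still look like the original content). The segment size and thresholds are assumptions, and the sample files are constructed in memory.

```python
"""Spot selectively (intermittently) encrypted files and ransom notes.

Added defensive example; not Mallory's code nor the ransomware's. Assumed
parameters: 4 KiB segments, an 'encrypted-looking' threshold of 7.5 bits/byte
and a 'structured' threshold of 6.0 bits/byte. Sample files are constructed
in memory rather than read from disk.
"""
import math
import ntpath
import random
from collections import Counter

RANSOM_NOTE_NAMES = {"README-GENTLEMEN.txt"}   # note name reported for this family
SEGMENT_SIZE = 4096
HIGH_ENTROPY = 7.5    # random/encrypted data sits close to 8.0 bits per byte
LOW_ENTROPY = 6.0     # text and most office content sit well below this


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def segment_entropies(data, segment_size=SEGMENT_SIZE):
    """Entropy of each consecutive segment of the file."""
    return [shannon_entropy(data[i:i + segment_size])
            for i in range(0, len(data), segment_size)]


def classify(data, segment_size=SEGMENT_SIZE):
    """Label a file as 'plaintext', 'encrypted' or 'partially_encrypted'.

    Full-file encryption leaves every segment near 8 bits/byte. Selective
    segment encryption leaves a tell-tale mix: near-random segments
    interleaved with segments that still look like the original content.
    """
    ents = segment_entropies(data, segment_size)
    if not ents:
        return "plaintext"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == len(ents):
        return "encrypted"
    if high and low:
        return "partially_encrypted"
    return "plaintext"


def is_ransom_note(path):
    """True if the file name matches a known ransom-note name for this family."""
    return ntpath.basename(path) in RANSOM_NOTE_NAMES


def scan(files):
    """files: {path: bytes}. Return (path, finding) pairs worth an analyst's look."""
    findings = []
    for path, data in files.items():
        if is_ransom_note(path):
            findings.append((path, "ransom note"))
            continue
        label = classify(data)
        if label != "plaintext":
            findings.append((path, label))
    return findings


# Constructed sample files. The 'encrypted' bytes are seeded random data
# standing in for ciphertext; no real encryption is involved.
_rng = random.Random(20251215)
PLAINTEXT_DOC = b"Quarterly revenue summary for the regional clinics.\n" * 320
ENCRYPTED_DOC = _rng.randbytes(4 * SEGMENT_SIZE)
PARTIAL_DOC = b"".join(
    _rng.randbytes(SEGMENT_SIZE) if i % 2 == 0 else PLAINTEXT_DOC[:SEGMENT_SIZE]
    for i in range(4)
)
SAMPLE_FILES = {
    "\\\\fileserver\\finance\\q3.txt": PLAINTEXT_DOC,
    "\\\\fileserver\\finance\\q4.txt": ENCRYPTED_DOC,
    "\\\\fileserver\\finance\\budget.db": PARTIAL_DOC,
    "\\\\fileserver\\finance\\README-GENTLEMEN.txt": b"constructed note body",
}

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_FILES):
        print(f"{finding:20} {path}")
```

Compressed and archive-based formats (zip, jpeg, docx) are uniformly high-entropy and will be labelled "encrypted" by this heuristic, so treat that label as a prompt to compare against known file types and modification times. The mixed pattern is the stronger signal: legitimate files rarely alternate between random-looking and structured segments, and a share where many files suddenly show it alongside a fresh ransom note is a clear indicator of the selective encryption described above.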

Related Stories

Emergence and Operations of The Gentlemen Ransomware-as-a-Service Group

The Gentlemen ransomware group has rapidly established itself as a significant threat actor since its emergence around July 2025, leveraging a Ransomware-as-a-Service (RaaS) model and advanced dual-extortion tactics. The group has claimed at least 48 victims within a three-month period, utilizing the XChaCha20 encryption algorithm to lock files and exfiltrating sensitive business data to pressure organizations into paying ransoms. Their operations are characterized by a combination of established ransomware techniques and innovative strategies, including the development of their own RaaS platform after experimenting with various affiliate models, which has enabled them to quickly adapt to new attack vectors and maintain persistence against targeted organizations. Threat intelligence reports highlight that The Gentlemen's data leak site is active, and the group has demonstrated a willingness to publish stolen data if ransom demands are not met. Their evolution from testing other ransomware platforms to building a proprietary service underscores their technical sophistication and intent to scale operations. Security professionals are advised to monitor for indicators of compromise related to The Gentlemen and to ensure robust data protection and incident response measures are in place to mitigate the risk posed by this rapidly evolving ransomware group.

1 week ago
Recent Ransomware Threats Targeting Organizations and Critical Sectors

Several new ransomware groups and campaigns have emerged, demonstrating increased sophistication and targeting a range of organizations globally. The SafePay group has established itself as a major threat by operating as a centralized, closed ransomware operation, eschewing the typical Ransomware-as-a-Service (RaaS) model. SafePay employs double extortion tactics, exfiltrating sensitive data before encrypting systems, and leverages rapid attack chains that often move from initial access to full encryption within 24 hours. Their methods include exploiting compromised credentials, misconfigured firewalls, and deploying backdoors for persistence, with a focus on operational security to avoid law enforcement detection. Other notable threats include the CrazyHunter ransomware, which has aggressively targeted healthcare organizations in Taiwan using advanced evasion techniques and multi-stage attacks that exploit Active Directory and propagate via Group Policy Objects. Meanwhile, the Ransomhouse group, operated by Jolly Scorpius, has upgraded its capabilities with a dual-key encryption system and automated attacks on VMware ESXi hypervisors, particularly focusing on German enterprises. These campaigns highlight a trend toward more targeted, technically advanced ransomware operations that prioritize both data theft and rapid system disruption, posing significant risks to critical infrastructure and sensitive industries.

1 month ago
RansomHouse Ransomware Upgrades with Double Extortion and Advanced Encryption

RansomHouse, operated by the group known as Jolly Scorpius, has significantly evolved its ransomware-as-a-service (RaaS) platform by integrating a double extortion strategy that combines data theft with encryption. This approach increases pressure on victims by threatening both operational disruption and public data leaks. Since December 2021, RansomHouse has targeted at least 123 organizations across critical sectors such as healthcare, finance, transportation, and government, resulting in substantial financial losses and severe data breaches. The group employs a sophisticated attack chain, with roles divided among operators, attackers, and infrastructure providers, and often gains initial access through spear-phishing or exploiting vulnerable systems. Once inside, attackers use specialized tools to maximize impact, particularly targeting VMware ESXi hypervisors to encrypt large numbers of virtual machines simultaneously, amplifying operational disruption. Recent technical analysis reveals that RansomHouse has upgraded its encryption methods from a simple, linear approach to a more complex, multi-layered technique, making detection and recovery more challenging for defenders. The toolkit includes the 'MrAgent' management and deployment tool, which automates ransomware deployment and maintains persistent connections to command-and-control servers, and the 'Mario' encryptor, which represents the latest advancement in their arsenal. These upgrades, combined with the double extortion model, have made RansomHouse a formidable threat, prompting security vendors to enhance their protective measures and urging organizations to remain vigilant against this evolving ransomware operation.

1 month ago