
Not exactly chivalrous, a newly identified ransomware group called Gentlemen has been gaining prominence since August. Researchers say the gang’s technical sophistication suggests a coordinated team with extensive experience in enterprise-focused attacks.
According to ASEC, South Korean cybersecurity firm AhnLab’s threat intelligence and research division, the Gentlemen ransomware campaign has been confirmed in at least 17 countries, striking manufacturing, construction, healthcare, and insurance companies.
The scope of the cyberattacks encompasses the Asia-Pacific, North America, South America, and the Middle East regions. To the researchers, this breadth of activities indicates an organized and well-resourced operation.
“The group operates a double extortion model that involves breaching corporate networks, exfiltrating data, encrypting the data, and then using the encrypted data to extort victims,” said ASEC researchers, adding that the group was first identified in August 2025.
Gentlemen seems to be one of the most active emerging ransomware threats this year, having attacked multiple regions and industries in a short span of just a few months.
Not a lot is actually known about the group, though. According to ASEC, as of now, there is no clear evidence that the group is operating on a ransomware-as-a-service model.
It is also yet to be confirmed whether the group is a rebrand of an existing ransomware group or a sub-group of one.
Security analysts believe the group primarily targets medium to large enterprises, employing advanced techniques to evade detection and spread within corporate networks.
More specifically, Gentlemen is a ransomware strain developed in Go, which incorporates multiple evasion tactics during execution. Before encryption, its routine involves disabling Windows Defender, stopping backup services such as Veeam and database-related services (MSSQL, MongoDB), and deleting logs and system traces.
The ransomware restricts execution to intended environments through a mandatory password parameter (--password). Without the correct password, the malware terminates instantly, preventing unintentional activation or analysis by researchers.
Each file is encrypted with a unique key and nonce, generated dynamically to prevent decryption without the private key. Files smaller than 1MB are fully encrypted, while larger files have selected segments encrypted to strike a balance between speed and impact.
After encryption, the malware drops a ransom note labeled README-GENTLEMEN.txt in all affected directories.
The note claims to have exfiltrated data and threatens public disclosure if ransom demands are not met. At the same time, the group offers to decrypt two sample files as proof of its decryption capability.
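The pre-encryption routine described above (Defender disabled, Veeam and MSSQL/MongoDB services stopped, logs cleared, then README-GENTLEMEN.txt dropped) is a sequence a defender can correlate rather than alert on one event at a time. The following is an added example, not code from the article or from ASEC; the log format, host names and message wording are constructed for illustration, and the "three distinct stages inside 30 minutes" threshold is an assumption to tune against real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry); format: "<ISO time> <host> <message>".
SAMPLE_LOGS = """\
2025-09-01T02:10:05 FILESRV01 Windows Defender real-time protection disabled via policy
2025-09-01T02:10:40 FILESRV01 Service stopped: VeeamBackupSvc
2025-09-01T02:10:41 FILESRV01 Service stopped: MSSQLSERVER
2025-09-01T02:10:42 FILESRV01 Service stopped: MongoDB
2025-09-01T02:11:30 FILESRV01 Event log cleared: Security
2025-09-01T02:25:00 FILESRV01 File created: D:\\Shares\\Finance\\README-GENTLEMEN.txt
2025-09-01T08:00:00 WKS-042 Service stopped: MSSQLSERVER
"""

# One regex per stage of the pre-encryption routine described in the article.
STAGES = {
    "defender_disabled": re.compile(r"Defender.*disabled", re.I),
    "backup_service_stopped": re.compile(r"Service stopped: .*Veeam", re.I),
    "db_service_stopped": re.compile(r"Service stopped: (MSSQL|MongoDB)", re.I),
    "log_cleared": re.compile(r"Event log cleared", re.I),
    "ransom_note": re.compile(r"README-GENTLEMEN\.txt", re.I),
}

def classify(line):
    """Return (time, host, stage) if the line matches a stage, else None."""
    if line.count(" ") < 2:
        return None
    ts, host, msg = line.split(" ", 2)
    for stage, rx in STAGES.items():
        if rx.search(msg):
            return datetime.fromisoformat(ts), host, stage
    return None

def correlate(log_text, window=timedelta(minutes=30)):
    """Per host, largest set of distinct stages seen inside `window`; >=3 is flagged (assumed threshold)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits[hit[1]].append((hit[0], hit[2]))
    verdicts = {}
    for host, evs in hits.items():
        evs.sort()
        best = set()
        for i, (t0, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        verdicts[host] = {"stages": sorted(best), "flagged": len(best) >= 3}
    return verdicts
```

A single stopped MSSQL service on WKS-042 is not flagged, while FILESRV01 shows all five stages within fifteen minutes and is.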