{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/storm-2697/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Storm-2697"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender"],"_cs_severities":["critical"],"_cs_tags":["ransomware","raas","lateral-movement","encryption"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Gentlemen ransomware is a ransomware-as-a-service (RaaS) operated by the financially motivated threat actor Storm-2697, which emerged around mid-2025 and began offering its RaaS to affiliates in September 2025. This ransomware is written in Go and obfuscated with Garble, targeting Windows environments. The operators behind the ransomware use double extortion tactics, encrypting data while also exfiltrating sensitive information. The Gentlemen ransomware combines strong per-file encryption with an aggressive self-propagation capability, using a series of simultaneous lateral movement methods to spread across an environment after initial access is achieved. Microsoft has observed this ransomware impacting organizations across education, transportation, healthcare, and financial industries globally. More recently, The Gentlemen operators have partnered with BreachForums to recruit affiliates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through unspecified means, potentially leveraging initial access brokers recruited via BreachForums.\u003c/li\u003e\n\u003cli\u003eThe Gentlemen ransomware is executed on the target system, requiring a password via the \u003ccode\u003e--password\u003c/code\u003e command-line argument.\u003c/li\u003e\n\u003cli\u003eThe ransomware parses command-line arguments to determine encryption scope, speed, and lateral movement options.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003e--full\u003c/code\u003e argument is provided, the malware spawns two child processes: one with \u003ccode\u003e--system\u003c/code\u003e to encrypt local drives under SYSTEM privileges, and another with \u003ccode\u003e--shares\u003c/code\u003e to encrypt network shares.\u003c/li\u003e\n\u003cli\u003eThe ransomware uses per-file ephemeral Curve25519 keys with XChaCha20 stream cipher to encrypt files. The speed of encryption is determined by arguments like \u003ccode\u003e--fast\u003c/code\u003e, \u003ccode\u003e--superfast\u003c/code\u003e, or \u003ccode\u003e--ultrafast\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor lateral movement, the \u003ccode\u003e--spread\u003c/code\u003e argument is used to propagate to other systems, accepting credentials or using the current session token.\u003c/li\u003e\n\u003cli\u003eAfter encryption, the ransomware may delete itself unless the \u003ccode\u003e--keep\u003c/code\u003e argument is provided. It may also wipe free disk space if the \u003ccode\u003e--wipe\u003c/code\u003e argument is used.\u003c/li\u003e\n\u003cli\u003eVictims are presented with a ransom note, and sensitive data is exfiltrated to pressure victims to pay the ransom.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Gentlemen ransomware has impacted organizations across various industries including education, transportation, healthcare, and financial services in North America, South America, Europe, Africa, and Asia. A successful attack results in data encryption, exfiltration of sensitive information, and significant operational disruption. Victims are pressured to pay a ransom to regain access to their data and prevent the public release of stolen information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of binaries with command-line arguments specifying encryption scope, speed, and lateral movement options, especially the \u003ccode\u003e--full\u003c/code\u003e, \u003ccode\u003e--system\u003c/code\u003e, and \u003ccode\u003e--shares\u003c/code\u003e arguments (see Sigma rule \u0026ldquo;Detect The Gentlemen Ransomware Execution with Full Argument\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Defender and review detections related to The Gentlemen ransomware. Use the provided hunting queries to proactively search for related activity in your environment.\u003c/li\u003e\n\u003cli\u003eImplement strict password policies and multi-factor authentication to reduce the risk of credential compromise and lateral movement.\u003c/li\u003e\n\u003cli\u003eRegularly back up critical data to an offsite location to ensure recoverability in the event of a ransomware attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T15:40:43Z","date_published":"2026-05-28T15:40:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-the-gentlemen-ransomware/","summary":"The Gentlemen ransomware, operated by Storm-2697 as a RaaS, employs a combination of strong per-file encryption with aggressive self-propagation to achieve broad network compromise, targeting Windows environments and using double extortion tactics.","title":"The Gentlemen Ransomware: Self-Propagating Go Encryptor","url":"https://feed.craftedsignal.io/briefs/2026-05-the-gentlemen-ransomware/"}],"language":"en","title":"CraftedSignal Threat Feed — Storm-2697","version":"https://jsonfeed.org/version/1.1"}