The Gentlemen Are Coming for Your Files, and Then Your Network

CSO Online, May 29, 2026

Why It Matters

The automated lateral spread can turn a single compromised endpoint into a network‑wide outage, dramatically increasing response costs and business disruption risk across industries.

Key Takeaways

  • Gentlemen ransomware uses a Go‑based encryptor that propagates over SMB using harvested credentials.
  • RaaS model launched Sep 2025, recruiting affiliates through BreachForums.
  • The "--full" argument encrypts local drives and visible network shares with SYSTEM rights.
  • Detection window narrows as malware spreads before encryption begins.
  • Microsoft advises monitoring lateral movement and credential abuse, not just file encryption.

Pulse Analysis

The ransomware landscape has evolved from isolated file‑locking attacks to sophisticated, self‑propagating threats that can cripple entire networks. Gentlemen exemplifies this shift, leveraging a Go‑written encryptor that automatically discovers vulnerable hosts, harvests credentials, and copies itself over SMB. By embedding legitimate Windows administrative tools, the malware reduces the need for continuous operator oversight, allowing rapid expansion before any encryption activity is visible. This approach shortens the window for detection and forces defenders to rethink traditional, signature‑based defenses.

Technical analysis reveals that Gentlemen’s encryptor operates with a command‑line interface, requiring a specific password argument to unlock its payload. Options such as "--full" trigger SYSTEM‑level encryption of local disks and any network shares the compromised host can see, while "--spread" directs lateral movement. The ransomware’s RaaS incarnation, launched in September 2025, taps into BreachForums to enlist affiliates ranging from pen‑testers to initial‑access brokers, expanding its reach across education, transportation, healthcare, and financial sectors on every continent. The hard‑coded password check further thwarts unauthorized use, ensuring only vetted affiliates can deploy the payload.

For security teams, the priority is no longer merely spotting encrypted files but detecting the precursor behaviors that indicate network traversal. Monitoring for abnormal SMB traffic, credential‑spraying attempts, and remote execution commands can provide early warning before the encryptor activates. Deploying micro‑segmentation, enforcing least‑privilege access, and maintaining up‑to‑date endpoint detection and response (EDR) solutions are critical controls. As self‑propagating ransomware like Gentlemen gains traction, organizations must adopt an attack‑path mindset, continuously mapping potential lateral routes and hardening those vectors to mitigate the risk of a full‑scale network lockout.
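The precursor detections described above (credential spraying, administrative-share fan-out over SMB, and remote service installation following share access) can be expressed as simple correlation rules. The following is an added example, not code from the CSO Online article or from Microsoft: it runs three such rules over constructed Windows Security/System event records (dicts standing in for event IDs 4625, 5140 and 7045). The field names, thresholds, hostnames and addresses are assumptions chosen for illustration.

```python
"""Precursor detection for self-propagating ransomware (SMB lateral movement).

Added example (not from the article). Three rules run over constructed
Windows event records: 4625 (failed logon), 5140 (network share accessed)
and 7045 (new service installed). Field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 'ts' is ISO-8601.
SAMPLE_EVENTS = [
    # Credential spraying: one source fails logons for many accounts within 60 s
    *[{"id": 4625, "ts": f"2026-05-29T09:00:{i:02d}", "src": "10.0.5.23",
       "user": f"user{i}", "host": "DC01"} for i in range(8)],
    # Admin-share fan-out: the same source reaches ADMIN$/C$ on several hosts
    {"id": 5140, "ts": "2026-05-29T09:02:01", "src": "10.0.5.23", "host": "WS-11", "share": "\\\\*\\ADMIN$"},
    {"id": 5140, "ts": "2026-05-29T09:02:05", "src": "10.0.5.23", "host": "WS-12", "share": "\\\\*\\ADMIN$"},
    {"id": 5140, "ts": "2026-05-29T09:02:09", "src": "10.0.5.23", "host": "FS-01", "share": "\\\\*\\C$"},
    # Remote execution: a new service appears on a host just reached over SMB
    {"id": 7045, "ts": "2026-05-29T09:02:20", "host": "WS-11", "service": "updsvc"},
    # Benign noise that must not trigger any rule
    {"id": 5140, "ts": "2026-05-29T09:03:00", "src": "10.0.9.4", "host": "FS-01", "share": "\\\\*\\Shared"},
    {"id": 4625, "ts": "2026-05-29T09:04:00", "src": "10.0.9.4", "user": "alice", "host": "DC01"},
]

ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def _t(e):
    return datetime.fromisoformat(e["ts"])


def _is_admin_share(e):
    # Share names arrive as \\*\ADMIN$; compare only the last path component.
    return e["share"].rsplit("\\", 1)[-1] in ADMIN_SHARES


def detect_spraying(events, min_users=5, window=timedelta(seconds=60)):
    """Sources that fail logons for >= min_users distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=_t)
        for i, first in enumerate(evs):          # sliding window anchored at each failure
            users = {x["user"] for x in evs[i:] if _t(x) - _t(first) <= window}
            if len(users) >= min_users:
                hits[src] = len(users)
                break
    return hits


def detect_admin_share_fanout(events, min_hosts=3):
    """Sources that open administrative shares on >= min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["id"] == 5140 and _is_admin_share(e):
            hosts[e["src"]].add(e["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}


def detect_remote_service_install(events, window=timedelta(minutes=5)):
    """(host, service, src) triples where a service install follows admin-share access from src."""
    touched = [(e["host"], e["src"], _t(e)) for e in events
               if e["id"] == 5140 and _is_admin_share(e)]
    out = []
    for e in events:
        if e["id"] != 7045:
            continue
        for host, src, ts in touched:
            if host == e["host"] and timedelta(0) <= _t(e) - ts <= window:
                out.append((e["host"], e["service"], src))
    return out


def run(events=SAMPLE_EVENTS):
    return {"spraying": detect_spraying(events),
            "fanout": detect_admin_share_fanout(events),
            "remote_exec": detect_remote_service_install(events)}


if __name__ == "__main__":
    for rule, result in run().items():
        print(rule, result)
```

Each rule fires on the constructed source 10.0.5.23 and stays silent on the benign 10.0.9.4 records; the third rule is the most useful one, because share access followed within minutes by a service install on the same host is the chain a self-copying encryptor leaves behind before any file is touched. In production the same logic would be fed from a SIEM query rather than an in-memory list, and the thresholds tuned against the environment's normal administrative traffic.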