The Gentlemen, a Ransomware-as-a-Service (RaaS) operation executed by the Storm-2697 affiliate group, has escalated attacks against high-value critical infrastructure, specifically targeting healthcare and water management districts. The group deploys a sophisticated, self-propagating encryptor written in Go (Golang) that utilizes per-file ephemeral key encryption to prevent unauthorized decryption. This malware features an aggressive lateral movement module designed for simultaneous, network-wide deployment to maximize operational paralysis before detection can occur. Confirmed victims include the St. Johns River Water Management District. Concurrently, a significant internal breach of The Gentlemen’s own infrastructure has leaked operational data, providing cybersecurity researchers with unprecedented technical intelligence regarding the group's internal structure and tactics.
- Incident/Breach Overview: Critical Infrastructure Targeting
  - Pivoted operational focus toward high-impact sectors including healthcare and water management utilities.
  - Confirmed data exfiltration and encryption incidents affecting the St. Johns River Water Management District.
  - Dual-impact event involving both victim compromises and a significant internal breach of the ransomware group's own data.
- Technical Deep Dive: Go-Based Malware Mechanics
  - Uses a Go (Golang) based encryptor to facilitate cross-platform efficiency and evasion of signature-based detection.
  - Employs a per-file ephemeral key encryption scheme to ensure high-speed, irreversible data locking.
  - Features an aggressive self-propagation module designed for rapid, simultaneous lateral movement across subnets.
  - Engineered to achieve maximum network saturation before typical EDR/NDR response cycles can intervene.
- Threat Actor Profile: Storm-2697 and RaaS Scale
  - Attributed to the Storm-2697 affiliate group operating under The Gentlemen RaaS framework.
  - Focuses on maximizing operational disruption in industrial and management environments to increase extortion leverage.
  - Leverages high-velocity deployment models to overwhelm business continuity and incident response capabilities.
- Intelligence & Defensive Implications
  - Leaked operational intelligence provides researchers with rare insights into the group's internal backend and communication protocols.
  - Microsoft and Check Point research offers deep technical visibility into the unique Go-based lateral movement signatures.
  - Recommended mitigation includes strict network segmentation and behavioral monitoring for high-frequency file I/O and anomalous Go-based processes.
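The "behavioral monitoring for high-frequency file I/O" recommendation above is usually implemented as a sliding-window rate check over endpoint file-event telemetry. The script below is an added example written for this summary; it is not code from Microsoft, Check Point, or any of the reports listed here. It assumes a simple space-separated event line format (`<ISO timestamp> pid=… proc=… op=… path=…`), constructed sample events (the process names, paths and `.locked` suffix are invented), and assumed thresholds (50 write/rename events within 10 seconds) that a real deployment would tune against its own baseline. It also reports how many distinct directories the flagged process touched, since a single process rewriting files across many directories is the pattern the encryptor description above implies.

```python
"""Sliding-window detection of burst file write/rename activity per process.

Added example for the mitigation bullet above; not code from any vendor report.
Event line format, thresholds and all sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_events():
    """Return constructed sample telemetry lines (not real logs)."""
    base = datetime(2025, 1, 1, 12, 0, 0)
    lines = []
    # Benign: a word processor saving a few documents spread over a minute.
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        lines.append(
            f"{ts.isoformat()} pid=1001 proc=winword.exe op=write "
            f"path=C:\\Users\\a\\Documents\\memo{i}.docx"
        )
    # Suspicious: one process rewriting and renaming 80 files across eight
    # share directories within about three seconds (constructed pattern).
    for i in range(80):
        ts = base + timedelta(milliseconds=40 * i)
        d = i % 8
        lines.append(
            f"{ts.isoformat()} pid=4242 proc=updater.exe op=write "
            f"path=D:\\share\\dept{d}\\file{i}.xlsx"
        )
        lines.append(
            f"{ts.isoformat()} pid=4242 proc=updater.exe op=rename "
            f"path=D:\\share\\dept{d}\\file{i}.xlsx.locked"
        )
    return lines


def parse_event(line):
    """Parse one assumed-format event line into (timestamp, fields dict).

    maxsplit=4 keeps the whole path together even if it contains spaces.
    """
    parts = line.split(" ", 4)
    fields = dict(p.split("=", 1) for p in parts[1:])
    return datetime.fromisoformat(parts[0]), fields


def detect_burst_writers(lines, window_seconds=10, threshold=50):
    """Flag processes whose write/rename count in any sliding window reaches threshold.

    Returns {(pid, proc): {"peak_events": n, "distinct_dirs": m}}.
    Events are sorted by timestamp first so out-of-order delivery does not
    shrink the window; only write and rename operations are counted.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-process timestamps inside the window
    dirs = defaultdict(set)       # per-process parent directories touched
    peaks = {}

    for line in sorted(lines, key=lambda l: l.split(" ", 1)[0]):
        ts, f = parse_event(line)
        if f.get("op") not in ("write", "rename"):
            continue
        key = (f["pid"], f["proc"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        dirs[key].add(f["path"].rsplit("\\", 1)[0])
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))

    return {
        key: {"peak_events": peak, "distinct_dirs": len(dirs[key])}
        for key, peak in peaks.items()
    }


if __name__ == "__main__":
    for (pid, proc), info in detect_burst_writers(constructed_events()).items():
        print(f"ALERT pid={pid} proc={proc} "
              f"peak={info['peak_events']} dirs={info['distinct_dirs']}")
```

On the constructed input only the `updater.exe` process is flagged; the word processor's five saves never approach the window threshold. In production the same logic would run against EDR or Sysmon file-event streams, with the threshold set above the busiest legitimate writers (backup agents, build servers) observed during a baseline period, and the distinct-directory count used as a second signal to reduce false positives from single-directory bulk writers.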
Related posts
- Krebs on Security — Who Runs the Ransomware Group ‘The Gentlemen?’
- Cybereason
- Ransomlook
- Socradar
- Fortiguard
- S2w
- Krebsonsecurity
- Provendata
- Broadcom
- Dexpose
- microsoft.com — The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
- Industrialcyber
- Paubox
- Botcrawl
- techjacksolutions.com — RaaS Operator Exposed: OPSEC Failure Reveals 'The Gentlemen' Affiliate Model and Organizational Structure
- Darkatlas
- Moxfive
- Trendmicro
- feeds.feedburner.com — The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
- Techjacksolutions
- 2wtech
- Infosecurity-magazine
- Hivepro
- helpnetsecurity.com — GentleKiller targets more than 400 security processes across 48 products
- Welivesecurity
- Microsoft
- Ransom-isac
- bleepingcomputer.com — Gentlemen ransomware uses multiple EDR killers to disable defenses
- feeds.feedburner.com — The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes
- Mallory
- Govinfosecurity
- gbhackers.com — Gentlemen RaaS Unifies HexKiller, ThrottleBlood, and HavocKiller in New Evasion Suite
- Dark Reading — Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak