
The Gentlemen, a Ransomware-as-a-Service (RaaS) operation whose intrusions are carried out by the affiliate group tracked as Storm-2697, has escalated attacks against high-value critical infrastructure, in particular healthcare providers and water management districts. The group deploys a self-propagating encryptor written in Go that encrypts each file under its own ephemeral key, so that recovering any single key does not unlock the rest of the data. The malware carries an aggressive lateral-movement module built for simultaneous, network-wide deployment, the aim being to paralyse operations before defenders can react. Confirmed victims include the St. Johns River Water Management District. At the same time, a breach of The Gentlemen's own infrastructure has leaked operational data, giving researchers unusually detailed insight into the group's internal structure and tactics.

  • Incident/Breach Overview: Critical Infrastructure Targeting
    • Pivoted operational focus toward high-impact sectors, including healthcare and water management utilities.
    • Confirmed data exfiltration and encryption affecting the St. Johns River Water Management District.
    • Dual-impact event: victim compromises on one side, a significant breach of the ransomware group's own data on the other.
  • Technical Deep Dive: Go-Based Malware Mechanics
    • Uses a Go encryptor: statically linked Go builds run across platforms and are covered less thoroughly by signature-based detection than binaries from more common toolchains.
    • Encrypts every file under its own ephemeral key, so encryption is fast, no file can be recovered without the operator's key, and no single recovered key unlocks more than one file.
    • Includes an aggressive self-propagation module for rapid, simultaneous lateral movement across subnets.
    • Built to saturate the network before a typical EDR/NDR response cycle can intervene.
  • Threat Actor Profile: Storm-2697 and RaaS Scale
    • Attributed to the Storm-2697 affiliate group, operating under The Gentlemen RaaS programme.
    • Concentrates on maximising operational disruption in industrial and utility-management environments to increase extortion leverage.
    • Relies on high-velocity deployment to overwhelm business continuity and incident response capacity.
  • Intelligence & Defensive Implications
    • Leaked operational data gives researchers rare insight into the group's back-end infrastructure and communication channels.
    • Research from Microsoft and Check Point gives detailed technical visibility into the encryptor's Go-based lateral-movement behaviour.
    • Recommended mitigations: strict network segmentation, behavioural monitoring for high-rate file write and rename activity and for a single host connecting to many peers in a short time, and alerting on unexpected Go-compiled processes.
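The behavioural monitoring recommended above can be turned into concrete detection logic. The Go program below is an added example written for this briefing; it is not code from Microsoft, Check Point or any of the reports listed under Related posts. It runs two detectors over constructed telemetry: a sliding-window count of file operations per process, which catches the burst an encryptor's per-file loop produces, and a sliding-window count of distinct destination hosts per source on one port, which catches a self-propagating encryptor sweeping its subnet. The briefing does not name the propagation protocol; the example counts fan-out on TCP/445 (SMB) as a common choice and takes the port as a parameter. Record formats, thresholds, PIDs, paths and addresses are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Constructed telemetry records: FileEvent is a file write/rename from an
// endpoint sensor (Sysmon, auditd, EDR); FlowEvent an outbound TCP connection
// (Zeek conn.log, NetFlow, firewall). Field layouts are assumptions.
type FileEvent struct{ TS time.Time; PID int; Path string }
type FlowEvent struct{ TS time.Time; SrcHost, DstHost string; DstPort int }

// FileBursts returns PIDs that touched at least minFiles files inside any sliding
// window of the given length: an encryptor's per-file loop far outpaces normal I/O.
func FileBursts(events []FileEvent, window time.Duration, minFiles int) []int {
	byPID := map[int][]time.Time{}
	for _, e := range events {
		byPID[e.PID] = append(byPID[e.PID], e.TS)
	}
	var hits []int
	for pid, ts := range byPID {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for lo, hi := 0, 0; hi < len(ts); hi++ {
			for ts[hi].Sub(ts[lo]) > window { // drop events older than the window
				lo++
			}
			if hi-lo+1 >= minFiles {
				hits = append(hits, pid)
				break
			}
		}
	}
	sort.Ints(hits)
	return hits
}

// PeerFanOut returns source hosts that connected to at least minPeers distinct
// destinations on port inside the window: a host normally talks to a few servers,
// a worm sweeping its subnet talks to dozens within seconds.
func PeerFanOut(flows []FlowEvent, port int, window time.Duration, minPeers int) []string {
	bySrc := map[string][]FlowEvent{}
	for _, f := range flows {
		if f.DstPort == port {
			bySrc[f.SrcHost] = append(bySrc[f.SrcHost], f)
		}
	}
	var hits []string
	for src, fs := range bySrc {
		sort.Slice(fs, func(i, j int) bool { return fs[i].TS.Before(fs[j].TS) })
		peers := map[string]int{} // destination -> connections inside the window
		for lo, hi := 0, 0; hi < len(fs); hi++ {
			peers[fs[hi].DstHost]++
			for fs[hi].TS.Sub(fs[lo].TS) > window { // evict flows older than the window
				if peers[fs[lo].DstHost]--; peers[fs[lo].DstHost] == 0 {
					delete(peers, fs[lo].DstHost)
				}
				lo++
			}
			if len(peers) >= minPeers {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleTelemetry is constructed input: PID 4242 rewrites 120 files in under 2 s and
// 10.0.5.17 sweeps 40 neighbours on TCP/445 in 30 s, beside benign activity
// (PID 1001 saving five files over a minute; 10.0.5.9 talking to two file servers).
func sampleTelemetry() ([]FileEvent, []FlowEvent) {
	t0 := time.Date(2024, 1, 1, 3, 0, 0, 0, time.UTC)
	ev, fl := []FileEvent{}, []FlowEvent{}
	for i := 0; i < 120; i++ {
		ev = append(ev, FileEvent{t0.Add(time.Duration(i) * 16 * time.Millisecond), 4242, fmt.Sprintf(`C:\share\doc%03d.docx`, i)})
	}
	for i := 0; i < 5; i++ {
		ev = append(ev, FileEvent{t0.Add(time.Duration(i) * 12 * time.Second), 1001, fmt.Sprintf(`C:\Users\a\r%d.docx`, i)})
	}
	for i := 0; i < 40; i++ {
		fl = append(fl, FlowEvent{t0.Add(time.Duration(i) * 750 * time.Millisecond), "10.0.5.17", fmt.Sprintf("10.0.5.%d", 20+i), 445})
	}
	for i := 0; i < 20; i++ {
		fl = append(fl, FlowEvent{t0.Add(time.Duration(i) * 3 * time.Second), "10.0.5.9", fmt.Sprintf("10.0.1.%d", 1+i%2), 445})
	}
	return ev, fl
}

func main() {
	ev, fl := sampleTelemetry()
	fmt.Println("file-burst PIDs:", FileBursts(ev, 5*time.Second, 50))       // [4242]
	fmt.Println("fan-out hosts:", PeerFanOut(fl, 445, time.Minute, 20))       // [10.0.5.17]
}
```

The thresholds (50 files in 5 s, 20 peers in 60 s) are placeholders; baseline them per environment, because backup agents, indexers and vulnerability scanners produce similar patterns and will need allow-listing. The third item in the mitigation list, unexpected Go-compiled processes, needs no custom parser: the standard library's debug/buildinfo package reads the build-information block the Go linker embeds, so a hunt can check each executable on disk with it and triage the hits, bearing in mind that plenty of legitimate software is also written in Go.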

Related posts

  1. Krebs on Security — Who Runs the Ransomware Group ‘The Gentlemen?’
  2. microsoft.com — The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
  3. techjacksolutions.com — RaaS Operator Exposed: OPSEC Failure Reveals 'The Gentlemen' Affiliate Model and Organizational Structure
  4. feeds.feedburner.com — The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
  5. helpnetsecurity.com — GentleKiller targets more than 400 security processes across 48 products
  6. bleepingcomputer.com — Gentlemen ransomware uses multiple EDR killers to disable defenses
  7. feeds.feedburner.com — The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes
  8. gbhackers.com — Gentlemen RaaS Unifies HexKiller, ThrottleBlood, and HavocKiller in New Evasion Suite
  9. Dark Reading — Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak
