License to Encrypt: Make Their Move
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics. They encrypt data and exfiltrate sensitive information, threatening to release it unless a ransom is paid. The group developed their own Ransomware-as-a-Service (RaaS) platform after experimenting with various affiliate models. Their latest update introduces automatic self-restart, run-on-boot functionality, and flexible encryption speeds. The ransomware targets both local disks and network-shared drives, supporting Windows, Linux, and ESXi platforms. Key features include reliable encryption using XChaCha20 and Curve25519, configurable attack methods, and persistent access capabilities. The group has published 47 victims on their dark web leak site within two months of operation.
OPENCTI LABELS:
persistence, encryption, esxi, raas, ransomware, linux, windows, dual-extortion, the gentlemen
AI COMMENTARY:
1. License to Encrypt: Make Their Move opens with the unsettling rise of ‘The Gentlemen’ ransomware group, which arrived on the threat landscape in July 2025 to redefine dual-extortion. This actor doesn’t just lock files with strong encryption; they also siphon sensitive data before triggering the ransom demand. The public face of their operation is a polished dark web leak site that already lists 47 victims in just two months, sending a clear message: pay up or watch data be auctioned to the highest bidder.
2. Born from the fragmented RaaS ecosystem, The Gentlemen initially tested various affiliate models before consolidating resources to build their own Ransomware-as-a-Service platform. This shift to an in-house model grants them tighter operational security and better control over affiliates’ activities, reducing the risk of leaks and errors that could expose the group’s infrastructure. It also streamlines payment processing, allowing them to rotate cryptocurrency wallets and obfuscate tracing efforts.
3. On the technical front, their latest variant boasts automatic self-restart and run-on-boot functionality. These features are designed so that attempts to disrupt the attack—whether by rebooting a system or terminating processes—do not stop the encryption run. Encryption speeds are adjustable, letting affiliates throttle impact to evade detection by network monitoring tools or accelerate damage once detection measures are neutralized. Every dimension of the attack is configurable through a modular control panel.
4. Support for Windows, Linux, and ESXi environments makes The Gentlemen a cross-platform menace. They can simultaneously encrypt local disks and network-shared drives to maximize impact. By leveraging XChaCha20 for file encryption and Curve25519 for key exchange, they combine industry-standard cryptographic strength with speed and stability, ensuring victims cannot recover data without the attacker’s private keys.
5. Persistence is built into the core of their operation. Once the ransomware gains an initial foothold—often via phishing or exploiting public-facing servers—it deploys backdoors that allow persistent access. The run-on-boot routines reinsert the malicious payload if remnants are removed, while secondary tools maintain remote control for data exfiltration. This dual-layer approach ensures that even if encryption is undone by restoring from backups, the theft of sensitive information has already occurred.
6. The public pressure of dual-extortion amplifies the psychological toll on victims. The threat of brand damage or regulatory fines for leaked sensitive data forces many organizations to negotiate swiftly. The Gentlemen’s operators capitalize on this fear, tailoring ransom notes to reference stolen intellectual property or personally identifiable information, upping the ante on payment demands.
7. Defending against this sophisticated threat requires a combination of preventive and detective controls. Segmenting networks to limit lateral movement, hardening backup strategies with offline copies, and deploying behavior-based monitoring can all help detect early signs of compromise. Incident response plans must also account for data exfiltration scenarios, aligning legal, PR, and technical teams to navigate the worst-case dual-extortion scenario. As The Gentlemen continue to refine their tactics, resilience and preparation remain organizations’ best defense.