License to Encrypt: Make Their Move

Nov. 19, 2025, 9:54 a.m.

Description

'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics: it encrypts data and exfiltrates sensitive information, threatening to release it unless a ransom is paid. The group developed its own Ransomware-as-a-Service (RaaS) platform after experimenting with various affiliate models. Its latest update introduces automatic self-restart, run-on-boot functionality, and flexible encryption speeds. The ransomware targets both local disks and network-shared drives, and supports Windows, Linux, and ESXi platforms. Key features include reliable encryption using XChaCha20 and Curve25519, configurable attack methods, and persistent access capabilities. The group has listed 47 victims on its dark web leak site within two months of operation.

Date

  • Created: Nov. 19, 2025, 8:48 a.m.
  • Published: Nov. 19, 2025, 8:48 a.m.
  • Modified: Nov. 19, 2025, 9:54 a.m.

Attack Patterns