Ransomware Analysis: Go Binary and Fast Encryption

June 10, 2026, 2:01 p.m.

Description

The Gentlemen is a Ransomware-as-a-Service operation, tracked as Storm-2697, that emerged in mid-2025 after splitting from the Qilin ransomware group following a payment dispute. Operating as a highly structured syndicate with at least 9 core operators, the group has compromised over 1,570 organizations across 70+ countries; an estimated 71-78% of victims pay the ransom and therefore never appear on public leak sites. The operation uses custom cross-platform lockers compiled from Go and C, featuring partial encryption modes (0.3%-9% of each file), built-in lateral movement via WMI and PowerShell remoting, aggressive defense evasion including disabling Windows Defender and clearing event logs, and self-propagation capabilities. A formal partnership with BreachForums in May 2026 expanded distribution through integrated affiliate onboarding. Despite sophisticated encryption using an X25519 key exchange and XChaCha20, a critical implementation flaw, CWE-244 (improper clearing of heap memory before release), allows key recovery from process memory dumps.

Date

  • Created: June 10, 2026, 11:58 a.m.
  • Published: June 10, 2026, 11:58 a.m.
  • Modified: June 10, 2026, 2:01 p.m.

Indicators

  • 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
  • http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/

Attack Patterns

Additional Information

  • Finance
  • Manufacturing
  • Technology
  • Healthcare
  • Government
  • tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion
  • Brazil
  • United Kingdom of Great Britain and Northern Ireland
  • Germany
  • United States of America

Linked vulnerabilities