Threats Behind the Mask of Gentlemen Ransomware
Gentlemen is a ransomware group first identified around August 2025. It operates a double extortion model: breaching corporate networks, exfiltrating data, encrypting files, and then threatening to publish the stolen data unless a ransom is paid. During the intrusion the group uses tactics typical of advanced ransomware operations, such as Group Policy Object (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD). So far there is no clear evidence that the group operates a Ransomware-as-a-Service (RaaS) model, and it has not been confirmed whether it is a rebrand of an existing ransomware group or a sub-group of one.
Attacks by Gentlemen spread quickly after the group appeared, with damage reported in at least 17 countries. The affected industries are diverse and include manufacturing, construction, healthcare, and insurance. Attacks have been confirmed in multiple regions, including Asia-Pacific (APAC), North America, South America, and the Middle East, showing activity that is not limited to a specific country or region.
Since its emergence, Gentlemen has been assessed as one of the most active emerging ransomware groups of 2025, having attacked multiple regions and industries in a relatively short period. Given its targeted attacks, detection evasion techniques, and sophisticated lateral movement procedures, the group appears to focus mainly on medium to large organizations. Continued monitoring of this group is warranted.

Figure 1. Gentlemen data leak site (DLS)
Analysis Details
Gentlemen is a ransomware strain developed in Go. It restricts its normal operation to intended environments by performing a password check on its execution arguments. Its initial routine, performed before encryption, involves disabling Windows Defender, stopping backup services (Veeam) and database-related services (MSSQL, MongoDB), and deleting logs and system traces. For file encryption, it uses the X25519 and XChaCha20 encryption algorithms. If a file is large, it is designed to encrypt only select segments of the file.
Initial Routine
Execution Arguments
Gentlemen performs a command-line argument parsing routine shortly after execution. These arguments are used to provide detailed control over encryption targets, performance options, and operation modes.

Figure 2. Gentlemen executable arguments
| Argument | Description |
|---|---|
| --password PASS | Password (required) to run the ransomware |
| --path DIRS | Directories and drives to encrypt |
| --T MIN | Delay before encryption begins |
| --silent | Do not rename files after encryption |
| --system | Encrypt local drives only |
| --shares | Encrypt only mapped network drives and reachable UNC shares |
| --full | Equivalent to --system plus --shares |
| --fast | Encrypt 9% of each file |
| --superfast | Encrypt 3% of each file |
| --ultrafast | Encrypt 1% of each file |
Table 1. Description of execution parameters
Among these parameters, the --password value is mandatory. If it is missing or incorrect, the ransomware terminates immediately. This ensures that the ransomware only runs in the environment the threat actor intends and prevents it from executing in unintended environments such as analysis sandboxes.
Encryption Preparation
The threat actor's public key, embedded in the ransomware in encoded form, is decoded in memory. During encryption, a random value is generated and combined with this public key in an X25519 operation to produce a shared secret, from which the final file encryption key is derived.

Figure 3. Public Key in encoded form
PowerShell commands are used to enumerate all volumes accessible from the system in order to identify the drives to be encrypted. This indicates that Gentlemen was designed to target not only single PCs but also enterprise clusters and shared storage environments.
Encrypting Files
Once the set of files to encrypt has been determined, the file encryption routine runs. Gentlemen encrypts files with a stream cipher based on XChaCha20. A fresh key and nonce are generated for every file, as follows.
First, a random 32-byte value is generated; it serves as an ephemeral X25519 private scalar. An X25519 (ECDH) operation on this scalar and the threat actor's embedded public key yields a 32-byte shared secret. The same scalar is then multiplied with the X25519 base point (u = 9), producing the 32-byte ephemeral public key. The first 16 bytes of this ephemeral public key are used as the nonce for HChaCha20, which derives a 32-byte subkey from the shared secret; that subkey is the XChaCha20 key, and the last 8 bytes of the ephemeral public key supply the remaining part of the XChaCha20 nonce. This is the standard XChaCha20 construction: a 24-byte nonce whose first 16 bytes go through HChaCha20 and whose last 8 bytes are consumed by the underlying ChaCha20 stream.
The ephemeral public key is stored in the encrypted file in Base64-encoded form, while the random scalar is never written anywhere. Reconstructing the shared secret from the stored value therefore requires the threat actor's private key, so victims cannot recover the decryption key from the encrypted data without paying. By combining X25519-based ECDH with XChaCha20, the scheme exposes no key material in files that leave the victim's environment, and because the scalar is freshly generated for every file, recovering one file's key would not help with any other.
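The per-file key derivation described above, as an added worked example in Python that is not the ransomware's code and not from the original article. It implements X25519 (RFC 7748), HChaCha20 and XChaCha20 from their published definitions using only the standard library, so it runs offline; the attacker key pair, the sample plaintext and the `encrypt_file`/`decrypt_file` helper names are constructed for the example. Two details are assumptions, not facts from the article: the split of the ephemeral public key into the first 16 bytes (HChaCha20 nonce) and the last 8 bytes (ChaCha20 nonce), which is our reading of the description, and the container layout (a Base64 line followed by the ciphertext), since the article only states that the value is stored Base64-encoded.

```python
# Added example: X25519 + HChaCha20 + XChaCha20 per-file key scheme in pure
# Python (stdlib only). Not the ransomware's code; key pair, plaintext and
# the on-disk layout are constructed for illustration.
import base64
import os
import struct

P = 2**255 - 19                          # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the X25519 generator
M32 = 0xFFFFFFFF
CONST = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"

def x25519(scalar, u):
    """RFC 7748 Montgomery ladder. Not constant time; fine for a demo."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def quarter_round(s, a, b, c, d):
    """One ChaCha quarter round, in place on state list s (RFC 8439 2.1)."""
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & M32
    s[a] = (s[a] + s[b]) & M32; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = rotl(s[b] ^ s[c], 7)

def chacha_rounds(state):
    """20 ChaCha rounds (10 column/diagonal double rounds), no feed-forward."""
    s = list(state)
    for _ in range(10):
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            quarter_round(s, *idx)
    return s

def words(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))

def hchacha20(key, nonce16):
    """HChaCha20: 32-byte key + 16-byte nonce -> 32-byte subkey (words 0-3, 12-15)."""
    s = chacha_rounds(list(CONST) + words(key) + words(nonce16))
    return struct.pack("<8I", *(s[0:4] + s[12:16]))

def chacha20_xor(key, nonce12, data):
    """ChaCha20 keystream XOR with a 96-bit nonce; block counter starts at 0."""
    out = bytearray()
    for i in range(0, len(data), 64):
        st = list(CONST) + words(key) + [i // 64] + words(nonce12)
        ks = struct.pack("<16I", *[(x + y) & M32 for x, y in zip(chacha_rounds(st), st)])
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def xchacha20_xor(key, nonce24, data):
    """XChaCha20: subkey = HChaCha20(key, nonce[:16]); ChaCha20 nonce = 0^4 || nonce[16:]."""
    return chacha20_xor(hchacha20(key, nonce24[:16]), b"\0" * 4 + nonce24[16:], data)

def gen_keypair():
    """Attacker's long-term X25519 key pair; the private scalar never ships."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def encrypt_file(plaintext, attacker_pub):
    """Per file: fresh scalar r, shared = X25519(r, pub), epk = X25519(r, 9).
    The XChaCha20 nonce is taken from epk (assumed: first 16 + last 8 bytes);
    r is discarded and epk is stored Base64-encoded (assumed layout)."""
    r = os.urandom(32)
    shared = x25519(r, attacker_pub)
    epk = x25519(r, BASEPOINT)
    nonce = epk[:16] + epk[-8:]
    return base64.b64encode(epk) + b"\n" + xchacha20_xor(shared, nonce, plaintext)

def decrypt_file(blob, attacker_priv):
    """Only the private-key holder can rebuild shared = X25519(priv, epk)."""
    b64, ct = blob.split(b"\n", 1)
    epk = base64.b64decode(b64)
    return xchacha20_xor(x25519(attacker_priv, epk), epk[:16] + epk[-8:], ct)

if __name__ == "__main__":
    priv, pub = gen_keypair()
    blob = encrypt_file(b"constructed sample file contents", pub)
    print(decrypt_file(blob, priv) == b"constructed sample file contents")
```

Decryption with any key other than the attacker's private key yields garbage rather than an error: like the description above, the example uses an unauthenticated stream, so nothing detects a wrong key. The `x25519` helper is a textbook ladder for readability, not a constant-time implementation.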
Furthermore, Gentlemen varies the encryption range based on file size. If a file is smaller than 0x100000 bytes (1 MiB), it is encrypted in full. If it is larger, only selected ranges are encrypted. This speeds up encryption of large files while still rendering them unusable.

Figure 4. Calculating the scope of encryption
Changing Desktop Background and Ransom Note
The following Figure 5 shows the screen that was infected with the Gentlemen ransomware. The ransom note is named ‘README-GENTLEMEN.txt’ and is created in all directories where the encryption process is complete.

Figure 5. Desktop after encryption
The ransom note claims that the threat actor has full control over the infected system’s network and informs the victim that all files are encrypted and inaccessible, placing psychological pressure on the victim. Additionally, the threat actor claims to have stolen confidential information from the system and warns that if they are not contacted, the information will be leaked on the dark web and hacking forums. Furthermore, the threat actor attempts to gain the victim’s trust by offering to decrypt two sample files for free.

Figure 6. Ransom note (README-GENTLEMEN.txt)
AhnLab’s Response Status
The detection names and engine dates for AhnLab products are as follows.
V3
Ransomware/Win.GentlemenCrypt.C5799091 (2025.09.18.03)
Ransomware/Win.GentlemenCrypt.C5825597 (2025.12.11.03)
Ransom/MDP.Decoy.M961 (2016.03.19.00)
Ransom/MDP.Delete.M1105 (2016.05.18.02)
Ransom/MDP.Event.M1784 (2017.11.23.00)
Ransom/MDP.Command.M2255 (2019.06.19.00)
EDR
SystemManipulation/EDR.Event.M2486 (2022.03.31.00)
SystemManipulation/DETECT.T1564.M3965 (2022.04.07.00)
SystemManipulation/EDR.Event.M2506 (2022.09.24.00)
Impact/DETECT.Event.M11078 (2023.05.11.03)
DefenseEvasion/DETECT.T1070.001.M11430 (2023.11.23.02)
※ Please refer to the attachment for details.