Go-Based Gentlemen Ransomware Uses PsExec, WMIC, and PowerShell Remoting for Network Propagation
ID: 036332fe-5daa-5f56-8f7b-460cc625e364
STIX ID: report--036332fe-5daa-5f56-8f7b-460cc625e364
Feed Name: GBHackers
**Executive summary:** 'Gentlemen' is a Go-based ransomware-as-a-service (RaaS) active since mid-2025 that employs per-file ephemeral Curve25519 and XChaCha20 encryption, aggressive defense-evasion (disabling Defender, deleting shadow copies and logs, terminating backup/EDR services), worm-like self-propagation across networks using up to 21 remote-execution vectors, and data exfiltration for double extortion; it targets Windows systems across education, transportation, healthcare, and financial sectors worldwide and is distributed via an affiliate program.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
