
The Massive Gentlemen Ransomware Threat Sweeping Global Networks

ID: dbeb5abd-ed55-5bf4-a689-6e3e8752e690

STIX ID: report--dbeb5abd-ed55-5bf4-a689-6e3e8752e690

Feed Name: securityonline.info

Threat Score
80/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: Ddos


Microsoft Threat Intelligence reports a global ransomware-as-a-service operation tracked as Storm-2697 / "Gentlemen" that conducts double extortion against enterprises (encrypts files and exfiltrates data), impacts healthcare, transportation and education sectors, and scales via affiliate recruitment on BreachForums. The payload disables defenses (PowerShell to turn off Defender, adds exclusions), deletes Volume Shadow Copies and event logs, terminates security agents and critical services, uses Curve25519 + XChaCha20 cryptography and a .umc16h extension, implements chunked encryption for large files, can self-propagate as a worm via --spread using PsExec/WMIC/remote PowerShell, and performs post-encryption wiping to frustrate forensics.
