
License to Encrypt: “The Gentlemen” Make Their Move

ID: 444f89a9-26d3-5ced-b235-b3d48e7f1dde

STIX ID: report--444f89a9-26d3-5ced-b235-b3d48e7f1dde

Feed Name: Cybereason Blog

Threat Score: 80/100

Date Published: 2025-11-18

Date Updated: 2026-04-27

Author: Cybereason Security Services Team


Cybereason assesses 'The Gentlemen' as an emergent (circa July 2025) and technically advanced ransomware-as-a-service (RaaS) operation. It uses dual extortion, cross-platform lockers (Windows/Linux/ESXi), robust encryption (XChaCha20/Curve25519), automated persistence and propagation mechanisms (WMI, PowerShell Remoting, schtasks, registry autoruns), and affiliate support. The report includes static and behavioral analysis of a Go-based Windows sample (SHA256 provided), PowerShell and anti-forensic activity, kill-lists, registry usage, mapped IOCs, ATT&CK mappings, and defensive recommendations.
