The Gentlemen Ransomware: Rapid Evolution and Dual-Extortion

Cybereason Threat Intelligence Team has analyzed the rapidly evolving ransomware group known as The Gentlemen, which surfaced in mid-2025. The group employs a dual-extortion strategy, encrypting sensitive files and exfiltrating critical business data, threatening to publish it unless a ransom is paid. The ransomware combines advanced encryption techniques with dynamic propagation options, including WMI, PowerShell remoting, and ESXi capabilities. It features enhanced automation, stealth, and performance improvements across Windows, Linux, and ESXi variants. The ransomware is promoted as a Ransomware-as-a-Service (RaaS) on cybercrime forums, offering configurable modes, dual-extortion tactics, and strong affiliate support. The group has published 48 victims on their dark web leak site within a short period, highlighting their aggressive pace and technical sophistication.

Latest mentioned: 11-20

Earliest mentioned: 11-18

Sources

securityonline.info cybereason.com

Also Read

Sturnus: New Android Banking Trojan Targets WhatsApp, Telegram, Signal

The Android trojan Sturnus targets secure messaging apps like WhatsApp, Telegram, and Signal. It can steal banking credentials, remotely control devices, and bypass encrypted messaging by capturing on-screen content. The malware is still under development but is already targeting financial institutions in certain regions, indicating preparation for a broader campaign. Sturnus uses HTML overlays and accessibility-based keylogging to steal data and monitor user actions in real-time. It also employs screen mirroring and a fallback system for screen capture, ensuring full remote control of infected devices. The malware's sophisticated tactics include device administrator abuse and comprehensive environmental monitoring, making it a significant threat to financial security and privacy.

11-21Read more →