The Gentlemen Ransomware Gang Turns Your Own IT Tools Against You

A fast-spreading criminal group is using the software your IT team trusts every day to take over company networks. The real test is not whether they got in. It is what happens next.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge
Share

Key points

  • The Gentlemen is a ransomware-as-a-service criminal operation, meaning it rents its attack tools to other criminals, first observed in mid-2025 and confirmed as attacking organisations across six continents.
  • The group uses at least 21 different methods to spread through a company's internal network before locking any files.
  • Before encrypting data, the malware disables backup systems and security software, making recovery much harder.
  • Microsoft Threat Intelligence published a technical breakdown of the group in late May 2025, followed by a detailed report from security firm Picus Security.
  • Sectors hit include healthcare, education, transportation, and financial services.

Some ransomware groups kick down the front door and make noise. The Gentlemen walk in through the staff entrance using a valid badge.

The criminals behind this operation do not rely on exotic tricks or newly discovered software flaws. They use the same Windows administration tools your IT team uses every single day: things like PsExec, which lets administrators run programs on remote machines; WMIC, a command-line tool for managing Windows systems; and PowerShell, the scripting language baked into almost every modern Windows computer. The malware tries up to 21 different methods to hop from one machine to another inside a network. If one fails, it tries the next.

How does this ransomware actually get around inside a company?

Once the criminals break into a single machine, the software scans the internal network for other computers it can reach, drops a copy of itself onto a shared folder (the kind any Windows network uses to move files around), and then tries to run that copy remotely. It keeps going until it has spread as far as it can.

Before locking any files, it does something arguably more damaging. It switches off Microsoft Defender (Windows's built-in antivirus), deletes shadow copies (the automatic backup snapshots Windows quietly keeps in the background), and stops services tied to databases, backup platforms, and security monitoring tools. By the time the actual file encryption starts, the organisation's ability to detect the attack or recover from it has already been stripped away.

The encryption itself uses a scheme called Curve25519 combined with XChaCha20, generating a unique key for each file. In practice, that means there is no single master key a researcher can extract and publish. Picus Security noted that encrypted files in one sample were tagged with the extension .umc16h, though other campaigns have used different labels.

The failure mode here is a common one. Organisations buy backup software and endpoint protection tools, tick the boxes in their audit, and assume they are covered. The Gentlemen specifically targets those tools first. If your backups sit on the same internal network and authenticate against the same directory your attackers have already broken into, they are not a safety net. They are part of the problem.

For ordinary people whose data sits inside hospitals, schools, or financial firms that could be targeted: watch for unexpected communications from these organisations about data breaches, and treat any follow-up emails claiming to be from them with extra suspicion. The group also steals data before locking it and threatens to publish it if the ransom goes unpaid.

If your organisation has not tested whether its backups actually work when the network around them is partially broken, today is a better day to find out than during an incident.

© 2026 Threat Vectr