incident-response · vendor · News · The Broadside · 1 min read

The Gentlemen ransomware pairs encryption with aggressive propagation

The useful part is not the branding; it is the operator control surface defenders can hunt before encryption starts.


TL;DR

Microsoft published a technical analysis (a 24-minute read) of The Gentlemen ransomware-as-a-service, tracked as Storm-2697, covering its command-line controls, encryption behavior, lateral-movement methods, Defender detections, hunting queries and indicators of compromise. The malware is written in Go, targets Windows environments, generates an ephemeral Curve25519 key per file and encrypts with XChaCha20. The audience is incident responders and defenders, especially in the sectors Microsoft says it has seen hit: education, transportation, healthcare and finance, across multiple regions.

Microsoft's write-up is vendor threat intelligence, so read the product references accordingly. The operational value is still real: The Gentlemen is not being described as a generic encryptor with a leak site attached. Microsoft says the ransomware combines per-file ephemeral Curve25519 keys, XChaCha20 encryption and simultaneous lateral movement methods, with command-line switches that let an operator set scope, delay encryption, choose local drives or network shares, and enable propagation.

That matters for defenders because the pre-encryption behavior is the part you can still do something about. Password-gated execution, Garble-obfuscated Go code, mapped share targeting and self-propagation are not compliance abstractions; they are telemetry questions. Do endpoint tools see suspicious argument patterns? Are domain credentials being used to spread a binary across shares? Are network drives suddenly becoming the blast radius instead of just storage?
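The three telemetry questions above can be turned into a hunt over process-creation events. The script below is an added example written for this page; it is not Microsoft's hunting query and not code from the Storm-2697 write-up. The switch names (`--password`, `--scope`, `--shares`, `--propagate`), hostnames, account names and hashes are constructed for the sample, and the scoring weights are an editorial choice: a single UNC reference or a switch-heavy command line is common in backup jobs, so one binary hash launched by one domain account on several hosts inside a short window is made the deciding signal.

```python
"""Hunt pre-encryption propagation behaviour in process-creation telemetry.

Heuristics, one per telemetry question in the article:
  1. operator-style switch density on the command line
  2. command lines that reference a UNC path or admin share (share targeting)
  3. one binary hash launched by one domain account on several hosts
     inside a short window (credentialed spread across shares)
Switch names, hosts, hashes and accounts are constructed for the example;
they are not indicators from Microsoft's analysis.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str      # DOMAIN\account that created the process
    sha256: str    # hash of the image that was executed
    cmdline: str


# Constructed sample telemetry (hypothetical hosts, hashes and switches).
T0 = datetime(2025, 11, 3, 2, 10)
BAD = "3f" * 32     # stand-in for the encryptor's hash
GOOD = "7c" * 32    # stand-in for a legitimate archiver
SAMPLE = [
    ProcEvent(T0, "WS01", r"CORP\svc_backup", BAD,
              r"C:\Users\Public\upd.exe --password hunter2 --scope local --delay 0"),
    ProcEvent(T0 + timedelta(minutes=1), "WS07", r"CORP\jdoe", GOOD,
              r"C:\Program Files\7-Zip\7z.exe a backup.zip \\FS01\share\docs"),
    ProcEvent(T0 + timedelta(minutes=2), "FS01", r"CORP\svc_backup", BAD,
              r"\\FS01\C$\Windows\Temp\upd.exe --password hunter2 --shares --propagate"),
    ProcEvent(T0 + timedelta(minutes=4), "HR02", r"CORP\svc_backup", BAD,
              r"\\HR02\ADMIN$\upd.exe --password hunter2 --shares --propagate"),
    ProcEvent(T0 + timedelta(minutes=6), "DC01", r"CORP\svc_backup", BAD,
              r"\\DC01\C$\Windows\Temp\upd.exe --password hunter2 --shares --propagate"),
    ProcEvent(T0 + timedelta(minutes=90), "WS03", r"CORP\jdoe", GOOD,
              r"C:\Windows\System32\cmd.exe /c dir"),
]

# \\host\share, including administrative shares such as C$ and ADMIN$
UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
# -x / --long tokens: the real switch names are not needed, only how many
# operator-style switches one launch carries
SWITCH_RE = re.compile(r"(?:^|\s)-{1,2}[A-Za-z][\w-]*")


def share_targeting(ev: ProcEvent) -> bool:
    """True when the command line names a UNC path or administrative share."""
    return UNC_RE.search(ev.cmdline) is not None


def switch_count(ev: ProcEvent) -> int:
    """Number of -x/--long operator-style switches on the command line."""
    return len(SWITCH_RE.findall(ev.cmdline))


def lateral_spread(events, window=timedelta(minutes=10), min_hosts=3):
    """(account, hash) pairs that ran on >= min_hosts hosts within `window`.

    Each group is sorted by time and scanned with a sliding window, so the
    check is linear per group and tolerates out-of-order event delivery.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.user, ev.sha256)].append(ev)
    clusters = []
    for (user, digest), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        flagged, j = set(), 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            hosts = {e.host for e in evs[i:j]}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            clusters.append({"user": user, "sha256": digest, "hosts": sorted(flagged)})
    return clusters


def hunt(events, min_score=2):
    """Score every launch; return each host's best-scoring launch >= min_score."""
    spread = {}
    for c in lateral_spread(events):
        for h in c["hosts"]:
            spread[(h, c["sha256"])] = len(c["hosts"])
    best = {}
    for ev in events:
        score, reasons = 0, []
        if share_targeting(ev):
            score += 1
            reasons.append("command line targets a UNC/admin share")
        if switch_count(ev) >= 3:
            score += 1
            reasons.append(f"{switch_count(ev)} operator-style switches")
        n = spread.get((ev.host, ev.sha256))
        if n:
            score += 2
            reasons.append(f"same hash and account on {n} hosts in window")
        if score >= min_score and score > best.get(ev.host, {}).get("score", 0):
            best[ev.host] = {"host": ev.host, "score": score, "reasons": reasons}
    return [best[h] for h in sorted(best)]


if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"{f['host']:5} score={f['score']}: " + "; ".join(f["reasons"]))
```

On the sample, the four hosts that ran the same hash under `CORP\svc_backup` within six minutes are reported (WS01 scores 3, the three launched from admin shares score 4), while the archiver writing to a share from WS07 stays below threshold. In production the same logic maps onto process-creation events from Sysmon or Defender for Endpoint; the window, host threshold and weights are the knobs to tune against your own backup and deployment noise.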

Microsoft also says Storm-2697 moved The Gentlemen from a closed ransomware group into a ransomware-as-a-service program in September 2025 and has partnered with BreachForums to recruit affiliates, including penetration testers and initial access brokers. That is the quiet escalation in the post. More affiliates do not make the malware better, but they can make it show up in more ordinary environments, run by operators with uneven skill and the same destructive payload.


Published · Deep Fathom
