Ransomware operators have spent years refining the art of locking files. Now, some are working harder to get those lockers to every reachable system first.

Microsoft’s recent warning of the Gentlemen ransomware revealed its operators using a self-propagating Go-based encryptor capable of moving laterally through compromised environments and deploying itself across additional systems.

“Modern ransomware is no longer just about encrypting files,” said Paul Reid, vice president of Adversary Research at AttackIQ. “The bigger risk is how quickly a single compromised machine can become a broader business disruption.”

In a technical breakdown of its operations, Microsoft said the Gentlemen Ransomware was first observed in mid-2025 and remains highly active through 2026, impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

Gentlemen began as a “closed ransomware,” turned into a ransomware-as-a-service (RaaS) offering in September 2025, and eventually partnered up with BreachForums to pick up affiliates, including pen-testers and initial access brokers, from the popular cybercriminal marketplace.

Built to move before it encrypts

Microsoft’s analysis specifically focused on the ransomware’s ability to propagate through a network without relying entirely on manual operator intervention.

The encryptor, written in Go, includes functionality designed to identify additional systems, authenticate using harvested credentials, and copy itself to remote machines over Server Message Block (SMB). Once deployed, it can execute remotely and continue spreading, creating a chain infection inside compromised environments.

According to Microsoft, the malware leverages legitimate administrative tools and Windows functionality to facilitate movement while reducing the need for attackers to remain actively engaged throughout the operation.

“The ransomware operator can control The Gentlemen encryptor through command-line arguments,” Microsoft said. “A password is required for execution, and optional arguments allow the operator to specify encryption scope, speed, lateral movement, and post-encryption behaviors.”

One of the command-line arguments, “--full,” launches separate processes to encrypt local drives with SYSTEM privileges and the network shares visible to the user, maximizing encryption coverage once the machine is compromised. A separate “--spread” argument triggers lateral propagation.

“Defenders should treat The Gentlemen as an attack-path problem, not just a patching or detection problem,” Reid said. “The priority is to understand where the ransomware could move, which controls would detect, contain, or disrupt it, and where gaps still exist before an incident occurs.”

Gentlemen performs a “password check” to confirm that the binary is being run by one of its RaaS affiliates and to keep it from executing if the binary is recovered or intercepted by anyone else. “Before executing its primary functionality, the malware validates the --password argument against a hardcoded value embedded within the binary,” Microsoft noted. “For the sample analyzed in this blog, the expected password is ‘9VoAvR7G’.”

Detection windows are shrinking

Microsoft’s analysis highlights the defensive challenges posed by self-propagating ransomware. Once execution begins, the time available to detect, investigate, and contain malicious activity can shrink considerably as the malware spreads to additional systems.

“This is not the kind of threat where an organization can wait for a help desk ticket or a locked screen to realize something is wrong,” said John Joyner, Senior Director of Technology at Corsica Technologies. “Malware can move quickly through a network once it gets a foothold, which makes early detection the difference between a contained incident and a business-wide disruption.”

Microsoft emphasized the importance of monitoring lateral movement activity, credential abuse, remote execution attempts, and other behaviors associated with Gentlemen’s propagation rather than focusing solely on encryption events.
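As an added example (not code from Microsoft's report or from the ransomware), the following Python flags the propagation pattern described above: one account, from one source host, authenticating to and then writing to or installing a service on several destination hosts within a few minutes. The log records and host names are constructed sample telemetry; in a real environment the three event kinds would map to Windows security events such as network logons (4624, logon type 3), admin-share access (5140) and service installation (7045).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from Microsoft's report); one record per line:
# timestamp event source_host account destination_host
SAMPLE_LOG = """
2026-02-03T02:13:05 network_logon WS-014 svc_backup FS-01
2026-02-03T02:13:06 admin_share_write WS-014 svc_backup FS-01
2026-02-03T02:13:40 network_logon WS-014 svc_backup FS-02
2026-02-03T02:13:41 admin_share_write WS-014 svc_backup FS-02
2026-02-03T02:14:12 network_logon WS-014 svc_backup HR-07
2026-02-03T02:14:13 service_install WS-014 svc_backup HR-07
2026-02-03T09:05:00 network_logon JUMP-01 itadmin FS-01
2026-02-03T09:05:02 admin_share_write JUMP-01 itadmin FS-01
2026-02-03T11:30:00 network_logon JUMP-01 itadmin FS-02
2026-02-03T11:30:03 admin_share_write JUMP-01 itadmin FS-02
2026-02-03T14:00:00 network_logon JUMP-01 itadmin HR-07
2026-02-03T14:00:02 admin_share_write JUMP-01 itadmin HR-07
"""
STAGING = {"admin_share_write", "service_install"}

def parse_log(text):
    # Parse the whitespace-separated records into time-sorted tuples.
    events = []
    for line in text.strip().splitlines():
        ts, event, src, account, dst = line.split()
        events.append((datetime.fromisoformat(ts), event, src, account, dst))
    return sorted(events)

def detect_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    # Alert when one account, from one source host, logs on to and then writes
    # to (or installs a service on) >= min_hosts distinct hosts inside `window`.
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev[3], ev[2])].append(ev)
    alerts = {}
    for actor, evs in by_actor.items():
        best = 0
        for i, (start, *_) in enumerate(evs):
            seen = defaultdict(set)  # destination -> event kinds in this window
            for ts, event, _, _, dst in evs[i:]:
                if ts - start > window:
                    break
                seen[dst].add(event)
            staged = [d for d, kinds in seen.items()
                      if "network_logon" in kinds and kinds & STAGING]
            best = max(best, len(staged))
        if best >= min_hosts:
            alerts[actor] = best
    return alerts
```

The slow, hours-apart activity of `itadmin` from `JUMP-01` stays below the threshold, while `svc_backup` from `WS-014` reaching three hosts in under two minutes is flagged; tune `window` and `min_hosts` to the normal administrative tempo of the environment.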

Additionally, it shared a list of indicators of compromise (IOCs) to support detection efforts. For those who don’t catch it in time, the ransomware leaves a note. “Your network is locked by the Gentlemen,” a desktop wallpaper reads on the victim’s machines.
