Researchers from ASEC detailed Gentlemen, a newly identified ransomware group, which first emerged around August 2025. Since then, it has quickly become one of the most active and concerning ransomware groups of the year, executing attacks across multiple regions and industries in a remarkably short span. Known for its targeted approach, sophisticated evasion tactics, and effective internal propagation methods, the Gentlemen ransomware group appears to largely focus on medium to large organizations. Given the growing threat posed by Gentlemen, continuous monitoring and analysis of their activities are crucial for effective defense strategies.
“The group operates a double extortion model that involves breaching corporate networks, exfiltrating data, encrypting the data, and then using the encrypted data to extort victims,” the researchers noted in a recent post. “During the breach, the group employs typical tactics seen in advanced ransomware groups, such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD). As of now, there is no clear evidence that the group is operating on a Ransomware as a Service (RaaS) model.”
Additionally, it is yet to be confirmed whether the group is a rebranding of an existing ransomware group or a sub-group.
ASEC noted that Gentlemen's attacks spread quickly after the group appeared, with damage reported in at least 17 countries, and that the affected industries include manufacturing, construction, healthcare, and insurance. Attacks have been confirmed in multiple regions, including Asia-Pacific (APAC), North America, South America, and the Middle East, showing activity that is not limited to any single country or region.
Another notable detail is that the Gentlemen ransomware strain is written in Go. It restricts its normal operation to intended environments by performing a password check on its execution arguments. Its initial routine, performed before encryption, disables Windows Defender, stops backup services (Veeam) and database-related services (MSSQL, MongoDB), and deletes logs and system traces. For file encryption, it uses X25519 key exchange together with the XChaCha20 stream cipher. If a file is large, it is designed to encrypt only select segments of the file.
The Gentlemen ransomware parses its command-line arguments shortly after execution. “These arguments are used to provide detailed control over encryption targets, performance options, and operation modes. In particular, among the various parameters, the --password value is required. If this value does not exist or the password is incorrect, the ransomware immediately terminates. This is to ensure that the ransomware only operates in the environment intended by the threat actor, preventing it from being executed in unintended environments such as analysis environments.”
ASEC said that the threat actor’s public key, which is embedded in the ransomware in encoded form, is decoded in memory. During encryption, the ransomware generates a random value, performs an X25519 operation between that value and the embedded public key to obtain a shared secret, and then derives the actual file-encryption key from that shared secret.
Once the set of files to encrypt has been determined, the file-encryption routine runs. Gentlemen ransomware encrypts files using a stream cipher based on XChaCha20. A new key and nonce are generated for each file, and the derivation proceeds as follows.
“First, the threat actor performs an X25519 (ECDH) operation using their public key and a randomly generated 32-byte value to create a shared secret. Based on this shared secret, an HChaCha20 operation is performed to generate a 32-byte subkey. This subkey is then used as the key for the XChaCha20 algorithm, which performs the file encryption,” according to the ASEC post. “Next, the same 32-byte value is used to perform an X25519 operation with a value of 0x9. This creates another 32-byte value, where the upper 16 bytes are used as the nonce for HChaCha20, and the lower portion (the last 8 bytes) is used to construct the nonce for XChaCha20.”
The X25519 result produced from the random value (the ephemeral public value) is stored in the encrypted file in Base64-encoded form, but the random value itself, which serves as the temporary private key, is not stored. This structure means the shared secret cannot be recreated by anyone who does not hold the threat actor’s private key. As a result, victims are unable to obtain the decryption key without making a payment.
ASEC added that combining X25519-based ECDH with XChaCha20 ensures the encryption key never appears in any data that leaves the system, and that generating a fresh temporary key for every file leaves no practical route to decryption without the threat actor’s private key.
The ransom note claims that the threat actor has full control over the infected system’s network and informs the victim that all files are encrypted and inaccessible, placing psychological pressure on the victim.
Additionally, the threat actor claims to have stolen confidential information from the system and warns that if they are not contacted, the information will be leaked on the dark web and hacking forums. Furthermore, the threat actor attempts to gain the victim’s trust by offering to decrypt two sample files for free.
Last week, industrial cybersecurity firm Dragos reported in its third-quarter findings that between July and September this year, both Devman and Gentlemen were linked to 16 incidents each. Notably, Gentlemen stood out for having one of the highest concentrations of industrial victims among emerging ransomware groups during the period.
