HomeIntelligenceBrief
BREACH BRIEF🔴 Critical Ransomware

Self‑Propagating Go Ransomware “The Gentlemen” Encrypts Networks Across Multiple Sectors

The Gentlemen ransomware, linked to Storm‑2697, uses a per‑file ephemeral key encryption and a rapid self‑propagation engine to encrypt data across an entire corporate network. Its Go‑based binary evades many traditional defenses, making it a high‑impact threat for third‑party risk managers.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 microsoft.com
🔴
Severity
Critical
RW
Type
Ransomware
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
3 recommended
📰
Source
microsoft.com

Self‑Propagating Go Ransomware “The Gentlemen” Encrypts Networks Across Multiple Sectors

What Happened — The Gentlemen ransomware, written in Go and linked to Storm‑2697 affiliates, employs a per‑file ephemeral AES‑256 key encryption scheme and a self‑propagation module that spreads laterally across a victim’s network in parallel, encrypting data on hundreds of endpoints within minutes.

Why It Matters for TPRM

  • Self‑propagation magnifies the impact of any compromised third‑party, turning a single foothold into a full‑network outage.
  • Go‑based binaries often bypass traditional signature‑based defenses, raising detection challenges for vendors.
  • Lateral movement leverages trusted internal protocols (SMB, WMI, PowerShell Remoting), exposing supply‑chain and privileged‑access weaknesses.

Who Is Affected — Enterprises in finance, healthcare, manufacturing, SaaS, and any organization with Windows‑based endpoints and shared file systems.

Recommended Actions

  • Conduct a least‑privilege review of all third‑party access and enforce strict network segmentation.
  • Verify that vendors use behavior‑based detection capable of identifying unknown Go binaries.
  • Patch and harden Windows remote execution services (SMB, WMI, PowerShell Remoting) and monitor for anomalous lateral movement.

Technical Notes — The ransomware generates a unique encryption key per file, encrypts with AES‑256, then discards the key, rendering recovery impossible without backups. Propagation occurs via simultaneous SMB, WMI, and PowerShell Remoting sessions, without requiring stolen credentials. No specific CVE is referenced; the technique exploits built‑in Windows remote execution features. Source: Microsoft Security Blog

📰 Original Source
https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →