Not too gentle: Kaspersky warns of The Gentlemen ransomware group expanding operations with new malware

New Kaspersky GReAT (Global Research and Analysis Team) research into the rapidly growing ransomware group known as The Gentlemen has shown that the attackers have evolved their tactics through new custom-built tools: a backdoor designed to gather information and give the attackers control over compromised systems before ransomware deployment, and a new ransomware executable. The group has been active worldwide across industries including manufacturing, IT services, healthcare, financial services, construction, and logistics.

The Gentlemen is a rapidly expanding Ransomware-as-a-Service (RaaS) operation believed to have emerged around mid-2025. The Gentlemen and its affiliates primarily gain initial access to victim systems through the exploitation of internet-facing services and compromised credentials. The attackers may be seeking collaboration with Initial Access Brokers (IABs) to acquire access to organizations with valuable intellectual property with minimal effort. Kaspersky found that access to some victim systems, using techniques the group does not typically employ, occurred long before the ransomware infection. This may mean that the initial access was not carried out by The Gentlemen, but rather by another threat actor, possibly an IAB.

Unlike many RaaS groups, The Gentlemen demonstrates a high level of sophistication, employing custom tooling and flexible intrusion tactics. Kaspersky researchers identified a previously unknown, custom-developed backdoor written in Go deployed by the attackers one day before ransomware execution. The implant gathers host and network information and hides its console window to avoid detection. Its capabilities include bidirectional communications with the attackers, server-controlled command execution, and reconnaissance, enabling attackers to extend and adapt their activity within a compromised environment.

Kaspersky also found a new ransomware variant written in C affecting a limited number of corporate victims. While The Gentlemen has primarily used a ransomware implant written in Go that was designed for cross-platform use, the new C-based variant appears to be Windows-focused. The group may be testing the malware in real victim environments as it expands its technical arsenal.

Notably, in their attacks The Gentlemen attempted to remove the Kaspersky security solution using kavrmvr.exe (a tool designed to remove Kaspersky products). The attempt was blocked and flagged as malicious, and the Kaspersky solution remained active.
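A defender-side check that follows from this, written here as an added example rather than taken from Kaspersky's research: execution of the vendor's own removal tool is a strong signal of an attempt to disable endpoint protection, so process-creation telemetry can be screened for it and scored by who launched it and how. The event schema, the sample events and the list of approved accounts are constructed assumptions for this example and should be mapped onto your own EDR or Sysmon fields.

```python
"""Added example (not Kaspersky's code): flag process-creation events that
launch kavrmvr.exe, the Kaspersky product-removal tool the article says
The Gentlemen used in an attempt to disable endpoint protection.
Field names, sample events and the approved-account list are assumptions
constructed for this example."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\helpdesk", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Temp\\kavrmvr.exe", "cmdline": "kavrmvr.exe"},
    {"host": "WS07", "user": "CORP\\it-admin", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\it-admin\\Downloads\\kavrmvr.exe", "cmdline": "kavrmvr.exe"},
    {"host": "WS07", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Program Files\\App\\app.exe", "cmdline": "app.exe --update"},
    {"host": "DB02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\ProgramData\\KAVRMVR.EXE", "cmdline": "KAVRMVR.EXE /silent"},
]

# Assumption: accounts allowed to run the removal tool (e.g. for a planned migration).
APPROVED_ACCOUNTS = {"corp\\it-admin"}


@dataclass
class Alert:
    host: str
    user: str
    image: str
    severity: str
    reason: str


# Match the tool by file name regardless of directory or letter case.
_TOOL = re.compile(r"(^|[\\/])kavrmvr\.exe$", re.IGNORECASE)


def is_removal_tool(image: str) -> bool:
    """True when the launched image is the Kaspersky removal tool."""
    return bool(_TOOL.search(image))


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for removal-tool executions, scored by context."""
    if not is_removal_tool(event["image"]):
        return None
    user = event["user"].lower()
    parent = event["parent"].lower()
    if user in APPROVED_ACCOUNTS:
        severity, reason = "low", "removal tool run by approved account; verify change ticket"
    elif user.startswith("nt authority\\") or parent.endswith("\\cmd.exe"):
        severity, reason = "high", "removal tool launched as a system account or from a shell"
    else:
        severity, reason = "high", "removal tool run by non-approved account"
    return Alert(event["host"], event["user"], event["image"], severity, reason)


def scan(events: Iterable[dict]) -> List[Alert]:
    """Evaluate every event and keep only those that raised an alert."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.host} {alert.user} {alert.image}: {alert.reason}")
```

On the constructed sample this raises three alerts: two high-severity (a helpdesk account and SYSTEM running the tool) and one low-severity for the approved administrator, which still deserves a ticket check. The point of the scoring is that a blocked removal attempt, as in the article, should reach an analyst as a likely precursor to ransomware deployment rather than being filed as a routine product event.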

“Despite being a relatively recent entrant to the ransomware threat landscape, The Gentlemen group is rapidly gaining a reputation among threat actors, attracting affiliates and executing high-profile attacks. The testing of the new C-based ransomware variants suggests that the group is actively refining its capabilities, which may translate into more stable and scalable attack chains in the near future. Organizations should anticipate further malicious ransomware activity and are strongly advised to prioritize vulnerability management and system hardening processes to mitigate the risk of compromise,” said Fatih Sensoy, security expert at Kaspersky GReAT.

On International Anti-Ransomware Day, May 12, Kaspersky shared a report with an overview of recent ransomware trends. According to Kaspersky Security Network, in 2025 Latin America had the highest share of organizations with ransomware attacks detected (8.13%), followed by the Asia-Pacific region (7.89%), Africa (7.62%), Middle East (7.27%), the Commonwealth of Independent States (CIS, 5.91%) and Europe (3.82%).
