New Kaspersky GReAT (Global Research and Analysis Team) research into the rapidly growing ransomware group known as The Gentlemen has shown that the attackers have evolved their tactics through new custom-built tools – a backdoor designed to gather information and maintain control over compromised systems before ransomware deployment, and a ransomware executable file. The group has been active worldwide across industries including manufacturing, IT services, healthcare, financial services, construction, and logistics.
The Gentlemen is a rapidly expanding Ransomware-as-a-Service (RaaS) operation believed to have emerged around mid-2025. The Gentlemen and its affiliates primarily gain initial access to victim systems through the exploitation of internet-facing services and compromised credentials. The attackers may be seeking collaboration with Initial Access Brokers (IABs) to acquire access to organizations with valuable intellectual property with minimal effort. Kaspersky found that access to some victim systems, using techniques the group does not typically employ, occurred long before the ransomware infection. This may mean that the initial access was not carried out by The Gentlemen, but rather by another threat actor, possibly an IAB.
Unlike many RaaS groups, The Gentlemen demonstrates a high level of sophistication, employing custom tooling and flexible intrusion tactics. Kaspersky researchers identified a previously unknown, custom-developed backdoor written in Go deployed by the attackers one day before ransomware execution. The implant gathers host and network information and hides its console window to avoid detection. Its capabilities include bidirectional communications with the attackers, server-controlled command execution, and reconnaissance, enabling attackers to extend and adapt their activity within a compromised environment.
Kaspersky also found a new ransomware variant written in C affecting a limited number of corporate victims. While The Gentlemen has primarily used a ransomware implant written in Go that was designed for cross-platform use, the new C-based variant appears to be Windows-focused. The group may be testing the malware in real victim environments as it expands its technical arsenal.
Notably, in their attacks The Gentlemen attempted to remove the Kaspersky security solution using kavrmvr.exe (a tool designed to remove Kaspersky products). However, the Kaspersky solution remained active, and the attackers' attempt was blocked and flagged as malicious.
“Despite being a relatively recent entrant to the ransomware threat landscape, The Gentlemen group is rapidly gaining a reputation among threat actors, attracting affiliates and executing high-profile attacks. The testing of the new C-based ransomware variants suggests that the group is actively refining its capabilities, which may translate into more stable and scalable attack chains in the near future. Organizations should anticipate further malicious ransomware activity and are strongly advised to prioritize vulnerability management and system hardening processes to mitigate the risk of compromise,” said Fatih Sensoy, security expert at Kaspersky GReAT.
On International Anti-Ransomware Day, May 12, Kaspersky shared a report with an overview of recent ransomware trends. According to Kaspersky Security Network, in 2025 Latin America had the highest share of organizations with ransomware attacks detected (8.13%), followed by the Asia-Pacific region (7.89%), Africa (7.62%), Middle East (7.27%), the Commonwealth of Independent States (CIS, 5.91%) and Europe (3.82%).
Kaspersky encourages organizations to follow these practices to safeguard against ransomware:
- Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
- Companies can protect themselves by installing anti-APT and EDR solutions that enable capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Organizations can also provide their SOC teams with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Next.
Detailed information is available in the report on Securelist.com.
About the Global Research & Analysis Team
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. These security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.