Kaspersky warns of The Gentlemen ransomware group expanding operations with new malware

New Kaspersky GReAT (Global Research and Analysis Team) research into the rapidly growing ransomware group known as The Gentlemen has shown that the attackers have evolved their tactics through new custom-built tools – a backdoor designed to facilitate information gathering and control over compromised systems before ransomware deployment, and a new ransomware executable. The group has been active worldwide across industries including manufacturing, IT services, healthcare, financial services, construction, and logistics.

In its recent report, Kaspersky shared an overview of ransomware trends: according to Kaspersky Security Network, in 2025 Latin America had the highest share of organisations with ransomware attacks detected (8.13%), followed by the Asia-Pacific region (7.89%), Africa (7.62%), the Middle East (7.27%), the Commonwealth of Independent States (CIS, 5.91%) and Europe (3.82%).

The Gentlemen is a rapidly expanding Ransomware-as-a-Service (RaaS) operation believed to have emerged around mid-2025. The Gentlemen and its affiliates primarily gain initial access to victim systems through the exploitation of Internet-facing services and compromised credentials. The attackers may be seeking collaboration with Initial Access Brokers (IABs) to acquire access to organisations with valuable intellectual property with minimal effort. Kaspersky found that access to some victim systems, using techniques the group does not typically employ, occurred long before the ransomware infection. This may mean that the initial access was not carried out by The Gentlemen, but rather by another threat actor, possibly an IAB.

Unlike many RaaS groups, The Gentlemen demonstrates a high level of sophistication, employing custom tooling and flexible intrusion tactics. Kaspersky researchers identified a previously unknown, custom-developed backdoor written in Go deployed by the attackers one day before ransomware execution. The implant gathers host and network information and hides its console window to avoid detection. Its capabilities include bidirectional communications with the attackers, server-controlled command execution, and reconnaissance, enabling attackers to extend and adapt their activity within a compromised environment.

Kaspersky also found a new ransomware variant written in C affecting a limited number of corporate victims. While The Gentlemen has primarily used a ransomware implant written in Go that was designed for cross-platform use, the new C-based variant appears to be Windows-focused. The group may be testing the malware in real victim environments as it expands its technical arsenal.

Notably, in their attacks The Gentlemen attempted to remove the Kaspersky security solution by utilising kavrmvr.exe (a tool designed to remove Kaspersky products). However, the Kaspersky solution remained active, and the attackers' move was blocked and flagged as malicious.
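The defence-impairment step above (launching the Kaspersky removal tool) is something an EDR or SIEM can alert on from process-creation telemetry. The following is an added example, not code from Kaspersky or the report: it scans constructed Sysmon-style JSON-lines events for a kavrmvr.exe launch and raises the severity when the context (scripting-shell parent, staging in a writable temp directory, service account) looks like an intrusion rather than an administrator's planned uninstall. The event field names and sample values are assumptions.

```python
import json
from typing import Optional

REMOVAL_TOOL = "kavrmvr.exe"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\programdata\\",
                "\\appdata\\local\\temp\\")

# Constructed sample events (one JSON object per line); not real telemetry.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-09-10T02:14:07Z", "host": "FS-01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\Temp\\kavrmvr.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "kavrmvr.exe -silent"},
    {"ts": "2025-09-10T02:14:09Z", "host": "FS-01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-09-10T09:30:00Z", "host": "WS-17", "user": "CORP\\helpdesk",
     "image": "C:\\Users\\helpdesk\\Downloads\\kavrmvr.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "kavrmvr.exe"},
])

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event: dict) -> Optional[dict]:
    """Return an alert for a removal-tool launch, or None if the event is unrelated."""
    image = event["image"].lower()
    if basename(image) != REMOVAL_TOOL and REMOVAL_TOOL not in event["cmdline"].lower():
        return None
    reasons = ["kavrmvr.exe launched (Kaspersky product removal tool)"]
    if basename(event["parent"]) in SCRIPT_HOSTS:
        reasons.append("parent is a command/scripting shell")
    if any(d in image for d in STAGING_DIRS):
        reasons.append("binary staged in a writable temp/public directory")
    if "\\svc-" in event["user"].lower():
        reasons.append("run under a service account")
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons}

def scan(log_text: str) -> list:
    """Parse JSON-lines process-creation events and collect alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = assess(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["severity"], a["host"], a["user"], "; ".join(a["reasons"]))
```

A single medium alert (tool run interactively from a user profile) is worth a ticket to confirm a sanctioned uninstall; a high alert with a shell parent and a service account should be treated as an active defence-evasion attempt.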

“Despite being a relatively recent entrant to the ransomware threat landscape, The Gentlemen group is rapidly gaining a reputation among threat actors, attracting affiliates and executing high-profile attacks. The testing of the new C-based ransomware variants suggests that the group is actively refining its capabilities, which may translate into more stable and scalable attack chains in the near future. Organisations should anticipate further malicious ransomware activity and are strongly advised to prioritise vulnerability management and system hardening processes to mitigate the risk of compromise,” said Fatih Sensoy, security expert at Kaspersky GReAT.

Kaspersky encourages organisations to follow these practices to safeguard from ransomware:

  • Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
  • Focus your defence strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
  • Companies can protect themselves by installing anti-APT and EDR solutions that enable capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents. Organisations can also provide their SOC teams with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Next.

Detailed information is available in the report on Securelist.com.
