Published Oct 06, 2025 | Updated Apr 07, 2026

Ransom:Win64/Gentlemen.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Ransom:Win64/Gentlemen.A is a sophisticated ransomware payload first observed in mid-2025. It operates as part of a Ransomware-as-a-Service (RaaS) platform that previously worked under another ransomware brand before becoming independent. The threat actors behind this malware use a double-extortion model: they steal sensitive data from a target network and then encrypt files on it. The stolen data is published on a Tor-based leak site if the target does not pay, which gives the threat actors more leverage during negotiations. They do not rely on broad phishing campaigns. Instead, they invest time in reconnaissance and exploit critical vulnerabilities in perimeter security appliances, especially firewalls and VPN gateways.

The technical architecture of Ransom:Win64/Gentlemen.A shows a high level of maturity. The core payload is cross-platform, written mostly in Go (Golang) with supporting tools in C. It targets Windows workstations, Linux servers, network-attached storage devices, and VMware ESXi hypervisors. A unique anti-analysis feature forces the binary to require a mandatory 8-byte password as a command-line argument. Without the correct password, the ransomware will not run, which defeats automated sandboxes and dynamic analysis tools. The attack chain also includes Bring Your Own Vulnerable Driver (BYOVD) techniques to deactivate endpoint security at the kernel level. The threat actors manipulate Group Policy Objects (GPOs) to push the ransomware across an entire domain.
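The three behaviours described above (a payload gated by a single 8-byte command-line password, a BYOVD driver load, and a GPO modification used for domain-wide deployment) each leave distinct telemetry. The following Python script is an added hunting example and is not part of Microsoft's page or the malware family's own code. It assumes JSON-lines endpoint events loosely modelled on Sysmon EventID 1 (ProcessCreate), Sysmon EventID 6 (DriverLoad) and Windows Security EventID 5136 (directory object modified); the sample events, the host names, the `{PLACEHOLDER-GUID}` GPO name and the list of user-writable directories are all constructed for the example.

```python
"""Added hunting example (not from Microsoft's page): correlate three
behaviours described for Ransom:Win64/Gentlemen.A in endpoint telemetry.
Event shapes are constructed and only loosely modelled on Sysmon
EventID 1 / EventID 6 and Windows Security EventID 5136."""
import json
from collections import defaultdict

# Constructed sample telemetry, one JSON object per line (raw string so the
# Windows path backslashes reach the JSON parser unchanged).
SAMPLE_EVENTS = r"""
{"ts":"2025-10-06T01:02:03Z","host":"WS01","source":"Sysmon","EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}
{"ts":"2025-10-06T01:05:10Z","host":"WS01","source":"Sysmon","EventID":6,"ImageLoaded":"C:\\Windows\\Temp\\drv.sys","Signed":"false"}
{"ts":"2025-10-06T01:06:00Z","host":"DC01","source":"Security","EventID":5136,"ObjectClass":"groupPolicyContainer","ObjectDN":"CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example","SubjectUserName":"svc_backup"}
{"ts":"2025-10-06T01:07:30Z","host":"WS01","source":"Sysmon","EventID":1,"Image":"C:\\Users\\Public\\locker.exe","CommandLine":"C:\\Users\\Public\\locker.exe Abcd1234"}
{"ts":"2025-10-06T01:08:00Z","host":"WS02","source":"Sysmon","EventID":1,"Image":"C:\\Program Files\\7-Zip\\7z.exe","CommandLine":"\"C:\\Program Files\\7-Zip\\7z.exe\" x archive.7z"}
"""

# Assumed (constructed) list of directories an unprivileged user can write to;
# a driver loaded from one of these is a BYOVD staging indicator.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\",
                          "c:\\programdata\\", "c:\\temp\\")


def split_windows_cmdline(cmdline):
    """Minimal Windows-style splitter: a double-quoted span is one token and
    backslashes are path separators, not escape characters."""
    tokens, i, n = [], 0, len(cmdline)
    while i < n:
        if cmdline[i].isspace():
            i += 1
            continue
        if cmdline[i] == '"':
            end = cmdline.find('"', i + 1)
            end = n if end == -1 else end
            tokens.append(cmdline[i + 1:end])
            i = end + 1
        else:
            end = i
            while end < n and not cmdline[end].isspace():
                end += 1
            tokens.append(cmdline[i:end])
            i = end
    return tokens


def is_password_gated_launch(ev):
    """ProcessCreate whose only argument is an 8-character token that is not a
    conventional switch. Heuristic for the mandatory 8-byte password; tune the
    rule against your own baseline of legitimate 8-character arguments."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") != 1:
        return False
    args = split_windows_cmdline(ev.get("CommandLine", ""))[1:]
    return (len(args) == 1 and len(args[0]) == 8
            and not args[0].startswith(("-", "/")))


def is_suspicious_driver_load(ev):
    """DriverLoad of an unsigned driver or one staged in a user-writable path."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") != 6:
        return False
    path = ev.get("ImageLoaded", "").lower()
    unsigned = str(ev.get("Signed", "")).lower() == "false"
    return unsigned or path.startswith(USER_WRITABLE_PREFIXES)


def is_gpo_modification(ev):
    """Directory object modification targeting a Group Policy container."""
    return (ev.get("source") == "Security" and ev.get("EventID") == 5136
            and ev.get("ObjectClass") == "groupPolicyContainer")


CHECKS = (("password_gated_launch", is_password_gated_launch),
          ("suspicious_driver_load", is_suspicious_driver_load),
          ("gpo_modification", is_gpo_modification))


def correlate(lines):
    """Return {finding_label: [(timestamp, host), ...]} over JSON-lines input."""
    findings = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for label, check in CHECKS:
            if check(ev):
                findings[label].append((ev["ts"], ev["host"]))
    return dict(findings)


if __name__ == "__main__":
    for label, hits in sorted(correlate(SAMPLE_EVENTS).items()):
        print(label, hits)
```

Any one of these findings alone is weak evidence; the value is in seeing a GPO change on a domain controller shortly before password-gated launches and unsigned driver loads on workstations, which is the sequence the summary describes.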

  • Isolate affected devices immediately by disconnecting infected devices from the network and deactivating compromised administrative accounts.
  • Identify and secure backup infrastructure. Threat actors often target backups during early intrusion phases.
  • Capture forensic evidence before wiping or restoring storage devices. Preserve memory dumps and logs from the initial entry point, such as firewall logs.
  • Restore only from verified, offline, or immutable backups that were not accessible to the ransomware during the attack.
  • Patch the vulnerabilities used for initial access (for example, CVE-2024-55591 on FortiGate appliances) before bringing systems back online.
  • Perform a full domain-wide password reset and enforce Multi-Factor Authentication (MFA) for all remote access points.
  • Consult legal counsel and a professional incident response firm before contacting the threat actors. Engaging with the group carries risks of future extortion and financing criminal activity.

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
