Kaspersky uncovers new malware linked to Gentlemen ransomware

Kaspersky’s Global Research and Analysis Team (GReAT) has identified new malware and evolving attack techniques used by the rapidly growing ransomware group. The Gentlemen, indicating that the Ransomware-as-a-Service (RaaS) operation is expanding both its technical capabilities and global reach.

According to Kaspersky’s latest research, the group—believed to have emerged around mid-2025—has been targeting organisations across sectors including manufacturing, IT services, healthcare, financial services, construction and logistics. The ransomware operator has also broadened its toolkit with a newly discovered custom-built backdoor and a Windows-focused ransomware variant.

The research reveals that The Gentlemen typically gains initial access by exploiting internet-facing services and compromised credentials. However, investigators found evidence suggesting that some victim environments had been breached well before ransomware deployment using techniques not commonly associated with the group. This indicates the attackers may be working with Initial Access Brokers (IABs) that specialise in selling access to compromised corporate networks.

A key finding is the discovery of a previously unknown backdoor written in Go that is deployed shortly before ransomware execution. The malware collects host and network information, conceals its activity from users, enables remote command execution and facilitates reconnaissance, giving attackers greater control over compromised systems before launching ransomware.

Kaspersky researchers also identified a new ransomware variant written in C, marking a departure from the group’s earlier Go-based, cross-platform ransomware. The Windows-focused malware appears to be undergoing testing in real-world environments as the group refines its attack capabilities.

During its investigation, Kaspersky observed that The Gentlemen attempted to disable Kaspersky security software using kavrmvr.exe, a legitimate tool designed to remove Kaspersky products. The security solution, however, successfully detected and blocked the attempt, flagging it as malicious.

“Despite being a relatively recent entrant to the ransomware landscape, The Gentlemen has quickly established itself as a credible threat by attracting affiliates and carrying out high-profile attacks,” said Fatih Sensoy, security expert at Kaspersky GReAT. “The emergence of new C-based ransomware variants suggests the group is actively strengthening its technical capabilities. Organisations should expect further ransomware activity and prioritise vulnerability management and system hardening to reduce the risk of compromise.”

The findings coincide with broader ransomware trends highlighted by Kaspersky earlier this year. According to data from the Kaspersky Security Network, Latin America recorded the highest proportion of organisations affected by ransomware in 2025 at 8.13%, followed by Asia-Pacific (7.89%), Africa (7.62%), the Middle East (7.27%), the Commonwealth of Independent States (5.91%), and Europe (3.82%).

Kaspersky advises organisations to strengthen their ransomware defences by maintaining up-to-date software, monitoring lateral movement and data exfiltration, maintaining offline backups, and deploying advanced endpoint detection and response (EDR) and threat intelligence solutions to improve detection and incident response.

Comments (0)
Add Comment