
The Gentlemen Ransomware: A Self-Propagating Worm Your EDR Can't See

The Gentlemen (Storm-2697) turned its encryptor into a worm with 21 lateral-movement methods — and disables Defender on every host it touches. Why the network sees what the endpoint can't.

Zero Hunt Research

Ransomware groups have spent the last five years optimising for one thing: the gap between initial access and full encryption. Shrink that window and you outrun the defender's response. The Gentlemen — tracked by Microsoft as Storm-2697 — closed it the brute way. They bolted a worm onto the encryptor. Run the binary with a single --spread flag and it stops being a single-host locker and becomes a self-propagating agent that copies itself to every reachable machine it can find, by twenty-one different methods, in parallel. By June 11 the group had claimed 478 victims, and the propagation capability is what moved the story from "another RaaS" to "the thing your incident-response retainer is about to be tested against."

The reason this matters is not that worms are new — Conficker and WannaCry are on this blog's masthead of historical precedent. It's that the modern version is built to defeat the one control most organisations actually deployed after 2017: the endpoint agent. The Gentlemen's spreader disables Microsoft Defender on every host it reaches, before it does anything else. The detection surface your SOC is staring at goes dark host-by-host, in the order the worm arrives. This article is about why that design choice works, and what is left to see it with once it has.

Why self-propagating ransomware breaks the response timeline

The standard ransomware kill-chain has discrete, human-paced stages: phishing or edge exploit, credential theft, reconnaissance, lateral movement, privilege escalation, then deployment. Each stage is an opportunity to intervene. The economics of the annual pentest and the quarterly tabletop assume those stages take days.

A self-propagating encryptor collapses the back half of that chain into seconds of machine-paced fan-out. Once the operator has one foothold with sufficient privilege, --spread does the rest with no human in the loop. Microsoft's dissection of the Go-based encryptor describes a build that, per target, tries 21 distinct remote-execution techniques until one lands. It does not pick a method and move on; it sprays.

IR lead, hour two: "We isolated patient zero." Network engineer: "Patient zero pushed to forty-three hosts before you isolated it. Nineteen of them already pushed onward. Which one do you want to call patient zero now?"

That exchange is the whole problem. In a worm event there is no single index host to contain, because containment is racing replication, and replication does not sleep.

Inside The Gentlemen's worm: 21 ways to reach the next host

The spreader is methodical, and almost all of it rides on legitimate Windows administration primitives. From Microsoft's analysis, the per-target sequence is roughly:

  • Local staging — copies itself to C:\Temp, creates a hidden SMB share share$ with anonymous access, and edits the registry to permit anonymous net-share access.
  • Payload delivery — stages the binary onto the target through the administrative C$ share, or pulls an embedded PsExec (falling back to Microsoft's own Sysinternals Live service if the embedded copy is blocked).
  • Remote execution — fired through whichever of these works: PsExec under SYSTEM, WMIC remote process creation, scheduled tasks (DefU, UpdateGU, UpdateGU2), Windows services (DefSvc, UpdateSvc, UpdateSvc2), PowerShell Invoke-Command over WinRM (TCP 5985/5986), and the PowerShell WMI class interface directly.
  • Pre-deployment evasion blob — run on each target before the payload: disables Defender, disables the Windows Firewall across all profiles, re-enables SMB1, loosens LSA anonymous-access restrictions, and broadens NTFS permissions.

Read that last bullet again. The worm doesn't exploit a vulnerability to move — it uses the network the way a domain administrator would, and it turns off the defences on each machine as a setup step. That is why signature-based and even behaviour-based endpoint detection struggles: the moment the agent could raise an alert is the moment it has already been told to stop monitoring.

On arrival, the encryptor escalates by registering a gentlemen_system scheduled task running as SYSTEM, kills 50-plus processes to release file locks (SQL Server, Oracle, PostgreSQL, plus the backup stack — Veeam, Acronis — and EDR agents), deletes Volume Shadow Copies, and wipes event logs, prefetch, RDP logs and PowerShell history behind it. Each file gets its own key: the encryptor generates an ephemeral Curve25519 key pair, derives the file key through an ECDH exchange against the operator's embedded public key, and encrypts the contents with the XChaCha20 stream cipher, then renames the file with a .umc16h extension. Large files are only partially encrypted — 9% by default, dropping to 0.3% in "ultrafast" mode — because for a worm racing containment, speed beats thoroughness.

How The Gentlemen get in

The propagation is the back half. The front half is unglamorous and entirely familiar. Check Point Research's profile of the group — which counted 332 public victims in the first five months of 2026, ranking it the second most productive RaaS of the period — puts initial access squarely on internet-facing edge devices: Fortinet FortiGate VPNs, Cisco edge appliances, exposed management interfaces. The group has been observed tracking and weaponising CVE-2024-55591, the FortiOS management-interface authentication bypass that has long sat on the CISA Known Exploited Vulnerabilities catalog, alongside CVE-2025-32433 (Erlang/OTP SSH) and CVE-2025-33073 (NTLM relay). Where they can't exploit, they brute-force or buy access from brokers.

For command-and-control they lean on tooling that blends into normal traffic — Velociraptor, Cloudflare Zero Trust tunnels, a custom framework called ZeroPulse — and the operators have been seen experimenting with Chinese LLMs (DeepSeek, Qwen, Kimi) for code assistance. The takeaway for a defender: the edge is the door, and that door is a known, testable set of CVEs and exposed interfaces. The worm only gets to run if the door opened.

The blind spot: your EDR is the first casualty

Lay the two halves side by side and the detection problem becomes obvious. The controls most organisations rely on are exactly the ones the worm neutralises on its way through.

| Control | What it should catch | Why it doesn't, against this worm |
|---|---|---|
| Endpoint EDR / Defender | Malicious process execution, encryption behaviour | Disabled by the evasion blob before the payload runs on each host |
| Host firewall | Inbound lateral-movement connections | Turned off across all profiles as a setup step |
| Backup / shadow copies | Recovery after encryption | Backup agents killed, VSS deleted, logs wiped |
| SIEM log correlation | Post-hoc reconstruction | Event logs cleared per host; the worm outruns the digest cycle |
| Annual / quarterly pentest | Validating the edge before attack | Wrong cadence — point-in-time, blind to the fan-out path |

What survives this list has one thing in common: it does not live on the host being compromised. You cannot disable from inside a machine the thing watching the machine from the wire.

What a self-propagating worm looks like on the wire

Here is the asymmetry the attacker can't engineer away. The evasion blob can silence Defender, blank the event log and kill the backup agent — but every one of the 21 spread techniques is a network conversation, and those conversations have a shape that nothing normal produces. A single workstation does not, in the space of ninety seconds:

  • open authenticated SMB sessions to dozens of internal hosts and write to their C$ and ADMIN$ shares;
  • spray WinRM (5985/5986) Invoke-Command calls and DCOM/RPC WMI process-creation requests in a fan-out pattern from one source to many destinations;
  • enumerate drive letters A–Z and CSV shares across a subnet;
  • and then immediately exhibit the rapid, high-entropy sequential write pattern of mass file encryption against those same shares.

That sequence — privileged lateral fan-out immediately followed by in-progress encryption writes — is the canonical behavioural signature of a worm-capable ransomware mid-detonation. It is visible while the files are still being locked, not in the morning's SIEM digest, and crucially it is visible regardless of what the worm did to the endpoints, because the detector is not on the endpoints.
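As an added illustration (not Zero Hunt's model and not code from the original post), the following Python expresses that two-part signature as a rule over flow records: one source opening sessions to many hosts on SMB/RPC/WinRM ports inside ninety seconds, followed by high-entropy share writes from the same source. The record format, thresholds and host addresses are assumptions, and the sample records are constructed rather than captured.

```python
import math
from collections import Counter, defaultdict

LATERAL_PORTS = {445, 135, 5985, 5986}   # SMB, RPC/DCOM mapper, WinRM http/https
FANOUT_WINDOW = 90                       # seconds; the article's "ninety seconds"
FANOUT_MIN_HOSTS = 10                    # distinct targets from one source (assumed)
ENTROPY_MIN = 7.5                        # bits/byte; ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a write sample: text is ~4-5, XChaCha20 output ~8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def detect_worm_fanout(records):
    """records: (ts, src, dst, dport, op, sample); op is 'connect' or 'write',
    sample is the first bytes of a write. Returns (src, first_ts, n_hosts,
    n_enc_writes) for sources that fan out and then emit high-entropy writes."""
    by_src = defaultdict(list)
    for rec in sorted(records):
        by_src[rec[1]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        connects = [r for r in recs if r[4] == "connect" and r[3] in LATERAL_PORTS]
        for i, first in enumerate(connects):
            window = [r for r in connects[i:] if r[0] - first[0] <= FANOUT_WINDOW]
            hosts = {r[2] for r in window}
            if len(hosts) < FANOUT_MIN_HOSTS:
                continue
            # Fan-out seen; second half of the signature is encryption-shaped
            # writes from the same source while or just after it spreads.
            end = window[-1][0] + FANOUT_WINDOW
            enc = [r for r in recs if r[4] == "write" and first[0] <= r[0] <= end
                   and shannon_entropy(r[5]) >= ENTROPY_MIN]
            if enc:
                alerts.append((src, first[0], len(hosts), len(enc)))
            break  # one alert per source; later windows only repeat it
    return alerts

def constructed_sample():
    """Constructed records, not a capture: 10.0.1.20 sprays 12 peers over SMB and
    WinRM in 55 s, then writes ciphertext-shaped data to their shares, while
    10.0.1.50 saves one plaintext document to the file server."""
    recs = [(100 + 5 * i, "10.0.1.20", f"10.0.1.{30 + i}", 445 if i % 2 else 5985,
             "connect", b"") for i in range(12)]
    recs += [(170 + i, "10.0.1.20", f"10.0.1.{30 + i}", 445, "write",
              bytes(range(256))) for i in range(12)]           # entropy 8.0
    recs += [(120, "10.0.1.50", "10.0.1.5", 445, "connect", b""),
             (121, "10.0.1.50", "10.0.1.5", 445, "write",
              b"Quarterly budget notes, draft three. " * 8)]  # entropy ~4
    return recs
```

Run against the constructed sample, the rule flags only 10.0.1.20 (12 hosts reached, 12 ciphertext-shaped writes) and ignores the single document save; in practice the thresholds would be tuned per environment, since a backup server or deployment tool also fans out but does not follow it with high-entropy writes to the same peers.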

This is the exact scenario Zero Hunt's AI Traffic Analysis pillar was built for. A proprietary deep-learning model, trained on billions of PCAP sequences, runs four parallel inference heads — suspicious traffic, malware classification, attack-type identification, application fingerprinting — locally on the appliance GPU at 2.7+ Gbit/s, with no cloud callback. It does not need a signature for The Gentlemen specifically; it scores the behaviour: the one-to-many SMB/WinRM/DCOM fan-out and the encryption write-pattern that follows, while it is happening. When the endpoint agents are going dark host-by-host, the wire-side model is the witness that the worm cannot reach to silence — because it lives on the appliance, not on the victims.

The front half of the kill-chain belongs to the second pillar. The Gentlemen get in through a known, finite set of edge exposures — FortiGate, Cisco, management interfaces, the same CVEs they reuse across campaigns. Zero Hunt's 10-agent generative pentest validates that surface continuously rather than once a year: the Recon and Exploit agents test the perimeter for exactly the access conditions this group depends on, and the Pivot and Post-Exploit agents rehearse the assumed-breach lateral path — the same SMB, WinRM and WMI channels the worm sprays — so you find the open door and the reachable fan-out before an affiliate with a --spread flag does. Every chain is backtested in the AI Gym before it runs, and every finding is ECDSA-signed for the audit trail. A worm closes the response window to seconds; the only workable answer is to have already tested the path it takes and to be watching the wire it has to cross.

If your last validation of the FortiGate edge and the internal lateral path was a point-in-time exercise, that's the conversation to have. For how the on-prem appliance is architected, see the platform overview; for the broader shift away from after-the-fact ransomware discovery, the exfiltration-only ransomware analysis covers the adjacent detection gap.