Gentlemen RaaS Uses SYSTEM Scheduled Task to Encrypt Drives

The Gentlemen Ransomware Abuses Windows SYSTEM Tasks to Encrypt Entire Networks

The Gentlemen ransomware is a growing and technically sophisticated threat that Canadian organizations in healthcare, finance, education, and transportation cannot afford to overlook. According to a new analysis by Microsoft Threat Intelligence, this ransomware-as-a-service (RaaS) platform combines self-propagation, SYSTEM-level privilege abuse, and double extortion into one tightly engineered attack chain. The group behind it, tracked by Microsoft as Storm-2697, recently cemented a formal recruitment partnership with BreachForums, a prominent criminal marketplace, significantly broadening its potential affiliate base.


Storm-2697 and the Evolution of The Gentlemen RaaS

The Gentlemen first surfaced around mid-2025 as a closed criminal operation before opening access to affiliates in September 2025. Confirmed victims span North America, South America, Europe, Africa, and Asia, with targeted sectors including healthcare, education, transportation, and finance.

What separates this malware from older ransomware families is the investment behind its core binary. It is written in Go (Golang) and obfuscated using Garble, a Go-specific tool that strips symbol names and applies code transformations that make static analysis significantly harder for defenders. Each build requires a unique password to execute, and operators can configure almost every aspect of the malware’s behaviour through command-line arguments, including encryption speed, network spreading, and post-reboot persistence.

Double extortion is standard practice. Files are encrypted and simultaneously stolen, with operators threatening to publish the exfiltrated data on a leak site if the victim declines to pay. Microsoft noted that the new BreachForums alliance could draw in a substantially wider pool of criminal operators going forward, increasing both the volume and geographic spread of attacks.


SYSTEM-Level Privilege Escalation: The Technical Mechanism

One of the most significant technical characteristics of this threat is how it obtains the highest possible Windows privileges before it begins encrypting local drives.

Hijacking the Windows Task Scheduler

When The Gentlemen receives the appropriate command-line flag, it registers a Windows scheduled task named “The Gentlemen,” configured to execute the ransomware binary under the SYSTEM account, which is the highest privilege level on any Windows machine. To avoid conflicts, the malware first removes any previously existing task sharing that name, then creates and immediately triggers a fresh one. Once the elevated context is confirmed, it sets an internal environment variable, LOCKER_BACKGROUND=1, to signal that the encryption engine is now running with unrestricted system access.

This approach is a deliberate bypass of standard user-account access controls. Files normally protected from modification by user-level processes, including security-sensitive directories, restricted profiles, and operating system components, become fully exposed once the malware is running as SYSTEM. The scope of what can be encrypted is therefore significantly wider than what most user-facing encryption tools can reach.

For persistence across reboots, the malware registers two additional scheduled tasks: UpdateSystem, which re-executes the payload under SYSTEM on startup, and UpdateUser, which does the same under the logged-in user context. It also writes registry autorun entries under both HKLM (as GupdateS) and HKCU (as GupdateU) to ensure the payload reactivates even if the scheduled tasks are removed manually.


Self-Propagation: From One Machine to the Whole Network

The Gentlemen is not a contained single-device threat. Once its spreading feature is active, it functions as a self-propagating worm.

The malware stages its binary in a shared folder, copies it across every accessible administrative network share, and then attempts execution on each remote host using eight distinct techniques fired simultaneously. These include PsExec (dropped to C:\Temp\psexec.exe), Windows Management Instrumentation (WMI), scheduled tasks in both user and SYSTEM contexts, Windows services, and PowerShell remoting. Across all methods, the ransomware fires 21 separate remote execution attempts per target machine.

The logic here is adversarial by design. If even one of those 21 attempts succeeds on a single new host, that machine becomes a fresh propagation origin, and the entire cycle begins again from there. Defenders who detect and block one execution method, such as PsExec, remain exposed to the other seven. Treating any single block as complete protection is a mistake.

Before encryption begins, The Gentlemen clears its own path: it disables antivirus tools, deletes volume shadow copies and backup mechanisms, purges Windows event logs, and overwrites free disk space using wipefile.tmp to obstruct forensic recovery.


Indicators of Compromise

Security teams should immediately search for the following artifacts across endpoints and SIEM platforms.

File-Based:

  • Encryptor binary SHA-256: 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
  • Ransom note: README-GENTLEMEN.txt (deposited in each encrypted directory)
  • Encrypted file extension: .umc16h
  • Post-encryption wallpaper: gentlemen.bmp (dropped to %TEMP%)
  • PsExec binary: C:\Temp\psexec.exe

Scheduled Tasks: gentlemen_system, UpdateSystem, UpdateUser

Registry Autorun Keys: GupdateS under HKLM\...\Run, GupdateU under HKCU\...\Run


Canadian Impact: Regulated Sectors, Backup Gaps, and PIPEDA Obligations

Storm-2697’s confirmed target sectors map directly onto some of Canada’s most regulated and most frequently attacked industries. Regional hospitals, school boards, municipal transit authorities, and credit unions all fall within the profile of organizations that The Gentlemen has already struck internationally. The Canadian Centre for Cyber Security (CCCS), in its National Cyber Threat Assessment 2025-2026, identifies ransomware as the most disruptive cybercrime threat facing Canadian organizations, with double extortion specifically called out as the dominant pressure tactic used by active threat groups.

The data theft element of this attack carries serious regulatory weight under Canadian law. PIPEDA requires mandatory notification to the Office of the Privacy Commissioner, and in many cases, to affected individuals directly when a breach creates a real risk of significant harm. The Gentlemen’s exfiltration step, which occurs before encryption, means that a successful attack is simultaneously a data breach and an encryption event, triggering reporting obligations on a compressed timeline. Ontario healthcare organizations subject to PHIPA and Alberta health sector entities governed by HIA face additional notification requirements if patient data is captured during the theft phase.

Smaller and mid-sized Canadian organizations with limited IT staff are disproportionately at risk. The ransomware’s ability to eliminate shadow copies while spreading laterally means that network-connected or locally attached backups offer no meaningful protection. Recovery depends entirely on an offline or immutable backup infrastructure that the malware cannot reach.


Key Takeaways

  • The Gentlemen is a Go-based, Garble-obfuscated RaaS platform operated by Storm-2697, with active affiliates targeting organizations across multiple continents.
  • The malware registers a Windows scheduled task (gentlemen_system) to run its encryption engine under the highest-privilege SYSTEM account, bypassing standard user-level file protections.
  • Its lateral movement engine fires 21 execution attempts per remote host across 8 simultaneous methods, including PsExec, WMI, PowerShell remoting, Windows services, and scheduled tasks.
  • Before encrypting, the ransomware disables antivirus, deletes backups, clears event logs, and wipes free disk space, making forensic recovery extremely difficult.
  • Double extortion is standard: file theft occurs before encryption, and non-payment leads to public data release, triggering both recovery and regulatory breach notification obligations under PIPEDA.
  • Canadian healthcare, finance, education, and transportation sectors are directly in scope based on Storm-2697’s confirmed targeting patterns.
  • A new formal partnership between Storm-2697 and BreachForums increases the likelihood of broader affiliate recruitment and an expanding volume of attacks in the near term.

What You Should Do Now

  1. Hunt for IoCs in your environment now. Search across your SIEM, EDR, and endpoint inventory for the scheduled task names gentlemen_system, UpdateSystem, and UpdateUser, the registry keys GupdateS and GupdateU, and the binary hash 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67. Any match requires immediate incident response escalation.
  2. Enable ASR rules to block PsExec and WMI-initiated process creation. Microsoft Defender for Endpoint attack surface reduction rules can prevent process launches originating from PsExec and WMI commands. This is a necessary layer, not a complete defense, but it removes two of the eight lateral movement vectors in a single configuration change.
  3. Audit and restrict administrative share access. The Gentlemen spreads by writing its binary to administrative shares. Review which systems expose administrative shares across the network and restrict lateral SMB access between workstations using host-based firewall rules.
  4. Move critical backups fully offline or to immutable storage. Any backup accessible through a network share or mapped drive can be deleted by this ransomware. Ensure at least one copy exists on write-once or physically offline media and verify recovery from it before an incident forces the test.
  5. Switch EDR to block mode, not detection-only. An EDR that is configured only to alert will deliver a notification after the damage is done. Enable automatic attack disruption features to interrupt lateral movement in progress before containment windows close.
  6. Enable Windows Controlled Folder Access. This built-in Windows Defender feature restricts which processes can write to protected directories, directly impeding the encryption engine even when it is running under elevated privileges.
  7. Activate your PIPEDA breach response process before you need it. If your organization holds personal information and a ransomware attack occurs, legal and privacy team involvement must begin at the start of incident response, not after containment. Ensure your IR plan includes breach notification timelines, escalation contacts, and clear documentation requirements.
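The IoC hunt from step 1, written out as an added PowerShell triage script (this is not code from Microsoft's report or from the article; it assumes it is run in an elevated session on a Windows 10/Server 2016 or later host). It checks only the indicators listed in this article; the extra heuristic that flags any SYSTEM task launching from a Temp directory is an assumption generalizing the mechanism described above, not an indicator from the report.

```powershell
# Added example: hunt for The Gentlemen indicators on the local host.
# Assumes elevated PowerShell; HKCU covers only the current user's hive (check HKU\<SID> for others).
$TaskNames     = @('gentlemen_system', 'UpdateSystem', 'UpdateUser', 'The Gentlemen')
$RunValues     = @('GupdateS', 'GupdateU')
$RunKeys       = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$BinaryHash    = '22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67'  # from the article
$ArtifactPaths = @('C:\Temp\psexec.exe', (Join-Path $env:TEMP 'gentlemen.bmp'))
$Findings      = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled tasks: exact name matches, plus (assumed heuristic) any task that
#    runs as SYSTEM and launches an executable from a Temp directory.
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    if ($TaskNames -contains $t.TaskName) {
        $Findings.Add("Task name match: $($t.TaskPath)$($t.TaskName)")
    }
    $execs = @($t.Actions | ForEach-Object { $_.Execute } | Where-Object { $_ })
    $runsAsSystem = ($t.Principal.UserId -match '^(NT AUTHORITY\\)?SYSTEM$') -or ($t.Principal.UserId -eq 'S-1-5-18')
    if ($runsAsSystem -and ($execs -match '\\Temp\\')) {
        $Findings.Add("SYSTEM task launching from Temp: $($t.TaskName) -> $($execs -join ';')")
    }
}

# 2. Registry autorun values under the HKLM and HKCU Run keys.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($v in $RunValues) {
        if ($props -and ($props.PSObject.Properties.Name -contains $v)) {
            $Findings.Add("Registry autorun: $key\$v = $($props.$v)")
        }
    }
}

# 3. Staged PsExec / wallpaper paths, and the encryptor hash in Temp locations.
foreach ($p in $ArtifactPaths) {
    if (Test-Path -LiteralPath $p) { $Findings.Add("Artifact present: $p") }
}
Get-ChildItem -Path 'C:\Temp', $env:TEMP -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($h -eq $BinaryHash) { $Findings.Add("Encryptor hash match: $($_.FullName)") }  # -eq is case-insensitive
}

# 4. Ransom note and encrypted-file extension: shallow sweep of each fixed drive (raise -Depth as needed).
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'README-GENTLEMEN.txt' -or $_.Extension -eq '.umc16h' } |
        Select-Object -First 5 | ForEach-Object { $Findings.Add("Encryption artifact: $($_.FullName)") }
}

if ($Findings.Count -eq 0) { 'No Gentlemen indicators found on this host.' }
else { 'ESCALATE - indicators found:'; $Findings | Sort-Object -Unique }
```

Run it through your endpoint management tooling against every host rather than by hand; any finding from section 1 or 2 should be treated as an active intrusion, not a stale artifact.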
