Last updated: July 5, 2026 at 9:01 AM UTC
Tag: storm-2697 (1 article)

The Gentlemen ransomware adds worm-like spread, tops 478 victims

The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. The encryptor is written in Go and obfuscated to hinder analysis. Its optional --spread switch turns a single-machine infection into a network worm: it uses stolen or reused credentials to move laterally and deploys the encryptor to every reachable system. A separate --wipe switch destroys recoverable data and forensic traces. On each host the malware disables Defender, weakens firewall and authentication settings, and creates scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.

Check
On Windows hosts, hunt for The Gentlemen's persistence markers (scheduled tasks named UpdateSystem or UpdateUser, Run keys GupdateS and GupdateU), and audit Fortinet edge devices for compromised or reused credentials.
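The following PowerShell hunt is an added example, not code from the article or from Microsoft's Storm-2697 reporting. It checks a single Windows host for the scheduled-task and Run-key names the article lists and, because the article says the malware disables Defender and weakens the firewall on each host, also reports Defender real-time and tamper-protection state and any disabled firewall profile. The task and value names are the article's; the registry paths searched, the Defender and firewall checks, and the output format are assumptions about what is worth looking at, not documented Storm-2697 indicators. Run it elevated, or push it through your EDR or RMM to run fleet-wide.

```powershell
# Added hunting script (not from the article or from Microsoft): one-host check for
# The Gentlemen / Storm-2697 persistence markers plus Defender and firewall tampering.
# Task names and Run-key value names below are the ones reported in the article.
$taskNames = @('UpdateSystem', 'UpdateUser')
$runValues = @('GupdateS', 'GupdateU')
# Assumption: the usual Run-key locations, including the 32-bit view on 64-bit Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Scheduled tasks with the reported names, anywhere in the task tree.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    if ($taskNames -contains $task.TaskName) {
        $actions = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Name   = "$($task.TaskPath)$($task.TaskName)"
            Detail = "state=$($task.State); action=$actions"
        }
    }
}

# 2. Run keys with the reported value names; record the command they launch.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($v in $runValues) {
        if ($null -ne $props.$v) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$v"; Detail = $props.$v }
        }
    }
}

# 3. Defender state: the article says the malware disables Defender on each host.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -ne $mp) {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += [pscustomobject]@{ Type = 'Defender'; Name = 'RealTimeProtection'; Detail = 'disabled' }
    }
    if (-not $mp.IsTamperProtected) {
        $findings += [pscustomobject]@{ Type = 'Defender'; Name = 'TamperProtection'; Detail = 'off' }
    }
} else {
    # Get-MpComputerStatus failing outright is itself suspicious on a host that should run Defender.
    $findings += [pscustomobject]@{ Type = 'Defender'; Name = 'Get-MpComputerStatus'; Detail = 'no status returned' }
}

# 4. Firewall profiles: any profile that has been switched off.
foreach ($profile in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
    if ($profile.Enabled -eq 'False') {
        $findings += [pscustomobject]@{ Type = 'Firewall'; Name = $profile.Name; Detail = 'profile disabled' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no Storm-2697 persistence markers or tampering indicators found"
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s)"
    $findings | Format-Table -AutoSize
}
```

A hit on a task or Run key is a strong signal and should trigger isolation of the host before anything else, since the --spread mode means neighbouring systems are likely already being targeted; a Defender or firewall finding on its own is weaker and needs correlation with the credential audit on the Fortinet devices and with authentication logs for the account that created the task.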
Affected
Windows-based organizations, plus Linux, NAS, BSD, and ESXi systems; networks with flat segmentation and shared credentials are most exposed to the worm-like lateral spread.
Fix
Enforce unique credentials and phishing-resistant MFA, segment networks to limit lateral movement, keep offline and regularly tested backups, patch and monitor Fortinet edge devices, and enable Defender tamper protection so the encryptor cannot switch it off.