A new Kaspersky GReAT investigation reveals that the rapidly growing ransomware group 'The Gentlemen' has developed sophisticated custom malware, expanding its attack capabilities while targeting organizations worldwide across manufacturing, healthcare, IT, finance, logistics and construction sectors.
Cybersecurity firm Kaspersky has uncovered new tactics employed by the emerging ransomware group known as The Gentlemen, revealing that the threat actor has developed custom-built malware to strengthen its attacks against organizations across multiple industries worldwide.
According to researchers from Kaspersky's Global Research and Analysis Team (GReAT), the group has introduced a previously unseen backdoor for reconnaissance and system control, alongside a new ransomware executable, indicating a significant evolution in its technical capabilities.
Ransomware-as-a-service operation expands global reach
Believed to have emerged around mid-2025, The Gentlemen operates as a Ransomware-as-a-Service (RaaS) platform and has rapidly expanded its footprint across sectors including manufacturing, IT services, healthcare, financial services, construction and logistics.
Kaspersky said the attackers primarily gain initial access by exploiting internet-facing services and compromised credentials. However, investigators also observed instances where victim systems had been compromised long before ransomware deployment using techniques not typically associated with the group.
This has led researchers to believe that The Gentlemen may be collaborating with Initial Access Brokers (IABs), purchasing pre-compromised access to organizations possessing valuable intellectual property before launching ransomware attacks.
Custom malware enhances attack capabilities
Unlike many ransomware groups that rely on publicly available tools, The Gentlemen has invested in developing proprietary malware.
Kaspersky identified a previously unknown backdoor written in the Go programming language that was deployed one day before ransomware execution. The malware collects host and network information, conceals its activity by hiding its console window, and supports two-way communication with command-and-control servers, enabling remote command execution and reconnaissance within compromised environments.
Researchers also discovered a new ransomware variant written in the C programming language. While the group has traditionally relied on Go-based ransomware capable of operating across platforms, the latest variant appears to focus specifically on Windows systems.
According to Kaspersky, the limited deployment of the C-based malware suggests that the attackers may be testing it in live corporate environments before broader deployment.
Attackers attempted to disable Kaspersky protection
During one of the investigated attacks, researchers observed The Gentlemen attempting to remove Kaspersky's security software by using kavrmvr.exe, a legitimate utility designed to uninstall Kaspersky products.
However, Kaspersky said its security solution successfully detected and blocked the activity, preventing the attackers from disabling endpoint protection.
Experts warn of growing threat
"Despite being a relatively recent entrant to the ransomware threat landscape, The Gentlemen group is rapidly gaining a reputation among threat actors, attracting affiliates and executing high-profile attacks. The testing of the new C-based ransomware variants suggests that the group is actively refining its capabilities, which may translate into more stable and scalable attack chains in the near future. Organizations should anticipate further malicious ransomware activity and are strongly advised to prioritize vulnerability management and system hardening processes to mitigate the risk of compromise," said Fatih Sensoy, security expert at Kaspersky GReAT.
Ransomware continues to pose global challenge
The findings come as ransomware continues to remain one of the most significant cybersecurity threats globally.
Sharing broader ransomware trends on International Anti-Ransomware Day, Kaspersky reported that Latin America recorded the highest proportion of organizations affected by ransomware in 2025 at 8.13%, followed by Asia-Pacific (7.89%), Africa (7.62%), the Middle East (7.27%), the Commonwealth of Independent States (5.91%), and Europe (3.82%), according to data from the Kaspersky Security Network.
Kaspersky recommends proactive defence measures
To reduce ransomware risks, Kaspersky urged organizations to keep software updated to eliminate exploitable vulnerabilities, strengthen monitoring for lateral movement and data exfiltration, and maintain secure offline backups that cannot be modified by attackers.
The company also recommended deploying advanced Endpoint Detection and Response (EDR) and anti-APT solutions, equipping Security Operations Centre (SOC) teams with up-to-date threat intelligence, and regularly enhancing cybersecurity skills through professional training to improve preparedness against evolving ransomware threats.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.




