UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor

UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.

Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring), stops WinDefend, adds broad Add-MpPreference -ExclusionProcess and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents whose entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the NETLOGON share and SCCM's CcmExec.exe, and process names were masqueraded as svchost32.exe. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentleman deployment. Microsoft's Defender detection name is Ransom:Win64/Gentlemen.A; recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is Block process creations originating from PsExec and WMI commands combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; flag svchost32.exe spawned outside %SystemRoot%\System32; alert on CcmExec.exe launching non-SCCM payloads. Hardening: enforce SMB signing GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and 5140 for the hidden share SMB share.