Microsoft Names Storm-2697 Behind The Gentlemen Ransomware: Go Encryptor, Ephemeral Keys

Microsoft Threat Intelligence has named the operators of The Gentlemen ransomware Storm-2697, and its new deep technical analysis dissects a Go encryptor that uses per-file ephemeral keys and an aggressive self-propagation module.

Line-art tree of small file icons fanning out from a central master file holding a small key; a red dot marks the master key at the centre.

Key Takeaways

  • Microsoft Threat Intelligence has published a deep technical analysis of The Gentlemen ransomware and named the operators of its ransomware-as-a-service platform Storm-2697 — the technical complement to Check Point's April 21, 2026 disclosure of the same operation.
  • The encryptor is written in Go and obfuscated with Garble, and it encrypts each file with a unique ephemeral Curve25519 key pair combined with the operator's embedded public key — a design that makes decryption without the operator's private key functionally impossible.
  • The malware ships with a self-propagation module that runs multiple simultaneous lateral-movement techniques against each target, so a single endpoint compromise can produce fleet-wide encryption within hours.

The story is no longer The Gentlemen as a single vendor's discovery — it is the analytical convergence of two major vendors, Check Point on initial access and Microsoft on the encryptor and self-propagation, on the same operation in the same six weeks. That convergence is how a ransomware program crosses from emerging to operationally mature.

REDMOND, WASHINGTON — On May 28, 2026, Microsoft Threat Intelligence published a deep technical analysis of The Gentlemen ransomware, identifying the operators behind the ransomware-as-a-service platform as a financially motivated group it tracks as Storm-2697. The analysis dissects a Go-based encryptor obfuscated with the Garble tool, a per-file ephemeral-key encryption scheme, and a self-propagation module that runs multiple simultaneous lateral-movement techniques against each target in a victim network.

Microsoft's writeup is the technical complement to The CyberSignal's April 21, 2026 coverage of Check Point Research's DFIR investigation, which exposed The Gentlemen's SystemBC-driven initial-access infrastructure and an active C2-server victim list exceeding 1,570 organisations. Read together, the two vendor disclosures are now the most detailed public picture of a ransomware operation that has reached operational maturity.

Disclosure Overview

Field | Details
Publication | Microsoft Threat Intelligence — "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor," published May 28, 2026
Ransomware Family | The Gentlemen — a ransomware-as-a-service platform that emerged in mid-2025 and opened to affiliates in September 2025
Operator Designation | Storm-2697 — Microsoft's name for the financially motivated group that runs the RaaS platform; affiliates carry out the attacks
Implementation | Encryptor written in Go and obfuscated with the Garble tool, targeting Windows environments
Encryption Design | Per-file ephemeral key — every file gets a fresh Curve25519 key pair; an ECDH shared secret with the operator's embedded public key derives the XChaCha20 file key
Propagation | Self-propagation module that runs multiple simultaneous lateral-movement techniques against each target endpoint
Industries Affected | Education, transportation, healthcare and financial services — observed in North America, South America, Europe, Africa and Asia
Prior Vendor Coverage | Check Point Research (April 21, 2026) — SystemBC integration, 1,570+ C2-server victims, automated extortion pipeline

What Happened

Microsoft Threat Intelligence published a long-form technical analysis of The Gentlemen on May 28, 2026, under the title "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor." In it, Microsoft identifies the operators behind the ransomware-as-a-service platform as Storm-2697 — a financially motivated group that manages the platform while affiliates carry out the intrusions — and traces the program's history from a closed group that emerged in mid-2025 to a public RaaS that began recruiting affiliates in September 2025 and, more recently, formalised a recruiting partnership with the BreachForums marketplace. The writeup covers the encryptor's execution flow, defence-evasion behaviours, encryption design, lateral-movement techniques and indicators of compromise, and Microsoft attaches Defender detections and hunting queries.

Two technical findings dominate the analysis. The first is that the encryptor is written in Go and obfuscated with the Garble compiler tool, designed to make static analysis and signature-based detection harder. The second is the encryption design itself. For every file, the malware generates a unique ephemeral Curve25519 key pair, computes an elliptic-curve Diffie-Hellman shared secret between that ephemeral private key and an operator-embedded public key, uses the shared secret as the XChaCha20 file key, encrypts the contents, and appends the Base64-encoded ephemeral public key to the file footer so the operator can later reconstruct the key on demand. Microsoft also documents an aggressive self-propagation module that runs multiple lateral-movement techniques simultaneously against each target endpoint inside a victim network.

Storm-2697 Is the Operator — "The Gentlemen" Is the Malware

The naming inside the Microsoft analysis is precise, and it matters. Microsoft tracks the operators behind the ransomware as Storm-2697 — a financially motivated group that runs the ransomware-as-a-service platform — while affiliates carry out the actual attacks. The ransomware family itself remains The Gentlemen. "Storm" is the prefix Microsoft uses for emerging or developing threat-actor groups that have not yet been graduated to a final taxonomy name, so the designation also signals that Microsoft considers Storm-2697 an active and still-developing operation rather than a settled one. The distinction between operator and malware family is the kind of detail that gets lost in headlines, but it is the framing the rest of Microsoft's analysis is built on, and it is the framing defenders should adopt when pivoting on the indicators.

The Encryption Design Removes Recovery as an Option

The per-file ephemeral-key scheme is the single most consequential technical detail in Microsoft's analysis, because it determines what a victim's recovery options look like. For each file, the encryptor generates a fresh Curve25519 key pair, derives an ECDH shared secret with the operator's embedded public key, uses that shared secret as the XChaCha20 file key, and stores the Base64-encoded ephemeral public key in the file footer. The operator can rebuild every file's key on demand using their own private key together with the ephemeral public key stored in the footer. A victim cannot. Without the operator's private key material, every file is a separate cryptographic problem with a distinct, unrecoverable key — there is no shared session key to attack, no nonce reuse to exploit, no shortcut. The operational consequence is blunt: decryption without paying is functionally impossible, and offline, immutable backups become the only recovery mechanism a defender can rely on.

Self-Propagation Is the Real Time-to-Encrypt Problem

Microsoft's writeup of the self-propagation module is the operational story most readers should care about. The encryptor includes a propagation component that does not pick a single lateral-movement technique against a given target — it runs multiple techniques simultaneously, in parallel, against each target endpoint inside the victim network. That changes the time scale a defender is operating on. Once a single endpoint runs the encryptor, the malware does not wait for a human operator to map the environment or pick the best next move; the parallel-technique design is built to convert the first compromise into fleet-wide encryption as quickly as the network allows. The defensive implication is that the meaningful detection window is not days or hours after the first encryption event but the minutes between initial code execution and the propagation module getting a foothold on the second endpoint. Behaviour-based detection on a single source endpoint attempting lateral movement to multiple targets at once is, by Microsoft's framing, the operational signature.

Scope and Impact

Microsoft's analysis is the technical complement to the operational picture Check Point Research published on April 21, 2026 and that The CyberSignal covered in detail in "The Gentlemen's Gambit: Systematic Scale Revealed as Ransomware Operation Integrates SystemBC." Check Point's contribution was the initial-access and infrastructure picture — SystemBC integration as a SOCKS5 proxy, an automated extortion pipeline and a C2-server victim list exceeding 1,570 organisations. Microsoft's contribution is the encryptor design (Go plus Garble obfuscation, per-file ephemeral Curve25519/ECDH/XChaCha20), the self-propagation module and the Storm-2697 operator designation. Neither analysis on its own would carry the same weight; the convergence is what makes it credible. Two major vendors, working independently, have now reached the same conclusion about the same operation — and have published complementary, non-overlapping evidence to support it.

The targeting picture in Microsoft's analysis is broad. The Gentlemen has been observed impacting organisations across education, transportation, healthcare and financial services, with observed activity in North America, South America, Europe, Africa and Asia. Microsoft also notes that the program is now in active affiliate-recruitment mode through its BreachForums partnership, which it warns may broaden the pool of operators using the platform — meaning the volume of intrusions running this encryptor is more likely to rise than to plateau in the months ahead. That growth runs in the opposite direction of recent ransomware-economy disruption: Europol's Operation Endgame 2.0 took down 300 servers and 20 operators across the ransomware supply chain, and Microsoft's takedown of a code-signing-as-a-service operation removed a piece of shared infrastructure used by five ransomware crews. The Gentlemen has so far been untouched by either action.

A few specifics are deliberately not in this account. Microsoft has not published a current global victim count alongside its analysis (the 1,570+ figure from the Check Point reporting predates the Microsoft writeup and is not re-stated by Microsoft), has not named individual affiliates within Storm-2697 and has not detailed every initial-access technique used across the affiliate base — those were the focus of Check Point's earlier work. The Microsoft analysis is intentionally encryptor- and propagation-focused. Readers who want the full picture should treat the Check Point disclosure and this Microsoft analysis as a single composite source. The CyberSignal's earlier coverage of Lazarus's RemotePE memory-only RAT and Verizon's DBIR 2026 finding that vulnerability exploitation has overtaken credential theft as the leading initial-access vector are useful neighbours: the threat economy is producing more tooling that is harder to detect statically and more programs that turn one foothold into many.

Response and Attribution

For SOC and incident-response teams, the immediate action is to update detection logic for Go-runtime ransomware binaries with self-propagation behaviour. Static signature detection alone is not sufficient — Go binaries are common in legitimate software, and Garble obfuscation is specifically designed to defeat static methods. The differentiator is behaviour-based detection on aggressive intra-network spread: hunt for simultaneous lateral-movement attempts from a single endpoint to multiple targets, which by Microsoft's framing is the operational signature of the propagation module. Pivot on Microsoft's published Storm-2697 indicators of compromise, sweep historical telemetry for prior activity, and treat any positive hit as an environment-wide event rather than a single-host one.
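The behavioural signature described here and in the self-propagation section above, one source endpoint hitting several targets with several techniques in parallel, can be expressed as a simple sliding-window rule. The following is an added example written for this article, not Microsoft's detection logic or hunting query; the log format, technique labels and thresholds are assumptions to be mapped onto real EDR or Windows event telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one "timestamp src dst technique" per line.
# WS-017 shows the parallel-spread pattern; ADMIN-01 is slow, single-technique
# administrative activity that should not alert.
SAMPLE_LOG = """\
2026-05-28T10:00:01 WS-017 FS-01 smb_admin_share
2026-05-28T10:00:01 WS-017 FS-01 remote_service_create
2026-05-28T10:00:02 WS-017 FS-02 scheduled_task
2026-05-28T10:00:02 WS-017 FS-02 wmi_process_create
2026-05-28T10:00:03 WS-017 APP-03 smb_admin_share
2026-05-28T10:00:03 WS-017 APP-03 wmi_process_create
2026-05-28T10:05:00 ADMIN-01 FS-01 remote_service_create
2026-05-28T10:40:00 ADMIN-01 FS-02 remote_service_create
2026-05-28T11:10:00 ADMIN-01 FS-03 remote_service_create
"""

def parse_log(text: str) -> list:
    """Parse the constructed format into (timestamp, src, dst, technique)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, technique = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, technique))
    return events

def detect_parallel_spread(events: list, window=timedelta(seconds=60),
                           min_targets: int = 3, min_techniques: int = 2) -> dict:
    """Return {src: (targets, techniques)} for every source whose events
    inside some `window` cover at least `min_targets` distinct destinations
    and `min_techniques` distinct techniques. Thresholds are assumed
    starting points; tune them against baseline admin tooling."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            targets = {e[2] for e in chunk}
            techniques = {e[3] for e in chunk}
            if len(targets) >= min_targets and len(techniques) >= min_techniques:
                alerts[src] = (targets, techniques)
                break
    return alerts
```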

For ransomware-IR programme leadership, the per-file ephemeral-key encryption scheme should drive a hard reset on recovery assumptions. Decryption without paying is functionally impossible without the affiliate's private key material, which means offline and immutable backups are no longer one option among several but the only operational recovery mechanism. Brief the board on the two-vendor analytical convergence — Check Point on the initial-access infrastructure and Microsoft on the encryptor and self-propagation — as evidence that The Gentlemen has reached the operational maturity of programs like LockBit, Medusa and Akira, alongside the actor stable that has produced the recent Karakurt negotiator's 102-month sentence tied to Conti and Akira and the FBI's warning on Silent Ransom Group's in-person USB attacks on law firms, and budget the response programme accordingly.

For network defenders, segment networks under the assumption that any single endpoint compromise can produce fleet-wide encryption within hours via the self-propagation module. Restrict the lateral-movement paths the module is designed to exploit simultaneously — SMB, remote service creation, scheduled tasks, WMI and credential reuse — and enforce least-privilege on the service accounts that allow propagation to succeed. The Gentlemen now joins the cluster of operationally mature, multi-affiliate ransomware programs; it should be treated with the same patch, segmentation and IR-readiness priority that the rest of that cluster already carries.


The CyberSignal Analysis

Signal 01 — The Two-Vendor Convergence Is the Story

The headline is not that Microsoft has published another ransomware analysis — Microsoft publishes those regularly. The headline is that two of the largest threat-intelligence operations in the industry have now independently arrived at deep, complementary technical pictures of the same operation within six weeks of each other. Check Point landed the operational picture in April: SystemBC initial access, an automated extortion pipeline, a C2-server victim list. Microsoft has now landed the encryptor and propagation picture: Go plus Garble obfuscation, per-file ephemeral keys, simultaneous-lateral-movement self-propagation, and a named operator group in Storm-2697. Neither is the complete account on its own; together they are. That kind of multi-vendor analytical convergence is, historically, how a ransomware program crosses from emerging to operationally mature in the public record — and the response posture defenders carry should follow that crossing.

Signal 02 — Per-File Ephemeral Keys Reframe the Recovery Conversation

There is a particular kind of design choice in the Microsoft writeup that deserves to be pulled out of the technical detail and put in front of the board. Per-file ephemeral Curve25519 key pairs, combined with an ECDH shared secret derived from the operator's embedded public key, mean that every encrypted file holds an independent cryptographic problem. There is no master session key for defenders to attack, no nonce reuse to exploit, no flawed key-derivation routine to reverse-engineer. The operator has the only key material capable of reconstructing the per-file XChaCha20 keys, and a victim does not. Most well-engineered modern ransomware has converged on schemes with this property, but it remains genuinely underweighted in tabletop exercises and incident plans. The takeaway is narrow: any recovery plan that assumes a future decryptor or a cryptographic break is, against this design, not a plan. Offline, immutable backups are the only recovery primitive left.

Signal 03 — Self-Propagation Compresses the Defender's Window to Minutes

The single defensive shift that Microsoft's self-propagation finding should drive is in the assumed time budget. Traditional ransomware response models still implicitly assume a window measured in hours between initial code execution and fleet-wide impact — enough time for an alert to surface, a SOC analyst to triage it and an isolation decision to be made. A propagation module that fires multiple lateral-movement techniques in parallel against every reachable target does not respect that window. The realistic time between first execution and second-endpoint compromise is minutes, not hours, and the detection signal that matters most is not the encryption event itself but the burst of simultaneous lateral-movement attempts from a single source. Defenders who tune their SOC and their EDR posture for that specific behaviour — and who segment networks so the propagation module cannot find as many simultaneous targets — will catch this. Defenders who do not will see the encryption event first, and at that point the window has already closed.


Sources

Type | Source
Primary | Microsoft Threat Intelligence — The Gentlemen Ransomware: Dissecting a Self-Propagating Go Encryptor
Analysis | Check Point Research — DFIR Report: The Gentlemen
Analysis | Trend Micro — Unmasking The Gentlemen Ransomware
Reporting | BleepingComputer — The Gentlemen Ransomware Now Uses SystemBC for Bot-Powered Attacks
Reporting | The Hacker News — SystemBC C2 Server Reveals 1,570 Victims