On June 29, 2026, Kaspersky published its full technical analysis of The Gentlemen, a ransomware-as-a-service group that emerged in early 2026 and has already ranked among the top ten actors by victim announcements on its data leak sites. The report documents an attack architecture that goes beyond deploying an encrypting payload: the group installs a custom Go backdoor days in advance, turning ransomware from an isolated event into a multi-phase intelligence operation.
The analyzed campaigns, observed directly from February 2026, target large corporations and critical infrastructure. Initial access occurs through vulnerabilities in exposed online services and weak or stolen credentials, with a particular focus on VPN hardware and perimeter firewalls. In some cases Kaspersky detects pre-existing access prior to ransomware deployment, suggesting possible collaboration with Initial Access Brokers.
- The Gentlemen ranks among the top ten ransomware groups by victim announcements in H1 2026, targeting large corporations and critical infrastructure.
- The custom Go backdoor installs one day before the ransomware attack, using the Yamux library for persistent bidirectional TCP communication with the command-and-control server.
- The arsenal includes five specific vulnerable BYOVD drivers to disable EDR, alongside Windows Kernel Explorer and OpenArk64 for system call interception.
- SharpADWS bypasses standard Active Directory logging by encapsulating LDAP queries in SOAP messages, while netsh captures packets on administrative shares for cleartext credential extraction.
The Backdoor as a "Gentleman's Knock": Intelligence Before the Strike
The most disturbing finding in Kaspersky's analysis is the timing. The backdoor is deployed an average of one day before ransomware execution, not as a mere accessory but as a complete operational platform. Upon installation it gathers system information via WMI: hostname, domain, UUID, and IP address. This data does not serve immediate encryption but builds a network map the group uses to decide where to strike.
Communication with the C2 occurs via the Yamux library, which implements multiplexing over a single TCP connection. The identified address is 81.177.215[.]15 on port 9443. The backdoor interprets two command bytes: 'c' for command execution via cmd.exe /c, and 's' for establishing a SOCKS proxy. The latter enables pivoting to network segments not directly reachable from the initial compromise point.
According to Kaspersky, "given the backdoor implant's capabilities, such as establishing two-way communication, executing commands, setting up a SOCKS proxy, and gathering information, it's clear that it can also be used to expand the attack chain as needed." The distinction between initial access and deployment phase dissolves: the backdoor is a red team tool integrated into the crimeware infrastructure.
SharpADWS and netsh: When APT Tactics Become Commodity
After initial positioning, The Gentlemen conducts Active Directory reconnaissance via SharpADWS, a tool that encapsulates LDAP queries in SOAP messages to evade standard logging mechanisms. The technique is not new in advanced intrusions, but its systematic appearance in a RaaS operator indicates a cross-pollination of sophistication previously reserved for nation-state actors.
In parallel, the group uses netsh to capture network packets, saving data to administrative shares with random names. Subsequent analysis occurs with Wireshark to extract "sensitive information such as unencrypted network activity and potential passwords," as the source reports. The point is architectural: administrative shares, traditionally considered internal management infrastructure, become an active attack surface for harvesting credentials in transit.
Lateral movement confirms this approach. The Gentlemen distributes the ransomware payload via GPO using a custom PowerShell script named deploy_gpo.ps1, hosted on the NETLOGON share. Alternatively or in combination, it resorts to PsExec. The systematic use of legitimate administration tools renders detection based on known malicious tool signatures ineffective.
Five-Driver BYOVD: The Zero-Ring War
Endpoint defense evasion represents the most technical segment of the analysis. The Gentlemen employs five specific vulnerable drivers to gain kernel-mode execution: ProcessMonitorDriver.sys (Safetica, DLP/EDR solution), gamedriverx64.sys (Fedeen/Hotta, anti-cheat system), biontdrv.sys (Paragon, partition management), inpoutx64.sys (legacy for RGB hardware), and wsftprm.sys (Topaz, anti-fraud). The catalog covers diverse software categories, suggesting purchase or development of a ready-to-use BYOVD toolkit.
Alongside the drivers, the group uses Windows Kernel Explorer and OpenArk64 to intercept and block system calls, with the explicit goal of removing security product drivers. The attempt to uninstall Kaspersky via the kavrmvr.exe executable was blocked by behavioral detection, but the strategy is clear: do not evade the EDR, neutralize it before payload execution.
The ransomware itself is developed in Go and protected by a previously unknown obfuscator that renames symbols, source files, structures, and alters function signatures. The hardcoded execution password, CbdU8EgF, acts as an anti-sandbox barrier preventing automated analysis. It is unconfirmed whether the obfuscator was developed internally or acquired from a third-party supplier.
"We have been observing the activity of The Gentlemen since February 2026 and have discovered new tactics, techniques, and procedures (TTPs) as well as custom tool development efforts" — Kaspersky Securelist
What to Do Now
Organizations must assume that ransomware presence is the finale of an already successful compromise, not the initial event. The deployment of the Go backdoor one day before the payload offers a detection window: monitor persistent TCP connections to external IPs on port 9443 and the use of the Yamux library in undocumented processes.
To counter SharpADWS, it is necessary to inspect LDAP traffic encapsulated in SOAP rather than relying solely on standard query logs. Administrative shares must be subjected to anomalous access monitoring, with particular attention to capture files generated by netsh in folders with random names.
The five BYOVD drivers identified in the campaigns — ProcessMonitorDriver.sys, gamedriverx64.sys, biontdrv.sys, inpoutx64.sys, and wsftprm.sys — must be included in driver blocklists if not strictly required for business operations. The presence of Windows Kernel Explorer or OpenArk64 in production environments constitutes an indicator of compromise.
Lateral movement via NETLOGON and PowerShell scripts like deploy_gpo.ps1 requires control of GPO modifications and auditing of executions on the SYSVOL share. The anti-sandbox password CbdU8EgF can be used as an IoC in automated analysis environments.
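The detection guidance above can be turned into a simple triage pass over endpoint telemetry. The script below is an added example written for this article, not code from Kaspersky or from the report; it applies the indicators the article lists (the C2 address and port, the five driver file names, the kernel tools, deploy_gpo.ps1 on NETLOGON, netsh capture, kavrmvr.exe and the anti-sandbox password) to Sysmon-style event records. The event records are constructed sample data, and the image-name fragments used to spot Windows Kernel Explorer and OpenArk64 are assumptions, since the article names the products but not their binaries.

```python
"""Triage Sysmon-style events against the indicators reported for The Gentlemen.

Added example for this article; the events below are constructed, not real telemetry.
"""
import ipaddress
import re
from typing import Dict, List

# Indicators as given in the article (the report writes the IP as 81.177.215[.]15).
C2_IP = "81.177.215.15"
C2_PORT = 9443
BYOVD_DRIVERS = {
    "processmonitordriver.sys", "gamedriverx64.sys", "biontdrv.sys",
    "inpoutx64.sys", "wsftprm.sys",
}
ANTI_SANDBOX_PASSWORD = "CbdU8EgF"
# Assumed path fragments for the two kernel tools; adjust to what local telemetry shows.
KERNEL_TOOL_FRAGMENTS = ("openark64", "kernel explorer")


def _is_external(ip: str) -> bool:
    """True for a routable, non-private address; malformed strings count as external."""
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return True


def classify(ev: dict) -> List[str]:
    """Return the indicator tags a single event matches (empty list if none)."""
    tags: List[str] = []
    eid = ev.get("id")
    if eid == 3:  # Sysmon event 3: network connection
        if ev.get("dst_ip") == C2_IP:
            tags.append("c2_ip")
        if ev.get("dst_port") == C2_PORT and _is_external(ev.get("dst_ip", "")):
            tags.append("port_9443_external")
    elif eid == 6:  # Sysmon event 6: driver loaded
        name = ev.get("image_loaded", "").rsplit("\\", 1)[-1].lower()
        if name in BYOVD_DRIVERS:
            tags.append("byovd_driver")
    elif eid == 1:  # Sysmon event 1: process creation
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if any(frag in image for frag in KERNEL_TOOL_FRAGMENTS):
            tags.append("kernel_tool")
        if re.search(r"\\netlogon\\.*deploy_gpo\.ps1", cmd, re.I):
            tags.append("gpo_deploy_script")
        if image.endswith("netsh.exe") and re.search(r"\btrace\b.*\bstart\b", cmd, re.I):
            tags.append("netsh_capture")
        if image.endswith("kavrmvr.exe"):
            tags.append("av_removal_tool")
        if ANTI_SANDBOX_PASSWORD in cmd:
            tags.append("ransomware_password")
    return tags


def triage(events: List[dict]) -> Dict[str, List[int]]:
    """Map each indicator tag to the indices of the events that matched it."""
    hits: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for tag in classify(ev):
            hits.setdefault(tag, []).append(idx)
    return hits


# Constructed sample events; paths, hostnames and the capture file name are made up.
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\ProgramData\svchost.exe", "dst_ip": "81.177.215.15", "dst_port": 9443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "10.0.0.5", "dst_port": 9443},
    {"id": 6, "image_loaded": r"C:\Windows\Temp\biontdrv.sys"},
    {"id": 6, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"id": 1, "image": r"C:\Users\Public\OpenArk64.exe", "cmdline": "OpenArk64.exe"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh trace start capture=yes tracefile=\\dc01\admin$\q7z2k.etl"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -f \\dc01\NETLOGON\deploy_gpo.ps1"},
    {"id": 1, "image": r"C:\Windows\Temp\kavrmvr.exe", "cmdline": "kavrmvr.exe"},
    {"id": 1, "image": r"C:\Users\Public\sample.exe", "cmdline": "sample.exe CbdU8EgF"},
]

if __name__ == "__main__":
    for tag, idxs in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{tag:22s} -> events {idxs}")
```

The internal connection to port 9443 (event index 2) is deliberately left untagged: the article's advice concerns external destinations, and flagging every intranet service on that port would bury the C2 hit. In practice the event dictionaries would be built from the Sysmon log export rather than typed inline.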
Why It Matters
The brief does not document specific corrective measures released by vendors or authorities in response to The Gentlemen campaigns. The dossier does not specify the full nature of data exposed by victims, nor quantify the exact number of organizations hit or the volume of ransoms obtained. It is unclear whether collaboration with Initial Access Brokers is structural or occasional for specific campaigns, nor whether the five identified BYOVD drivers remain exploitable in their current state.
What the Kaspersky report documents precisely is an operational maturation. The Gentlemen does not present as an operator that buys access and deploys payloads, but as an organization that invests in custom tool development, vulnerable driver research, and integration of pre-ransomware persistence techniques. The backdoor with persistent C2 and SOCKS proxy is not optional: it is the element that turns every compromise into an intelligence platform, with ransomware as the epilogue rather than the main event.
The emergence of a proprietary Go obfuscator and the systematic combination of BYOVD, GPO abuse, and logging evasion techniques represents a raising of the sophistication bar in RaaS crimeware. For organizations still relying on perimeter defenses and known payload detection, the message is that the perimeter has already been breached by the time ransomware appears.
Source 2, ransomware.live, provides generic statistical context on 2026 ransomware victims but does not include The Gentlemen in its dataset, making independent corroboration of the "top 10" position declared by the primary source impossible.
Information is based on the cited source and current as of publication.