Gentlemen Ransomware: NC Manufacturer Defense Plan 2026

Microsoft (May 28, 2026) details The Gentlemen ransomware (Storm-2697): self-propagating, dual-extortion, hits manufacturing. NC SMB plan. Call (336) 886-3282.


TL;DR: On May 28, 2026, Microsoft Threat Intelligence published a deep analysis of The Gentlemen ransomware, tracked as Storm-2697. The operation runs a RaaS (ransomware-as-a-service) model launched in September 2025, recently partnered with BreachForums for affiliate recruitment, and uses a self-propagating Go-based encryptor that attempts 21 separate lateral movement techniques per host. Manufacturing is the second highest concentration industry targeted (about 17.9% of victims per SOCRadar), and a SystemBC C2 leak revealed 1,570+ victims tied to the operation. For NC manufacturers and small businesses, the defense is layered: hardened identity, segmented OT/IT, behavior-based EDR with tamper protection, and rehearsed incident response.

Key takeaway: Self-propagating ransomware that tries 21 lateral movement techniques per host turns one weak credential into a plant-wide outage. The defenders that win in 2026 are the ones with isolated backups, controlled folder access, MDR running in block mode, and a recovery plan they have actually rehearsed.

Run a Piedmont Triad plant or shop floor? Preferred Data Corporation will assess your OT/IT segmentation, EDR coverage, and recovery readiness for Gentlemen-class threats. Call (336) 886-3282 or request a manufacturing cybersecurity review.

What is The Gentlemen ransomware and Storm-2697?

The Gentlemen is a financially motivated ransomware operation that emerged in mid-2025, transitioned to a RaaS model in September 2025, and recently established a partnership with BreachForums to recruit affiliates, according to Microsoft Threat Intelligence and Dark Reading. Microsoft tracks the operators as Storm-2697. The group uses double extortion (encrypt and exfiltrate, then threaten to publish), and the encryptor is written in Go for cross-platform reach across Windows, Linux, NAS, BSD, and VMware ESXi systems, per GBHackers.

Three facts make this group a top-priority issue for SMBs:

  • Self-propagation built in. Microsoft documented that the malware attempts up to 21 remote execution operations per target host using PsExec, WMIC, scheduled tasks, services, and PowerShell remoting. One foothold becomes many.
  • Cross-platform reach. Windows endpoints, Linux servers, NAS devices, and ESXi hypervisors are all in scope. A single compromised hypervisor can encrypt every guest VM at once.
  • RaaS scale. A SystemBC C2 leak revealed 1,570+ victims tied to the operation, and the BreachForums affiliate partnership is designed to push that number higher.

For NC small businesses in manufacturing, professional services, healthcare, or technology, this is the kind of group most likely to land in your environment in 2026.

Why is manufacturing in the crosshairs?

Manufacturers carry the operational pain that ransomware operators monetize. SOCRadar's threat profile reports manufacturing represents about 17.9% of The Gentlemen's observed victims, second only to professional services. The reason is structural: shop-floor downtime is expensive per hour, OT environments often run unpatched legacy operating systems, and many manufacturers run flat networks where a single foothold can reach machine controllers, ERP, MES, and backups.

Microsoft observed impacts across "education, transportation, healthcare, and financial industries" globally, but the manufacturing concentration is consistent with broader 2026 ransomware data. The 2026 Verizon DBIR found that 96% of ransomware victims for which size was known were SMBs, and many of those were industrial, per BlackFog's State of Ransomware 2026 report.

| What attackers want | Why manufacturing pays | Defense pattern |
|---|---|---|
| Production outage leverage | Per-hour downtime is high and contractually painful | OT/IT segmentation, isolated backups |
| Intellectual property | Designs, BOMs, supplier pricing | DLP, mature access control, encryption at rest |
| Customer and supplier data | Drives downstream extortion | Vendor risk program, SaaS data inventory |
| Identity for lateral move | Flat networks reward one compromised account | MFA everywhere, privileged access management |

For Piedmont Triad furniture, textile, metals, plastics, and electronics manufacturers, the math is unforgiving. A two-day plant outage from a Gentlemen-class incident can exceed any plausible cybersecurity budget for the same year.

How does The Gentlemen encryptor actually work?

Technically and operationally, this is a modern, well-engineered ransomware family. Per Microsoft's analysis, the encryptor uses per-file ephemeral Curve25519 keys with the XChaCha20 stream cipher. For files larger than 1 MB it encrypts three distributed chunks rather than the entire file, which speeds the operation and still renders the file unusable. Encryption ratios scale from roughly 0.9% to 27% based on the affiliate-selected speed setting (ultrafast to default).

The self-propagation logic is what makes it especially destructive on flat SMB networks. The encryptor attempts up to 21 remote execution operations per target host, using multiple Windows administration channels in sequence so that any one method working is enough to spread. Common channels include PsExec, WMIC, scheduled task creation, Windows service creation, and PowerShell remoting. The pattern matches what defenders should hunt for as early indicators, not just at the moment of encryption.

Quotable definition: Storm-2697 is Microsoft's tracking designation for the operators of The Gentlemen ransomware, a financially motivated RaaS launched in September 2025 that uses a self-propagating Go encryptor, attempts up to 21 lateral movement techniques per host, and runs double-extortion campaigns against manufacturers, professional services firms, healthcare, and technology.

What should an NC manufacturer or SMB do this week?

Build a Gentlemen-class defense in six tracks, in order. Most can be executed inside 30 days with a managed partner.

  1. Harden identity first. Enforce MFA on every admin, RDP, VPN, email, and SaaS surface. Disable legacy authentication. Audit privileged accounts and dedicated admin workstations.
  2. Segment OT from IT. Plant floor and machine controllers belong on their own VLANs with strict east-west firewall policy. Treat ICS/MES as separate trust zones from corporate IT.
  3. Run EDR/MDR in block mode with tamper protection. Microsoft recommends enabling controlled folder access, running Defender or your EDR in block mode, deploying attack surface reduction rules, and turning on tamper protection so Storm-2697 affiliates cannot disable security agents during the dwell window.
  4. Isolate and test backups. Maintain offline or immutable backups for critical systems including ESXi hosts. Test restoration quarterly. A backup you have never restored is not a backup.
  5. Hunt for early-stage indicators. Look for unexpected PsExec, WMIC, scheduled task creation, service installs, and PowerShell remoting from unusual sources. These are not exotic; they are the earliest signs of a Gentlemen-class spread.
  6. Rehearse incident response. Tabletop a ransomware scenario with executives, IT, operations, and legal. Pre-stage decisions about payment, public communications, and customer notification before you are bleeding.
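As an added example, not code from the original post, from Microsoft, or from PDC: the Python below correlates constructed Windows event records and flags any host where several distinct remote-execution channels (service install, scheduled task, WMIC process launch, PowerShell remoting) fire within a short window, which is the log signature the try-every-channel spread described in track 5 leaves behind. The event IDs are standard Windows ones; the threshold, window, and sample records are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs -> channel they evidence. Assumption: standard log IDs; adjust to your SIEM.
CHANNEL_BY_EVENT = {
    7045: "service_install",      # System: new service installed (PsExec-style)
    4698: "scheduled_task",       # Security: scheduled task created
    4688: "process_create",       # Security: process creation (wmic/psexec/sc)
    4104: "powershell_remoting",  # PowerShell: script block logged (remoting evidence)
}
REMOTE_EXEC_TOOLS = ("wmic.exe", "psexec", "psexesvc", "schtasks.exe", "sc.exe")

def channel_of(ev):
    """Return the channel an event evidences, or None if it is ordinary noise."""
    chan = CHANNEL_BY_EVENT.get(ev["event_id"])
    if chan == "process_create":
        image = ev.get("image", "").lower()
        if not any(tool in image for tool in REMOTE_EXEC_TOOLS):
            return None  # e.g. explorer.exe: not a remote-exec tool
        return "process:" + image.rsplit("\\", 1)[-1]
    return chan

def find_spread_candidates(events, min_channels=3, window=timedelta(minutes=10)):
    """Flag hosts where >= min_channels distinct channels fire inside `window`.
    One channel is routine admin noise; several in sequence is the propagation pattern."""
    by_host = defaultdict(list)
    for ev in events:
        chan = channel_of(ev)
        if chan:
            by_host[ev["host"]].append((ev["time"], chan))
    hits = {}
    for host, rows in by_host.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            chans = {c for t, c in rows[i:] if t - t0 <= window}
            if len(chans) >= min_channels:
                hits[host] = sorted(chans)
                break
    return hits

# Constructed sample records (not real telemetry): one plant host hit over four channels
# in 90 seconds, plus a benign process start and a lone routine service install.
T = datetime(2026, 5, 28, 2, 14)
SAMPLE_EVENTS = [
    {"time": T, "host": "CNC-01", "event_id": 7045},
    {"time": T + timedelta(seconds=40), "host": "CNC-01", "event_id": 4698},
    {"time": T + timedelta(seconds=75), "host": "CNC-01", "event_id": 4688, "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"time": T + timedelta(seconds=90), "host": "CNC-01", "event_id": 4104},
    {"time": T + timedelta(minutes=3), "host": "HR-PC", "event_id": 4688, "image": r"C:\Windows\explorer.exe"},
    {"time": T + timedelta(hours=2), "host": "ERP-DB", "event_id": 7045},
]
```

Running `find_spread_candidates(SAMPLE_EVENTS)` returns only CNC-01 with its four channels; lowering `min_channels` to 1 also surfaces the lone ERP-DB service install, which is the noise level the threshold exists to suppress.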

Need this assessed and executed? Call (336) 886-3282 or contact Preferred Data Corporation for a manufacturer-focused ransomware readiness review.

Why is this a managed security problem, not a one-and-done project?

Because RaaS operations evolve weekly, and SMBs in 2026 cannot match that cadence with a single in-house engineer or an annual vendor checkup. The 2026 BlackFog State of Ransomware report, the 2026 Verizon DBIR, and Microsoft's own threat intelligence all point to the same pattern: financially motivated groups iterate tooling continuously, partner aggressively for affiliate distribution, and target the underpatched, flat-network, identity-weak SMBs that lack 24/7 monitoring.

For a Piedmont Triad manufacturer or professional firm, a managed program that hardens identity, segments OT, runs MDR in block mode, validates backups, and rehearses recovery costs a small fraction of what a single ransomware event does. Preferred Data Corporation has delivered that managed protection to North Carolina small businesses since 1987, from our High Point headquarters and on-site across the Piedmont Triad, Charlotte, Greensboro, Raleigh, and Winston-Salem.

PDC supports this work through managed cybersecurity, managed IT services, and OT/IT integration.

Frequently Asked Questions

Who is behind The Gentlemen ransomware?

Microsoft tracks the operators as Storm-2697, a financially motivated threat actor that runs the ransomware-as-a-service platform known as The Gentlemen. The operation emerged in mid-2025, opened its RaaS in September 2025, and recently partnered with BreachForums to recruit affiliates, per Microsoft Threat Intelligence and Dark Reading. Affiliates carry out the actual intrusions while the core operators provide tooling, infrastructure, and a leak site.

Is The Gentlemen targeting small or large organizations?

Both, but the practical victim base skews to mid-market and SMB. The 2026 Verizon DBIR reports SMBs account for 96% of ransomware victims for whom organization size was known, and SOCRadar places manufacturing as the second largest concentration of Gentlemen victims at approximately 17.9%. For NC, that translates to small and mid-sized manufacturers, professional service firms, healthcare practices, and technology providers as the realistic exposure surface.

Does EDR alone stop The Gentlemen?

A modern, behavior-based EDR or MDR running in block mode, with tamper protection enabled, controlled folder access turned on, and attack surface reduction rules deployed will catch most of the early-stage activity. Signature-only AV will frequently miss the Go-based encryptor and the LOLBin-driven lateral movement. The combination that works for SMBs is EDR/MDR with 24/7 monitoring, identity hardening, segmentation, and isolated backups.

What about our ESXi hosts and NAS?

Both are explicitly in scope. The Go encryptor is built for cross-platform deployment and can encrypt VMware ESXi datastores and NAS shares directly, per GBHackers and Cyberpress. Treat ESXi hosts as crown-jewel assets: dedicated management network, MFA on vCenter, immutable backups, regular snapshots, and EDR coverage where supported.

How fast do affiliates move once inside?

Faster than most SMBs can react manually. The self-propagation logic attempts up to 21 lateral movement techniques per host, and Microsoft has observed full domain compromise inside hours rather than days for victims without MDR coverage. The defender pattern that wins is preventing the early-stage activity from succeeding, not catching it at the encryption step.
