Cyber Security News

New Gentlemen’s RaaS Advertised on Hacking Forums Targeting Windows, Linux and ESXi Systems

A newly discovered ransomware-as-a-service platform called Gentlemen’s RaaS has recently emerged on underground hacking forums, offering threat actors a sophisticated cross-platform attack capability.

The service, advertised by the threat actor known as zeta88, represents a significant expansion in ransomware delivery models, targeting critical infrastructure across multiple operating systems.

This development signals an intensified threat landscape where organized cybercriminals are offering affiliate-based ransomware operations to lower-level attackers, democratizing access to enterprise-level encryption malware.

The service leverages a compelling business model that allocates ninety percent of ransom proceeds to affiliates while retaining just ten percent for the operator.

This generous revenue-sharing arrangement has proven highly attractive to potential partners within the cybercriminal ecosystem.

By offering this financial incentive structure, the platform encourages widespread adoption and rapid deployment across global organizations.

The architecture reflects a deliberate strategy to scale ransomware operations efficiently while maintaining operational control through centralized decryption infrastructure.

KrakenLabs researchers identified the malware following detailed analysis of its promotional materials circulating across hacking forums.

The platform exhibits sophisticated technical construction with separate lockers designed for specific platforms, indicating purpose-built infrastructure rather than generic variants.

Lateral movement

The most technically noteworthy aspect involves the malware’s persistence and lateral movement mechanisms.

Gentlemen’s RaaS deploys a Go-based locker targeting Windows, Linux, NAS, and BSD systems, while employing a separate C-coded ESXi locker approximately thirty-two kilobytes in size.

The encryption implementation utilizes XChaCha20 combined with Curve25519 cryptography, with per-file ephemeral keys providing granular encryption architecture.

Particularly concerning is the self-propagation capability through WMI, WMIC, SCHTASKS, SC, and PowerShell Remoting commands, enabling rapid network traversal.

The malware establishes persistence via scheduled tasks (schtasks), registry modifications and run-on-boot routines, ensuring survival across system restarts and administrative interventions.

Additionally, the platform supports network share discovery and automated encryption, allowing the ransomware to identify and compromise adjacent systems seamlessly.
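The lateral-movement and persistence tooling listed above (WMIC, SCHTASKS, SC, PowerShell Remoting, run-on-boot entries) is all built from legitimate Windows administration commands, so the defensive signal is the command lines themselves and how many distinct remote-execution tools one account fires from one host in a short window. The following detection logic is an added example written for this page; it is not code from the article, from KrakenLabs, or from the malware. The process-creation log format, the sample lines, the host and user names, and the rule names are all constructed for the example.

```python
"""Added example: flag process-creation log lines that match the remote-execution
and persistence commands the article attributes to the Gentlemen's locker, then
cluster remote-execution hits per (host, user) to surface a lateral-movement burst.
Log format and sample lines are constructed; they are not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed format: "<ISO time>|<host>|<user>|<parent image>|<command line>"
SAMPLE_LOG = r"""
2025-01-10T09:00:01|WS01|corp\alice|explorer.exe|"C:\Windows\System32\notepad.exe" notes.txt
2025-01-10T09:02:10|WS01|corp\svc_backup|cmd.exe|wmic /node:"FS02" process call create "cmd /c \\WS01\c$\upd.exe"
2025-01-10T09:02:12|WS01|corp\svc_backup|cmd.exe|schtasks /s FS02 /create /tn "Update" /tr "C:\Windows\Temp\upd.exe" /sc onstart /ru SYSTEM
2025-01-10T09:02:15|WS01|corp\svc_backup|cmd.exe|sc \\DB01 create updsvc binPath= "C:\Windows\Temp\upd.exe" start= auto
2025-01-10T09:02:20|WS01|corp\svc_backup|powershell.exe|Invoke-Command -ComputerName APP03 -ScriptBlock { Start-Process C:\Windows\Temp\upd.exe }
2025-01-10T09:03:00|FS02|NT AUTHORITY\SYSTEM|upd.exe|reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Windows\Temp\upd.exe /f
2025-01-10T09:30:00|ADM01|corp\bob|mmc.exe|schtasks /query /s FS02
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    cmd: str


def parse(log: str) -> list[Event]:
    """Split the constructed pipe-delimited format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append(Event(ts, host, user, parent, cmd))
    return events


# Hypothetical rule names; each regex targets one command-line pattern.
RULES = [
    ("wmic_remote_process_create",
     re.compile(r'^\s*wmic(?:\.exe)?\b.*?/node:.*?\bprocess\s+call\s+create\b', re.I)),
    ("schtasks_remote_create",
     re.compile(r'^\s*schtasks(?:\.exe)?\b.*?\s/s\s+\S+.*?\s/create\b', re.I)),
    ("sc_remote_service",
     re.compile(r'^\s*sc(?:\.exe)?\s+\\\\\S+\s+(?:create|start|config)\b', re.I)),
    ("ps_remoting",
     re.compile(r'\b(?:Invoke-Command|Enter-PSSession|New-PSSession)\b.*?-ComputerName\b', re.I)),
    ("schtasks_boot_persistence",
     re.compile(r'^\s*schtasks(?:\.exe)?\b.*?/create\b.*?/sc\s+(?:onstart|onlogon)\b', re.I)),
    ("run_key_persistence",
     re.compile(r'^\s*reg(?:\.exe)?\s+add\b.*?\\CurrentVersion\\Run\b', re.I)),
]

# Rules that imply execution on ANOTHER host; these feed the burst detector.
REMOTE_RULES = {"wmic_remote_process_create", "schtasks_remote_create",
                "sc_remote_service", "ps_remoting"}


def match_rules(events: list[Event]) -> list[tuple[str, Event]]:
    """Return (rule name, event) for every rule that matches an event's command line."""
    return [(name, ev) for ev in events for name, rx in RULES if rx.search(ev.cmd)]


def lateral_movement_bursts(hits, window_s: int = 120, min_tools: int = 2):
    """One (host, user) using >= min_tools distinct remote-exec tools inside window_s
    seconds is far more suspicious than any single admin command on its own."""
    by_actor = defaultdict(list)
    for name, ev in hits:
        if name in REMOTE_RULES:
            by_actor[(ev.host, ev.user)].append((datetime.fromisoformat(ev.ts), name))
    bursts = []
    for (host, user), items in by_actor.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            tools = {n for t, n in items[i:] if (t - t0).total_seconds() <= window_s}
            if len(tools) >= min_tools:
                bursts.append((host, user, sorted(tools)))
                break  # one burst per actor is enough to raise the alert
    return bursts


def analyze(log: str = SAMPLE_LOG) -> dict:
    hits = match_rules(parse(log))
    return {"hits": [(name, ev.host, ev.ts) for name, ev in hits],
            "bursts": lateral_movement_bursts(hits)}


if __name__ == "__main__":
    for name, host, ts in analyze()["hits"]:
        print(f"{ts} {host}: {name}")
    for host, user, tools in analyze()["bursts"]:
        print(f"LATERAL MOVEMENT BURST from {host} as {user}: {', '.join(tools)}")
```

In a real deployment the command lines would come from Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled) rather than the constructed format used here. The `schtasks /query /s FS02` line from the admin host is deliberately included so the rules show they key on task creation and boot triggers, not on any remote use of the tool; the burst detector then separates a single admin command from one account driving four different remote-execution mechanisms within ten seconds.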


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
