Threat intelligence teams have published comprehensive analysis of the Gentlemen ransomware group, revealing a victim count of 478 organisations across 66 countries, significantly larger than the healthcare-focused campaign first reported in early June. The new analysis confirms a worm module embedded in the Gentlemen payload that autonomously propagates through enterprise networks via SMB exploitation and credential reuse, reducing the operator time required for lateral movement and accelerating the time-to-detonation in compromised environments.
Scale and Sector Distribution
Initial reporting in early June focused on Gentlemen's healthcare and professional services targeting. The comprehensive analysis reveals a wider sector distribution:
- Healthcare: 31% of confirmed victims (largest single sector)
- Professional services (legal, accounting, consulting): 19%
- Manufacturing: 16%
- Financial services: 12%
- Education: 9%
- Other sectors: 13%
Geographic distribution spans 66 countries, with the highest concentration in North America (41%), Western Europe (28%), and Asia-Pacific (18%). The broad distribution is consistent with the worm module: opportunistic propagation from initial access footholds rather than targeted sector campaigns.
The Worm Module: Technical Analysis
The worm component is the most significant new finding. Most ransomware operations rely on human-operated lateral movement, with an attacker manually navigating from the initial access host to additional systems before deploying encryption payloads. The Gentlemen worm module automates this process:
SMB exploitation path: The worm module attempts exploitation of SMB vulnerabilities on adjacent systems, including EternalBlue (MS17-010), which still finds unpatched Windows systems in enterprise networks nearly a decade after its disclosure. When SMB exploitation succeeds, the worm copies the Gentlemen payload to the remote system and executes it using the compromised SMB session.
Credential reuse propagation: The worm module harvests credentials from the current host (LSASS memory, Windows Credential Manager, browser credential stores) and attempts to authenticate to adjacent systems using the harvested credentials. Any system where the harvested credentials are valid receives the ransomware payload via legitimate administrative access (PsExec-style execution via SMB admin shares).
Propagation scope: The worm builds a list of target hosts by enumerating Active Directory (via LDAP queries when domain credentials are available) and by scanning the local network segment. It attempts propagation to all discovered hosts, making the worm's spread potentially domain-wide from a single initial access point.
Detection and Containment Indicators
Network indicators:
- Mass SMB scanning (445/TCP) originating from a single host across multiple subnets, which indicates worm propagation activity (authorised vulnerability scanners produce the same pattern and should be allowlisted by source address)
- LDAP queries to domain controllers from workstation-class hosts that do not normally perform LDAP enumeration
- Rapid authentication attempts from a single source against multiple internal targets (credential reuse propagation)
Endpoint indicators:
- LSASS memory access from non-standard processes (credential harvesting prior to propagation)
- wmic or PowerShell remote execution commands originating from unexpected processes
- Unexpected creation of administrative shares or PsExec service registrations on target systems
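The network and endpoint indicators above translate directly into detection logic. The following is an added example, not code from the original report or from any vendor tooling: it runs four rules over constructed sample telemetry (flow records, Windows Security 4624 logons, Sysmon Event ID 10 LSASS access, System log 7045 service installs). Hostnames, IP addresses, the LSASS allowlist and the thresholds are assumptions chosen for illustration and must be tuned to the estate being monitored.

```python
# Added example: detection rules for the Gentlemen worm indicators, run over
# constructed sample telemetry. Not the group's code and not vendor tooling;
# field names follow the Windows/Sysmon event schemas, everything else is assumed.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# --- Constructed flow records (timestamp, src_ip, dst_ip, dst_port) ----------
FLOWS = [("2024-06-03T09:00:00", "10.1.5.40", "10.1.10.5", 445),   # benign: file server
         ("2024-06-03T09:07:00", "10.1.5.40", "10.1.10.6", 445)]   # benign: second server
SUBNETS = ("10.1.5", "10.1.6", "10.2.0")                            # assumed address plan
for i in range(60):   # assumed worm host 10.1.5.23 hitting 60 hosts in three /24s within 2 min
    FLOWS.append(("2024-06-03T09:%02d:%02d" % (10 + i // 30, (i % 30) * 2),
                  "10.1.5.23", f"{SUBNETS[i // 20]}.{10 + i % 20}", 445))

# --- Constructed Windows events (Security 4624, Sysmon 10, System 7045) -------
EVENTS = [
    # worm binary reading LSASS on the foothold host (Sysmon Event ID 10)
    {"EventID": 10, "Computer": "WS-0523", "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Defender reading LSASS is expected on every host
    {"EventID": 10, "Computer": "WS-0523", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # PsExec-style service registration on a target (System log, Service Control Manager 7045)
    {"EventID": 7045, "Computer": "FS-01", "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "FS-01", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
]
# harvested svc_backup account reused from the worm host against 15 machines (Security 4624, type 3)
EVENTS += [{"EventID": 4624, "Computer": f"WS-{100 + i:04d}", "LogonType": 3,
            "IpAddress": "10.1.5.23", "TargetUserName": "svc_backup"} for i in range(15)]
# an administrator's two routine network logons
EVENTS += [{"EventID": 4624, "Computer": c, "LogonType": 3, "IpAddress": "10.1.5.40",
            "TargetUserName": "jdoe"} for c in ("FS-01", "PRINT-01")]

# Assumed baseline of processes allowed to open LSASS; tune per estate (EDR, AV, credential guard).
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\program files\windows defender\msmpeng.exe"}


def smb_fanout(flows, window=timedelta(minutes=5), min_targets=20, min_subnets=2):
    """Rule 1: {src: (targets, subnets)} for sources reaching >= min_targets distinct
    hosts in >= min_subnets distinct /24s on 445/TCP inside any sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        start, best = 0, None
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:   # slide the window forward
                start += 1
            targets = {d for _, d in recs[start:end + 1]}
            subnets = {ip_network(f"{d}/24", strict=False) for d in targets}
            if len(targets) >= min_targets and len(subnets) >= min_subnets:
                best = max(best or (0, 0), (len(targets), len(subnets)))
        if best:
            hits[src] = best
    return hits


def auth_fanout(events, min_targets=10):
    """Rule 2: {(src_ip, user): n_hosts} for network logons (LogonType 3) from one
    source account pair reaching many distinct computers: credential-reuse propagation."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] in (4624, 4625) and e.get("LogonType") == 3:
            seen[(e["IpAddress"], e["TargetUserName"])].add(e["Computer"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_targets}


def lsass_access(events):
    """Rule 3: LSASS opened by a process outside the allowlist (Sysmon Event ID 10)."""
    return [(e["Computer"], e["SourceImage"]) for e in events
            if e["EventID"] == 10 and e["TargetImage"].lower().endswith(r"\lsass.exe")
            and e["SourceImage"].lower() not in LSASS_ALLOWLIST]


def psexec_service(events):
    """Rule 4: service installs (7045) named PSEXESVC or whose binary sits on an admin share."""
    out = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        path = e["ImagePath"].lower()
        if e["ServiceName"].upper() == "PSEXESVC" or "\\admin$\\" in path or path.startswith("\\\\"):
            out.append((e["Computer"], e["ServiceName"], e["ImagePath"]))
    return out


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))
    print("Auth fan-out:", auth_fanout(EVENTS))
    print("LSASS access:", lsass_access(EVENTS))
    print("PsExec services:", psexec_service(EVENTS))
```

Rules 1 and 2 are the ones that distinguish a worm from a human operator: a hands-on-keyboard intruder rarely touches sixty hosts across three subnets in two minutes, so the fan-out thresholds can be set aggressively without drowning analysts. Rule 3 is noisy on hosts where EDR or backup agents read LSASS, which is why the allowlist is a per-estate baseline rather than a fixed constant; Rule 4 also catches PsExec clones that rename the service but still execute a binary from `ADMIN$`.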
Network segmentation effectiveness: Organisations with effective VLAN segmentation and SMB traffic blocked between user VLANs and server VLANs report contained infections: the worm cannot propagate across segmented boundaries it cannot reach. Flat networks (common in smaller organisations and older enterprise environments) show the widest propagation.
Ransomware Recovery Context
The 478 victim count is based on Gentlemen's own data leak site disclosure; actual compromises may be higher, as some victims pay ransoms and are not listed publicly. The group's data leak site lists victims, stolen data samples, and countdown timers for publication.
Gentlemen's ransom demands are reported to range from $150,000 to $5.2 million depending on victim size and assessed revenue. Healthcare victims face the highest demands due to regulatory liability for data breach exposure (HIPAA in the US, GDPR in Europe, and equivalent regulations in other jurisdictions).
The worm capability significantly increases the expected recovery complexity for Gentlemen victims: the encryption scope typically extends beyond the initially targeted systems to encompass the majority of the enterprise network before detection and containment occur.