Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges
Cybersecurity NewsArchived May 29, 2026✓ Full text saved
A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention. Organizations in education, healthcare, transportation, and […] The post Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privi
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges
By Tushar Subhra Dutta
May 29, 2026
A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community.
Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention.
Organizations in education, healthcare, transportation, and finance across North America, South America, Europe, Africa, and Asia have already felt its damaging impact.
The Gentlemen operates as a ransomware-as-a-service (RaaS) platform, meaning its core developers rent access to the malware to other criminals known as affiliates.
It first emerged around mid-2025 as a closed group, then opened its doors to affiliates in September 2025.
More recently, its operators forged a formal partnership with BreachForums, a well-known cybercriminal marketplace, actively recruiting penetration testers and initial access brokers to carry out attacks on their behalf.
Microsoft Threat Intelligence, which tracks the group behind the malware as Storm-2697, noted that the operators use double extortion tactics.
Encryption mode command-line arguments (Source – Microsoft)
They encrypt a victim’s data and simultaneously steal sensitive files, threatening to release the stolen information publicly if the ransom is not paid.
Microsoft said in a report shared with Cyber Security News (CSN) that the threat is already widely adopted and this new partnership could attract an even broader pool of criminal actors going forward.
What sets The Gentlemen apart is its layered attack strategy. It disables antivirus tools, deletes backups, clears system logs, and wipes forensic traces before encryption even begins.
Once active, it can reach across a network and plant itself on other machines automatically, making containment far more difficult for incident responders and security teams.
The ransomware requires a build-specific password to execute, and operators can control nearly every aspect of its behavior through command-line arguments.
These options include setting encryption speed, enabling network spreading, and choosing how the malware persists after a reboot. That level of operational control makes it unusually flexible and customizable for a criminal tool deployed at scale.
Ransomware Uses SYSTEM Scheduled Task
One of the most technically notable behaviors in The Gentlemen is how it achieves the highest possible system privileges before encrypting local drives.
The Gentlemen ransomware’s persistence mechanism (Source – Microsoft)
When the ransomware receives the right command-line instruction, it creates a Windows scheduled task named gentlemen_system that runs the malware executable under the SYSTEM account, which is the most powerful level of access on a Windows machine.
To do this cleanly, it first deletes any existing task with that name, then registers and immediately triggers a fresh one. Once running under this elevated context, the malware sets an internal environment variable called LOCKER_BACKGROUND=1 to signal that it is operating as a background encryption process with full privileges.
This design allows the ransomware to reach and encrypt files that would otherwise be protected or inaccessible to standard user-level accounts.
Self-Propagation Across the Network
The Gentlemen does not stop at a single machine. When its spreading feature is activated, it transforms into a self-propagating worm capable of deploying itself to every system it can reach on the local network.
It stages its own binary in a shared folder, copies it across administrative network shares, and attempts to execute it on remote hosts using eight different methods simultaneously.
These methods include PsExec, Windows Management Instrumentation, scheduled tasks in both user and SYSTEM contexts, Windows services, and PowerShell remoting.
The Gentlemen ransomware’s file encryption mechanism (Source – Microsoft)
The malware attempts 21 separate remote execution operations per target host. This redundancy is central to its strategy because even if most methods are blocked, a single successful execution on one new host is enough to restart the entire propagation cycle.
Defenders can reduce exposure by enabling controlled folder access, turning on cloud-delivered antivirus protection, and blocking process creations originating from PsExec and WMI commands through attack surface reduction rules.
Running endpoint detection and response tools in block mode is also strongly recommended, as is configuring automatic attack disruption to contain active threats before they spread further across the environment.
Indicators of Compromise (IoCs):-
Type Indicator Description
SHA-256 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 The Gentlemen ransomware encryptor binary
File Name README-GENTLEMEN.txt Ransom note dropped in each encrypted directory
File Extension .umc16h Extension appended to all encrypted files
File Name gentlemen.bmp Desktop wallpaper bitmap dropped to %TEMP% after encryption
Scheduled Task Name gentlemen_system SYSTEM-privileged scheduled task created for elevated encryption
Scheduled Task Name UpdateSystem Persistence scheduled task running payload as SYSTEM at startup
Scheduled Task Name UpdateUser Persistence scheduled task running payload as current user at startup
Registry Key Value GupdateS (HKLM) System-wide autorun registry persistence key
Registry Key Value GupdateU (HKCU) User-scoped autorun registry persistence key
File Path C:\Temp\psexec.exe PsExec binary dropped for lateral movement
File Name wipefile.tmp Temporary file used for free disk space wiping
Environment Variable LOCKER_BACKGROUND=1 Internal flag indicating SYSTEM-context background encryption execution
Hardcoded Password 9VoAvR7G Build-specific operator authentication password embedded in analyzed sample
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware
PuTTY 0.84 Released With Fix for SSH KEX Crashes and Telnet Prompt Spoofing Flaw
Cybercriminals Use Telegram Channels to Sell Verified Bank and Fintech Mule Accounts
Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware
Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks
Latest News
Cyber Security News
Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets
Cyber Security
From 200 CVEs to Actionable Fixes – DockSec Brings AI to Container Security
Cyber Attack News
Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords
Cyber Security News
Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems
Cyber Security
New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads