CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention. Organizations in education, healthcare, transportation, and […] The post Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges By Tushar Subhra Dutta May 29, 2026 A newly analyzed ransomware strain called The Gentlemen is raising serious alarms across the cybersecurity community. Built in the Go programming language and obfuscated with a tool called Garble, it combines powerful per-file encryption with an aggressive ability to spread itself silently across entire networks without any human intervention. Organizations in education, healthcare, transportation, and finance across North America, South America, Europe, Africa, and Asia have already felt its damaging impact. The Gentlemen operates as a ransomware-as-a-service (RaaS) platform, meaning its core developers rent access to the malware to other criminals known as affiliates. It first emerged around mid-2025 as a closed group, then opened its doors to affiliates in September 2025. More recently, its operators forged a formal partnership with BreachForums, a well-known cybercriminal marketplace, actively recruiting penetration testers and initial access brokers to carry out attacks on their behalf. Microsoft Threat Intelligence, which tracks the group behind the malware as Storm-2697, noted that the operators use double extortion tactics. Encryption mode command-line arguments (Source – Microsoft) They encrypt a victim’s data and simultaneously steal sensitive files, threatening to release the stolen information publicly if the ransom is not paid. Microsoft said in a report shared with Cyber Security News (CSN) that the threat is already widely adopted and this new partnership could attract an even broader pool of criminal actors going forward. What sets The Gentlemen apart is its layered attack strategy. It disables antivirus tools, deletes backups, clears system logs, and wipes forensic traces before encryption even begins. Once active, it can reach across a network and plant itself on other machines automatically, making containment far more difficult for incident responders and security teams. The ransomware requires a build-specific password to execute, and operators can control nearly every aspect of its behavior through command-line arguments. These options include setting encryption speed, enabling network spreading, and choosing how the malware persists after a reboot. That level of operational control makes it unusually flexible and customizable for a criminal tool deployed at scale. Ransomware Uses SYSTEM Scheduled Task One of the most technically notable behaviors in The Gentlemen is how it achieves the highest possible system privileges before encrypting local drives. The Gentlemen ransomware’s persistence mechanism (Source – Microsoft) When the ransomware receives the right command-line instruction, it creates a Windows scheduled task named gentlemen_system that runs the malware executable under the SYSTEM account, which is the most powerful level of access on a Windows machine. To do this cleanly, it first deletes any existing task with that name, then registers and immediately triggers a fresh one. Once running under this elevated context, the malware sets an internal environment variable called LOCKER_BACKGROUND=1 to signal that it is operating as a background encryption process with full privileges. This design allows the ransomware to reach and encrypt files that would otherwise be protected or inaccessible to standard user-level accounts. Self-Propagation Across the Network The Gentlemen does not stop at a single machine. When its spreading feature is activated, it transforms into a self-propagating worm capable of deploying itself to every system it can reach on the local network. It stages its own binary in a shared folder, copies it across administrative network shares, and attempts to execute it on remote hosts using eight different methods simultaneously. These methods include PsExec, Windows Management Instrumentation, scheduled tasks in both user and SYSTEM contexts, Windows services, and PowerShell remoting. The Gentlemen ransomware’s file encryption mechanism (Source – Microsoft) The malware attempts 21 separate remote execution operations per target host. This redundancy is central to its strategy because even if most methods are blocked, a single successful execution on one new host is enough to restart the entire propagation cycle. Defenders can reduce exposure by enabling controlled folder access, turning on cloud-delivered antivirus protection, and blocking process creations originating from PsExec and WMI commands through attack surface reduction rules. Running endpoint detection and response tools in block mode is also strongly recommended, as is configuring automatic attack disruption to contain active threats before they spread further across the environment. Indicators of Compromise (IoCs):- Type Indicator Description SHA-256 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 The Gentlemen ransomware encryptor binary  File Name README-GENTLEMEN.txt Ransom note dropped in each encrypted directory  File Extension .umc16h Extension appended to all encrypted files  File Name gentlemen.bmp Desktop wallpaper bitmap dropped to %TEMP% after encryption  Scheduled Task Name gentlemen_system SYSTEM-privileged scheduled task created for elevated encryption  Scheduled Task Name UpdateSystem Persistence scheduled task running payload as SYSTEM at startup  Scheduled Task Name UpdateUser Persistence scheduled task running payload as current user at startup  Registry Key Value GupdateS (HKLM) System-wide autorun registry persistence key  Registry Key Value GupdateU (HKCU) User-scoped autorun registry persistence key  File Path C:\Temp\psexec.exe PsExec binary dropped for lateral movement  File Name wipefile.tmp Temporary file used for free disk space wiping  Environment Variable LOCKER_BACKGROUND=1 Internal flag indicating SYSTEM-context background encryption execution  Hardcoded Password 9VoAvR7G Build-specific operator authentication password embedded in analyzed sample  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware PuTTY 0.84 Released With Fix for SSH KEX Crashes and Telnet Prompt Spoofing Flaw Cybercriminals Use Telegram Channels to Sell Verified Bank and Fintech Mule Accounts Microsoft Defender Now Automatically Isolates Compromised Devices to Stop Ransomware Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks Latest News Cyber Security News Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets Cyber Security From 200 CVEs to Actionable Fixes – DockSec Brings AI to Container Security Cyber Attack News Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords Cyber Security News Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems Cyber Security New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗