What Happened
Two ransomware stories broke this week that deserve your attention at the same time, because together they paint a picture of where ransomware is headed. Neither of these is new. Rather, we're seeing an uptick in activity from both actors.
The first is The Gentlemen, a newly identified ransomware family written in Go that combines fast, robust file encryption with self-propagating lateral movement across networks. Microsoft published a detailed technical breakdown on May 28 showing that The Gentlemen can spread without any human interaction once it’s inside a network, encrypting files across systems before most detection tools have time to fire an alert.
The second is Qilin, a ransomware group that has been running systematic campaigns across Italy since the start of 2026, hitting small and mid-sized businesses and cloud service providers. Italy's national Computer Security Incident Response Team (CSIRT) documented the campaign this week. That matters to US organizations because Qilin's targeting profile (cloud-hosted small business infrastructure and under-resourced IT teams) maps almost exactly to the SLED sector and mid-market clients that NuHarbor serves. When a group demonstrates a successful playbook in Europe, it will usually carry that playbook across the Atlantic.
Who is Affected
The Gentlemen ransomware targets Windows environments and spreads laterally using standard Windows networking protocols. Any organization running Windows file servers, shared drives, or domain-joined workstations is in scope, across any industry. Schools, municipalities, utilities, and healthcare organizations running on-premises Windows infrastructure face the same exposure as enterprise commercial customers.
Qilin's targeting in Europe has focused on organizations that rely on third-party cloud providers for their core infrastructure, specifically smaller managed service providers and cloud hosting companies that serve multiple downstream clients. A single compromise of a cloud provider can cascade to dozens of their customers. For state and local government organizations that have moved workloads to regional MSPs or cloud providers without strong segmentation, this is the threat model that should concern leadership right now.
What NuHarbor is Seeing
Across our SOC telemetry, lateral movement attempts using Windows file-sharing protocols remain one of the most consistent signals we track.
The behavioral pattern that The Gentlemen uses, rapid SMB-based propagation combined with shadow copy deletion before encryption completes, is not new. What is new is the speed. Go-compiled ransomware executables are significantly faster to execute than older .NET or PowerShell-based variants, and they are harder to catch with signature-based detections. By the time a traditional anti-virus product fires on an encrypted file, a fast Go encryptor has already moved to the next host.
The Qilin pattern we are watching is slightly different. This group tends to spend time in the environment before encrypting, exfiltrating data first to maximize leverage. The combination of data theft and encryption means that paying the ransom does not solve the problem because the data is already gone. Our telemetry shows that dwell times before encryption, the window when defenders have the best chance to detect and respond, are compressing. Six months ago the median dwell time before encryption was several days. We are seeing that window shrink, particularly in smaller environments with limited monitoring.
What To Do Now
For detection, the key behavioral signals to hunt for right now are the following:
For SOAR automation, two playbooks should be active or reviewed this week. First, a shadow copy deletion playbook that automatically isolates the triggering host from the network and pages the on-call analyst when the command is detected. Second, a lateral movement containment playbook that can block SMB traffic from a suspected source host at the network level without requiring manual approval, because the window to act is measured in minutes, not hours.
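To make the two playbooks above concrete, here is an added example (not NuHarbor's own detection content or tooling) that runs the two triggers over constructed sample telemetry: a process-creation feed checked for shadow copy deletion commands, and a network feed checked for one host fanning out to many peers on SMB port 445 inside a short window. Host names, timestamps, and the fan-out thresholds are assumptions chosen for illustration; each detection returns the SOAR action it would hand off.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Process events are
# (timestamp_seconds, host, command_line); network events are
# (timestamp_seconds, source_host, destination_host, destination_port).
PROCESS_EVENTS = [
    (100, "ws-12", "vssadmin.exe delete shadows /all /quiet"),
    (105, "ws-12", "notepad.exe report.txt"),
    (110, "srv-files", "wmic shadowcopy delete"),
]
NETWORK_EVENTS = [
    (100, "ws-12", "srv-files", 445),
    (101, "ws-12", "ws-13", 445),
    (102, "ws-12", "ws-14", 445),
    (103, "ws-12", "ws-15", 445),
    (104, "ws-12", "ws-16", 445),
    (130, "ws-13", "srv-files", 445),   # ordinary one-off share access
]

# Shadow copy deletion command lines (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)

def detect_shadow_copy_deletion(events):
    """Playbook 1 trigger: isolate any host that ran a shadow copy deletion command."""
    actions = []
    for ts, host, cmdline in events:
        if SHADOW_DELETE.search(cmdline):
            actions.append({"action": "isolate_host", "host": host, "ts": ts, "reason": cmdline})
    return actions

def detect_smb_fanout(events, min_targets=5, window=60):
    """Playbook 2 trigger: block SMB from a source that reaches >= min_targets
    distinct hosts on port 445 within `window` seconds (thresholds are assumed)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:
            by_src[src].append((ts, dst))
    actions = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                actions.append({"action": "block_smb_from_host", "host": src, "targets": sorted(targets)})
                break   # one containment action per source host is enough
    return actions
```

Tune `min_targets` and `window` against a baseline of your own environment's normal share access before wiring the block action to run without approval.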
On the Qilin side, any organization using a third-party cloud provider should verify that their provider has segmented multi-tenant environments so that a single customer compromise cannot traverse to neighboring tenants. Ask your provider directly. If they cannot answer the question clearly, that is the answer.
Backup integrity is non-negotiable right now. Offline or immutable backups that are not accessible from the production network are the single most effective control against ransomware encryption. If your backups are accessible from domain-joined systems, a ransomware actor who has domain admin can reach them.
Sources
Microsoft Security Blog: The Gentlemen ransomware: https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
CSIRT Italia: Qilin Ransomware Campaign: https://www.acn.gov.it/portale/w/qilin-campagne-di-sfruttamento-sistematico-e-diffusione-del-ransomware-sul-territorio-nazionale
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.