Victims of The Gentlemen ransomware have been granted a fortuitous opportunity to reclaim their data without succumbing to extortionate demands. The Canadian firm Bedrock Safeguard has disclosed a viable method for decrypting files compromised by this lineage—also recognized as hastalamuerte—which has amassed over 320 confirmed victims by the inaugural quarter of 2026.
According to Bedrock Safeguard, The Gentlemen remains one of the most active RaaS (Ransomware-as-a-Service) groups. Previously, vendors such as Cybereason, Group-IB, Check Point, ASEC, and Trend Micro regarded the strain's cryptographic design as virtually impenetrable. The authors of the new report clarify that while the core algorithm remains sound, its implementation harbors a critical weakness.
The Gentlemen uses XChaCha20 stream encryption together with an X25519 ECDH key exchange, generating a separate ephemeral key pair for every file, which renders direct brute-force attacks futile. However, because the malware is written in Go, the language's runtime does not zero cryptographic material on the goroutine stack or in process memory once an operation completes. Consequently, ephemeral private keys can remain in process memory for the entire duration of the encryption run.
Bedrock Safeguard asserts that a solitary memory dump of the process suffices to extract the requisite decryption keys. In empirical trials, the team successfully restored 35 out of 35 files with absolute fidelity, locating the keys in a mere 0.6 seconds. Such dumps may be preserved within EDR or XDR systems, incident response captures, Windows Error Reporting, crash dumps, or hibernation files.
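To make the recovery idea concrete, the following added example (not Bedrock Safeguard's tool or the ransomware's code) shows how an ephemeral X25519 private key left in a memory dump can be located: every 32-byte window of the dump is treated as a candidate scalar, its public key is derived, and the result is compared with the per-file ephemeral public key. The trailer layout used here (32-byte public key followed by the GENTLEMEN marker), the memory dump contents, and the helper names are all constructed assumptions; the page only states that trailers carry the GENTLEMEN string. The X25519 ladder follows RFC 7748 in plain Python for readability and is not constant-time.

```python
import random

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
TRAILER_MARK = b"GENTLEMEN"  # marker string named in the report


def _clamp(scalar: bytes) -> int:
    """RFC 7748 scalar decoding: clear low 3 bits, clear bit 255, set bit 254."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """X25519 scalar multiplication via the Montgomery ladder (illustrative, not constant-time)."""
    k = _clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def parse_trailer(trailer: bytes) -> bytes:
    """Assumed trailer layout: <32-byte ephemeral public key><GENTLEMEN>."""
    if not trailer.endswith(TRAILER_MARK):
        raise ValueError("not a GENTLEMEN trailer")
    return trailer[-len(TRAILER_MARK) - 32:-len(TRAILER_MARK)]


def find_private_keys(dump: bytes, ephemeral_pub: bytes, step: int = 1) -> list:
    """Offsets in dump where a 32-byte window is the private key matching ephemeral_pub."""
    hits = []
    for off in range(0, len(dump) - 32 + 1, step):
        if public_key(dump[off:off + 32]) == ephemeral_pub:
            hits.append(off)
    return hits


def build_demo():
    """Constructed scenario: a fake process dump with one ephemeral private key inside it."""
    rng = random.Random(2026)
    priv = bytes(rng.getrandbits(8) for _ in range(32))
    trailer = public_key(priv) + TRAILER_MARK
    filler_before = bytes(rng.getrandbits(8) for _ in range(120))
    filler_after = bytes(rng.getrandbits(8) for _ in range(80))
    dump = filler_before + priv + filler_after
    return dump, trailer, len(filler_before)


if __name__ == "__main__":
    dump, trailer, expected = build_demo()
    print("key found at offsets:", find_private_keys(dump, parse_trailer(trailer)), "expected", expected)
```

In a real investigation the candidate windows would come from a full process or hibernation dump and the per-file public key from each encrypted file's trailer; the recovered ephemeral private key is then combined with the operator's public key to derive the file key, a step omitted here because it depends on an unpublished key-derivation detail.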
The firm has further delineated specific Indicators of Compromise (IoCs), including the ransom note README-GENTLEMEN.txt, file trailers marked with the GENTLEMEN string, and the deletion of shadow copies via vssadmin and wmic. Additional behaviors involve manipulating Windows Defender exclusions, purging Prefetch files, terminating database and backup services, and altering desktop wallpapers to gentlemen.bmp.
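The behaviors listed above translate directly into detection content. The following added example (not from the report or its authors) runs a small rule set over constructed EDR-style process events and checks a file buffer for the GENTLEMEN trailer marker. The sample events, the exact command-line forms, and the assumption that the marker sits at the very end of the file are all mine; the page names the behaviors but not the precise commands the malware issues.

```python
import re

# Constructed sample telemetry (not captured from a real incident): "<process> | <command line>".
SAMPLE_EVENTS = [
    "cmd.exe | vssadmin.exe delete shadows /all /quiet",
    "cmd.exe | wmic shadowcopy delete",
    "powershell.exe | Add-MpPreference -ExclusionPath C:\\Users\\Public",
    "cmd.exe | del /f /q C:\\Windows\\Prefetch\\*",
    "svchost.exe | -k netsvcs",
    "explorer.exe | C:\\Users\\alice\\Desktop\\gentlemen.bmp",
    "notepad.exe | C:\\Users\\alice\\Documents\\README-GENTLEMEN.txt",
]

# Rule name -> pattern; each maps to one behavior named in the report.
RULES = [
    ("shadow_copy_deletion_vssadmin", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion_wmic", re.compile(r"wmic\s+shadowcopy\s+delete", re.I)),
    ("defender_exclusion_change", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("prefetch_purge", re.compile(r"\bdel\b.*\\Windows\\Prefetch\\", re.I)),
    ("ransom_note_gentlemen", re.compile(r"README-GENTLEMEN\.txt", re.I)),
    ("wallpaper_gentlemen", re.compile(r"gentlemen\.bmp", re.I)),
]

TRAILER_MARK = b"GENTLEMEN"


def match_events(events):
    """Return {rule_name: [matching event lines]} for rules that fired at least once."""
    hits = {}
    for line in events:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def has_gentlemen_trailer(data: bytes) -> bool:
    """Assumes the marker is the last bytes of an encrypted file (constructed assumption)."""
    return data.endswith(TRAILER_MARK)


def triage(events, file_samples):
    """Combine process-event hits and trailer hits into one summary for an analyst."""
    return {
        "rules_fired": sorted(match_events(events)),
        "encrypted_files": [name for name, data in file_samples.items() if has_gentlemen_trailer(data)],
    }


if __name__ == "__main__":
    files = {"report.docx": b"\x01\x02" * 8 + TRAILER_MARK, "notes.txt": b"plain text"}
    print(triage(SAMPLE_EVENTS, files))
```

Shadow-copy deletion and Defender exclusion changes also occur during legitimate administration, so in production these rules are best correlated (several firing on one host within minutes) rather than alerted on individually.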
The report draws parallels to the historic recovery of WannaCry keys articulated by Adrien Guinet in 2017. Bedrock Safeguard posits that this publication represents the inaugural public instance of extracting ephemeral X25519 keys from memory against a ransomware family. The findings have been relayed to the Canadian Centre for Cyber Security and the RCMP NC3. Furthermore, the company introduced Bedrock RansomGuard, an open-source utility designed to preemptively detect encryption activity and preserve process memory while keys remain retrievable—a methodology reminiscent of the public decryptor previously deployed against the FunkSec ransomware following similar cryptographic scrutiny.