The Gentlemen Are at Your Door and BitLocker Won't Save You: This Week's Threats Explained
478 victims. Worm-like propagation. AI-assisted targeting. The Gentlemen ransomware operation is not a theoretical future threat. It is active, it is scaling, and it does not need a sophisticated attacker on the keyboard once it is inside your network.
This week also produced a working, published exploit that bypasses Windows BitLocker. Not a proof of concept sitting in a researcher’s notebook. A public release.
These are the two stories that matter for UK small businesses this week. Everything else is noise.
Story One: The Gentlemen Ransomware and What “Worm-Like Spread” Actually Means
The Gentlemen operation began as a ransomware affiliate, running double extortion attacks on behalf of a larger group. Analysis published this week by The Hacker News confirms it has since evolved into an independent Ransomware-as-a-Service (RaaS) operation.
The headline figure is 478 claimed victims. That number matters less than the capability behind it: the malware can propagate through a network autonomously, without requiring an operator to manually move from machine to machine.
Let that land for a moment. One infected endpoint, one employee who clicked something they should not have, and the ransomware can traverse your network and encrypt everything it can reach. No second human action required.
The operation also incorporates AI-assisted targeting, which in practical terms means the tooling can identify high-value files and systems faster than a human operator working manually. The double extortion model is standard at this point: encrypt the data, exfiltrate a copy, threaten to publish unless payment is made.
What this means for a 20-person business in Leeds or Bristol or Edinburgh: the assumption that you are too small to be targeted by a sophisticated group is operationally meaningless when the attack is automated. Automated attacks do not evaluate your annual revenue before proceeding.
Story Two: GreatXML Bypasses BitLocker, and the Patch Status Does Not Fully Help You
Security researcher Chaotic Eclipse published GreatXML this week: a working exploit that bypasses Windows BitLocker encryption via recovery partition XML files.
BitLocker is the encryption built into Windows that most organisations and individuals rely on to protect data on laptops. The assumption is straightforward: if the device is stolen, the data is encrypted and therefore unreadable.
GreatXML undermines that assumption on systems where Windows Defender Offline Scan has previously been used. The exploit works through the recovery partition, not the main operating system, which means it can operate outside the normal Windows security context.
The technical detail matters here because it affects the remediation. Patching Windows helps, but the exposure exists on machines where Defender Offline Scan has already run. If you are managing a fleet of Windows devices, you cannot simply point to your patch status and consider this closed.
The same researcher published a separate Microsoft Defender exploit the previous day. The pace of publication is notable. This is not a single researcher finding a single edge case. It is a pattern.
What this means practically: BitLocker is not a substitute for a data protection strategy. It is one layer. If that layer is bypassed, what is underneath it? If you do not have a clear answer to that question, you have a problem.
The Third Story Worth a Sentence: CVE-2026-49973 and the Hermes WebUI Flaw
CVSS 9.4. Unauthenticated remote access. An attacker on any network that can reach the interface can send a single POST request to the Hermes WebUI settings endpoint during first-run setup, set their own password hash, obtain a valid session cookie, and lock the legitimate operator out of their own instance permanently.
Hermes WebUI is a network management interface. If anyone in your organisation uses it, or if your MSP uses it to manage your infrastructure, confirm they are running version 0.51.358 or later. If they cannot confirm that immediately, ask why not.
How This Gives Your Business an Edge
Most small businesses in the UK are operating on the assumption that their security posture is broadly adequate. They have antivirus, they probably have some form of backup, they might have Cyber Essentials. The Gentlemen and GreatXML expose specific gaps in that assumption.
Knowing about these threats before they hit your sector means you can act proactively rather than reactively. Proactive action costs a fraction of incident response. The average ransomware recovery for a small business in the UK runs into tens of thousands of pounds when you factor in downtime, recovery costs, and any regulatory obligations under GDPR.
Being able to demonstrate to clients, insurers, and procurement teams that your business monitors active threat intelligence and responds to it is increasingly a commercial differentiator. It is also increasingly a requirement in supplier due diligence questionnaires.
Making the Business Case
If you need to take any of the actions below to a budget holder or board, here are the arguments that will land:
Ransomware recovery costs are not hypothetical. The Gentlemen’s 478 victims each faced a recovery scenario. For a small business without tested offline backups and a recovery plan, that scenario typically involves choosing between paying a ransom or losing data. Neither outcome is cheap, and neither is insurable under most standard policies without specific cyber cover.
Encryption is not a complete data protection strategy. GreatXML demonstrates that BitLocker can be bypassed on certain Windows configurations. If your data protection argument to clients or to the ICO relies primarily on device encryption, that argument just became weaker. Layered protection, including access controls and offline backups, is the defensible position.
The worm propagation capability changes the risk model. One compromised endpoint used to mean one compromised endpoint. With self-propagating ransomware, it means your entire accessible network. The business case for network segmentation, which limits what any single infected machine can reach, is now straightforward.
Cyber insurance premiums reflect this. Underwriters are pricing ransomware risk based on whether organisations have tested offline backups, MFA, and network segmentation. If you do not have those controls, you are either paying more than you should be, or you are about to find out your policy will not pay out when you need it to.
What to Do This Week
- Test your backups. Today, not next quarter. Specifically, verify that at least one backup copy is offline: not connected to your network, not accessible to a logged-in user, not reachable by ransomware that has compromised your credentials. If your MSP cannot demonstrate this to you within 24 hours, that is a conversation you need to have.
- Audit your BitLocker deployment. Identify which machines have had Windows Defender Offline Scan run on them. Check whether your organisation’s data protection assumptions rely on BitLocker as a primary or sole control. If so, layer additional controls: strong access management, application controls, and clear data classification so you know what is actually at risk.
- Ask your MSP about network segmentation. In plain terms: if one machine on your network is compromised by ransomware, what can it reach? Can it reach your file server? Your accounting software? Your email archive? If the answer is yes to all of those, you have a flat network and a worm-capable ransomware family is your worst-case scenario. Segmentation changes that calculus.
- Check Hermes WebUI version numbers. If your infrastructure management includes Hermes WebUI, confirm with your IT support that it is running version 0.51.358 or later. If you do not know whether you use it, find out. “I don’t know what software is managing my network” is not an acceptable position.
- Review your cyber insurance policy. Specifically: does it cover ransomware? Does it require you to have MFA, offline backups, and patch management in place? If you cannot answer those questions, read the policy or ask your broker. Finding out your policy excludes ransomware after an incident is a uniquely unpleasant experience.
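One way to start the BitLocker audit above, as an added example rather than code from the original article: it inventories every volume's protection status and key protector types through the built-in Get-BitLockerVolume cmdlet and flags volumes with protection off or with no TPM-bound protector (it does not tell you which machines have run Defender Offline Scan; that half of the audit needs your Defender records). It assumes administrator rights on each endpoint, run locally or pushed out through your MSP's management tooling.

```powershell
# Added example, not from the original article. Assumes it runs elevated on a
# Windows endpoint with the BitLocker PowerShell module (Get-BitLockerVolume).
# Produces one row per volume and writes a per-machine CSV you can collect
# centrally from your fleet.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Key protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword, ExternalKey
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $hasTpmProtector = [bool]($protectorTypes | Where-Object { $_ -like 'Tpm*' })

    # Classify the volume: protection off is the clear gap; an OS volume that
    # relies only on a recovery password (no TPM-bound protector) is unlocked by
    # anyone holding that password, so it should be reviewed rather than assumed safe.
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $finding = 'PROTECTION OFF'
    } elseif ("$($vol.VolumeType)" -eq 'OperatingSystem' -and -not $hasTpmProtector) {
        $finding = 'OS VOLUME WITHOUT TPM PROTECTOR'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Volume            = $vol.MountPoint
        VolumeType        = "$($vol.VolumeType)"
        ProtectionStatus  = "$($vol.ProtectionStatus)"
        EncryptionPercent = $vol.EncryptionPercentage
        Protectors        = ($protectorTypes -join ',')
        Finding           = $finding
    }
}

# Show the findings on screen and keep a copy for the fleet-wide roll-up.
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:COMPUTERNAME-bitlocker-audit.csv" -NoTypeInformation
```

Collect the CSVs from every endpoint and sort on the Finding column; anything other than OK is a machine where BitLocker is not the control you think it is.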