The Gentlemen

The Gentlemen is a ransomware-as-a-service (RaaS) and double-extortion operation that emerged publicly in mid-2025, with reporting placing its emergence in July-August 2025 and first observed victim postings in September 2025. Multiple sources assess it as a rapidly growing and highly active ransomware program in 2026, including reporting that it ranked among the top ransomware groups globally and was second only to Qilin in some datasets. Several reports assess The Gentlemen as linked to, or a continuation/reorganization of, prior affiliate activity from the Qilin ecosystem following an internal dispute; reporting also associates the operation with the Russian-speaking actor alias "hastalamuerte," also identified in leaked backend reporting as administrator "zeta88." No additional aliases for the group itself are provided beyond The Gentlemen. The group operates an affiliate model with aggressive revenue sharing, repeatedly reported as 90% to affiliates and 10% to the operator. Reporting on a leaked internal backend in 2026 described a coordinated core team and affiliate structure, exposed internal chats and victim-management tooling, and indicated the administrator may also directly participate in attacks. The same leak exposed operational channels, affiliate discussions about credential abuse and EDR-killer tools, and a much larger victim set than public leak-site disclosures, with reporting citing more than 1,570 linked victim environments. The Gentlemen targets organizations globally across at least 17 countries in one dataset and more than 70 countries in others. Victimology in the provided reporting spans manufacturing, professional services, technology, healthcare, business services, industrial organizations, IT, consumer-facing organizations, government, education, logistics, and transportation. Geographic reporting highlights broad international activity, with Europe frequently described as a primary focus in some reporting, especially the UK and Germany, while other datasets show substantial activity in APAC and note comparatively limited US targeting relative to ecosystem averages. Thailand, Brazil, India, France, the UK, and the United States all appear in victim-country reporting. The Gentlemen is reported to target Windows, Linux, VMware ESXi, NAS, and BSD systems. Its Windows locker is described as Go-based, requiring a password parameter at execution, dropping ransom notes including README-GENTLEMEN.txt and README-GENTLEMEN_2.txt, and using variable/random file extensions. Reporting also describes partial encryption of larger files to accelerate impact, service termination prior to encryption, and support for cross-platform deployment including virtualization environments. Initial access and intrusion tradecraft repeatedly center on valid accounts, stolen credentials, exposed remote services, and edge devices. Multiple sources specifically identify Fortinet FortiGate VPN appliances as a primary access vector, via brute force or exploitation of vulnerabilities, including repeated reporting on interest in CVE-2024-55591. Other reporting cites Cisco edge devices, purchased access from brokers, OWA/M365 credential logs, NTLM relay activity, and compromised credentials for remote access infrastructure. The group has also been associated with RDP-based access in incident reporting. Observed post-compromise behavior includes Active Directory reconnaissance, privilege escalation, credential harvesting, lateral movement, backup disruption, data theft, and domain-wide ransomware deployment. Reported techniques and tooling include PowerShell, Windows Management Instrumentation, SMB/Windows Admin Shares, SSH, Remote Services, RDP, Scheduled Tasks, Group Policy-based deployment, AnyDesk, PsExec, WinSCP, Advanced IP Scanner, Nmap, Cobalt Strike, SystemBC, ZeroPulse, NetExec, RelayKing, PrivHound, CertiHound, Velociraptor, PowerRun, and custom defense-evasion or EDR-kill tooling. Reporting also describes BYOVD-based defense evasion, aggressive log deletion, disabling of endpoint protection including Microsoft Defender, covert tunneling, SOCKS proxying, and anti-forensic activity. The group uses data theft as a core extortion mechanism in addition to encryption. Reporting describes threats to leak stolen data on its leak site, affiliate-controlled negotiation via Tox or Session identifiers, and ransom-note language emphasizing regulatory and reputational pressure. One report documented a negotiation reduced from USD 250,000 to about USD 190,000. Reporting also describes reuse of stolen data from one victim to pressure another victim. Public reporting and incident examples in the provided content include claims or observations involving Adaptavist, Synergy France, UK Electronics, Equity Life, and numerous other listed victims. Some reporting notes that The Gentlemen claimed responsibility for the Adaptavist incident, while the victim disputed the extent of compromise; those claims remain unverified in the source material. The group itself was reportedly compromised in May 2026, when its internal Rocket backend/database and chats were leaked or offered for sale. Reporting states the administrator acknowledged the leak on May 4, 2026. The exposed material provided insight into infrastructure, affiliates, tooling, tracked vulnerabilities, and victim management, and reinforced assessments that The Gentlemen remained active despite the breach. Overall, the provided content consistently characterizes The Gentlemen as a technically mature, fast-scaling RaaS operation with likely Russian-speaking ties, strong links to the Qilin affiliate ecosystem, heavy use of credential- and edge-device-based access, broad cross-platform encryption capability, and high operational tempo across global enterprise targets.