Emergence and Operations of The Gentlemen Ransomware-as-a-Service Group
The Gentlemen ransomware group has rapidly established itself as a significant threat actor since its emergence around July 2025, leveraging a Ransomware-as-a-Service (RaaS) model and advanced dual-extortion tactics. The group has claimed at least 48 victims within a three-month period, utilizing the XChaCha20 encryption algorithm to lock files and exfiltrating sensitive business data to pressure organizations into paying ransoms. Their operations are characterized by a combination of established ransomware techniques and innovative strategies, including the development of their own RaaS platform after experimenting with various affiliate models, which has enabled them to quickly adapt to new attack vectors and maintain persistence against targeted organizations.
Threat intelligence reports highlight that The Gentlemen's data leak site is active, and the group has demonstrated a willingness to publish stolen data if ransom demands are not met. Their evolution from testing other ransomware platforms to building a proprietary service underscores their technical sophistication and intent to scale operations. Security professionals are advised to monitor for indicators of compromise related to The Gentlemen and to ensure robust data protection and incident response measures are in place to mitigate the risk posed by this rapidly evolving ransomware group.

How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Complexul Energetic Oltenia reported as Gentlemen ransomware victim
Reporting says The Gentlemen ransomware group carried out a ransomware attack on Romanian state energy operator Complexul Energetic Oltenia, adding a newly disclosed victim to the campaign. The article presents this as part of the group's documented incident activity in 2026.
Microsoft publishes analysis of The Gentlemen's self-propagating Go encryptor
On 2026-05-28, Microsoft published research on The Gentlemen ransomware, which it tracks as Storm-2697, detailing the malware's Go-based encryptor, hybrid Curve25519 and XChaCha20 encryption, and aggressive self-propagation across Windows networks using multiple lateral movement methods. The report also provided detections, hunting guidance, and mitigations including Defender protections, attack surface reduction rules, and EDR controls.
NTT says The Gentlemen accounts for 10% of ransomware attacks
NTT reported that The Gentlemen had become one of the most active ransomware operators, accounting for 10% of observed attacks and ranking second only to Qilin. The report said the group primarily targeted industrial and IT organizations, focused heavily on Europe including the UK and Germany, and named victims including Synergy France, UK Electronics, and Equity Life.
Huntress details Gentlemen defense-evasion tactics from two incidents
On 2026-05-21, Huntress published analysis of two post-incident The Gentlemen ransomware deployments affecting a shipping and transportation organization and a construction company. The report documented defense-evasion and execution tradecraft including scheduled tasks, PowerShell-based Microsoft Defender tampering, selective clearing of Windows logs, use of a SOCKS proxy beaconing to 193.233.202[.]17, and redeployment of the encryptor from a NETLOGON share after initial execution was blocked.
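Detection logic for the tradecraft Huntress lists above, as an added example that is not from the Huntress report or from this page: five simple rules are run over constructed Windows-style event records, and a host raises an alert when the weighted sum of its distinct rule matches reaches a threshold. Event IDs 4698, 1102 and 4104 are the standard Windows IDs for scheduled-task creation, audit-log clearing and PowerShell script-block logging; hostnames, file names and message formats are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Beaconing destination cited in public reporting (defanged above as 193.233.202[.]17).
BEACON_IP = "193.233.202.17"

# (rule name, required Windows event ID or None for any, pattern over the message, weight)
RULES = [
    ("sched_task", 4698, re.compile(r"scheduled task was created", re.I), 1),
    ("defender_tamper", None, re.compile(
        r"(Set-MpPreference\b.*-Disable\w+\s+\$?true|Add-MpPreference\b.*-Exclusion)", re.I), 1),
    ("log_cleared", 1102, re.compile(r"audit log was cleared", re.I), 1),
    ("netlogon_exec", None, re.compile(r"\\\\[^\\\s]+\\NETLOGON\\\S+\.exe", re.I), 2),
    ("beacon", None, re.compile(re.escape(BEACON_IP)), 2),
]
ALERT_THRESHOLD = 2  # weighted distinct hits per host needed to raise an alert

@dataclass
class Event:
    host: str
    event_id: Optional[int]
    message: str

def matching_rules(ev: Event) -> list:
    """Names of rules whose event-ID filter and message pattern both match this event."""
    return [name for name, eid, pat, _ in RULES
            if (eid is None or eid == ev.event_id) and pat.search(ev.message)]

def score_hosts(events) -> dict:
    """Per host: the set of distinct rule names matched (repeats of one rule count once)."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev.host].update(matching_rules(ev))
    return dict(hits)

def alerting_hosts(events) -> list:
    """Hosts whose distinct-rule weights sum to at least ALERT_THRESHOLD, sorted by name."""
    weights = {name: w for name, _, _, w in RULES}
    return sorted(h for h, names in score_hosts(events).items()
                  if sum(weights[n] for n in names) >= ALERT_THRESHOLD)

# Constructed sample events: hostnames, task names and file names are made up for the example.
SAMPLE = [
    Event("WS01", 4698, r"A scheduled task was created: \Microsoft\Windows\Updater"),
    Event("WS01", 4104, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("WS01", 1102, "The audit log was cleared."),
    Event("DC01", 3, f"Network connection detected: 10.0.0.5 -> {BEACON_IP}:1080"),
    Event("WS02", 4688, r"New Process Name: \\corp.example\NETLOGON\svc.exe"),
    Event("WS03", 4698, r"A scheduled task was created: \Backup\Nightly"),  # one low-weight hit only
]
```

Run with `python -c "import m; print(m.alerting_hosts(m.SAMPLE))"` (file saved as m.py) to see which constructed hosts cross the threshold.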
LevelBlue links The Gentlemen to Qilin affiliate lineage
On 2026-05-18, LevelBlue assessed that The Gentlemen was likely not a wholly new operation but a continuation or reorganization of prior affiliate activity associated with the Qilin ecosystem and the Russian-speaking actor "hastalamuerte." This represented a new attribution and lineage assessment for the ransomware group.
Data leak exposes The Gentlemen's internal operations
By 2026-05-11, stolen data from The Gentlemen ransomware group had been offered for sale on Breached and then released publicly, exposing internal chats, victim information, operational data, and a bitcoin wallet address. Analysis of the leak revealed details about the group's infrastructure management, targeting, OPSEC, use of compromised Fortinet credentials, and enterprise-focused intrusion tactics.
The Gentlemen claims 352 attacks across more than 70 countries
By 2026-05-10, The Gentlemen had publicly claimed 352 attacks in the first half of 2026, indicating continued growth beyond the previously reported 320-plus victims. The reported victims spanned more than 70 countries, with heavy impact on professional services, manufacturing, technology, and healthcare.
The Gentlemen administrator acknowledges internal leak
On 2026-05-04, the administrator of The Gentlemen ransomware operation reportedly acknowledged that the group’s internal Rocket backend and chats had been leaked. The acknowledgment preceded the broader public release and analysis of the stolen data that exposed the group’s structure, tooling, affiliates, and negotiations.
Check Point links Gentlemen affiliate attack to SystemBC botnet
While investigating a Gentlemen ransomware affiliate intrusion, Check Point identified a SystemBC proxy malware botnet with more than 1,570 infected hosts, largely affecting corporate and organizational environments. The researchers also disclosed new intrusion details and published indicators of compromise and a YARA rule for related activity.
The Gentlemen surpasses 320 claimed victims
Check Point Research reported that The Gentlemen had publicly claimed more than 320 victims, with most of the growth occurring in early 2026. The report characterized the group as a rapidly expanding ransomware-as-a-service operation with a broad, enterprise-focused intrusion ecosystem.
Group-IB links The Gentlemen to Qilin dispute and exposes operations
On 2026-03-19, Group-IB published research saying The Gentlemen emerged from a dispute within the Qilin ecosystem and was exposed in part by affiliate 'hastalamuerte.' The report detailed the group's use of FortiGate VPN access, automated lateral movement, credential theft, backup disruption, anti-forensics, and BYOVD-based defense evasion across Windows, Linux, and ESXi targets.
The Gentlemen reaches 48 reported victims in three months
By November 2025, reporting said the operation had accumulated 48 victims over roughly a three-month period, indicating rapid growth of the campaign.
Cybereason publishes technical analysis and IOCs
Cybereason released a detailed analysis of The Gentlemen’s Windows, Linux, and ESXi ransomware variants, describing persistence, lateral movement, defense evasion, encryption methods, and providing indicators of compromise and MITRE ATT&CK mappings.
The Gentlemen begins publishing victims on leak site
The group rapidly started naming victims on its dark web leak site during September and October 2025, marking the public operational phase of its dual-extortion campaign.
The Gentlemen ransomware group emerges
Cybereason assessed that the ransomware group known as “The Gentlemen” emerged around July 2025 and began operating as a Ransomware-as-a-Service with affiliate support and configurable builds.
Sources
Analysis of The Gentlemen ransomware: reversing the Storm-2697 Go binary (codeby.net)
The Gentlemen Ransomware: Threat Profile | by privacyinsightsolutions.com | May, 2026 | OSINT Team (osintteam.blog)
Gentlemen Ransomware Threat Exposed by Microsoft (securityonline.info)
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor | Microsoft Security Blog (microsoft.com)
Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation - Infosecurity Magazine (infosecurity-magazine.com)
Sophisticated "The Gentlemen" Ransomware RaaS Emerges with XChaCha20 Encryption and 48 Victims in 3 Months (securityonline.info)
License to Encrypt: "The Gentlemen" Make Their Move (cybereason.com)
Crypto-ransomware digest, The Digest "Crypto-Ransomware": Gentlemen (id-ransomware.blogspot.com)