Emergence and Operations of The Gentlemen Ransomware-as-a-Service Group
The Gentlemen ransomware group has rapidly established itself as a significant threat actor since its emergence around July 2025, leveraging a Ransomware-as-a-Service (RaaS) model and advanced dual-extortion tactics. The group has claimed at least 48 victims within a three-month period, utilizing the XChaCha20 encryption algorithm to lock files and exfiltrating sensitive business data to pressure organizations into paying ransoms. Their operations are characterized by a combination of established ransomware techniques and innovative strategies, including the development of their own RaaS platform after experimenting with various affiliate models, which has enabled them to quickly adapt to new attack vectors and maintain persistence against targeted organizations.
Threat intelligence reports highlight that The Gentlemen's data leak site is active, and the group has demonstrated a willingness to publish stolen data if ransom demands are not met. Their evolution from testing other ransomware platforms to building a proprietary service underscores their technical sophistication and intent to scale operations. Security professionals are advised to monitor for indicators of compromise related to The Gentlemen and to ensure robust data protection and incident response measures are in place to mitigate the risk posed by this rapidly evolving ransomware group.
Timeline
Apr 20, 2026
Check Point links Gentlemen affiliate attack to SystemBC botnet
While investigating a Gentlemen ransomware affiliate intrusion, Check Point identified a SystemBC proxy malware botnet with more than 1,570 infected hosts, largely affecting corporate and organizational environments. The researchers also disclosed new intrusion details and published indicators of compromise and a YARA rule for related activity.
Apr 20, 2026
The Gentlemen surpasses 320 claimed victims
Check Point Research reported that The Gentlemen had publicly claimed more than 320 victims, with most of the growth occurring in early 2026. The report characterized the group as a rapidly expanding ransomware-as-a-service operation with a broad, enterprise-focused intrusion ecosystem.
Nov 20, 2025
The Gentlemen reaches 48 reported victims in three months
By November 2025, reporting said the operation had accumulated 48 victims over roughly a three-month period, indicating rapid growth of the campaign.
Nov 18, 2025
Cybereason publishes technical analysis and IOCs
Cybereason released a detailed analysis of The Gentlemen’s Windows, Linux, and ESXi ransomware variants, describing persistence, lateral movement, defense evasion, encryption methods, and providing indicators of compromise and MITRE ATT&CK mappings.
Sep 1, 2025
The Gentlemen begins publishing victims on leak site
The group began naming victims on its dark web leak site in September 2025 and continued through October, marking the public operational phase of its dual-extortion campaign.
Jul 1, 2025
The Gentlemen ransomware group emerges
Cybereason assessed that the ransomware group known as “The Gentlemen” emerged around July 2025 and began operating as a Ransomware-as-a-Service with affiliate support and configurable builds.
Sources
Sources for this story include Security Online, the Cybereason blog, and the ID Ransomware blog, among others.
Related Stories

Gentlemen Ransomware Global Double Extortion Campaigns
A new ransomware group known as **Gentlemen** has launched a series of attacks targeting organizations in at least 17 countries, employing a double extortion model that involves both data exfiltration and encryption. The ransomware, developed in the Go programming language, leverages advanced techniques such as Group Policy Object (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD) tactics to disable security defenses and propagate laterally within corporate networks. Industries affected include healthcare, manufacturing, and insurance, with the group specifically focusing on medium to large enterprises. The malware requires a specific `--password` argument to execute, serving as an anti-analysis measure, and offers operators various command-line options to control its behavior and evade detection. Analysts have identified Gentlemen as one of the most active emerging ransomware threats of 2025, with rapid expansion across North America, South America, and the Middle East. The group’s sophisticated evasion and propagation methods, combined with its aggressive targeting of sensitive data, underscore the urgent need for enhanced monitoring and defensive measures in enterprise environments. The campaign’s use of double extortion ensures that even organizations with robust backup strategies remain vulnerable to data leaks and reputational damage if ransoms are not paid.
Ransomware Ecosystem Updates: DragonForce, The Gentlemen, Gunra, and Reynolds BYOVD Evasion
Multiple reports detailed **emerging and evolving ransomware operations** and the tactics they use to scale. **DragonForce** has positioned itself as a “cartel”-style **Ransomware-as-a-Service (RaaS)** operation, using dark web forums (e.g., BreachForums, RAMP, Exploit) for recruitment and promotion, and advertising capabilities such as a payload builder (“RansomBay”) and victim-pressure services (including harassment calls). Separate profiling described **The Gentlemen** as an emerging double-extortion ransomware group first clearly observed in active campaigns in 2025, with a Go-based locker supporting **Windows, Linux, and ESXi**, and an operator-controlled execution model that requires a password parameter. Additional research reported **Gunra** as a RaaS operation with a newly launched affiliate program advertised on dark web forums in January 2026; researchers claimed access to affiliate-panel credentials and obtained a live sample for technical analysis, describing configurable attack parameters, selective encryption, and path exclusions to preserve system operability for payment. Separately, analysis of the **Reynolds** ransomware family highlighted built-in **BYOVD** defense evasion, bundling a vulnerable `NsecSoft NSecKrnl` driver within the ransomware payload to disable EDR—an approach that reduces the need for a separate pre-ransomware EDR-killer stage and reflects continued innovation in endpoint security bypass techniques.
Recent Ransomware Threats Targeting Organizations and Critical Sectors
Several new ransomware groups and campaigns have emerged, demonstrating increased sophistication and targeting a range of organizations globally. The SafePay group has established itself as a major threat by operating as a centralized, closed ransomware operation, eschewing the typical Ransomware-as-a-Service (RaaS) model. SafePay employs double extortion tactics, exfiltrating sensitive data before encrypting systems, and leverages rapid attack chains that often move from initial access to full encryption within 24 hours. Their methods include exploiting compromised credentials, misconfigured firewalls, and deploying backdoors for persistence, with a focus on operational security to avoid law enforcement detection. Other notable threats include the CrazyHunter ransomware, which has aggressively targeted healthcare organizations in Taiwan using advanced evasion techniques and multi-stage attacks that exploit Active Directory and propagate via Group Policy Objects. Meanwhile, the Ransomhouse group, operated by Jolly Scorpius, has upgraded its capabilities with a dual-key encryption system and automated attacks on VMware ESXi hypervisors, particularly focusing on German enterprises. These campaigns highlight a trend toward more targeted, technically advanced ransomware operations that prioritize both data theft and rapid system disruption, posing significant risks to critical infrastructure and sensitive industries.