'Ransomware in focus' is our series unravelling the complexities of ransomware groups active in today’s threat landscape. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, Aditya Ganjam Mahesh examines the operations of The Gentlemen.
Introduction
The Gentlemen is a financially motivated threat actor group that employs ransomware attacks for financial gain. First observed in August 2025, and therefore one of the newer sophisticated ransomware groups, The Gentlemen has disproportionately targeted victims in Asia compared to other threat actors. They made their mark globally by quickly claiming several victims within weeks of first being active, and were the second most active threat actor in April 2026 based on the number of victims claimed on their leak site. The group operates a double extortion strategy: they exfiltrate sensitive data from the victim's environment and encrypt the systems with ransomware. The victims are then extorted both for non-publication of the data and for the decryption keys.
Background
The Gentlemen operate under a Ransomware‑as‑a‑Service (RaaS) model, advertising ransomware payloads compatible with a wide range of operating systems, including Windows, Linux, NAS, BSD, and ESXi. Affiliates are required to exfiltrate victim data and submit it to the operators, who then provide a customised ransomware binary. In exceptional cases where data exfiltration is not possible, affiliates must supply a valid justification and place a refundable deposit, which is returned after receipt of the initial ransom payment.
The group follows a straightforward revenue‑sharing model, retaining 10 percent of ransom proceeds while affiliates keep the remainder. Operators explicitly prohibit attacks against targets in Russia and CIS countries, suggesting regional operational ties. The Gentlemen market their ransomware as a sophisticated toolset, highlighting features such as self‑deletion, log wiping, and concurrent execution capabilities. In addition, affiliates are granted access to supplementary tools, including EDR bypass mechanisms and custom utilities for lateral movement.
Victimology
As of April 2026, The Gentlemen ransomware group has claimed over 340 victims on its dark web leak site. Their affiliates primarily targeted small-to-medium-sized organisations, with relatively limited activity against large enterprises (figure 1). While the United States and Thailand recorded the highest number of individual victims (figure 2), Asia emerged as the most affected region overall, accounting for nearly 46% of all cases, placing The Gentlemen among the few prolific ransomware groups with a strong regional focus on Asia (figure 3)*.
Figure 1: Organisations targeted by size
Figure 2: Top countries targeted
Figure 3: Organisations targeted by geography
The group's targeting by sector shows a clear emphasis on critical infrastructure, particularly manufacturing, construction, healthcare, and financial services. IT consulting and services was the most frequently targeted individual sector (figure 4).
Figure 4: Companies targeted by sector
Initial access
In most cases, The Gentlemen have infiltrated networks through the FortiGate VPN, either by obtaining valid credentials or by exploiting vulnerabilities. We have observed this threat actor brute forcing valid credentials where MFA wasn’t enabled on the VPN. Our threat intelligence also suggests that The Gentlemen mostly exploited public-facing infrastructure for initial access. The group also likely purchases or uses access sold by initial access brokers (IABs) when buying entry proves faster than direct exploitation.
Propagation
Following initial access, The Gentlemen affiliates typically conduct internal network discovery using tools such as Advanced IP Scanner and Nmap, supplemented by custom scripts for account and Active Directory enumeration. For lateral movement, the group relies on legitimate administrative utilities, including PsExec for privileged execution and PowerRun.exe for privilege escalation. Credential access is achieved through dumping the LSASS process memory, enabling compromise of additional accounts, while Windows Remote Desktop Protocol (‘RDP’) is frequently used for interactive lateral movement.
For defence evasion, the group has leveraged a vulnerable driver, ThrottleBlood.sys, to obtain kernel‑level access and terminate security processes. Persistence is commonly maintained through deployment of the AnyDesk remote access tool.
In parallel with ransomware execution, The Gentlemen routinely exfiltrate victim data prior to encryption, staging it in directories such as C:\ProgramData\data before transferring it externally via WinSCP using SFTP or WebDAV protocols.
Finally, in May 2026 we also observed affiliates substitute this pattern with MSP360 (CloudBerry) Backup, a legitimate cloud backup agent rebranded during installation as "Microsoft Online Backup". The agent is typically deployed to file servers under the path 'C:\Program Files\Microsoft\Online Backup\' to mimic native Microsoft tooling.
Encryption
The Gentlemen group deploy ransomware through a Group Policy Object (‘GPO’). They first place the ransomware binary in a network share such as the NETLOGON share, and then execute it through a scheduled task or script initiated by the GPO. The ransomware binary encrypts targeted files with either the ‘.7mtzhh’ extension or a random six-character extension, and drops ransom notes named “README_GENTLEMEN.txt” in affected directories. As a post-encryption step, the ransomware binary deletes volume shadow copies to hinder recovery and also deletes Windows event logs and RDP logs, among other forensic artefacts. The ransomware also forcibly stops several services running in the background, such as backup solutions (Veeam, Oracle, Acronis, etc.), databases and mail systems. As the last step, the ransomware binary deletes itself from the host to avoid recovery of the sample for analysis.
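The host artefacts described in the Propagation and Encryption sections lend themselves to a single hunting routine. The following is an added example, not tooling from the authors or from the group: it walks a list of file paths (a constructed listing here; the hostname and file names are assumptions) and flags the C:\ProgramData\data staging directory, the rebranded MSP360 path, the ThrottleBlood.sys driver, an executable dropped in NETLOGON, the ransom note, the ‘.7mtzhh’ extension, and a shared six-character extension in a directory that also holds the ransom note.

```python
import re
from collections import defaultdict
RANSOM_NOTE, KNOWN_EXT = "readme_gentlemen.txt", ".7mtzhh"
RANDOM_EXT = re.compile(r"\.[a-z0-9]{6}$")  # the random six-character extension
CHECKS = {  # indicator -> test on (lower-cased path, file name); paths as given in the write-up
    "staging_dir": lambda low, name: low.startswith("c:\\programdata\\data\\"),
    "msp360_rebrand": lambda low, name: low.startswith("c:\\program files\\microsoft\\online backup\\"),
    "vulnerable_driver": lambda low, name: name == "throttleblood.sys",
    "netlogon_binary": lambda low, name: "\\netlogon\\" in low and name.endswith(".exe"),
}

def hunt(paths):
    """Map each indicator name to the paths that matched it; an empty dict means nothing was found."""
    findings = defaultdict(list)
    by_dir = defaultdict(lambda: {"note": False, "exts": defaultdict(list)})
    for p in paths:
        low = p.lower().replace("/", "\\")
        parent, _, name = low.rpartition("\\")
        for label, test in CHECKS.items():
            if test(low, name):
                findings[label].append(p)
        if name == RANSOM_NOTE:
            findings["ransom_note"].append(p)
            by_dir[parent]["note"] = True
        elif name.endswith(KNOWN_EXT):
            findings["known_extension"].append(p)
        elif (m := RANDOM_EXT.search(name)):
            by_dir[parent]["exts"][m.group(0)].append(p)
    # A six-character extension alone is noisy (".config" matches too), so flag it only
    # where the same directory holds the ransom note and at least three files share it.
    for d in by_dir.values():
        if d["note"]:
            for files in d["exts"].values():
                if len(files) >= 3:
                    findings["random_extension"].extend(files)
    return dict(findings)

SAMPLE_PATHS = [  # constructed file listing; hostname and file names are assumptions
    r"C:\ProgramData\data\finance_2025.zip",
    r"C:\Program Files\Microsoft\Online Backup\agent.exe",
    r"C:\Windows\System32\drivers\ThrottleBlood.sys",
    r"\\dc01\NETLOGON\update.exe",
    r"D:\Shares\HR\README_GENTLEMEN.txt",
    r"D:\Shares\HR\payroll.xlsx.7mtzhh",
    r"D:\Shares\Legal\README_GENTLEMEN.txt",
    r"D:\Shares\Legal\contract1.docx.k9f2ab",
    r"D:\Shares\Legal\contract2.docx.k9f2ab",
    r"D:\Shares\Legal\notes.txt.k9f2ab",
    r"C:\Users\alice\app.config",  # benign six-character extension, must not be flagged
]
```

Feed it the output of a file inventory (or a list of paths from EDR file-creation events) and review any key that comes back; the path checks are exact to the write-up, so affiliates who change the staging or agent directory will only be caught by the ransom note and extension logic.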
In late April 2026 a Canadian security firm published a decryptor for The Gentlemen ransomware. In response, The Gentlemen stated they had already applied a patch to their ransomware binary. The speed of their response highlights the effort RaaS groups put into monitoring cyber security research as a way to protect their revenue. Publicly available decryption keys are often very short-lived as a result.
Extortion
The Gentlemen ransomware group publishes victim details on its dark web leak site as part of a dual‑extortion strategy, applying pressure through the threat of data exposure alongside demands for a decryption tool. Victims are instructed to communicate with the group via the Tox messaging platform, which is commonly used by threat actors for secure communications. Our threat intelligence indicates that the group reviews sensitive financial data contained within the exfiltrated material to inform and tailor the ransom demands.
*All data courtesy of e.crime.ch. Data is from the period Sept 2025 to April 2026, is based on victims posted to the threat actor’s leak site, and is therefore unlikely to be comprehensive of all victims.