‘The Gentlemen’: A Rising Ransomware Threat Moving Up the Ranks
More Than 320 Victims Already, With 240 Attacks Recorded in 2026 Alone
Most ransomware outfits that appear with noise vanish within months. “The Gentlemen” are breaking that mould.
Emerging in mid‑2025, they have scaled at a pace reminiscent of LockBit 3’s early years—widely regarded as the benchmark for RaaS operations. By April 2026, they had listed more than 320 victims on their leak site, 240 of them in the first few months of this year alone. Those figures only represent organisations that refused to pay; the true number of victims is almost certainly higher.
Check Point Research has tracked the group since its inception. Their latest analysis—including insights from an active incident response case and direct access to an attacker‑controlled server—explains why this operation is expanding so quickly and what it means for enterprise defenders.
Why They’re Growing: Economics That Appeal to Criminals
The RaaS model is straightforward: operators provide the tools and infrastructure, affiliates execute the attacks, and ransom proceeds are split.
“The Gentlemen” offer affiliates 90% of ransom payments, compared with the 80% typical elsewhere. In a criminal ecosystem driven by profit, that extra 10% is enough to attract experienced operators from established programmes. These affiliates bring with them proven skills, existing access to corporate networks, and a track record of successful breaches.
The group’s growth is not due to novel techniques. Their methods are familiar. What sets them apart is a more enticing business model and a platform capable of supporting a large, expanding affiliate base across Windows, Linux, and ESXi environments.
Who The Gentlemen Target
The Gentlemen’s attacks are opportunistic rather than highly targeted. They scan for organisations with exposed, vulnerable internet‑facing infrastructure—VPNs, remote access gateways, firewall portals—and exploit those weaknesses.
Manufacturing and technology companies dominate the victim list, consistent with broader ransomware trends. More striking is the rise of healthcare as their third most targeted sector. Unlike some groups that avoid hospitals, “The Gentlemen” show no sign of restraint.
Geographically, the United States accounts for the largest share of victims, followed by the UK and Germany. This pattern is confirmed both by the group’s leak site and independent telemetry from an affiliate’s server.
Inside an Attacker’s Server
During an incident response engagement, CPR investigators uncovered infrastructure linked to a far larger operation than a single case implied. Access to a command‑and‑control server revealed a botnet of more than 1,570 likely corporate victims—systems already compromised and awaiting further action.
This matters for two reasons. First, it surpasses the group’s own public victim count, suggesting their true scale is significantly greater. Second, the nature of the victims—enterprise systems, domain‑joined machines, corporate credentials—confirms this is not consumer‑level opportunism. These are organisations, and their data was likely already staged for exfiltration.
Speed as Their Defining Trait
In the incident CPR examined, the attacker already had domain‑level administrative access. From there, the intrusion escalated rapidly: credential validation across the environment, lateral movement to dozens of hosts, disabling of security tools, and finally a domain‑wide ransomware deployment via Group Policy, encrypting every connected machine simultaneously.
This speed and coordination reflect a refined playbook. Affiliates are not improvising; they are following a tested process designed to maximise damage before defenders can react.
Defensive Priorities for Security Leaders
“The Gentlemen” are not exploiting exotic zero‑days. Their entry points are overwhelmingly unpatched or misconfigured internet‑facing devices—vulnerabilities defenders have long been urged to prioritise.
The fundamentals remain critical:
- Patch internet‑facing infrastructure first. VPNs, firewalls, and remote access gateways must be treated with urgency.
- Assume credential compromise. Multi‑factor authentication and privileged access controls are essential.
- Test backup and recovery. Isolated, functioning backups are the most effective safeguard against ransomware impact.
- Monitor for lateral movement. Detection at this stage offers the best chance to disrupt an attack.
- Segment networks. Limiting domain controller reach reduces the blast radius of a successful intrusion.
The Bigger Picture
The rise of “The Gentlemen” underscores a structural shift in the ransomware ecosystem. Launching a professional RaaS operation no longer requires groundbreaking innovation. A compelling revenue split, a competent locker, and a leak site are enough to attract affiliates with their own access and expertise.
The operation’s success demonstrates that scale and economics—not technical novelty—are driving the next wave of ransomware.



