The Gentlemen Ransomware
Description
Emerging in mid-2025, The Gentlemen is a cybercriminal group that breaks into company networks, steals sensitive data, and encrypts the victims' files. The group then demands a ransom to recover the encrypted files, with the added threat that it will publish the stolen data online if the company refuses to pay, a strategy commonly known as "double extortion". The group is speculated to operate out of Russian-speaking regions because the operators prohibit targeting organizations in Russia and other Commonwealth of Independent States (CIS) countries. As of early 2026, their data leak site lists more than 200 victim organizations in over 50 countries, spanning every major continent. These victims represent over 20 industries, including vital areas such as energy, government, and healthcare services. The Gentlemen publicly advertises its tools on underground criminal forums, operating what looks like a Ransomware-as-a-Service (RaaS) program and promising affiliates a generous 90% cut of the profits. However, feedback on the reality of their business model is mixed. Given the high level of precision and operational discipline seen in their attacks, there are questions about whether the group runs a traditional RaaS model. This has led to speculation that the group is instead a small, highly coordinated team conducting the attacks directly.
Aliases
- The Gentlemen
- Gentlemen
Common Vulnerabilities and Exposures
Targeted Industries
- Agriculture
- Business Services
- Construction
- Consumer Services
- Education
- Energy
- Finance
- Government
- Healthcare Services
- Holding Companies & Conglomerates
- Hospitals & Physicians Clinics
- Hospitality
- Insurance
- Law Firms & Legal Services
- Manufacturing
- Media & Internet
- Organizations
- Real Estate
- Retail
- Software
- Telecommunications
- Transportation
Objectives
Financial Gain
Known Tools Used
- Advanced IP Scanner
- AnyDesk
- ICACLS
- Nmap
- PowerRun
- PowerShell
- PsExec
- PuTTY
- Windows Management Instrumentation (WMI)
- WinSCP
Known Infection Vectors
- Compromised Credentials
- Exploitation of Public-Facing Applications
- Phishing
- Remote Desktop Protocol (RDP) Access
- VPN Access Abuse