Who Are The Gentlemen?
Despite the impeccably polite name, there is nothing polite or refined about this particular gang of cybercriminals.
In little more than a year, The Gentlemen has gone from relative obscurity to becoming one of the most active ransomware operations on the planet.
First surfacing in mid-2025, The Gentlemen is a ransomware-as-a-service (RaaS) operation that appears to have splintered away from the notorious Qilin ransomware group.
How Come They Broke Away from Qilin?
It seems that the founders of The Gentlemen previously operated as a Qilin affiliate known as ArmCorp, but split from them in July 2025, accusing Qilin's operators of withholding approximately US $48,000 in unpaid commission.
How Concerned Should I be About The Gentlemen?
What is clear is that The Gentlemen ransomware group is an active cybercriminal gang that has grown alarmingly fast. In the first half of 2026 alone, The Gentlemen claimed more than 300 victims — accounting for roughly one in ten of all ransomware claims worldwide during that period, and placing the group second only to Qilin, and ahead of long-established names like Cl0p, LockBit and RansomHub.
This week The Gentlemen gang has threatened to leak sensitive data from Indra, a NATO defence contractor, which it claims to have compromised.
Are There Any Particular Industry Sectors or Countries Being Hit by The Gentlemen?
More than 60 countries across every continent have seen attacks from the group, and over 20 industries - including healthcare, energy, government, manufacturing, transportation, education and financial services.
Interestingly and unusually, the single most-targeted country is Thailand, followed by the USA, France, and Brazil.
Okay, So It's a Worldwide Problem. How Do the Attackers Break In?
The Gentlemen group's favoured method of gaining access to corporate networks is through exposed edge devices (Fortinet and Cisco appliances have been popular targets), unpatched VPNs, internet-facing RDP, and remote management tools.
The attackers lean heavily on login credentials harvested by info-stealing malware or purchased from initial access brokers. This means they can log into systems using valid usernames and passwords rather than having to exploit zero-day vulnerabilities.
Once they have gained access, the hackers use "living off the land" (LOTL) techniques to blend in with normal network traffic, including using legitimate administrative tools such as AnyDesk and PsExec.
Is There Anything Which Makes The Gentlemen's Ransomware Particularly Notable?
Several things set The Gentlemen's malware apart.
It is cross-platform, capable of working on Windows, Linux, ESXi, NAS and BSD environments.
It spreads quickly, self-propagating aggressively across networks in an attempt to compromise as much as possible before the IT teams of corporate victims notice.
One of the ways that you will know that it is The Gentlemen group which has compromised your network is that they will leave a ransom note called README-GENTLEMEN.txt and change your desktop wallpaper.
And I Presume It's the Usual Deal? They Steal Your Data, and Then Threaten to Publish It If a Ransom Goes Unpaid?
Yup. It's a familiar story.
It's not just The Gentlemen's ransomware victims who have suffered leaks, though...
What Do You Mean?
In May 2026, the group's own internal chats were leaked, exposing some of The Gentlemen's negotiation tactics.
The leaked chats also showed the gang turning one victim against another. Data stolen from a UK software consultancy was used to attack one of its clients in Turkey. The Gentlemen then offered the Turkish company "proof" that the breach had originated with the consultancy, and encouraged it to take legal action against them.
Charming. How Do I Protect My Business?
There is no single silver bullet, but the fundamentals go a long way in protecting against attacks that rely so heavily on well-known weaknesses:
- Assume your firm's login credentials may already be for sale - monitor for and reset exposed passwords.
- Ensure that your VPNs, firewalls, and other internet-facing appliances are configured properly and fully updated with the latest security patches.
- Take RDP off the public internet, and lock down remote management tools.
- Enforce multi-factor authentication everywhere, especially on VPNs and remote access.
- Watch for the legitimate tools attackers like The Gentlemen commonly use — AnyDesk, PsExec, WinSCP and unexpected Group Policy changes can all be early warning signs.
- Keep secure, offline, tested backups which can help you get back up and running without having to pay a ransom.
- Have an incident response plan ready, and ensure you have rehearsed it in advance.
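A small triage script, added here as an illustration and not code from Fortra or from any vendor, that turns the warning signs named above (AnyDesk, PsExec, WinSCP, unexpected Group Policy changes) and the README-GENTLEMEN.txt calling card into findings over a few constructed log lines. The JSON-lines schema, field names, hostnames and users are assumptions made for the example.

```python
import json

# Indicators the article names: "living off the land" tools and the ransom-note filename.
LOTL_TOOLS = {"anydesk.exe", "psexec.exe", "psexesvc.exe", "winscp.exe"}
RANSOM_NOTE = "readme-gentlemen.txt"

# Constructed sample events in an assumed JSON-lines schema (one object per line).
SAMPLE_LOG = r"""
{"ts":"2026-05-02T01:12:09Z","host":"FS01","event":"process_start","image":"C:\\Windows\\PSEXESVC.exe","user":"CORP\\svc_backup"}
{"ts":"2026-05-02T01:13:40Z","host":"FS01","event":"process_start","image":"C:\\Users\\Public\\AnyDesk.exe","user":"CORP\\svc_backup"}
{"ts":"2026-05-02T01:20:03Z","host":"DC01","event":"gpo_change","object":"{constructed-guid}","user":"CORP\\svc_backup"}
{"ts":"2026-05-02T02:05:51Z","host":"FS01","event":"file_create","path":"D:\\Shares\\Finance\\README-GENTLEMEN.txt","user":"CORP\\svc_backup"}
{"ts":"2026-05-02T09:00:00Z","host":"WS42","event":"process_start","image":"C:\\Program Files\\WinSCP\\WinSCP.exe","user":"CORP\\alice"}
"""

def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def basename(path):
    """Lower-cased final path component; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events):
    """Return {host: [(severity, reason), ...]} for the indicators above."""
    findings, tools_per_host = {}, {}
    for ev in events:
        host, kind = ev["host"], ev["event"]
        if kind == "process_start" and basename(ev["image"]) in LOTL_TOOLS:
            name = basename(ev["image"])
            tools_per_host.setdefault(host, set()).add(name)
            findings.setdefault(host, []).append(("medium", f"LOTL tool {name} run by {ev['user']}"))
        elif kind == "file_create" and basename(ev["path"]) == RANSOM_NOTE:
            # The note is dropped during encryption: treat as active ransomware, not reconnaissance.
            findings.setdefault(host, []).append(("critical", f"ransom note dropped at {ev['path']}"))
        elif kind == "gpo_change":
            findings.setdefault(host, []).append(("medium", f"Group Policy object changed by {ev['user']}"))
    # Escalate when two or more different remote-admin tools appear on a single host.
    for host, tools in tools_per_host.items():
        if len(tools) >= 2:
            findings[host].append(("high", "multiple remote-admin tools on one host: " + ", ".join(sorted(tools))))
    return findings

def highest_severity(findings):
    """Numeric worst-case severity across all hosts (0 = nothing found)."""
    rank = {"medium": 1, "high": 2, "critical": 3}
    return max((rank[sev] for fs in findings.values() for sev, _ in fs), default=0)

if __name__ == "__main__":
    for host, items in triage(parse_events(SAMPLE_LOG)).items():
        for sev, reason in items:
            print(f"{host:5} {sev:8} {reason}")
```

A single WinSCP launch by a normal user during office hours is only a medium signal; the script is built to escalate on the combination the article describes (several admin tools on one host, a Group Policy change, then the note).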
Cybercrime Intelligence Shouldn't Be Siloed
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.