Full Report
Executive Summary
The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025 and rapidly scaled into a high-volume threat actor. Rather than a wholly new group, it appears to be a continuation or reorganization of prior ransomware affiliate activity, with links to the Qilin ecosystem and the Russian-speaking actor "hastalamuerte". Its rapid growth likely reflects existing ransomware experience, established affiliate relationships, and access to resources.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
- **Identification:** An active ransomware-as-a-service (RaaS) and extortion operation.
- **Aliases/Associations:**
- Linked to the **Qilin** ransomware ecosystem (emerged from prior affiliate activity).
- Reportedly managed by a Russian-speaking actor known as **"hastalamuerte"**.
- **Status:** High-volume threat actor characterized by rapid scaling and operational maturity.
## Activity Summary
- **Emergence:** Publicly active in the second half of 2025.
- **Recent Campaigns:** Rapidly expanded in 2026, with telemetry showing presence in over 1,570 enterprise environments.
- **Incident Volume:** While 692 victims were publicly listed on their "shame site" in 2026, data suggests many more victims may have paid or remain undisclosed.
- **Current Trends:** Recent underground activity indicates attempts to sell data allegedly connected to The Gentlemen's operations (currently unverified).
## Tactics, Techniques & Procedures
- **Initial Access:** Abuse of exposed remote access infrastructure, compromised credentials (VPN/firewall abuse), and purchasing access from Initial Access Brokers (IABs) or stealer logs.
- **Reconnaissance & Lateral Movement:** Internal network reconnaissance, Active Directory mapping, and enumeration of reachable hosts.
- **Evasion:** Disabling of security tools and antivirus software.
- **Execution:** Use of a **Go-based** Windows locker that requires a password parameter to execute; without it the sample does not run, which hinders automated sandbox analysis.
- **Command & Control:** Use of **SystemBC** proxy infrastructure for command and control and persistence.
- **Extortion:** Double extortion model (encryption + data theft/leakage). Uses configurable encryption (full vs. partial/intermittent) to speed up the process.
- **Pre-Encryption Actions:** Stops processes and services related to databases, backups, and virtualization (ESXi) before encryption begins, so that files those services hold open can be encrypted.
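The pre-encryption process termination described above is one of the few behaviours in this chain that is observable before data is lost. The following is an added example (not from the report and not the actor's tooling) of a detection that flags a host terminating several database, backup, or virtualization processes within a short window. The log line format, host names, and the process names grouped under each category are constructed for illustration and are assumptions; substitute your EDR's process-termination telemetry and your own inventory of sensitive services.

```python
"""Burst detection for pre-encryption process termination.

Added example, not from the report: alert when one host kills several
database, backup, or virtualization processes inside a short window,
the pattern described before the locker runs. Log format and the
process names per category are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed examples of processes in the categories the report names;
# replace with the services actually present in your estate.
SENSITIVE_PROCESSES = {
    "database": {"sqlservr.exe", "mysqld.exe", "postgres.exe", "oracle.exe"},
    "backup": {"veeam.backup.service.exe", "vssvc.exe", "agntsvc.exe"},
    "virtualization": {"vmware-vmx.exe", "vmms.exe", "vmx", "hostd"},
}


def categorize(process_name):
    """Return the sensitive category of a process name, or None."""
    name = process_name.lower()
    for category, names in SENSITIVE_PROCESSES.items():
        if name in names:
            return category
    return None


def parse_line(line):
    """Parse a constructed log line: '<ISO ts> <host> <actor> killed <target>'."""
    ts, host, actor, verb, target = line.split()
    if verb != "killed":
        raise ValueError(f"unexpected verb in line: {line!r}")
    return datetime.fromisoformat(ts), host, actor, target


def detect_kill_bursts(lines, window=timedelta(seconds=60),
                       min_kills=3, min_categories=2):
    """Return one alert per host whose sensitive-process kills exceed
    min_kills across at least min_categories within `window`."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, actor, target = parse_line(line)
        category = categorize(target)
        if category:  # ignore kills of non-sensitive processes
            per_host[host].append((ts, actor, target, category))

    alerts = []
    for host, events in per_host.items():
        events.sort()
        # Slide a window starting at each event; first hit is enough.
        for i, (start, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            categories = {e[3] for e in in_window}
            if len(in_window) >= min_kills and len(categories) >= min_categories:
                alerts.append({
                    "host": host,
                    "start": start,
                    "kills": [e[2] for e in in_window],
                    "categories": sorted(categories),
                    "actors": sorted({e[1] for e in in_window}),
                })
                break
    return alerts


# Constructed sample telemetry: srv-db01 shows the burst, srv-app02 shows
# two routine service restarts hours apart that must not alert.
SAMPLE_LOG = [
    "2026-03-04T02:11:05 srv-db01 taskkill.exe killed sqlservr.exe",
    "2026-03-04T02:11:06 srv-db01 taskkill.exe killed mysqld.exe",
    "2026-03-04T02:11:09 srv-db01 net.exe killed veeam.backup.service.exe",
    "2026-03-04T02:11:12 srv-db01 taskkill.exe killed vmms.exe",
    "2026-03-04T02:11:20 srv-db01 explorer.exe killed notepad.exe",
    "2026-03-03T23:00:00 srv-app02 services.exe killed sqlservr.exe",
    "2026-03-04T09:30:00 srv-app02 services.exe killed sqlservr.exe",
]

if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_LOG):
        print(alert)
```

The category requirement is what keeps this quiet: a DBA restarting a database kills one category repeatedly, while the ransomware pattern hits databases, backups, and hypervisor services together. Tune `window` and thresholds against a week of your own baseline before enabling it as a blocking response.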
## Targeting
- **Sectors:** Industrial and infrastructure-adjacent organizations are a high priority, alongside general enterprise environments.
- **Geography:** Global footprint; high-volume reach across enterprise environments.
- **Platforms:** Supports attacks against Windows, Linux, NAS, BSD, and VMware ESXi systems.
## Tools & Infrastructure
- **Malware:**
- The Gentlemen Ransomware (Go-based).
- Support for multiple operating systems and platforms (Windows, Linux, BSD, ESXi, NAS).
- **Communication/C2:**
- **SystemBC** proxy infrastructure.
- Public leak portal/shame site.
- Social Media: Active account on X (formerly Twitter).
- **Ransom Notes:** `README-GENTLEMEN.txt`
- **File Extensions:** `.7mtzhh`, `.ojuopo`, and variable six-character extensions.
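The ransom note name and file extensions listed above are the artifacts a responder can hunt for on file shares, NAS volumes, and ESXi datastores. The following is an added example (not from the report) that correlates them per directory: a ransom note next to renamed files is treated as confirmed, a note or a known extension alone as likely, and unknown six-character extensions are only surfaced when several cluster in one directory. The sample paths are constructed; the assumption that the variable six-character extensions are lowercase alphanumeric (like the two listed samples) and the small benign-extension suppression list are both assumptions, not report findings.

```python
"""Per-directory triage of The Gentlemen file artifacts.

Added example, not from the report: correlate the ransom note name and
encrypted-file extensions the report lists. The six-character regex and
the benign-extension list are assumptions; sample paths are constructed.
"""
import re
from collections import defaultdict
from pathlib import PurePosixPath

RANSOM_NOTE = "README-GENTLEMEN.txt"       # from the report
KNOWN_EXTENSIONS = {".7mtzhh", ".ojuopo"}  # from the report
# Assumption: variable six-character extensions are lowercase alphanumeric.
SIX_CHAR_EXT = re.compile(r"^\.[a-z0-9]{6}$")
# Assumed suppression list of legitimate six-character extensions.
BENIGN_SIX_CHAR = {".config", ".sqlite", ".backup"}


def classify_file(path):
    """Return 'note', 'known_ext', 'suspect_ext', or None for one path."""
    p = PurePosixPath(path)
    if p.name == RANSOM_NOTE:
        return "note"
    ext = p.suffix.lower()
    if ext in KNOWN_EXTENSIONS:
        return "known_ext"
    if SIX_CHAR_EXT.match(ext) and ext not in BENIGN_SIX_CHAR:
        return "suspect_ext"
    return None


def triage(paths, min_suspect_cluster=3):
    """Map directory -> (verdict, counts) for directories worth attention.

    confirmed: ransom note plus renamed files in the same directory
    likely:    ransom note alone, or a known extension without a note
    review:    >= min_suspect_cluster unknown six-character extensions
    A lone unknown six-character extension is treated as noise.
    """
    per_dir = defaultdict(lambda: {"note": 0, "known_ext": 0, "suspect_ext": 0})
    for path in paths:
        kind = classify_file(path)
        if kind:
            per_dir[str(PurePosixPath(path).parent)][kind] += 1

    results = {}
    for directory, counts in per_dir.items():
        if counts["note"] and (counts["known_ext"] or counts["suspect_ext"]):
            verdict = "confirmed"
        elif counts["note"] or counts["known_ext"]:
            verdict = "likely"
        elif counts["suspect_ext"] >= min_suspect_cluster:
            verdict = "review"
        else:
            continue
        results[directory] = (verdict, dict(counts))
    return results


# Constructed sample listing: two hit directories, one benign app
# directory, and one lone odd extension that should stay quiet.
SAMPLE_PATHS = [
    "/mnt/share/finance/README-GENTLEMEN.txt",
    "/mnt/share/finance/q1-budget.xlsx.7mtzhh",
    "/mnt/share/finance/payroll.csv.7mtzhh",
    "/mnt/share/hr/contracts.zip.ab12cd",
    "/mnt/share/hr/photo.jpg.ab12cd",
    "/mnt/share/hr/README-GENTLEMEN.txt",
    "/opt/app/settings.config",
    "/opt/app/data.sqlite",
    "/home/user/notes.txt",
    "/home/user/weird.file.qz9x1p",
]

if __name__ == "__main__":
    for directory, (verdict, counts) in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{verdict:9} {directory} {counts}")
```

Feed it a recursive listing (`find / -type f` on Linux or a NAS, or a datastore listing from an ESXi host) rather than walking live during an incident, so the triage runs from a copy and does not itself churn the filesystem being preserved.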
## Implications
- **High Volume:** The high victim count suggests a structural, well-resourced operation rather than episodic campaigns.
- **Strategic Continuity:** The evolution from the Qilin ecosystem implies the group has access to established playbooks and affiliate networks.
- **High Impact:** Targeting of ESXi and NAS environments enables the group to disrupt entire server estates with minimal lateral movement.
- **Data Risk:** Even with system restoration, the group's focus on data theft presents long-term regulatory and reputational risks.
## Mitigations
- **Identity Security:** Implement robust MFA and strict identity controls to mitigate credential-based access.
- **Infrastructure Hardening:** Secure and patch internet-facing remote access services (VPNs, firewalls).
- **Segmentation:** Improve network segmentation to limit lateral movement and protect Active Directory.
- **Backup Resilience:** Maintain immutable, offline backups specifically for virtualization platforms (ESXi).
- **Monitoring:** Implement dark web monitoring for credential leaks and early warning signs of data exposure.
- **Detection:** Monitor for unauthorized use of administrative tools and for the deployment of proxy tools such as SystemBC.