Full Report
A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). According to a detailed report
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
- **Primary Name:** The Gentlemen
- **Tracking Designations:** Phantom Mantis (PRODAFT), ArmCorp
- **Known Aliases (Leader):** LARVA-368, hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte.
- **Attribution:** Alexander Andreevich Yapaev (Япаев Александр Андреевич), a 36-year-old individual from Izhevsk, Russia.
- **Associated Groups:**
  - **Former Affiliate of:** LockBit (Tenacious Mantis), Qilin (Pestilent Mantis), and Medusa (Venomous Mantis).
  - **Historical Precursor:** Embargo (Primeval Mantis).
  - **Sub-Personas:** **The Gentlemen Data** (technical support/communication) and **LARVA-367** (aka DevMan).
## Activity Summary
The Gentlemen operation has been active since at least March 2025. It initially operated as a high-volume affiliate group (Phantom Mantis) within major RaaS ecosystems. Following a payment dispute with the Qilin (Pestilent Mantis) group in mid-2025—where the leader accused Qilin of an "exit scam"—the group pivoted to become an independent "partnership program" (RaaS) in July 2025. By April 2026, the group accounted for approximately 10% of all recorded ransomware activity.
## Tactics, Techniques & Procedures
- **Double Extortion:** Exfiltrates sensitive data before encrypting systems to leverage against victims.
- **Worm-like Propagation:** Capabilities allow the ransomware to spread autonomously across networks.
- **AI-Driven Development:** Heavy reliance on Artificial Intelligence for developing/maintaining malware code and assisting in post-exploitation procedures.
- **Initial Access:** Exploitation of vulnerable internet-facing services (e.g., Fortigate flaws) and use of stolen credentials.
- **BYOVD (Bring Your Own Vulnerable Driver):** Utilizes vulnerable drivers to terminate security software and escalate privileges.
- **Cross-Platform:** Employs lockers capable of targeting multiple operating systems.
- **Disinformation:** Known to spread rumors about competitors in order to recruit affiliates and damage rival RaaS reputations.
## Targeting
- **Sectors:** Enterprise-focused; victims span a range of industries, with an emphasis on high-value corporate environments and exposed internet-facing infrastructure.
- **Geography:** International reach; the operation originates from Russia.
- **Victims:** 478 confirmed victims since March 2025.
## Tools & Infrastructure
- **Malware:**
  - The Gentlemen Ransomware (independent locker)
  - LockBit, Qilin, and Medusa variants (historical)
- **Infrastructure:**
  - Affiliate panels for tracking victims and managing negotiations.
  - Premium accounts on underground forums for recruitment.
  - Specialized communication channels managed by "The Gentlemen Data."
- **Defanged Links Mentioned:**
  - hxxps[://]ransomware[.]live/group/thegentlemen
  - hxxps[://]thehackernews[.]com/p/submit-news[.]html
## Implications
The group represents a significant evolution in the cybercrime landscape where a former high-performance affiliate successfully transitions into a standalone RaaS entity. Their use of AI for malware development suggests an increased tempo in code iteration and "bug-fixing," making them more adaptive than traditional actors. Their shift toward independence reduces their reliance on external infrastructure, making them harder to disrupt through third-party takedowns of larger RaaS brands.
## Mitigations
- **Vulnerability Management:** Prioritize patching of internet-facing services, particularly VPNs and firewalls (e.g., Fortigate).
- **Credential Hygiene:** Implement Multi-Factor Authentication (MFA) to mitigate access via stolen credentials.
- **EDR/XDR Hardening:** Monitor for the "Bring Your Own Vulnerable Driver" (BYOVD) technique by blocking known vulnerable drivers (e.g., via Microsoft's driver blocklist).
- **Network Segmentation:** Implement micro-segmentation to halt the "worm-like" lateral movement or propagation of the ransomware.
- **Offline Backups:** Maintain immutable, offline backups to recover from double-extortion and encryption events.
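The BYOVD hardening item above becomes actionable with a detection check. As an added example (not from the report or the vendor's own tooling), the following Python flags driver-load records that fit the BYOVD pattern: a validly signed driver loaded from a user-writable path, an invalid signature, or a hash on a blocklist. Field names follow Sysmon Event ID 6 (ImageLoaded, Hashes, SignatureStatus); the sample records and the blocklist hash are constructed placeholders.

```python
"""Flag Sysmon Event ID 6 (Driver loaded) records that fit the BYOVD pattern.
Added example, not from the report; events and hashes are constructed placeholders.
In production, feed real records and a real list (e.g. Microsoft's vulnerable driver blocklist)."""
import re

# Constructed placeholder blocklist: NOT real indicators.
BLOCKLIST_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
# A validly signed driver loaded from a user-writable path is the classic BYOVD tell.
TRUSTED_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)

def parse_event(line):
    """Parse a flattened 'Key=Value|Key=Value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)

def sha256_of(hashes_field):
    """Pull the SHA256 out of Sysmon's 'SHA1=...,SHA256=...' Hashes field."""
    for part in hashes_field.split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].upper()
    return None

def assess(event):
    """Return the reasons a driver load looks suspicious (empty list if none)."""
    reasons = []
    if not TRUSTED_DIR.match(event.get("ImageLoaded", "")):
        reasons.append("loaded outside System32\\drivers")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    if sha256_of(event.get("Hashes", "")) in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    return reasons

def scan(lines):
    """Return {ImageLoaded: reasons} for every record with at least one reason."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings

# Constructed sample records (not real telemetry). The second one is the BYOVD case:
# validly signed, yet dropped to a user path and present on the blocklist.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Hashes=SHA1=X1,SHA256=CONSTRUCTED_CLEAN_HASH|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\tools\drv.sys|Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER|SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\System32\drivers\odd.sys|Hashes=SHA256=CONSTRUCTED_OTHER_HASH|SignatureStatus=Unavailable",
]
FINDINGS = scan(SAMPLE_EVENTS)  # two of the three constructed records are flagged
```

Note that the hash match alone is not sufficient in practice: the driver in the second record carries a valid signature, which is exactly why BYOVD works, so the path and blocklist checks must run regardless of signature status.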