INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
The Gentlemen | 2026-05-11 09:59 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The Gentlemen is a ransomware-as-a-service (RaaS) program that went from zero posted victims in August 2025 to 166 in Q1 2026, third place on the global ransomware list. Leaked internal chats describe initial access through Fortinet and Cisco edge appliances, NTLM relay and OWA/M365 credential logs, and the group uses stolen data as leverage: in a high-profile April 2026 attack on a software consultancy from the United Kingdom, its main operator drafted a ransom demand detailing customer infrastructure data, secrets and OAuth credentials the group claimed to have exfiltrated. The operators advertise the service across underground forums and invite penetration testers and other technically skilled actors to join as affiliates. With over 320 public victims in 2026 alone, The Gentlemen is among the most productive RaaS operations that maintain a public data leak site (DLS).
Technical Mitigations
* Harden and patch internet-facing edge appliances: the leaked chats name Fortinet and Cisco edge appliances as initial access paths and show the group tracking CVE-2024-55591 (FortiOS/FortiProxy authentication bypass), CVE-2025-32433 (Erlang/OTP SSH pre-authentication RCE, which also affects network products that embed Erlang/OTP) and CVE-2025-33073 (Windows SMB client NTLM reflection). Patch, keep management interfaces off the internet, and review appliance administrator accounts for additions you did not make.
* Block NTLM relay: require SMB signing on clients and servers, enable LDAP signing and channel binding on domain controllers, restrict or disable NTLM where possible, and apply the Windows updates for CVE-2025-33073.
* Protect mail and identity: the chats mention OWA/M365 credential logs, and the operator created a backdoor Okta service account during one intrusion. Enforce phishing-resistant MFA on OWA/M365 and Okta, and alert on newly created service accounts, API tokens and admin-role grants that do not match a change ticket or your provisioning integration.
* Expect EDR evasion: the upgraded locker removes hardware breakpoints, unhooks NTDLL and patches ETW, and affiliates trade EDR-kill packages. Use EDR with kernel-level tamper protection, alert on ETW provider or session stops and on unexpected driver loads, and do not rely solely on user-mode hooks.
* Limit lateral spread: the locker spreads through Group Policy (GPO). Restrict who can edit GPOs, audit Directory Service changes and SYSVOL writes, and tier administrative accounts so a single compromised admin cannot push a GPO to every host.
* Hunt for known tooling and artifacts: SystemBC (one affiliate's command-and-control server exposed more than 1,570 victims), the SHA-256 hashes in the Indicators of Compromise table, the YARA rule, the ransom note README-GENTLEMEN.txt and the wallpaper gentlemen.bmp.
* Keep offline, tested backups and plan for extortion, not just encryption: in one leaked negotiation the group anchored at 250,000 USD and received 190,000 USD, and its leverage is stolen data, so restoring from backup does not remove the pressure to pay.
These mitigations map to the initial access, identity, evasion and spread techniques documented in this report rather than to generic ransomware advice.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
* Campaigns: Operation Cronos
* Groups and malware: Embargo, Conti, SystemBC, Qilin, Black Basta
* CVEs: CVE-2025-32433, CVE-2025-33073, CVE-2024-55591, CVE-2025-61882
Target & Sectors
* Regions: ASEAN, North America, Five Eyes, DACH
* Sectors: healthcare, manufacturing, legal
Incident Timeline
2023 to early 2024
LockBit was the most dominant ransomware-as-a-service (RaaS) operation globally until its takedown in early 2024 (Operation Cronos, listed in the metadata above).
Q1 2024
The low point of the current cycle: 977 victims posted on data leak sites (DLS) across 51 active groups, with the top 10 groups holding a 68% share of victims.
Context from the source:
* In Q1 2026, the top 10 groups accounted for 71.1% of all DLS-posted victims, the highest concentration since Q1 2024, when the ecosystem was far smaller.
* Q1 2026 represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record, 117% above Q1 2024 (977 victims), in line with the elevated baseline established through 2025.
* After two years of steady fragmentation, during which the number of active groups grew from 51 in Q1 2024 to a peak of 85 in Q3 2025 and the top-10 share of victims fell from 68% to 57%, the ecosystem has decisively reversed course.
Q1 2025
Cl0p's Cleo mass-exploitation campaign contributed approximately 390 victims in a single burst, inflating the quarter to 2,285 posted victims.
Context from the source:
* The headline year-over-year (YoY) comparison shows a 7.1% decline in Q1 2026 from the 2,285 victims in Q1 2025. That comparison is misleading, because the Q1 2025 numbers were heavily inflated by Cl0p's Cleo mass-exploitation campaign, which contributed approximately 390 victims in a single burst.
* Excluding Cl0p from both periods, there were 1,894 victims in Q1 2025 versus 1,995 in Q1 2026, an actual YoY increase of 5.3%.
Q3 2025
Peak fragmentation: 85 active groups and a top-10 share of 57%. Qilin ran a financial-sector campaign against 30 South Korean organizations.
Context from the source:
* Q1 2026 data confirms that Qilin's Q3 2025 financial sector campaign targeting 30 South Korean organizations was a one-off event rather than a sustained targeting shift.
* The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025.
Q4 2025
All-time record quarter of 2,416 DLS-posted victims. The Gentlemen posted 40 victims and LockBit sat outside the top 10. Fourteen groups active this quarter disappeared entirely by Q1 2026, while 21 new names appeared.
Context from the source:
* The Gentlemen is the breakout story of Q1 2026, reaching third place on the global ransomware list and increasing its victim count from 40 in Q4 2025 to 166 in Q1 2026 (an increase of 315%).
* LockBit 5.0: Making a Comeback. LockBit posted 163 victims in Q1 2026 (an increase of 106% compared to Q4 2025), climbing from outside the top 10 to fourth place globally. The result is a nearly 30-percentage-point (pp) drop in the share of US-based victims among LockBit's total, despite the overall 106% increase in victims compared to Q4 2025.
* DragonForce: The Cartel Model Under Pressure. DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March.
* Q1 2026 represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record, 117% above Q1 2024 (977 victims), in line with the elevated baseline established through 2025.
* Fourteen groups that were active in Q4 2025 disappeared entirely, while 21 new names appeared.
July 2025
Devman is referenced by the source in connection with the DragonForce cartel model; this page carries no further detail.
August 2025
The Gentlemen had zero posted victims. Going from zero victims in August 2025 to 166 in Q1 2026, the group achieved third place globally through a combination of pre-existing access stockpiles, aggressive geographic diversification, and a deliberate rejection of the traditional US-centric targeting model.
September 2025
The Gentlemen launched its RaaS program, advertising and promoting it with the TOX ID 98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3. The same month, LockBit 5.0 was officially launched on the RAMP underground forum.
Context from the source:
* The 14,700-device inventory likely predates the group's September 2025 launch.
* The new LockBit 5.0 was officially launched on the RAMP underground forum in September 2025, coinciding with the sixth anniversary of the operation.
* Based on the 412 public victims currently listed on the data leak site (DLS), and considering that there are likely additional victims who paid and were therefore not published, the analysts identified 29 unique campaigns in public sources such as VirusTotal.
Q1 2026
LockBit 5.0 posted 163 victims, climbing from outside the top 10 to fourth place globally; The Gentlemen posted 166 and took third place.
Context from the source:
* Going from zero victims in August 2025 to 166 in Q1 2026, The Gentlemen achieved third place globally through a combination of pre-existing access stockpiles, aggressive geographic diversification, and a deliberate rejection of the traditional US-centric targeting model.
* In Q1 2026, US victims represented just 21.2% of LockBit's total, with Italy (8.6%), Brazil (8.6%), and Turkey (5.1%) picking up the slack.
* The geographic distribution of ransomware victims overall in Q1 2026 maintains the fundamental pattern established over previous quarters: the United States accounts for just under half of all reported cases (49.6%), with Western developed economies making up the clear majority of targets.
Source report: The State of Ransomware – Q1 2026.
Key Findings
* Consolidation after peak fragmentation: the top 10 ransomware groups accounted for 71% of all Q1 2026 victims (71.1% of DLS-posted victims), a sharp reversal from the fragmentation seen in Q3 2025 and the highest concentration since Q1 2024, when the ecosystem was far smaller. Qilin alone posted more victims than the combined output of the bottom 50 groups.
* The Gentlemen is the breakout story of Q1 2026, reaching third place on the global ransomware list and increasing its victim count from 40 in Q4 2025 to 166 in Q1 2026.
* LockBit 5.0 comeback confirmed: LockBit posted 163 victims in Q1 2026 (an increase of 106% compared to Q4 2025), climbing from outside the top 10 to fourth place globally.
Ransomware in Q1 2026
* Volume: a sustained operating rate averaging 707 victims per month. Excluding Cl0p from both periods, there were 1,894 victims in Q1 2025 versus 1,995 in Q1 2026, an actual YoY increase of 5.3%.
* Notable surges and declines: comparing Q4 2025 with Q1 2026 reveals which groups are absorbing the affiliate talent pool and which are failing to take advantage of it. Surges: The Gentlemen grew by 315%, from 40 claimed victims to 166, the biggest story of Q1 2026; LockBit grew by 106% to 163 victims; DragonForce (The Cartel Model Under Pressure) grew by 29% to 101 victims, with a steep climb from 10 victims in January to 35 in February and 56 in March.
* Industry: the industry distribution of ransomware victims in Q1 2026 shows continued cross-sector impact, with a few notable concentrations; one of them reflects the user base of Oracle EBS, the enterprise application exploited in the Q1 2026 campaign (CVE-2025-61882 in the metadata above).
Figure 2 – Top 10 ransomware groups by number of publicly claimed victims – Q1 2026.
Figure 6 – Top 10 targeted countries, Q1 2026.
Figure 7 – Ransomware victims by industry, Q1 2026.
Conclusion
In Q1 2026, the ransomware ecosystem entered a new phase.
January 2026
The ransomware operator "Tramp", a former Conti and Black Basta affiliate, was added to Interpol's wanted list in January 2026.
mid-March 2026
SafePay, a centralized (non-RaaS) operation, is referenced by the source for this period; this page carries no further detail.
April 2026
The Gentlemen attacked a software consultancy from the United Kingdom and claimed to have exfiltrated its data.
Interesting Negotiation Case
In a high-profile attack in April 2026, a software consultancy company from the United Kingdom publicly reported a breach. From what appears to be a personal channel used by zeta88, he drafts a ransom demand letter addressed to the UK company, detailing what The Gentlemen claim to have exfiltrated, including customer infrastructure data, secrets, OAuth credentials, and more.
Indicators of Compromise
Description | Value (SHA-256)
The Gentlemen Windows
025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f
1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67
24ac3588fb8cfbff63b7fdfcbc7dec1f3c60e54e6f949dd69d68e89e0c89d966
2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d
3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235
3c2182cb0bc7528829ef03f1b1745a92bcc47d917eb8870862488f21fdf1a6d6
48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd
4a175eed927c0a477eafb8aa35a93c191748acaa78ac7aecd8ea3c4cd868887c
51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2
62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8
6a3ab9e984a759d55af4e84487d1fc44683065cc9a1089d5aa4ad1c0e4e84a63
860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923
87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c
8aa0cb69ca2777001e0f4ba0eaab0841592710e4cc5ccd6b0b526d78bbd8bfba
8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db
91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1
994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3
9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454
a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad
b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6
c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8
c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73
dce2e5cc00eff2493f8ced546dc51f9d5ef78c5ee56805906ec642dfa77a1c70
dfe696ff713318c53fb17731bd4a6585a02c085b590149b19847990b324a0be6
ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2
efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f
f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12
fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
The Gentlemen Linux
1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c
5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19
Yara Rule
rule thegentlemen_ransomware
{
    meta:
        author = "@Tera0017/Check Point Research"
        description = "The Gentlemen Ransomware written in GO."
    strings:
        $string1 = "Silent mode (don't rename files)" ascii
        $string2 = "Encrypt only mapped and UNC network shares" ascii
        $string3 = "README-GENTLEMEN.txt" ascii
        $string4 = "gentlemen.bmp" ascii
        $string5 = "gentlemen_system" ascii
        $string6 = "[+] Encryption started." ascii
    condition:
        // The rule's own condition is cut off on this page; this one is an assumption.
        4 of ($string*)
}
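As an added example (not code from the report or from Check Point Research), the sweep below applies the published indicators without a YARA engine: it hashes every file under a directory and checks it against the SHA-256 list, scans file contents for the strings from the rule above, and flags the ransom note and wallpaper names the rule references. The hash set is a subset of the table above (extend it with the full list), the four-string threshold mirrors the assumed condition in the rule, and the sample directory the script builds is constructed for the demonstration.

```python
"""Sweep a directory tree for The Gentlemen indicators (hashes, rule strings, artifact names).

Added example. Hashes are a subset of the IoC table above, strings come from the
YARA rule; the sample files are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Subset of the SHA-256 indicators from the IoC table (extend with the full list).
GENTLEMEN_SHA256 = frozenset({
    "025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a",
    "1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f",
    "1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c",
    "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca",
    "788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19",
})

# Strings from the YARA rule, matched as raw bytes (the rule's "ascii" modifier).
RULE_STRINGS = (
    b"Silent mode (don't rename files)",
    b"Encrypt only mapped and UNC network shares",
    b"README-GENTLEMEN.txt",
    b"gentlemen.bmp",
    b"gentlemen_system",
    b"[+] Encryption started.",
)
MIN_STRING_HITS = 4  # assumed threshold; the rule's real condition is not on the page
ARTIFACT_NAMES = {"README-GENTLEMEN.txt", "gentlemen.bmp"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def string_hits(data: bytes) -> list[str]:
    """Return the rule strings present in the data."""
    return [s.decode() for s in RULE_STRINGS if s in data]


def scan_tree(root: Path, iocs: frozenset[str] = GENTLEMEN_SHA256) -> dict[str, list[str]]:
    """Return paths (relative to root) grouped by the kind of evidence found."""
    found = {"hash": [], "strings": [], "artifact": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if name in ARTIFACT_NAMES:
                found["artifact"].append(rel)
            if sha256_file(p) in iocs:
                found["hash"].append(rel)
            if len(string_hits(p.read_bytes())) >= MIN_STRING_HITS:
                found["strings"].append(rel)
    return {kind: sorted(paths) for kind, paths in found.items()}


def build_demo_tree() -> Path:
    """Constructed sample tree: a locker-like binary, a ransom note and a benign file."""
    root = Path(tempfile.mkdtemp(prefix="gentlemen-demo-"))
    (root / "bin").mkdir()
    fake_locker = b"\x7fELF" + b"\x00" * 16 + b"".join(RULE_STRINGS[:4]) + b"\x00" * 8
    (root / "bin" / "locker").write_bytes(fake_locker)
    (root / "README-GENTLEMEN.txt").write_text("constructed note body")
    (root / "notes.txt").write_text("quarterly report, nothing here")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    # Add the constructed locker's own hash, as you would after a sandbox run confirms a new build.
    extra = GENTLEMEN_SHA256 | {sha256_file(demo / "bin" / "locker")}
    for kind, paths in scan_tree(demo, extra).items():
        print(f"{kind:8s} {paths}")
```

Run it against a mounted image or a file share rather than a live host, and treat a string hit below the threshold as a lead for manual review rather than noise: a packed or stripped build may carry only one or two of the strings.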
zeta88 ran this operation alongside Protagor, creating a backdoor Okta service account himself, which is typical of his intensive, hands-on involvement in many of the intrusions documented in the leaked discussions.
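A backdoor Okta service account of the kind described above is visible in the Okta System Log if someone looks. The following is an added example, not code from the report or from Okta: it walks a batch of System Log events (the event type names are Okta's; the events, the actor names and the provisioning-integration identity are constructed for the demonstration) and reports an account that was created by hand and then, within a short window, granted an admin role or issued an API token.

```python
"""Flag backdoor-style service accounts from Okta System Log events.

Added example. Event type names are Okta System Log types; the events, users and
the provisioning actor below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
# Assumed: the identity your SCIM/HR integration uses when it creates users.
PROVISIONING_ACTORS = {"scim-provisioner@example.com"}

# Constructed System Log events, trimmed to the fields the logic uses.
EVENTS = [
    {"eventType": "user.lifecycle.create", "published": "2026-04-02T01:12:00Z",
     "actor": {"alternateId": "admin.jane@example.com"},
     "target": [{"type": "User", "alternateId": "svc-backup-sync@example.com"}]},
    {"eventType": "user.account.privilege.grant", "published": "2026-04-02T01:14:30Z",
     "actor": {"alternateId": "admin.jane@example.com"},
     "target": [{"type": "User", "alternateId": "svc-backup-sync@example.com"},
                {"type": "Role", "displayName": "Super Administrator"}]},
    {"eventType": "system.api_token.create", "published": "2026-04-02T01:20:05Z",
     "actor": {"alternateId": "svc-backup-sync@example.com"},
     "target": [{"type": "Token", "displayName": "sync-token"}]},
    {"eventType": "user.lifecycle.create", "published": "2026-04-02T09:00:00Z",
     "actor": {"alternateId": "scim-provisioner@example.com"},
     "target": [{"type": "User", "alternateId": "new.hire@example.com"}]},
]


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _user_target(event):
    for t in event["target"]:
        if t.get("type") == "User":
            return t["alternateId"]
    return None


def find_backdoor_accounts(events, window=WINDOW, provisioning_actors=PROVISIONING_ACTORS):
    """Return {account: [reasons]} for accounts that look like hand-planted backdoors."""
    created = {}                      # user -> (creation time, creator)
    findings = defaultdict(list)
    for ev in sorted(events, key=_ts):
        et, when = ev["eventType"], _ts(ev)
        if et == "user.lifecycle.create":
            user, creator = _user_target(ev), ev["actor"]["alternateId"]
            created[user] = (when, creator)
            if creator not in provisioning_actors:
                findings[user].append(f"created manually by {creator}")
        elif et == "user.account.privilege.grant":
            user = _user_target(ev)
            if user in created and when - created[user][0] <= window:
                role = next((t.get("displayName") for t in ev["target"]
                             if t.get("type") == "Role"), "unknown role")
                findings[user].append(f"granted {role} {when - created[user][0]} after creation")
        elif et == "system.api_token.create":
            user = ev["actor"]["alternateId"]
            if user in created and when - created[user][0] <= window:
                findings[user].append("API token minted shortly after creation")
    # A manual creation on its own is routine; report accounts that also gained privilege or a token.
    return {user: reasons for user, reasons in findings.items() if len(reasons) >= 2}


if __name__ == "__main__":
    for account, reasons in find_backdoor_accounts(EVENTS).items():
        print(account)
        for r in reasons:
            print("  -", r)
```

The window and the provisioning allowlist are the two knobs worth tuning: a legitimate break-glass account is usually created by the integration and gets its role days later through a reviewed change, while an operator working inside a compromised admin session does all three steps in minutes.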
Program / Group | Things Discussed | Subjective Sentiment (Their View)
* HelloKitty: name/brand as something they would like to use; jokes about linking to the real Hello Kitty site and putting (R) everywhere; described explicitly as "a powerful brand" ("мощный бренд").
* Kraken: mention that "the Kraken comrades" ("товарищи кракен") wrote to qbit; qbit later says their team might "move" over to zeta88's side.
* Gunra: listed among candidate PPs (partner programs) for a supplier; zeta88 says "what even is that…" ("че эт ваще такое…"), lumps it with Hyflock, and calls the operator "that jerk" ("этот мудень").
* Sentiment recorded for one of the rows above (the row is not recoverable from this page): neutral; no formed opinion, neither trust nor distrust expressed.
* LockBit: curious but cautious; the tooling is not trusted or fully understood yet; no explicit sentiment on the LockBit group.
With over 320 public victims in 2026 and hundreds more systems visible through related infrastructure, The Gentlemen stands among the most productive RaaS operations that maintain a public data-leak presence.
May 4th, 2026
RaaS Leak
On May 4th, 2026, on an underground forum, the RaaS administrator published a post acknowledging the claims of an internal leak involving their so-called Rocket database, an internal backend system used to store operational data, and addressed his affiliates directly about the incident.
Context from the source:
* By collecting all available ransomware samples, Check Point Research identified 8 distinct affiliate TOX IDs, including the administrator's TOX ID.
* Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates.
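The affiliate count above works because each locker build embeds the contact Tox ID of whoever operates it. The extractor below is an added example, not Check Point Research's tooling: it pulls 76-hex-character candidates out of sample bytes, keeps only those whose trailing two bytes satisfy the Tox ID checksum (the XOR of the 32-byte public key and 4-byte nospam, folded into two bytes), which rejects hash-like hex runs that happen to be the right length, and then groups samples by the ID they carry. The two Tox IDs are the ones quoted on this page (they both pass the checksum); the sample blobs around them are constructed.

```python
"""Extract checksum-valid Tox IDs from ransomware samples and cluster samples by ID.

Added example, not the analysts' tooling. The two Tox IDs are the ones quoted on this
page; the sample blobs are constructed.
"""
import re
from collections import defaultdict

# Tox ID layout: 32-byte public key || 4-byte nospam || 2-byte checksum, hex-encoded (76 chars).
# The lookarounds stop a 76-char window inside a longer hex run from matching.
TOX_ID_RE = re.compile(rb"(?<![0-9A-Fa-f])([0-9A-Fa-f]{76})(?![0-9A-Fa-f])")


def tox_checksum_ok(tox_id: str) -> bool:
    """Checksum = XOR of the first 36 bytes folded into 2 bytes (byte i goes into slot i % 2)."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


def extract_tox_ids(data: bytes) -> list[str]:
    """Return distinct, checksum-valid Tox IDs (uppercase) in order of first appearance."""
    found = []
    for m in TOX_ID_RE.finditer(data):
        cand = m.group(1).decode().upper()
        if tox_checksum_ok(cand) and cand not in found:
            found.append(cand)
    return found


def group_samples(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each Tox ID to the sample names that embed it (one cluster per affiliate ID)."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        for tox_id in extract_tox_ids(blob):
            clusters[tox_id].append(name)
    return dict(clusters)


ADMIN_TOX = "98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3"
N7778_TOX = "7862AE03A73AAC2994A61DF1F635347F2D1731A77CACC155594C6B681D201F7AD6817AD3AB0A"
# Same length as a Tox ID but with a corrupted checksum: must be rejected.
BOGUS = ADMIN_TOX[:-4] + "0000"

SAMPLES = {  # constructed blobs standing in for three locker builds
    "build_a.bin": b"\x00README-GENTLEMEN.txt\x00tox:" + ADMIN_TOX.encode() + b"\x00",
    "build_b.bin": b"contact " + N7778_TOX.lower().encode() + b" " + BOGUS.encode(),
    "build_c.bin": b"\x00" + ADMIN_TOX.encode() + b"\x00" + N7778_TOX.encode(),
}

if __name__ == "__main__":
    for tox_id, names in group_samples(SAMPLES).items():
        print(tox_id, "->", names)
```

Feed it the raw bytes of each sample (or the strings output of a dumped, unpacked build); Go binaries keep such constants in the rodata section, so a packed sample needs unpacking first or the regex will see nothing.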
The changes described include a full overhaul of the communication structure, the deployment of a new NAS with unlimited storage, and several technical upgrades to the locker, such as removing hardware breakpoints, performing NTDLL unhooking, and patching ETW to suppress Event Tracing for Windows.
The internal discussions provide a rare end-to-end view of the operation: they detail initial access paths (Fortinet and Cisco edge appliances, NTLM relay, OWA/M365 credential logs), the division of roles, the shared toolsets, and the group's active tracking and evaluation of modern CVEs such as CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
organisation
Screenshots
Screenshots from ransom negotiations were also leaked, showing a successful case where the group received 190,000 USD, after starting with an initial demand (anchor) of 250,000 USD.
In that case, the affiliate used SystemBC, and the associated command‑and‑control (C&C) server revealed more than 1,570 victims.
In these chats, they coordinate ongoing intrusions, exchange toolsets and EDR‑kill packages, discuss infrastructure and backend components (including the Rocket database and NAS storage), review CVEs and exploit paths (for example Fortinet, Cisco, and NTLM relay issues), and talk about specific victims, campaigns, and payouts.
May 5th, 2026
The Gentlemen RaaS operators used the FortiGate management interface to exploit CVE-2025-33073, a vulnerability that fits into their broader focus on high-value initial access points.
Demanding ransom from a RaaS
On May 5th, 2026, the account n7778 with TOX ID 7862AE03A73AAC2994A61DF1F635347F2D1731A77CACC155594C6B681D201F7AD6817AD3AB0A advertised the sale of The Gentlemen’s hacked data on underground forums for 10,000 USD, payable in Bitcoin.
Local, self-hosted LLM.
A screenshot shared in the chats shows an LLM response on how to send an email to all users via the Jira admin interface, in Russian.
At the core, the main operator and developer, zeta88 (most likely hastalamuerte), runs the infrastructure and builds and maintains the custom ransomware locker, the RaaS panel and builder (Linux with containers and a TOR front), as well as the GPO‑based spread mechanism and the locker’s “spread” module.
Finally, they support these activities with infrastructure and helper tools like port scanners (gogo.exe), usage guides, OSINT extensions, and password‑cracking services, which together give them a reusable framework for running repeated intrusions and ransomware deployments.
qbit is a practical operator on many cases, responsible for scanning and filtering Fortinet VPNs and other edge devices, performing reconnaissance and persistence (including “крепиться клаудом” (English: “to establish persistence via the cloud”) through Cloudflare tunnels or Zero Trust solutions), and using tools such as NetExec (NXC), RelayKing, PrivHound, and NTLM relay scanning.
They rely on a mixture of Active Directory discovery, certificate abuse, and various local privilege escalation techniques.
For offensive operations, they use a range of red‑team utilities such as NetExec, RelayKing, TaskHound, PrivHound, CertiHound, and others to perform Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
A separate group of tools is dedicated to EDR and AV evasion, including EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets, as well as techniques inspired by public research on abusing Windows logging and Event Tracing for Windows (ETW).
Offensive / Red‑Team: Titanis – Offensive tooling for Windows logging / ETW manipulation.
CVE-2025-32433 – Erlang SSH vulnerability (Cisco context)
In other words, CVE-2025-33073 is a vulnerability they actively scan for and intend to exploit as part of broader NTLM relay workflows.
The group claims to usually gain initial access through exposed edge devices such as VPN appliances, firewalls, and other internet-facing systems, with a particular focus on platforms like Fortinet FortiGate and Cisco.
Figure 21 – Qwen 3.5 post.
zeta88 directs affiliates to use AI as a quick reference—for example, to look up FortiGate internals—rather than asking in the channel.
While the chats do not show detailed exploitation steps, the presence of this CVE alongside their FortiGate targeting suggests it is part of the set of vulnerabilities they track for potential use against exposed management interfaces.
Integrates with BloodHound data.
OSINT / Helper Tools: chamd5.org – Online password hash cracking service.
Figure 7 — Account selling The Gentlemen RaaS Data.
In the following days, the same account posted two MediaFire links containing proof files supporting the claimed leak.
Gblog88, JLL, LDW, n0n3, PRTGRS, W1Z.
Roles & Structure
The group appears to have a clear division of roles and responsibilities.
This operator also curates toolsets in the TOOLS channel, including EDR kill kits and kiljalki collections, selects targets, and assigns them to specific teams, often talking about “targets”, “подбор” (selection) channels, and distributing corporate victims to groups of 2–3 people.
quant is oriented toward OW/OVA spam and higher‑value (“тир1”, English: “tier‑1”) victims and has set up a powerful “brute server” (Threadripper PRO, 128 GB RAM, RTX 5090) for large‑scale brute forcing.
Around these core and key operators, there are several other accounts, including Wick, mAst3r, Protagor, Bl0ck, JeLLy, Kunder, and Mamba, who take on various roles such as red‑teamers, advertising partners, access brokers, or case‑specific collaborators; for example, Protagor is mentioned in connection with OV (online vault/OWA‑type) spam, while Mamba acts as an access broker for Fortinet VPNs sourced from ramp.
Group members collaborate on various infections and share the profits as well.
At the same time, they invest significant effort into disabling or bypassing security tools such as EDR and antivirus solutions, using a combination of misconfigurations, registry abuse, logging mechanisms, and bring-your-own-vulnerable-driver–style (BYOD) techniques to tamper with or overwrite security binaries.
Tools & Infra
The leaked conversations show that The Gentlemen RaaS operators use a repeatable and fairly mature toolset to support their operations.
Category: Tool / Resource – Purpose / Usage (Reference / Notes)
C2 / Remote Access: ZeroPulse – Remote access / C2 framework for controlling compromised hosts.
C2 / Remote Access: Velociraptor – Used as a covert C2 platform, including memory and LSASS dumping.
C2 / Remote Access: Cloudflare Zero Trust / Tunnels – Provides stealthy tunnels into victim networks over HTTPS.
VPN / Network Access: wireguard-install – Automates WireGuard VPN deployment.
Offensive / Red‑Team: NetExec (NXC) – Multi‑purpose offensive framework for AD, SMB, WinRM, and more.
Often used for MSI service abuse.
EDR / AV Evasion: EDRStartupHinder – Blocks or delays EDR processes at startup.
EDR / AV Evasion: gfreeze – Part of their EDR “killer” toolkit to hinder security products.
EDR / AV Evasion: DumpBrowserSecrets – Dumps browser cookies and secrets for session hijacking.
EDR / AV Evasion: zerosalarium ETW/log tricks – Public research they follow for ETW and log‑based EDR kill techniques.
These ideas are suggested in the chats but do not appear to be fully implemented.
zeta88 states that he built the GLOCKER admin panel in three days using AI‑assisted coding.
Figure 18 — zeta88 “vibe-coded” the Panel.
zeta88 states that he finds DeepSeek, Qwen, Kimi, and Emi the most effective models for his purposes, particularly for coding assistance and technical queries.
For more challenging tasks such as operational data analysis, identifying high‑value access points, and offloading much of the manual data‑triage work to an AI model, the operators explicitly discuss using an uncensored, self‑hosted LLM.
This shows that the group is not simply aware of the CVE but is actively evaluating whether it can be used in real operations, specifically in environments where Cisco or Erlang-based SSH services are exposed.
Even if they are cautious about PoC reliability, the discussion confirms that this vulnerability is part of their potential exploit toolkit.
iDRAC to domain admin paths, leveraging Dell iDRAC weaknesses.
WPR, AutoLogger, and ETW manipulation techniques documented by zerosalarium and others to overwrite or disable security binaries.
Payments & Negotiations
Zeta88 acts as the organizer/administrator, distributing cryptocurrency payouts to team members (including those who are “AFK”) and advising on how to cash out proceeds via Bitcoin wallets (Guarda, Trust Wallet, Exodus).
The group discusses AML (Anti-Money Laundering) evasion strategies.
Zeta88 sends a BTC transaction to Kunder as a payout, which Kunder confirms receiving.
The specific mentions of how they handle Bitcoin laundering/cash out:
Exchange Chains (“связки обмена”)
Zeta88 mentions running ~800 transactions through “buy desks” (скупов) via exchange chains, or sometimes sending directly, suggesting chain-hopping to obscure transaction origins.
AML Checking
They discuss whether their BTC is “clean” and reference a buyer who actively checks AML scores before transacting.
Wallet Infrastructure
They recommend non-custodial wallets (Guarda, Trust Wallet, Exodus) specifically to avoid KYC/AML controls that centralized exchanges enforce.
While the partial leaked data that we obtained is around 44.4 MB, a screenshot shared by the same account on another underground forum shows a total size of approximately 16.22 GB, which likely corresponds to the full leaked data set.
2026/05/13
The Gentlemen, a Russian-speaking ransomware operation, targeted 82 US victims in February.
Qilin’s sustained dominance:
Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.
Ransomware Attacks by Industry – Q1 2026
The new version introduced multi-platform support (Windows, Linux, ESXi), enhanced evasion and anti-analysis mechanisms, faster encryption routines, and randomized 16-character file extensions to disrupt signature-based detection.
Its data audit service, which analyzes stolen datasets exceeding 300 GB to identify the most valuable information for extortion leverage, represents genuine innovation in the extortion model.
The FortiGate stockpile
The group’s most distinctive asset is a cache of approximately 14,700 pre-exploited FortiGate devices, exploited primarily via CVE-2024-55591 (a critical authentication bypass in FortiOS/FortiProxy).
Both The Gentlemen and Nightspire exploit the same FortiGate vulnerability (CVE-2024-55591).
The Gentlemen (13.3% US) reflects the geographic distribution of its approximately 14,700-device FortiGate access stockpile, which is concentrated in Thailand (10.8%), Brazil (6%), and India (4.2%).
In addition to the exploited devices, the operators maintain 969 validated brute-forced FortiGate VPN credentials ready for attack.
This may reflect the geographic distribution of exploitable FortiGate devices; the group attacks where it has pre-positioned access, and that access happens to be concentrated in APAC and Latin American networks.
Genesis (93.1% US) whose near-exclusive US focus (27 of 29 confirmed victims) and emphasis on the Healthcare sector (20.7%) is striking for an emerging actor with no documented affiliate program.
Nightspire, a closed-group operation with OneDrive cloud encryption capability, expanded by 183% from 29 victims to 82, sustaining growth across two consecutive quarters.
LockBit 5.0 activity increased by 106%, from 79 victims to 163.
Taiwan also rose sharply (from 8 victims to 26), while South Korea dropped out entirely.
This is the same dynamic observed in Cl0p’s geographic analysis, where Canada and Australia were over-represented because of Oracle EBS adoption.
Anubis stands apart from all other top-20 actors in its willingness to target healthcare (13.0%, +8.3 percentage points above baseline) and critical infrastructure (8.7%, +7.7 percentage points above baseline).
Origins: A Qilin defection
The Gentlemen was founded by a threat actor known as Hastalamuerte – an experienced Qilin affiliate who left the Qilin RaaS program following a dispute over an unpaid commission of approximately $48,000.
With $244 million in total proceeds and a 34% share of IR engagements, Akira’s sector selection reflects deliberate targeting of firms where the pressure to pay is greatest.
Japan (21 victims): The Gentlemen (6 victims) + Everest (4 victims) + Nightspire (3 victims).
Two countries stand out for having three or more actors independently converging to create unusually diverse threat environments:
Turkey (23 victims): LockBit (6 victims) + DragonForce (5 victims) + The Gentlemen (5 victims); 70% of Turkey’s victim totals are due to the activity of just three actors.
Devman declined by 70%, from 82 victims to 25.
Figure 4 – The Gentlemen monthly victim trajectory, February peak: 82 victims in a single month.
Cl0p’s traditional mass exploitation campaigns produce victim distributions that mirror the installed base of the exploited software, in this case the EBS campaign (CVE-2025-61882).
Software footprint targeting.
Cl0p’s 53.5% Business Services concentration (+18.6 percentage points above baseline) does not reflect a preference for professional services firms.
An example is Obscura, whose encryption bug renders files over 1 GB permanently unrecoverable regardless of payment.
Declines:
SafePay fell by 77%, going from 97 victims to 22.
Sinobi dropped by 42%, from 139 victims to 80.
Figure 3 – Interpol’s Red Notice for Devman’s operator, Nefedov.
However, most of the newcomers posted fewer than 10 victims, failing to take advantage of the disappearance of established mid-tier operators.
Coinbase Cartel, initially reported as a DragonForce sub-brand, has been independently linked to the ShinyHunters operation by Bitdefender.
Per-Actor Geographic Targeting: Distinct Patterns
A per-actor analysis of the top 20 groups’ country distributions reveals that the ecosystem-level averages mask dramatically different targeting strategies.
Country-Level Actor Dominance: When One Group Shapes a Nation’s Threat Profile
Flipping the analysis from “which countries does an actor target” to “which actors dominate each country” reveals an even more striking picture.
Akira’s targeting of Consumer Goods (23.9%, +9.8 percentage points above baseline) and Industrial Manufacturing (17.8%, +6.7 percentage points above baseline), a combined 41.7% versus the 25.1% baseline, is consistent with an economically optimized model.
Monthly volumes within Q1 were consistently stable: in January there were 732 recorded victims, 684 in February, and 706 in March.
Play posted a 64% increase, going from 74 victims to 121.
After a strong January (56 victims), activity collapsed to just 7 victims in March.
Publishing 38 victims within weeks of beginning operation strongly suggests pre-existing access in the form of a massive number of compromised devices rather than real-time exploitation.
After an initial surge of 85 victims in January (likely to reflect the accumulation of access during the pre-launch period), activity dipped to just 33 victims in February before climbing back to 45 in March.
Threat actors used the Data Leak platform to target approximately 332 victims in just five months of 2026.
In 2026, based on victims listed on the data leak site (DLS), The Gentlemen appears to be one of the most active RaaS programs, with approximately 332 published victims in just the first five months of 2026.
Threat actors used a data leak service to target 70 active sites that collectively listed new victims.
Consolidation at Scale
During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) that collectively listed 2,122 new victims.
DragonForce launched 101 attacks in Q1, with a rapid escalation from January to March.
DragonForce: The Cartel Model Under Pressure
DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March.
The 14,700-device inventory likely predates the group’s September 2025 launch.
Japan (21 victims): The Gentlemen (6 victims) + Everest (4 victims) + Nightspire (3 victims).
Two countries stand out for having three or more actors independently converging to create unusually diverse threat environments:
Turkey (23 victims): LockBit (6 victims) + DragonForce (5 victims) + The Gentlemen (5 victims); 70% of Turkey’s victim total is due to the activity of just three actors.
Akira’s targeting of Consumer Goods (23.9%, +9.8 percentage points above baseline) and Industrial Manufacturing (17.8%, +6.7 percentage points above baseline), a combined 41.7% versus the 25.1% baseline, is consistent with an economically optimized model.
Key Findings
Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025.
Figure 2 – Top 10 ransomware groups by number of publicly claimed victims – Q1 2026.
Qilin’s sustained dominance: Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.
The Gentlemen is the breakout story of Q1 2026, reaching third place on the global ransomware list and increasing its victim count from 40 in Q4 2025 to 166 in Q1 2026.
LockBit 5.0 comeback confirmed: LockBit posted 163 victims in Q1 2026, climbing to fourth place.
Ransomware in Q1 2026:
LockBit 5.0: Making a Comeback
LockBit posted 163 victims in Q1 2026 (an increase of 106% compared to Q4 2025), climbing from outside the top 10 to fourth place globally.
Consolidation at Scale
During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) that collectively listed 2,122 new victims.
Its data audit service, which analyzes stolen datasets exceeding 300 GB to identify the most valuable information for extortion leverage, represents genuine innovation in the extortion model.
The new version introduced multi-platform support (Windows, Linux, ESXi), enhanced evasion and anti-analysis mechanisms, faster encryption routines, and randomized 16-character file extensions to disrupt signature-based detection.
Indicators of Compromise
Yara Rule
rule thegentlemen_ransomware
{
meta:
author = "@Tera0017/Check Point Research"
description = "The Gentlemen Ransomware written in GO.
These include a full overhaul of the communication structure, the deployment of a new NAS with unlimited storage, and several technical upgrades to the locker, such as removing hardware breakpoints, performing NTDLL unhooking, and patching ETW to suppress Event Tracing for Windows.
A separate group of tools is dedicated to EDR and AV evasion, including EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets, as well as techniques inspired by public research on abusing Windows logging and Event Tracing for Windows (ETW).
Offensive / Red‑Team: Titanis, offensive tooling for Windows logging / ETW manipulation.
At the core, the main operator and developer, zeta88 (most likely hastalamuerte), runs the infrastructure and builds and maintains the custom ransomware locker, the RaaS panel and builder (Linux with containers and a TOR front), as well as the GPO‑based spread mechanism and the locker’s “spread” module.
Software footprint targeting. Cl0p’s 53.5% Business Services concentration (+18.6 percentage points above baseline) does not reflect a preference for professional services firms.
This figure represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record, 117% above Q1 2024 (977 victims), and stays in line with the elevated baseline established through 2025.
This reflects a sustained operating rate of an average of 707 victims per month in Q1 2026.
The headline year-over-year (YoY) comparison shows a 7.1% decline from the 2,285 victims in Q1 2025.
However, this comparison is misleading, as the Q1 2025 numbers were heavily inflated by Cl0p’s Cleo mass-exploitation campaign, which contributed approximately 390 victims in a single burst.
If we exclude Cl0p from both periods, there were 1,894 victims in Q1 2025 versus 1,995 in Q1 2026, an actual YoY increase of 5.3%.
An example is Obscura, whose encryption bug renders files over 1 GB permanently unrecoverable regardless of payment.
Declines: SafePay fell by 77%, going from 97 victims to 22.
Devman declined by 70%, from 82 victims to 25.
Figure 4 – The Gentlemen monthly victim trajectory, February peak: 82 victims in a single month.
Sinobi dropped by 42%, from 139 victims to 80.
DragonForce: The Cartel Model Under Pressure
DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March.
Figure 6 – Top 10 targeted countries, Q1 2026.
However, most of the newcomers posted fewer than 10 victims, failing to take advantage of the disappearance of established mid-tier operators.
This confirms that Qilin’s Q3 2025 financial sector campaign targeting 30 South Korean organizations was a one-off event rather than a sustained targeting shift.
Monthly volumes within Q1 were consistently stable: in January there were 732 recorded victims, 684 in February, and 706 in March.
LockBit 5.0 activity increased by 106%, from 79 victims to 163.
Play posted a 64% increase, going from 74 victims to 121.
After a strong January (56 victims), activity collapsed to just 7 victims in March.
Publishing 38 victims within weeks of beginning operation strongly suggests pre-existing access in the form of a massive number of compromised devices rather than real-time exploitation.
After an initial surge of 85 victims in January (likely reflecting the accumulation of access during the pre-launch period), activity dipped to just 33 victims in February before climbing back to 45 in March.
In 2026, based on victims listed on the data leak site (DLS), The Gentlemen appears to be one of the most active RaaS programs, with approximately 332 published victims in just the first five months of 2026.
Based on the current 412 public victims listed on the data leak site (DLS), and considering that there are likely additional victims who paid and therefore were not published, we identified 29 unique campaigns in public sources such as VirusTotal.
In that case, the affiliate used SystemBC, and the associated command‑and‑control (C&C) server revealed more than 1,570 victims.
(English: “tier‑1”) victims and has set up a powerful “brute server” (Threadripper PRO, 128 GB RAM, RTX 5090) for large‑scale brute forcing.
With over 320 public victims in 2026 and hundreds more systems visible through related infrastructure, it stands among the most productive RaaS operations that maintain a public data‑leak presence.
While the partial leaked data that we obtained is around 44.4 MB, a screenshot shared by the same account on another underground forum shows a total size of approximately 16.22 GB, which likely corresponds to the full leaked data set.
Intelligence Sources
Zero Day Fans, 2026-05-11: The State of Ransomware – Q1 2026
Zero Day Fans, 2026-05-13: Thus Spoke…The Gentlemen
Last Updated: 2026-06-15T05:46