Ransom note | Image: AhnLab
A sophisticated new ransomware operator has rapidly ascended the ranks of the cybercriminal underworld, targeting industries across 17 countries with “double extortion” tactics. Dubbed Gentlemen, the group was first identified in August 2025 and has quickly established itself as one of the year’s most active emerging threats, according to a new report from AhnLab.
The group employs high-level intrusion techniques to breach networks, steal sensitive data, and encrypt critical systems, leaving victims with a paralyzed infrastructure and a ransom demand.
The Gentlemen group distinguishes itself through the use of advanced tactics often reserved for state-sponsored actors or elite cybercrime syndicates. The report notes that during breaches, “the group employs typical tactics seen in advanced ransomware groups, such as Group Policy Objects (GPO) manipulation and Bring Your Own Vulnerable Driver (BYOVD)”.
The use of BYOVD attacks—where attackers deploy a legitimate but vulnerable driver to bypass security software—indicates a high level of technical competency designed to evade modern endpoint defenses. Furthermore, their use of “sophisticated internal propagation procedures” allows them to spread rapidly through a victim’s network once inside.
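As an added illustration from the defender's side (this is example code written for this article, not tooling from AhnLab or the report), the two techniques named above leave distinct traces in Windows telemetry: a BYOVD driver load appears as a Sysmon Event ID 6 (Driver Loaded) record, and a GPO edit appears as a Windows Security Event ID 5136 (directory service object modified) on a `groupPolicyContainer` object. The script below triages a handful of constructed log lines in a flattened `key=value` form that is assumed here for readability; the blocklist hash, the `updater.sys` file name, and the `CORP\gpo-admin` allowlist are placeholders. The point it makes is that a BYOVD driver is usually validly signed, so a signature check alone passes it and a hash blocklist (Microsoft's recommended driver block rules or a vendor feed in practice) is what catches it.

```python
"""Triage constructed Windows telemetry for BYOVD driver loads (Sysmon ID 6)
and GPO container edits (Security ID 5136). All log lines, hashes and
account names below are constructed for the example."""
from dataclasses import dataclass

# Placeholder blocklist keyed by SHA256. In practice populate this from
# Microsoft's recommended driver block rules or a threat-intel feed.
# The hash below is a constructed placeholder, not a real driver hash.
BLOCKED_DRIVER_SHA256 = {
    "0" * 63 + "1": "placeholder vulnerable driver (constructed)",
}

# Hypothetical allowlist of accounts expected to edit GPOs in this domain.
TRUSTED_GPO_EDITORS = {"CORP\\gpo-admin"}

# groupPolicyContainer attributes whose change means a GPO now delivers
# different settings, scripts or extensions to its linked machines/users.
GPO_ATTRS_OF_INTEREST = {
    "gPCMachineExtensionNames", "gPCUserExtensionNames",
    "versionNumber", "gPCFileSysPath",
}

# Directories a legitimate kernel driver should not normally load from.
SUSPICIOUS_DRIVER_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    timestamp: str
    technique: str
    severity: str
    reason: str


def parse_kv(line):
    """Split '<timestamp> k=v k=v ...' into (timestamp, dict)."""
    parts = line.split()
    fields = {}
    for tok in parts[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return parts[0], fields


def check_driver_load(ts, f):
    """Sysmon Event ID 6: blocklist hit beats signature state, because a
    BYOVD driver is normally signed and reports SignatureStatus=Valid."""
    path = f.get("ImageLoaded", "")
    sha = f.get("Hashes", "")
    if sha.startswith("SHA256="):
        sha = sha[len("SHA256="):]
    sha = sha.lower()
    if sha in BLOCKED_DRIVER_SHA256:
        return Finding(ts, "BYOVD", "high",
                       f"{path}: hash on vulnerable-driver blocklist "
                       f"({BLOCKED_DRIVER_SHA256[sha]})")
    if f.get("Signed") != "true" or f.get("SignatureStatus") != "Valid":
        return Finding(ts, "BYOVD", "medium", f"{path}: driver not validly signed")
    if any(d in path.lower() for d in SUSPICIOUS_DRIVER_DIRS):
        return Finding(ts, "BYOVD", "medium", f"{path}: driver loaded from unusual directory")
    return None


def check_gpo_change(ts, f):
    """Security Event ID 5136 on a groupPolicyContainer by a non-allowlisted account."""
    if f.get("ObjectClass") != "groupPolicyContainer":
        return None
    subject, attr = f.get("Subject", ""), f.get("Attribute", "")
    if attr in GPO_ATTRS_OF_INTEREST and subject not in TRUSTED_GPO_EDITORS:
        return Finding(ts, "GPO manipulation", "high", f"{subject} changed {attr} on a GPO")
    return None


def triage(lines):
    """Return one Finding per suspicious line, in input order."""
    findings = []
    for line in lines:
        ts, f = parse_kv(line)
        eid = f.get("EventID")
        check = {"6": check_driver_load, "5136": check_gpo_change}.get(eid)
        result = check(ts, f) if check else None
        if result:
            findings.append(result)
    return findings


# Constructed sample telemetry (not captured from any real incident).
SAMPLE_LOGS = [
    "2025-09-01T10:00:00Z EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys "
    "Hashes=SHA256=" + "a" * 64 + " Signed=true SignatureStatus=Valid",
    "2025-09-01T10:05:12Z EventID=6 ImageLoaded=C:\\Users\\Public\\updater.sys "
    "Hashes=SHA256=" + "0" * 63 + "1" + " Signed=true SignatureStatus=Valid",
    "2025-09-01T10:07:30Z EventID=5136 ObjectClass=groupPolicyContainer "
    "Subject=CORP\\svc-backup Attribute=gPCMachineExtensionNames",
    "2025-09-01T10:08:00Z EventID=5136 ObjectClass=groupPolicyContainer "
    "Subject=CORP\\gpo-admin Attribute=versionNumber",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(f"[{finding.severity}] {finding.timestamp} {finding.technique}: {finding.reason}")
```

Run as written, the script reports two findings: the validly signed driver in `C:\Users\Public` is flagged only because its hash is on the blocklist, and the `gPCMachineExtensionNames` edit by a service account is flagged while the same kind of edit by the allowlisted administrator is not. In a real deployment the `Subject` allowlist and the attribute set are the two knobs to tune against your change-management baseline.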
What is perhaps most alarming is the speed at which Gentlemen has scaled its operations. In just a few months, the group has cast a wide net. “The attack by Gentlemen quickly spread after its appearance, and there have been reports of damage in at least 17 countries,” the report states.
The victimology is dangerously diverse, sparing no sector. Attacks have hit organizations in “manufacturing, construction, healthcare, and insurance,” spanning continents from the Asia-Pacific (APAC) region to North America, South America, and the Middle East. This wide operational scope suggests the group is likely not targeting specific regions but is instead opportunistic and capable of managing simultaneous campaigns globally.
The group’s ransom notes are stark and coercive, leveraging the theft of confidential data to pressure victims into paying—a tactic known as double extortion. They warn victims that refusing to negotiate will lead to the “irreversible wipe of all data” and the publication of exfiltrated secrets on their leak site.
In a chilling attempt to discourage victims from seeking help, the ransom note asserts: “It’s a fundamental mathematical reality. Only we can decrypt your data”. They explicitly warn that law enforcement and third-party recovery firms are useless, claiming they “will only waste your time, take your money, and block you from recovering your files”.
While it remains unconfirmed whether Gentlemen is a rebrand of a defunct group or a new player operating under a Ransomware-as-a-Service (RaaS) model, their impact is undeniable. “Since its emergence, Gentlemen has been evaluated as one of the most active emerging ransomware groups in 2025,” researchers concluded.