| At a glance | |
|---|---|
| Group | The Gentlemen (ransomware-as-a-service) |
| Activity | Ransomware, data-leak extortion, custom tool development |
| Targets | Large firms and critical infrastructure: manufacturing, IT, healthcare, finance, construction, logistics |
| Scale | Reportedly 320+ leak-site victims by April 2026; a top RaaS actor of 2026 (per public reports) |
| Status | No arrests or charges reported; tracked by Kaspersky, Check Point, ESET, and others |
| Source | Kaspersky (Securelist) |
TL;DR
The Gentlemen ransomware is a new RaaS operation that scaled fast in 2026. Kaspersky tracked fresh tactics, a Go-based backdoor, and a new C-based locker still in testing. The group hits large organizations worldwide and now leans on data-leak extortion.
What happened
Kaspersky’s Securelist team published a deep look at The Gentlemen ransomware. The group runs a ransomware-as-a-service model and recruits affiliates. Researchers have tracked it since February 2026.
Affiliates usually break in through exposed edge devices. They abuse VPNs and firewalls, then use stolen or weak credentials. In some cases, access came from an initial access broker rather than the group itself.
How the attacks unfold
Once inside, the operators map the network with tools like SharpADWS, NetScan, and Advanced IP Scanner. They also capture traffic with Microsoft’s netsh to harvest passwords. Then they spread the locker through Group Policy, the NETLOGON share, and PsExec.
To clear a path, the group disables security software. It loads vulnerable drivers in a “bring your own vulnerable driver” attack, a method other vendors connect to a toolset named GentleKiller. The malware even tries to uninstall Kaspersky Antivirus, though behavioral detection blocks that step.
The main Go locker is password-protected to dodge sandboxes. It offers many flags, from a SYSTEM mode to fast modes that encrypt only a slice of each file. For encryption, it pairs Curve25519 with the XChaCha20 cipher. Before locking files, it stops Hyper-V virtual machines and wipes shadow copies to block recovery.
Who is behind The Gentlemen ransomware
Kaspersky attributes the activity to The Gentlemen and its affiliates with high confidence. As the researchers state, “We have high confidence in attributing the observed activities.” That call rests on the group’s name, email addresses, and leak-site links found in the binaries and ransom notes.
Other vendors go further on the people involved. Check Point Research and PRODAFT tie the operation to a Russian-speaking operator known by the alias hastalamuerte, also tracked as LARVA-368. Reports say this actor once worked as a Qilin affiliate. No arrests or charges have been made public.
Impact and scale
The Gentlemen ransomware grew quickly. Check Point counted more than 320 victims on the leak site by April 2026. Later tallies from Ransomware.Live put the figure near 478 by mid-June. These numbers are claims drawn from the group’s own leak site.
The true reach may be wider. Check Point found an affiliate server tied to a SystemBC botnet of over 1,570 likely corporate hosts. Leaked negotiation chats also show one victim reportedly paying about $190,000, down from a $250,000 demand.
Targeting spans many sectors and regions. Kaspersky names manufacturing, IT services, healthcare, finance, construction, and logistics among the hardest hit. Its telemetry points to Brazil, China, Indonesia, Taiwan, and Thailand as frequent targets. Notably, the group shows little restraint toward hospitals or critical services.
New malware in the mix
Kaspersky found two notable additions. A Go-based backdoor lands a day before the locker and opens a remote channel for commands and a SOCKS proxy. Meanwhile, a new C-based ransomware, still in development, uses AES-256-GCM with RSA and switches victim contact from Tox to email.
How to stay protected
Patch internet-facing VPNs, firewalls, and services without delay. Then enforce strong, unique credentials and multi-factor authentication on remote access. Watch for sudden changes to Microsoft Defender settings, new scheduled tasks, and unexpected PsExec or GPO activity.
Back up critical data offline and test restores often. Also, monitor for vulnerable-driver loads, since the group relies on that trick to kill defenses. Quick detection during reconnaissance offers the best chance to stop an attack before encryption begins.
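As an added example (not from Kaspersky's report or this article), the script below turns the watch points above into a small triage rule set and runs it over a handful of constructed Windows and Sysmon event records. The event IDs are the standard ones (System 7045 service install, Sysmon 6 driver load, Defender 5001, Security 4698 and 5136); the hostnames, paths, and task names are made up.

```python
from typing import Iterable, Optional

# Sample events, constructed for this example (not real telemetry).
# Each record mimics a flattened Windows / Sysmon event.
SAMPLE_EVENTS = [
    {"channel": "System", "id": 7045, "host": "SRV01",
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 6, "host": "SRV01",
     "data": {"ImageLoaded": r"C:\Users\Public\drv.sys", "Signed": "false"}},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001,
     "host": "SRV01", "data": {}},
    {"channel": "Security", "id": 4698, "host": "WS07",
     "data": {"TaskName": r"\Update", "SubjectUserName": "svc_backup"}},
    {"channel": "Security", "id": 5136, "host": "DC01",
     "data": {"ObjectClass": "groupPolicyContainer",
              "AttributeLDAPDisplayName": "gPCFileSysPath"}},
    {"channel": "Security", "id": 4624, "host": "WS07", "data": {"LogonType": "3"}},
]

def classify(ev: dict) -> Optional[str]:
    """Map one event to an article watch point, or None if it matches nothing."""
    d = ev.get("data", {})
    ch, eid = ev.get("channel", ""), ev.get("id")
    # PsExec installs a service (System 7045) named PSEXESVC by default.
    if ch == "System" and eid == 7045 and "PSEXESVC" in d.get("ServiceName", "").upper():
        return "psexec-service-install"
    # Sysmon 6: driver load. Unsigned, or loaded from a user-writable path, hints at BYOVD.
    if "Sysmon" in ch and eid == 6:
        path = d.get("ImageLoaded", "").lower()
        if d.get("Signed", "").lower() == "false" or \
                path.startswith(("c:\\users\\", "c:\\programdata\\")):
            return "suspicious-driver-load"
    # Defender operational log 5001: real-time protection disabled.
    if "Defender" in ch and eid == 5001:
        return "defender-realtime-disabled"
    # Security 4698: a scheduled task was created.
    if ch == "Security" and eid == 4698:
        return "scheduled-task-created"
    # Security 5136 on a groupPolicyContainer: GPO object edited (needs a SACL on GPO objects).
    if ch == "Security" and eid == 5136 and d.get("ObjectClass") == "groupPolicyContainer":
        return "gpo-modified"
    return None

def triage(events: Iterable[dict]) -> list:
    """Return (host, finding) pairs in log order; a host with several findings comes first."""
    return [(ev["host"], tag) for ev in events if (tag := classify(ev))]

if __name__ == "__main__":
    for host, tag in triage(SAMPLE_EVENTS):
        print(host, tag)
```

In a real deployment the same rules would run against exported EVTX or SIEM data, and SRV01 (three distinct findings) is the kind of host that warrants immediate containment.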