The Gentlemen: the custom ransomware that has already claimed more than 1,500 hidden victims
The Gentlemen: the “custom” ransomware that has already claimed more than 1,500 hidden victims
A cybercriminal group that emerged in 2025 has just revealed its true scale: researchers discovered more than 1,570 compromised corporate networks that never made headlines. With confirmed presence in more than 50 countries, living off the land tactics, and suspicions of Russian-speaking origins, its operational model redefines what was previously understood as ransomware attacks.
In July 2025, a new ransomware group called The Gentlemen appeared on the cybercriminal scene, but few anticipated the speed at which it would escalate. Nine months later, an investigation published on April 21, 2026 by Check Point Research uncovered a finding that completely changed the perception of its reach: by conducting threat hunting on the command-and-control (C2) server of one of its affiliates, researchers identified more than 1,570 compromised corporate networks that had not even been publicly reported (Lakshmanan, 2026).
The figure is especially alarming when considering that on its data leak site (DLS), the group had only claimed around 320 victims up to that point. In other words, what was visible was merely the tip of the iceberg. As Eli Smadja, head of research at Check Point, noted: most ransomware groups make noise when they appear and then disappear, but in this case the real scale of the operation is significantly larger than what is publicly known, and it continues to grow (Lakshmanan, 2026).
Who are “The Gentlemen”?
The name is no coincidence. According to ESET analysts, the group pays aesthetic homage to Guy Ritchie’s films, projecting a disciplined and methodical brand identity, complete with a professional logo and tagline on its onion site (Ali Bravo, 2026). But that aesthetic is not just branding: it is reflected in the technical maturity of their operations, to the point that several researchers assume experienced actors from other ransomware ecosystems are behind it (SOCRadar, 2026).
Although their official origin remains classified as “unknown,” the FortiGuard Labs team points to a telling clue: the group expressly prohibits its affiliates from attacking organizations located in Russia and Commonwealth of Independent States (CIS) countries, a restriction historically associated with Russian-speaking threat actors (Fortinet, 2026). By early 2026, Fortinet had counted more than 200 published victims in more than 50 countries and more than 20 affected industries, ranging from energy and government to healthcare services.
The Gentlemen operates under the Ransomware-as-a-Service (RaaS) model. In September 2025, SOCRadar detected an announcement from the group on underground forums recruiting affiliates with an aggressive offer: 90% of the ransom proceeds for the executing affiliate, while the core operators retain control over the infrastructure, the DLS, and communication via TOX (SOCRadar, 2026). Such a high commission rate explains why the network grew so rapidly. However, FortiGuard adds a relevant nuance: the operational discipline is so high that some analysts suspect that, rather than a traditional RaaS, The Gentlemen could be a small but highly coordinated team that executes attacks directly (Fortinet, 2026).
Their toolkit is written primarily in Go and C, with variants for Windows, Linux, NAS, BSD, and a dedicated locker for ESXi environments. The cryptographic scheme combines XChaCha20 and Curve25519 in a hybrid model, and includes self-restart capabilities, startup persistence, and configurable encryption speed throttling to evade detections based on anomalous CPU/IO consumption (Mikhalov, 2025). Additionally, each payload requires an 8-byte password parameter to execute, which neutralizes automated sandboxes that cannot supply the attacker’s manual key.
A ransomware that adapts to each victim
What truly distinguishes The Gentlemen is not their code, but their operational philosophy: they do not attack en masse — they attack on a tailored basis.
The typical kill chain begins with initial access through internet-exposed services — especially poorly configured firewalls and VPNs, such as FortiGate appliances — via compromised credentials, or by exploiting known vulnerabilities such as CVE-2025-7771 (Fortinet, 2026). Additional vectors such as spear phishing and abuse of exposed RDP have also been observed. A particularly sophisticated technique documented by Cybereason and cited by SOC Prime involves DLL sideloading via OneDrive.exe (loading the malicious library SSPICLI.dll), and even VBA macros embedded in Outlook (the VbaProject.OTM file) that monitor incoming emails through the Application_NewMailEx event as C2 triggers (Mikhalov, 2025).
Once the foothold is established, the group conducts surgical reconnaissance with tools such as Advanced IP Scanner and Nmap to map Active Directory, enumerate Domain Admins, identify accounts with elevated privileges, and profile the environment’s security stack (Ali Bravo, 2026). For privilege escalation, they abuse legitimate utilities such as PowerRun.exe to bypass UAC and execute processes with NT AUTHORITY\SYSTEM privileges (SOCRadar, 2026).
For lateral movement, they rely on PsExec over SMB admin shares, WMI, PowerShell Remoting, and SCHTASKS — a living off the land (LOLBAS/LOLBins) approach that allows them to blend in as legitimate administrative traffic (Mikhalov, 2025). The arsenal documented by Fortinet also includes AnyDesk, PuTTY, WinSCP, and ICACLS for persistence, data transfer, and ACL manipulation (Fortinet, 2026).
Here is where things get most dangerous: if during reconnaissance they detect a specific EDR in the environment, they modify their tools mid-campaign. Trend Micro analysts documented how the group evolved its process-termination utility from All.exe to a custom variant called Allpatch2.exe, specifically designed to neutralize the security agents of the targeted environment (Lakshmanan, 2026). They also employ BYOVD (Bring Your Own Vulnerable Driver) techniques, leveraging signed but vulnerable drivers such as ThrottleBlood.sys to disable antivirus solutions at the kernel level (SOCRadar, 2026).
For the impact phase, they abuse Group Policy Objects (GPO) and the NETLOGON share to propagate ransomware simultaneously across the entire domain. Before encryption, they execute particularly careful anti-forensic routines: disabling Windows Defender via Set-MpPreference -DisableRealtimeMonitoring $true, adding broad exclusions with Add-MpPreference -ExclusionPath, shutting down the firewall, re-enabling SMB1, relaxing LSA anonymous controls, stopping backup services, deleting Volume Shadow Copies (VSS), and purging event logs (Lakshmanan, 2026; Mikhalov, 2025). Encrypted files receive the extension .7mtzhh and a ransom note called README-GENTLEMEN.txt is left behind.
SystemBC: the piece that revealed the true scale
The recent news focuses precisely on how researchers found the 1,570 hidden victims. A The Gentlemen affiliate deployed in their attacks a proxy malware known as SystemBC, used since 2020 in various ransomware operations. It establishes SOCKS5 tunnels within the victim’s environment and communicates with its C2 through a proprietary protocol encrypted with RC4, while also being able to download and execute additional payloads both on disk and via in-memory injection (Lakshmanan, 2026).
By analyzing that C2 server, Check Point obtained the complete list of compromised networks, distributed primarily across the United States, United Kingdom, Germany, Australia, and Romania. Notably, it remains unclear whether SystemBC is part of the group’s official playbook or whether it is used only by a specific affiliate for exfiltration and persistent remote access (Lakshmanan, 2026).
Why does this news matter now?
The Gentlemen is no longer an emerging threat: it is one of the most active in the world. According to data from ZeroFox, during the first quarter of 2026 the group ranked as the third most prolific ransomware operator in the world, with 192 incidents, just behind Qilin (338) and Akira (197) (Lakshmanan, 2026).
And the regional impact is significant. Mexico appears consistently among the most attacked countries, alongside the United States, Thailand, India, Colombia, Spain, and France (Ali Bravo, 2026). Reports confirm victims across virtually all of Latin America: Argentina, Chile, Brazil, Peru, Ecuador, Venezuela, Guatemala, the Dominican Republic, Costa Rica, Panama, and, of course, Colombia and Mexico. The most heavily hit sectors: manufacturing, technology, healthcare, finance, insurance, construction, energy, government, and media (Fortinet, 2026; SOCRadar, 2026).
The Halcyon Ransomware Evolution report also warns of a concerning pattern: 69% of attacks are executed during nights and weekends to overcome SOC response times, and dwell times have been reduced from days to hours (Lakshmanan, 2026). In other words: from initial access to full encryption can take less than a single workday.
Blue Team Perspective: honeypots and IDS as an early detection layer
Against an adversary that heavily abuses legitimate tools and modifies its toolkit mid-campaign, defenses based exclusively on signatures and blacklists are insufficient. Detecting The Gentlemen demands a defense-in-depth approach in which honeypots and intrusion detection systems (IDS/NIDS/HIDS) play a strategic role.
Honeypots: deception as detection
Since the group invests considerable time in the discovery phase — enumerating Active Directory, scanning internal ranges with Nmap and Advanced IP Scanner, and seeking high-privilege accounts — a well-instrumented environment with decoys can become the first early warning system. Some concrete strategies:
- Honey accounts in Active Directory: fake Domain Admin users with attractive names (
admin_backup,svc_sql,it_administrator) that should never authenticate. Any Kerberoasting, AS-REP Roasting, LDAP enumeration, or login attempt against them must trigger an immediate critical alert. Tools such as HoneypotBuster or the Active Directory canary tokens integrated into Microsoft Defender for Identity are especially useful here. - SMB Honey shares: decoy shared folders with names like
\\FS01\Backups$,\\FS01\Finance_2025that, when accessed by an unauthorized session via SMB admin shares or PsExec, trigger Windows events 5140/5145 correlated with a high-priority alert. - Honeytokens in files and databases: fake credentials in
.xlsx,.config, or.ps1files distributed in honey locations (C:\Temp,\\netlogon\scripts). Since The Gentlemen relies on NETLOGON to propagate its payload, any read of these files is a signal of active reconnaissance. - Exposed-service honeypots: fake FortiGate appliances or VPNs at the perimeter (deployable with T-Pot, Cowrie for SSH, Dionaea for SMB, or HoneyTrap) that capture reused credentials and brute force patterns. This is particularly relevant because the group’s most documented initial access vector is exploitation of exposed administrative interfaces.
- Internal deception grids: fake hosts within internal VLANs acting as tripwires. An Nmap scan from a compromised machine will inevitably touch these nodes, generating telemetry impossible to confuse with legitimate activity.
The strength of deception is that it produces no false positives: no legitimate process should interact with a decoy resource. This makes honeypots a high-confidence signal that can immediately escalate to the incident response playbook.
IDS/IPS and behavior-based detection
A well-tuned IDS — whether Suricata, Snort, Zeek (formerly Bro), or a commercial NDR — can detect several phases of The Gentlemen’s attack if fed with appropriate rules and analytics:
- SystemBC detection: the RC4-encrypted SOCKS5 tunnel and periodic C2 communication generate detectable traffic patterns through JA3/JA3S analysis (TLS fingerprinting) and beaconing detection over NetFlow/IPFIX flows. Suricata and Zeek have had community rules specifically for SystemBC since 2020.
- Sigma rules in the SIEM: SOC Prime published in November 2025 a specific rule set to detect The Gentlemen’s persistence and propagation, including PowerShell patterns such as
Invoke-CommandwithSet-MpPreference -DisableRealtimeMonitoringorAdd-MpPreference -ExclusionPath 'C:', unambiguous indicators of the group’s defense evasion phase (Mikhalov, 2025). These Sigma rules are translatable to any modern SIEM (Splunk, Sentinel, Elastic, QRadar, Chronicle). - BYOVD detection: monitoring the loading of signed but vulnerable drivers (
ThrottleBlood.sys,RTCore64.sys,procexp152.sys) via rules on Sysmon Event ID 6 (Driver loaded) combined with the LOLDrivers list. - Active Directory monitoring: alerts on mass GPO modifications (Event ID 5136), account creation on domain controllers (4720), or anomalous enumeration of privileged groups (4661). The group’s attacks heavily abuse GPO and NETLOGON for final propagation.
- Lateral movement detection via PsExec, WMI, and PowerShell Remoting through correlation of events 4624 Logon Type 3 with Process Creation (Sysmon Event ID 1) and internal SMB traffic on ports 445/135/5985.
- Schedule anomalies: given that 69% of attacks occur at nights and on weekends, a detection policy based on User and Entity Behavior Analytics (UEBA) that flags administrative authentications outside business hours generates a high-value signal.
The combination of honeypots + IDS + SIEM + EDR + UEBA following the MITRE D3FEND framework and mapping defenses against applicable MITRE ATT&CK TTPs (T1190, T1078, T1059.001, T1562, T1484.001, T1021.002, T1486) allows the Blue Team to reduce dwell times from hours to minutes — which is the only realistic window to disrupt an attack chain as accelerated as The Gentlemen’s.
Analysis: what this threat reveals about the current state of ransomware
The case of The Gentlemen is not simply the story of yet another group developing ransomware. It serves as an indicator of how the criminal model is evolving and how it must be addressed with applied threat intelligence knowledge.
The visibility problem. The most disturbing finding from the Check Point investigation is not the number of victims per se, but the ratio between what the group publishes on its DLS and what it actually compromises. With barely 20% of its intrusions made public, The Gentlemen operates silently, which means that many victims pay without the incident ever becoming public — thereby inflating the group’s profits without increasing regulatory pressure or the attention of threat intelligence teams. This model subverts the industry’s threat sharing mechanisms: if incidents are not reported, indicators of compromise (IoCs) do not circulate, and the defensive community arrives late to the next attack.
The reduction of dwell times as a crisis for the Blue Team. The fact that dwell times have been reduced from days to hours completely changes how a defensive posture must be adopted. The traditional detection-and-response model is no longer sufficient against an adversary that can complete its kill chain in just a few hours. This pushes defensive teams toward architectures of automated detection and orchestrated response (SOAR).
The particular risk for Latin America. The confirmed presence of the group in Mexico, Colombia, Argentina, Brazil, and other countries in the region was not accidental. Latin American organizations present a combination of factors that makes them attractive targets: high adoption of technologies such as FortiGate and VPNs that are the group’s documented attack vectors, lower average maturity in patch management programs, smaller SOC teams with less capacity for overnight response, and a poor culture of incident reporting — factors that allow the group to maintain low visibility in the region. The prohibition on attacking CIS countries also redirects operational capacity toward markets like Latin America, where perceived impunity is greater.
A signal about the evolution of the criminal ecosystem. The Gentlemen represents something the threat intelligence community has long warned about: the professionalization of ransomware has reached a level where criminal groups apply software engineering discipline, operational intelligence, and business strategy. Facing adversaries with this level of sophistication, a reactive defensive posture is not viable. The only acceptable approach is proactive detection, continuous threat hunting, and systematic reduction of the attack surface — because, as the evidence itself warns: the question is no longer if an organization will be targeted, but when, and whether it will be prepared to detect it in time.
Bibliography
Ali Bravo, C. (2026, March 26). The Gentlemen: the new generation of ransomware that attacks on demand. WeLiveSecurity (ESET). https://www.welivesecurity.com/es/ransomware/the-gentlemen-la-nueva-generacion-de-ransomware-que-ataca-a-medida/
Fortinet. (2026, April 24). The Gentlemen Ransomware — Threat Actor Profile. FortiGuard Labs. https://www.fortiguard.com/threat-actor/6387/the-gentlemen-ransomware
Lakshmanan, R. (2026, April 21). SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation. The Hacker News. https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html
Mikhalov, R. (2025, November 21). License to Encrypt: When “The Gentlemen” Go on the Offensive. SOC Prime. https://socprime.com/es/active-threats/caballeros-pasan-a-la-ofensiva/
SOCRadar. (2026, February 12). Dark Web Profile: The Gentlemen Ransomware. SOCRadar Cyber Threat Intelligence. https://socradar.io/blog/dark-web-profile-the-gentlemen-ransomware/