
A Closer Look at The Gentlemen’s Alleged Leak

Executive Summary

The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025 and rapidly scaled into a high-volume threat actor. Rather than a fully new group, it seems to be a continuation or reorganization of prior ransomware affiliate activity, with links to the Qilin ecosystem and the Russian-speaking actor “hastalamuerte”. Its growth likely reflects existing ransomware experience, affiliate relationships, and access to resources.

Figure 1. An illustration related to The Gentlemen, spotted on the dark web.

The group has demonstrated capability against enterprise environments, including Windows, Linux, NAS, BSD, and VMware ESXi systems. Observed activity includes the abuse of exposed remote access infrastructure, compromised credentials, network reconnaissance, legitimate administrative tools, security tool disabling, data exfiltration, and domain-wide ransomware deployment.

A new relevant finding is that underground sources show attempts to sell data claimed to be connected to The Gentlemen ransomware activity. At this stage, the available information is limited and does not provide enough victim-specific or technical details to confirm the data’s origin, freshness, or authenticity. This finding should be treated as a separate intelligence lead requiring further validation.

The Gentlemen should be assessed as a financially motivated ransomware threat with growing operational maturity, aggressive affiliate recruitment, and strong potential to cause both operational disruption and data-exposure impact.

 

Analytical Assessment

The Gentlemen represents a mature and fast-growing ransomware threat. Its significance is not only in its malware, but in its operating model, affiliate recruitment, multi-platform capability, and use of the wider cybercriminal access economy. The group benefits from the same conditions that support many modern ransomware operations: exposed remote infrastructure, weak identity controls, credential theft, access brokerage, and poor segmentation.

The Gentlemen may not be a fully new ransomware ecosystem, but rather a structured continuation of prior affiliate activity. The operation has evolved from an earlier affiliate group associated with the Qilin ransomware ecosystem and is reportedly managed by a Russian-speaking actor known as hastalamuerte. This context is important because it suggests that The Gentlemen benefits from existing ransomware experience, operational knowledge, affiliate relationships, and access to resources rather than building capability from scratch.

Figure 2. The Gentlemen’s account on X.

For affected or potentially exposed organizations, the main risk is not limited to encryption. The broader risk includes data exposure, regulatory impact, business interruption, credential compromise, third-party exposure, and reputational damage. Defensive response should therefore combine incident response readiness, external exposure management, identity security, backup resilience, and dark web monitoring.

The Gentlemen uses data theft as a core part of its pressure strategy. Stolen data may be uploaded to the group’s infrastructure or listed on its leak site if the victim does not negotiate. The group’s extortion model therefore extends beyond encryption alone. Even if an organization restores systems from backups, the risk of data exposure, regulatory impact, customer notification obligations, and reputational damage may remain.

 

Operational Model

The Gentlemen’s operating model follows a mature ransomware workflow. Initial access is likely obtained through a combination of exposed remote services, compromised credentials, VPN or firewall abuse, purchased access, and credential material sourced from stealer logs or access brokers. After gaining access, affiliates typically conduct internal reconnaissance, identify privileged users, map Active Directory, enumerate reachable hosts, disable security tools, stage data, and deploy ransomware across the environment.

Figure 3. The Gentlemen’s advertising banner, showing encryption launching.

The group’s affiliate panel is reported to support victim management, payload generation, ransom note customization, victim revenue estimation, stolen data uploads, negotiation channel configuration, and decryptor management. This indicates a structured backend environment rather than an isolated malware campaign.

Figure 4. The Gentlemen’s advertising banner.

Negotiations are not always handled directly through the public leak portal. In some cases, communication appears to be delegated to affiliate-controlled Tox or Session identifiers. This makes tracking incidents more difficult because communication channels may vary between intrusions.

 

The Gentlemen’s Statistics

From a purely statistical standpoint, 2026 marks the inflection year for The Gentlemen ransomware operation. Leak site monitoring shows that the group publicly claimed 352 attacks in the first part of 2026 (through May 10, 2026). This places The Gentlemen among the top two most active ransomware groups globally in 2026, despite being less than a year old at the start of the reporting period.

Figure 5. The Gentlemen’s blog.

The most revealing trend is the velocity of disclosures rather than the cumulative number alone. Activity increased sharply in Q1 to Q2 2026, with February and April standing out as the most active months in the dataset. In the normalized view, Q1 2026 accounts for around 219 unique disclosure records, while Q2 2026 up to May 10, 2026, already accounts for around 133 records. Several days show unusually high publication volume, including January 20, 2026, February 6, 2026, April 8, 2026, and April 14, 2026, when the group listed large batches of victims. This pattern suggests either coordinated batch publication, multiple active affiliates, or both, and supports the assessment that The Gentlemen operates with broad affiliate concurrency rather than isolated single-operator activity.

Figure 6. The Gentlemen’s victim distribution by sector.

| Sector | Count | Percent |
|---|---|---|
| Professional Services | 66 | 18.80% |
| Manufacturing | 63 | 17.90% |
| Technology | 41 | 11.60% |
| Healthcare | 31 | 8.80% |
| Transportation & Logistics | 23 | 6.50% |
| Agriculture & Food | 21 | 6.00% |
| Financial Services | 16 | 4.50% |
| Construction | 14 | 4.00% |
| Education | 13 | 3.70% |
| Government & Public Sector | 12 | 3.40% |
| Hospitality & Tourism | 10 | 2.80% |
| Energy & Utilities | 10 | 2.80% |

Table 1. The Gentlemen's distribution of victims by sector.

The victims’ sector distribution shows a strong concentration in business and industrial environments. Professional services and manufacturing represent the two largest categories, together accounting for nearly 37% of all records. They are followed by technology, healthcare, transportation and logistics, financial services, agriculture and food, education, construction, and government/public sector. This distribution indicates that The Gentlemen is not limited to one vertical; however, the repeated appearance of manufacturing, professional services, technology, and healthcare suggests a preference for organizations with complex operational networks, valuable business data, and higher disruption potential.

Figure 7. Distribution of victims by geographical region.

| Region | Count | Percent |
|---|---|---|
| APAC | 101 | 28.70% |
| Europe | 100 | 28.40% |
| Latin America | 59 | 16.80% |
| United States & Canada | 55 | 15.60% |
| Middle East | 19 | 5.40% |
| Africa | 14 | 4.00% |
| Unknown | 4 | 1.10% |

Table 2. Distribution of victims by geographical region.

Geographically, the dataset shows broad international activity across approximately 70 countries, with no single region fully dominating the victim list. In the normalized data, APAC represents the largest regional share, followed by Europe, Latin America, and the United States and Canada.

Figure 8. Distribution of victims by country.

| Country | Count | Percent |
|---|---|---|
| United States | 46 | 13.10% |
| Thailand | 30 | 8.50% |
| France | 19 | 5.40% |
| El Salvador | 14 | 4.00% |
| Japan | 13 | 3.70% |
| Brazil | 13 | 3.70% |
| Italy | 13 | 3.70% |
| Taiwan | 12 | 3.40% |
| Germany | 12 | 3.40% |
| India | 12 | 3.40% |
| United Kingdom | 11 | 3.10% |
| Canada | 9 | 2.60% |
| Poland | 8 | 2.30% |
| Colombia | 8 | 2.30% |
| Turkey | 8 | 2.30% |
| Czechia | 7 | 2.00% |
| Malaysia | 7 | 2.00% |
| Mexico | 7 | 2.00% |
| China | 7 | 2.00% |

Table 3. Distribution of victims by country.

At the country level, the United States is the most frequently listed country, followed by Thailand, France, El Salvador, Italy, Brazil, Japan, India, Germany, and Taiwan. The concentration across APAC, Europe, Latin America, and North America suggests a globally distributed target set, while the absence of Russia and CIS countries in the dataset remains consistent with the group’s reported affiliate rules and broader Russian-speaking ransomware targeting patterns.


The group’s activity is concentrated on organizations with commercially valuable data and exposed attack surfaces, rather than on a single strategic sector. While healthcare, financial services, government, energy, logistics, and telecommunications remain high-risk categories, the broader pattern indicates opportunistic targeting across industries. This supports the assessment that The Gentlemen’s growth is driven by affiliate scale, exposed perimeter infrastructure, valid credential abuse, and monetizable business data.

Crucially, experienced analysts caution that leak site victim counts materially underrepresent real compromise activity. During a 2026 incident response investigation, researchers correlated The Gentlemen’s use of the SystemBC proxy infrastructure. They identified telemetry from over 1,570 enterprise environments, many of which never appeared on the group’s public shame site. This indicates that the 692 publicly disclosed victims in 2026 likely represent only organizations that refused to pay, not the full scale of the group’s intrusion activity.

Taken together, the 2026 statistics paint a clear picture: The Gentlemen’s growth is not episodic but structural. The aggressive affiliate economics, rapid exploitation of internet-facing systems, and short time-to-encryption cycles have translated directly into rising victim counts. From a defensive standpoint, these numbers should be interpreted not as retrospective reporting but as a leading indicator of continued high volume ransomware risk, particularly for industrial and infrastructure-adjacent organizations.

 

The Gentlemen’s Malware Capabilities

The Gentlemen ransomware includes multi-platform capabilities. Public technical analysis indicates support for Windows, Linux, NAS, BSD, and ESXi environments. This is important because attacks against ESXi and virtualization infrastructure can rapidly disrupt entire server estates and critical business applications.

The Windows locker has been reported as Go-based and requires a password parameter during execution. This type of execution control may reduce accidental detonation, limit sandbox analysis, and allow affiliates to control when and where the payload runs.

The ransomware has been associated with the ransom note name:

  • README-GENTLEMEN.txt

Observed encrypted file extensions include:

  • .7mtzhh
  • .ojuopo
  • variable six-character extensions

The encryption logic reportedly uses a hybrid encryption approach and may support configurable encryption modes. Smaller files may be fully encrypted, while larger files may be partially encrypted in chunks to accelerate impact. This allows the actor to damage large file repositories faster while still making recovery difficult without backups or decryptors.
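One way to hunt for the file artifacts listed above without relying on hashes, as an added example that is not from the original report: the Python below flags a burst of renames to one new six-character extension, corroborated by the README-GENTLEMEN.txt note. The event schema, the 60-second window and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Artifacts taken from the report above.
RANSOM_NOTE = "readme-gentlemen.txt"
SIX_CHAR_EXT = re.compile(r"\.([a-z0-9]{6})$")  # shape of .7mtzhh / .ojuopo

# Assumed tuning values, not from the report.
WINDOW = timedelta(seconds=60)
MIN_RENAMES = 5
MIN_SOURCE_TYPES = 2


def basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def extension(name):
    """Final extension without the dot, or '' when there is none."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def new_six_char_ext(old_path, new_path):
    """Return the six-character extension a rename introduced, else None."""
    match = SIX_CHAR_EXT.search(basename(new_path))
    if not match or extension(basename(old_path)) == match.group(1):
        return None  # no such suffix, or the extension did not change
    return match.group(1)


def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside one sliding window."""
    stamps = sorted(stamps)
    best = lo = 0
    for hi, ts in enumerate(stamps):
        while ts - stamps[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_rename_bursts(events):
    """Return one alert per (host, extension) that looks like mass encryption."""
    stamps = defaultdict(list)       # (host, ext) -> rename times
    source_types = defaultdict(set)  # (host, ext) -> original extensions
    note_hosts = set()               # hosts where the ransom note appeared
    for ev in events:
        if ev["action"] == "create" and basename(ev["path"]) == RANSOM_NOTE:
            note_hosts.add(ev["host"])
        elif ev["action"] == "rename":
            ext = new_six_char_ext(ev["path"], ev["new_path"])
            if ext:
                key = (ev["host"], ext)
                stamps[key].append(datetime.fromisoformat(ev["ts"]))
                source_types[key].add(extension(basename(ev["path"])))
    alerts = []
    for host, ext in sorted(stamps):
        key = (host, ext)
        burst = max_in_window(stamps[key], WINDOW)
        note = host in note_hosts
        # One tool renaming one file type (log rotation to .backup) is common;
        # the same new suffix across several file types is not.
        varied = len(source_types[key]) >= MIN_SOURCE_TYPES
        if burst >= MIN_RENAMES and (varied or note):
            alerts.append({"host": host, "extension": "." + ext,
                           "renames": burst, "ransom_note": note})
    return alerts


def _ev(sec, host, action, path, new_path=None):
    return {"ts": f"2026-01-01T03:00:{sec:02d}", "host": host,
            "action": action, "path": path, "new_path": new_path}


# Constructed sample events (not real telemetry).
_FILES = ["q1.xlsx", "plan.docx", "db.bak", "cad.dwg", "hr.pdf", "a.txt"]
SAMPLE_EVENTS = (
    [_ev(i, "FS01", "rename", "D:\\share\\" + n, "D:\\share\\" + n + ".7mtzhh")
     for i, n in enumerate(_FILES)]
    + [_ev(7, "FS01", "create", "D:\\share\\README-GENTLEMEN.txt")]
    + [_ev(i, "WEB02", "rename", f"/var/log/app{i}.log", f"/var/log/app{i}.backup")
       for i in range(6)]
)

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

The WEB02 log rotation also produces a six-character suffix but touches a single file type and leaves no note, so it is not flagged.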

Before encryption, the malware attempts to stop services and processes associated with databases, backup software, virtualization platforms, remote access tools, and enterprise applications. This behavior is designed to maximize business disruption and prevent easy restoration.

 

Alleged Sale of The Gentlemen-Related Data

During our dark web monitoring, forum activity was identified in which an unknown actor claimed to have access to data allegedly related to The Gentlemen ransomware group.

Figure 9. The Gentlemen’s data advertised on a dark web forum.

The actor offered the full dataset for sale for US$10,000, requesting payment in Bitcoin, and invited interested buyers to contact them for samples.

Figure 10. Sample files published by the dark web poster to prove the authenticity of his claims.

As proof, the forum actor published material allegedly taken from the group’s internal environment. One post included content that appears to be an /etc/shadow file, which also contained actor names or nicknames, as observed across other platforms, discussions, and underground offers. This may indicate an attempt to demonstrate access to infrastructure or systems associated with the ransomware operation.

Another dark web forum post made a similar claim of access to The Gentlemen-related data and provided additional alleged proof. The posted material reportedly included one of the threat actor’s nicknames previously visible in the mentioned file content, a related credential reference, chat conversations that may represent the victim negotiation preparation process, and mapping data that appears to describe collected files or directories from victim machines. If authentic, this type of material could indicate exposure not only of victim data, but also of internal operational artifacts linked to the ransomware group or its affiliates.

Figure 11. Company name spotted on the shared screenshot.

Among the listed items, the name JN Aceros was mentioned. JN Aceros appears to refer to J.N. Aceros S.A., a Peru-based company focused on the import and commercialization of stainless-steel products, including tubes, sheets, bars, plates, and related materials. Public ransomware tracking also lists JN Aceros as a victim claimed by The Gentlemen, with the claim discovered on September 9, 2025. This overlap makes the reference relevant, but it does not independently confirm the authenticity of the newly offered forum data.

Figure 12. A screenshot of a part of a file included in the leaked data claims.

One of the screenshots attached to the data allegedly leaked from The Gentlemen’s servers appears to show a plaintext log, export, or working note connected to the preparation of a ransomware leak-site post. The content includes Russian-language discussion, actor handles such as “xanax,” “donpakto,” and “Protagor,” as well as onion links and a structured list of allegedly stolen data. The visible material does not look like a standard victim file directory. It appears closer to actor-side operational content, possibly a chat export, backend note, draft publication text, or affiliate workspace artifact.

The main topic of the screenshot appears to be the preparation of an extortion message for a victim in the mining, energy, or natural resources sector. The listed stolen data categories include production and technological information, geological data about deposits, mining and processing plans, financial and commercial information, contracts, bank details, management strategy, employee personal data, occupational health and safety documents, and environmental or regulatory records. The same content appears in both Russian and English, which may indicate that the actors were preparing or translating a public-facing leak description. The text also includes pressure language claiming that, if the victim does not contact the actors, the data may be shared with competitors, members of the media, and the authorities.

The numeric values visible in the log may represent spreadsheet-style date or time values. If interpreted as Excel-style serial dates, they could correspond to early February 2026, but this should not be treated as confirmed without access to the original source file, time zone context, and metadata. The screenshot also contains onion links that appear to reference a group.

From a threat intelligence perspective, the screenshot is relevant because it may show more than stolen victim data. It may expose elements of the ransomware group’s internal or affiliate-side workflow, including actor handles, publication preparation, victim pressure messaging, and possible leak site references. However, the current evidence remains limited to a screenshot. It is not enough to confirm that the data came directly from The Gentlemen’s own infrastructure. The material could be genuine actor-side data, an affiliate leak, copied negotiation or publication content, recycled victim material, or a proof package assembled by a third party.

For responsible delivery, this finding should be presented as an unverified intelligence lead under investigation, not as a confirmed compromise of The Gentlemen's infrastructure. At this stage, the source and authenticity of the offered data cannot be verified. The data remains under investigation.

 

Conclusions

The Gentlemen should be assessed as a mature, data-driven extortion ecosystem rather than only a ransomware group publishing victim names. Its leak site activity, communication channels, victim countdowns, and negotiation pressure show that stolen data is central to its operation. Even when systems can be restored, the remaining risks include public disclosure, resale of stolen data, regulatory exposure, and reputational damage.

The victim dataset shows rapid disclosure growth during Q1 and Q2 2026, including several high-volume publication days and a broad geographic spread. This pattern suggests scalable affiliate activity and coordinated leak site management rather than isolated incidents. The group’s focus on professional services, manufacturing, technology, healthcare, logistics, financial services, and other commercially sensitive sectors indicates a clear interest in organizations holding valuable operational, customer, employee, financial, and contractual data.

The recently observed dark web posts offering data allegedly connected to The Gentlemen add an important but still unverified intelligence lead. The claims reference actor-side artifacts, possible negotiation material, victim mapping data, and samples allegedly taken from the group’s own environment. If validated, this could expose internal workflows, affiliate activity, victim references, infrastructure details, or data-handling practices within the ransomware operation itself. Until confirmed, the material should be treated carefully and monitored alongside leak-site publications, resale posts, actor handles, file samples, and victim-data overlaps.

 

Remediations

Organizations should first review internet-facing exposure, especially VPNs, firewalls, remote access portals, and management interfaces. Any exposed administrative panel should be restricted, patched, monitored, and protected with MFA. Logs from perimeter devices should be reviewed for suspicious administrative sessions, new accounts, configuration changes, and authentication anomalies.

Credential security should be treated as a priority. This includes enforcing MFA, rotating credentials exposed in stealer logs or previous breaches, disabling stale accounts, reviewing privileged group membership, and monitoring for unusual use of domain administrator accounts. Service accounts should be reviewed for excessive permissions and interactive login capability.

From an operational resilience perspective, organizations should verify offline or immutable backups, test restoration procedures, isolate backup infrastructure from the domain, restrict access to virtualization management, and segment critical servers from user workstations. The ability to restore ESXi and core business systems should be tested before an incident occurs.

Threat hunting should focus on early-stage ransomware behaviors: reconnaissance, remote access tooling, file transfer tools, process termination, security-control tampering, suspicious GPO modifications, and lateral movement. Detection engineering should avoid relying only on known hashes, because affiliate tooling and payload builds may change frequently.

Detection should prioritize behaviors that appear before encryption. The most valuable opportunities are suspicious remote access, abnormal administrative activity, scanning, credential abuse, security control tampering, and domain-wide deployment preparation.

High-value detection areas include unusual VPN or firewall administration activity, new privileged accounts, suspicious logins from unexpected geographies, AnyDesk installation outside approved IT procedures, Nmap or Advanced IP Scanner execution from servers, WinSCP activity from unusual hosts, BYOVD driver loading, broad Defender exclusions, mass service-stopping activity, ransomware-like file rename patterns, unexpected GPO changes, payload staging in NETLOGON, and large outbound transfers before encryption.
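The detection areas above work better correlated per host than as single-event alerts. As an added example (not part of the original report), this Python code classifies process events into the behaviours named above and alerts when several occur on one host within a window; the event fields, allowlist, command-line patterns, window and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Tools named in the report, keyed by process image name.
IMAGE_RULES = {
    "nmap.exe": "network_scan",
    "advanced_ip_scanner.exe": "network_scan",
    "anydesk.exe": "remote_access",
    "winscp.exe": "file_transfer",
    "psexec.exe": "lateral_exec",
    "psexec64.exe": "lateral_exec",
    "powerrun.exe": "privilege_tool",
}
# Command-line patterns: assumed and deliberately simple.
CMDLINE_RULES = [
    (re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I), "service_stop"),
    (re.compile(r"add-mppreference\b.*-exclusion", re.I), "defender_exclusion"),
    (re.compile(r"\\netlogon\\", re.I), "netlogon_staging"),
]
# Hypothetical allowlist: hosts where a category is approved IT procedure.
APPROVED = {"remote_access": {"HELPDESK01"}, "network_scan": {"NETOPS01"}}

WINDOW = timedelta(hours=4)  # assumed correlation window
MIN_CATEGORIES = 3           # assumed: distinct behaviours needed to alert
MIN_SERVICE_STOPS = 3        # assumed: a lone "net stop" is routine admin


def classify(event):
    """Map one process event to a behaviour category, or None."""
    image = re.split(r"[\\/]", event["image"])[-1].lower()
    category = IMAGE_RULES.get(image)
    if category is None:
        for pattern, name in CMDLINE_RULES:
            if pattern.search(event.get("cmdline", "")):
                category = name
                break
    if category and event["host"] in APPROVED.get(category, ()):
        return None  # approved use on this host
    return category


def correlate(events):
    """Alert on hosts showing MIN_CATEGORIES behaviours within WINDOW."""
    per_host = defaultdict(list)
    for ev in events:
        category = classify(ev)
        if category:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), category))
    alerts = []
    for host in sorted(per_host):
        hits = sorted(per_host[host])
        best, lo = Counter(), 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > WINDOW:
                lo += 1
            seen = Counter(cat for _, cat in hits[lo:hi + 1])
            if seen["service_stop"] < MIN_SERVICE_STOPS:
                del seen["service_stop"]  # only a burst of stops counts
            if len(seen) > len(best):
                best = seen
        if len(best) >= MIN_CATEGORIES:
            alerts.append({"host": host, "categories": sorted(best)})
    return alerts


def _ev(hhmm, host, image, cmdline=""):
    return {"ts": f"2026-01-01T{hhmm}:00", "host": host,
            "image": image, "cmdline": cmdline}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("01:00", "SRV-DB01", r"C:\Users\Public\advanced_ip_scanner.exe"),
    _ev("01:10", "SRV-DB01", r"C:\ProgramData\AnyDesk.exe"),
    _ev("01:30", "SRV-DB01", r"C:\Temp\WinSCP.exe"),
    _ev("01:50", "SRV-DB01", "powershell.exe", r"Add-MpPreference -ExclusionPath C:\Temp"),
    _ev("02:00", "SRV-DB01", r"C:\Windows\System32\net.exe", "net stop MSSQLSERVER /y"),
    _ev("02:01", "SRV-DB01", r"C:\Windows\System32\sc.exe", "sc stop VSS"),
    _ev("02:02", "SRV-DB01", r"C:\Windows\System32\net.exe", "net stop SQLWriter /y"),
    _ev("09:00", "HELPDESK01", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    _ev("09:05", "HELPDESK01", r"C:\Windows\System32\net.exe", "net stop Spooler"),
    _ev("10:00", "WS-114", r"C:\Tools\nmap.exe"),
    _ev("10:30", "WS-114", r"C:\Windows\System32\sc.exe", "sc stop wuauserv"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only SRV-DB01 alerts: the help-desk AnyDesk session is allowlisted, and a single service stop on a workstation does not count as a burst.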

Special attention should be given to virtualization environments. ESXi hosts, vCenter, backup servers, storage systems, and management networks should be monitored for unusual authentication, SSH activity, file modification, VM shutdown commands, and unexpected encryption-related artifacts.

 

Appendix 1: TTPs Used by The Gentlemen

The Gentlemen’s activity follows a mature ransomware-as-a-service intrusion model. The group’s affiliates appear to rely on a combination of exposed perimeter infrastructure, compromised credentials, valid accounts, and access obtained from the wider cybercriminal ecosystem. Public reporting highlights abuse of internet-facing services, VPN or firewall access, and FortiGate-related exposure as relevant initial access paths. The group’s recruitment of affiliates and penetration testers also suggests that intrusion methods may vary between cases depending on the operator involved.

| Attack Stage | Observed or Reported TTPs |
|---|---|
| Initial Access | Exploitation of exposed internet-facing services, VPN or firewall access, compromised credentials, valid accounts, and access obtained through affiliates or access brokers. |
| Reconnaissance | Internal network scanning, Active Directory enumeration, discovery of domain administrators, enterprise administrators, local groups, network shares, and VMware or backup-related systems. |
| Execution | Use of PowerShell, Windows command shell, PsExec, WMI, and administrative utilities to run commands and deploy payloads. |
| Persistence | Use of remote access tooling and proxy malware, including AnyDesk and SystemBC, to maintain access or support follow-on activity. |
| Privilege Escalation | Abuse of privileged accounts, administrative tools, and utilities such as PowerRun to execute with elevated permissions. |
| Defense Evasion | Disabling or attempting to bypass security tools, use of BYOVD-style driver abuse, process termination, and modification of security-related settings. |
| Lateral Movement | Use of PsExec, WMI, SMB/admin shares, remote services, Group Policy, and NETLOGON-based payload staging. |
| Collection and Exfiltration | Use of file transfer tools such as WinSCP and encrypted channels to stage and exfiltrate victim data before encryption. |
| Command and Control | Use of Cobalt Strike and SystemBC infrastructure for remote control, tunneling, payload delivery, and post-exploitation activity. |
| Impact | Encryption of files across Windows and Linux environments, targeting of servers, shares, NAS systems, and ESXi or virtualization infrastructure, followed by leak-site pressure and victim negotiation. |

Table 4. TTPs used by The Gentlemen ransomware group.

The group’s pre-encryption activity is especially important for detection. Reported intrusions include network scanning with tools such as Advanced IP Scanner and Nmap, the use of AnyDesk for remote access, WinSCP for data transfer, and PsExec or WMI for lateral execution. This indicates that defenders should not wait for ransomware artifacts but should prioritize the detection of abnormal administrative behavior, unusual remote access, privilege escalation, domain enumeration, and file staging.

The Gentlemen has also been associated with more advanced post-exploitation infrastructure. Recent reporting describes the attempted deployment of SystemBC, a proxy malware used to create SOCKS5 tunnels, support covert access, and deliver additional payloads. The same activity involved Cobalt Strike infrastructure, showing that affiliates may use a broader toolchain before ransomware deployment. This reinforces the need to hunt for C2 traffic, suspicious outbound connections, unknown proxy behavior, and unexpected beaconing from internal systems.

For deployment and impact, the group has been observed using domain-level mechanisms such as Group Policy and NETLOGON-based staging to push ransomware across compromised environments. Its advertised and reported multi-platform capability, including Windows, Linux, NAS, BSD, and VMware ESXi systems, increases the potential business impact because compromise may affect endpoints, servers, file shares, backup systems, and virtualization infrastructure at the same time.

The following MITRE ATT&CK mapping summarizes the main tactics and techniques associated with The Gentlemen ransomware activity. The mapping is intended to support detection engineering, threat hunting, and incident response prioritization, and should be validated against the customer’s own telemetry.

| Tactic | Technique ID | Technique Name | Relevance to The Gentlemen Activity |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Possible exploitation of exposed VPN, firewall, or perimeter infrastructure. |
| Initial Access | T1078 | Valid Accounts | Use of compromised credentials, VPN accounts, remote access accounts, or access obtained through affiliates. |
| Discovery | T1087 | Account Discovery | Enumeration of local and domain accounts during internal reconnaissance. |
| Discovery | T1069 | Permission Groups Discovery | Discovery of privileged groups, including domain administrators and other high-value groups. |
| Discovery | T1046 | Network Service Discovery | Internal scanning to identify reachable hosts, open services, and network structure. |
| Discovery | T1018 | Remote System Discovery | Identification of servers, endpoints, shares, and infrastructure systems for lateral movement or encryption. |
| Execution | T1059 | Command and Scripting Interpreter | Use of PowerShell, Windows command shell, or scripts to execute commands and deploy payloads. |
| Lateral Movement | T1021 | Remote Services | Use of remote services to move across the compromised environment. |
| Lateral Movement | T1021.002 | SMB / Windows Admin Shares | Use of SMB and administrative shares for payload staging, remote access, or deployment. |
| Lateral Movement | T1570 | Lateral Tool Transfer | Transfer of tools, payloads, or ransomware binaries between internal systems. |
| Defense Evasion | T1562 | Impair Defenses | Attempts to disable, bypass, or modify security controls before ransomware deployment. |
| Defense Evasion | T1562.001 | Disable or Modify Tools | Disabling or modifying endpoint protection, security tools, or monitoring controls. |
| Defense Evasion / Lateral Movement | T1484.001 | Group Policy Modification | Abuse or modification of Group Policy for domain-wide deployment or environment changes. |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | Exfiltration of collected data using attacker-controlled or non-standard transfer methods. |
| Impact | T1486 | Data Encrypted for Impact | Encryption of files and systems as the final ransomware impact stage. |
| Impact | T1489 | Service Stop | Stopping database, backup, security, or business application services before encryption. |

These techniques show that The Gentlemen should be monitored as a full intrusion lifecycle threat, not only as a final stage encryptor.

 

Appendix 2: IOCs

