The Gentlemen ransomware emerged as a formidable Ransomware-as-a-Service (RaaS) operation in June 2025 and has rapidly escalated into a global cyber threat, claiming over 320 victims by April 2026, with approximately 240 victims compromised in the first months of 2026 alone. The Gentlemen RaaS operation targets organizations worldwide across Windows, Linux, NAS, BSD, and VMware ESXi platforms, excluding CIS countries in accordance with Russian-speaking ransomware group operational norms.
The Gentlemen ransomware operation is led by a Russian-speaking threat actor using the alias “hastalamuerte” (also tracked as LARVA-368), who previously operated as an affiliate crew leader called ArmCorp within the Qilin RaaS program before launching The Gentlemen as an independent ransomware brand following a payment dispute in July 2025. The Gentlemen RaaS supplies affiliates with a multi-OS Go-based ransomware locker for Windows, Linux, NAS, and BSD environments, plus a dedicated C-based locker specifically designed for ESXi hypervisors, enabling coordinated ransomware attacks across heterogeneous enterprise environments.
The Gentlemen ransomware affiliates have been observed combining the ransomware payload with SystemBC proxy malware and Cobalt Strike frameworks, establishing covert SOCKS5 tunnels for command-and-control communications, harvesting credentials with Mimikatz, and deploying ransomware domain-wide through weaponized Group Policy Objects. The Gentlemen ransomware operation follows a classic double-extortion model, exfiltrating hundreds of gigabytes to multiple terabytes of sensitive data per victim before encryption, then publishing stolen data on a dedicated Tor-based leak site and applying public pressure via a branded X/Twitter account if ransom demands remain unpaid. The Gentlemen ransomware has impacted manufacturing, technology, healthcare, retail, business services, transportation, financial services, education, government, real estate, agriculture, energy, insurance, pharmaceutical, food service, media, hospitality, charitable organizations, telecommunications, and legal sectors globally.
The Gentlemen RaaS Operation Origins and Business Model
The Gentlemen ransomware is a Ransomware-as-a-Service operation that publicly surfaced in September 2025, though malware samples and forensic evidence trace The Gentlemen ransomware development activity back to at least mid-July 2025, with its earliest confirmed victim, a Peruvian steel manufacturer, compromised as early as June 30, 2025. The Gentlemen ransomware operation is run by a Russian-speaking threat actor using the alias “hastalamuerte” (also tracked as LARVA-368), who previously led an affiliate crew called ArmCorp inside the Qilin RaaS program before launching The Gentlemen as an independent ransomware brand.
After a public payment dispute with Qilin on the RAMP underground forum in July 2025, hastalamuerte formalized an already-planned departure and launched The Gentlemen ransomware as an independent brand, reusing proven tooling and infrastructure from previous operations. The Gentlemen RaaS was formally advertised on underground forums on September 12, 2025 under the alias “Zeta88,” promoting a minimal-infrastructure model consisting of a leak site plus Tox messenger and a cross-platform locker initially covering Windows and Linux, with NAS, BSD, and ESXi support added in later iterations.
Consisting of roughly 20 members, The Gentlemen ransomware group offers affiliates an aggressive 90/10 revenue split, well above the ransomware industry norm of 80/20, along with full control over victim negotiations, which has fueled rapid recruitment of seasoned operators from competing ransomware programs. This favorable affiliate split has contributed to The Gentlemen ransomware’s explosive growth trajectory across global targets.
The Gentlemen Ransomware Rapid Scaling and Victim Impact
The Gentlemen ransomware group has scaled dramatically in under a year, growing from approximately 30 claimed victims across 17 countries in autumn 2025 to 48 by October 2025, roughly 130 by early February 2026, and over 320 publicly listed victims by April 2026, with 240 of those victims claimed in the first months of 2026 alone. Independent telemetry from a command-and-control server tied to a Gentlemen ransomware affiliate revealed a SystemBC botnet of more than 1,570 likely corporate victims, indicating the true scale of The Gentlemen ransomware operation exceeds the leak-site count significantly.
Manufacturing, technology, healthcare, and financial services are the most impacted sectors by The Gentlemen ransomware, and the group shows no self-imposed restraint regarding hospitals or critical services, unlike some ransomware groups. The heaviest geographic concentrations of The Gentlemen ransomware attacks are the United States, Thailand, United Kingdom, Germany, Brazil, and France. Consistent with Russian-speaking ransomware norms, The Gentlemen affiliate rules explicitly prohibit targeting organizations in Russia and other CIS states.
The Gentlemen Ransomware Initial Access and Reconnaissance
Initial access for The Gentlemen ransomware is predominantly achieved through exploitation of internet-facing edge devices, most notably FortiGate appliances via CVE-2024-55591, an authentication bypass vulnerability in FortiOS/FortiProxy. The Gentlemen ransomware operators maintain a curated database of roughly 14,700 already-compromised FortiGate devices and 969 validated brute-forced VPN credentials, enabling affiliates to skip the reconnaissance phase entirely and immediately access victim networks.
Infostealer-sourced credentials and exposed administrative panels serve as secondary initial access vectors for The Gentlemen ransomware affiliates. Once inside victim networks, The Gentlemen ransomware affiliates conduct structured reconnaissance using Advanced IP Scanner, Nmap, and Active Directory enumeration scripts to map the environment and identify high-value targets for encryption and data exfiltration.
The Gentlemen Ransomware Defense Evasion and Privilege Escalation
The Gentlemen ransomware affiliates pivot to defense evasion through a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique abusing the ThrottleStop.sys driver (renamed ThrottleBlood.sys by attackers) to exploit CVE-2025-7771, granting kernel-level code execution for The Gentlemen ransomware operations. Custom utilities such as All.exe and Allpatch2.exe are deployed by The Gentlemen ransomware affiliates to terminate EDR and antivirus processes at the kernel level.
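The BYOVD step described above leaves a distinctive trace: a signed driver renamed on disk still carries its original name in its PE version resource, and it is loaded from somewhere other than the system driver directories. The following detection logic is an added example written for this article, not code from the original report or from the vendors it cites. It runs over constructed Sysmon Event ID 6 (DriverLoad) records; the hash in the blocklist is a labelled placeholder, because the report does not publish the driver hash, and the directory list and host names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# PLACEHOLDER: the report does not give the driver hash; load this table from a vetted
# vulnerable-driver list (Microsoft's recommended driver block rules, loldrivers.io).
# The value below is constructed for the demo only.
VULNERABLE_DRIVER_SHA256 = {
    "0" * 63 + "1": "ThrottleStop.sys (CVE-2025-7771; placeholder hash)",
}
# Directories a production driver is expected to load from (lower-case, trailing backslash).
STANDARD_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


@dataclass
class DriverLoad:
    """Fields lifted from a Sysmon Event ID 6 (DriverLoad) record."""
    host: str
    image_loaded: str        # path of the .sys file on disk
    original_filename: str   # OriginalFileName from the PE version resource
    sha256: str
    signed: bool
    signer: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_driver_load(ev: DriverLoad) -> Tuple[str, List[str]]:
    """Return (severity, reasons); severity is 'high', 'medium' or 'none'."""
    strong, weak = [], []
    known = VULNERABLE_DRIVER_SHA256.get(ev.sha256.lower())
    if known:
        strong.append(f"hash on vulnerable-driver blocklist: {known}")
    # Renaming a signed driver does not change its PE version resource, so a file called
    # ThrottleBlood.sys still reports OriginalFileName ThrottleStop.sys: that mismatch is the tell.
    on_disk = _basename(ev.image_loaded)
    if ev.original_filename and on_disk != ev.original_filename.lower():
        strong.append(f"on-disk name {on_disk} != OriginalFileName {ev.original_filename}")
    if not ev.signed:
        strong.append("driver is not signed")
    if not ev.image_loaded.lower().startswith(STANDARD_DRIVER_DIRS):
        weak.append(f"loaded from non-standard directory: {ev.image_loaded}")
    severity = "high" if strong else ("medium" if weak else "none")
    return severity, strong + weak


# Constructed sample records: one renamed vulnerable driver staged in a public folder,
# one legitimate OS driver, one third-party driver loaded from its install directory.
SAMPLE_EVENTS = [
    DriverLoad("WS-042", "C:\\Users\\Public\\ThrottleBlood.sys", "ThrottleStop.sys",
               "0" * 63 + "1", True, "Signer A (constructed)"),
    DriverLoad("WS-042", "C:\\Windows\\System32\\drivers\\ntfs.sys", "ntfs.sys",
               "ab" * 32, True, "Microsoft Windows"),
    DriverLoad("WS-017", "C:\\Program Files\\Vendor\\vendor.sys", "vendor.sys",
               "cd" * 32, True, "Signer B (constructed)"),
]


def triage(events: List[DriverLoad]) -> List[Tuple[str, str, str, List[str]]]:
    """Summarise every driver load as (host, file name, severity, reasons)."""
    return [(ev.host, _basename(ev.image_loaded), *assess_driver_load(ev)) for ev in events]


if __name__ == "__main__":
    for host, name, sev, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} {name}: {sev} {reasons}")
```

The name mismatch and the blocklist hit are treated as strong signals on their own; an unusual load directory alone is only a medium-severity lead, since many legitimate vendor drivers load from their install folder.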
The Gentlemen ransomware defense evasion is supplemented by PowerShell commands that disable Windows Defender, add broad path and process exclusions, and purge Defender support files to ensure ransomware deployment proceeds undetected. These comprehensive defense evasion techniques enable The Gentlemen ransomware to operate in enterprise environments even with security controls nominally in place.
The Gentlemen Ransomware Lateral Movement and Credential Harvesting
Lateral movement for The Gentlemen ransomware relies on living-off-the-land utilities including PsExec, WMI, WinRM, PowerRun.exe for UAC bypass and SYSTEM escalation, and remote scheduled tasks or services created across reachable hosts. Credentials are harvested from memory using Mimikatz by The Gentlemen ransomware affiliates, and AnyDesk is typically installed with a hardcoded password as a fallback remote access channel for persistent access.
Command-and-control for The Gentlemen ransomware is established through Cobalt Strike beacons and SystemBC SOCKS5 proxies using an RC4-encrypted protocol, while data exfiltration is performed over encrypted channels via WinSCP. The Gentlemen ransomware affiliates exfiltrate stolen data, often ranging from hundreds of gigabytes to multiple terabytes per victim, which is staged before encryption and published on a Tor-based leak site if ransom demands go unmet.
The Gentlemen Ransomware Group Policy Weaponization and Encryption
The defining impact technique of The Gentlemen ransomware is the built-in Group Policy deployment mode, which, once a Domain Controller is compromised, copies the locker to the NETLOGON share, creates a malicious GPO with an immediate scheduled task, and forces policy refresh to trigger near-simultaneous encryption across every domain-joined system in the victim environment. This Group Policy weaponization enables The Gentlemen ransomware to achieve enterprise-wide encryption within minutes of final payload deployment.
The Gentlemen ransomware Go-based locker targets Windows, Linux, NAS, and BSD environments, with a companion C-based variant specifically designed for ESXi hypervisors. The Gentlemen ransomware requires a per-build password argument to prevent sandbox detonation and uses hybrid cryptography that combines an X25519 key exchange with XChaCha20 stream encryption, generating a unique ephemeral key per file so that recovery without the attacker-controlled decryption key is effectively impossible.
The Gentlemen Ransomware Anti-Forensics and Double-Extortion
Configurable speed modes in The Gentlemen ransomware encrypt only 1 to 9 percent of large files for throughput while retaining destructive impact, and operators can optionally wipe free disk space to defeat forensic recovery attempts. Before encryption, The Gentlemen ransomware malware terminates dozens of backup, database, virtualization, and security services, deletes shadow copies, clears Windows event logs, and removes prefetch and RDP artifacts to frustrate incident response and forensic analysis.
Following a double-extortion model, stolen data exfiltrated by The Gentlemen ransomware affiliates is published on a Tor-based leak site if ransom demands go unmet, with negotiations conducted through Tox and Session messengers and additional public pressure applied via a branded social media account. The Gentlemen ransomware operation has demonstrated consistent follow-through on data leak threats, publishing sensitive victim data to maximize pressure for ransom payment.
Patch Internet-Facing Services
Prioritize timely patching of any exposed VPN appliances, RDP gateways, and remote-access infrastructure, since affiliates of The Gentlemen ransomware rely heavily on opportunistic exploitation of exposed services and stolen credentials for initial access. Organizations should immediately apply patches for CVE-2024-55591 (Fortinet FortiOS authorization bypass), CVE-2023-27532 (Veeam Backup & Replication missing authentication), and CVE-2024-37085 (VMware ESXi authentication bypass) to close critical initial access vectors exploited by The Gentlemen ransomware.
Harden and Monitor Domain Controllers
Treat Domain Controllers as the crown jewel that The Gentlemen ransomware kill chain is built around. Restrict interactive and network logons to Domain Controllers, and monitor for unusual ADMIN$ writes, abnormal RPC-launched binaries, and PowerShell sessions spawned under scheduled-task contexts on DCs. The Gentlemen ransomware Group Policy weaponization technique requires Domain Controller compromise, making DC hardening a critical defensive control.
Block and Detect Group Policy Weaponization
Alert on the creation of new GPOs, on changes to NETLOGON or SYSVOL scheduled-task XML files, and on bulk Invoke-GPUpdate or gpupdate /force activity executed across domain-joined systems. The Gentlemen ransomware --gpo deployment path is the single most impactful deployment mechanism in this ransomware operation and must be detectable in near real time to prevent enterprise-wide encryption.
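The Domain Controller monitoring and the Group Policy weaponization alerts from the two recommendations above can be expressed as a handful of checks over Windows Security and Sysmon events. The code below is an added example for this article, not a detection from the original report or from any vendor product; it runs over a constructed event stream (Security 5145, 5137 and 4688, Sysmon 11), and the DC inventory, domain name, GPO GUID, burst threshold and time window are all assumptions to be replaced with local values.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DOMAIN_CONTROLLERS = {"DC01", "DC02"}     # assumption: your DC inventory
BURST_MIN_HOSTS = 5                       # distinct hosts forcing a refresh inside the window
BURST_WINDOW = timedelta(minutes=5)
GPUPDATE_RE = re.compile(r"gpupdate(?:\.exe)?\b.*?/force|invoke-gpupdate", re.I)


def is_gpo_creation(ev: Dict) -> bool:
    """Security 5137 (directory object created) for a groupPolicyContainer."""
    return ev["event_id"] == 5137 and ev.get("object_class") == "groupPolicyContainer"


def is_sysvol_task_or_netlogon_write(ev: Dict) -> bool:
    """Sysmon 11 (FileCreate) under SYSVOL: a scheduled-task XML or the scripts (NETLOGON) folder."""
    if ev["event_id"] != 11:
        return False
    p = ev.get("target_filename", "").lower()
    return "\\sysvol\\" in p and (p.endswith("scheduledtasks.xml") or "\\scripts\\" in p)


def is_admin_share_write_on_dc(ev: Dict) -> bool:
    """Security 5145 on a DC: ADMIN$ opened with WriteData/AddFile (0x2) in the access mask."""
    return (ev["event_id"] == 5145 and ev["host"] in DOMAIN_CONTROLLERS
            and ev.get("share_name", "").upper().endswith("ADMIN$")
            and bool(int(ev.get("access_mask", "0x0"), 16) & 0x2))


def is_task_spawned_powershell_on_dc(ev: Dict) -> bool:
    """Security 4688 on a DC: powershell.exe whose parent is the svchost hosting the Schedule service."""
    return (ev["event_id"] == 4688 and ev["host"] in DOMAIN_CONTROLLERS
            and ev.get("image", "").lower().endswith("\\powershell.exe")
            and ev.get("parent_image", "").lower().endswith("\\svchost.exe")
            and "schedule" in ev.get("parent_command_line", "").lower())


def gpupdate_burst(events: List[Dict]) -> Optional[Tuple[datetime, List[str]]]:
    """First window in which >= BURST_MIN_HOSTS distinct hosts ran gpupdate /force or Invoke-GPUpdate."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["host"]) for e in events
                  if e["event_id"] == 4688 and GPUPDATE_RE.search(e.get("command_line", "")))
    for i, (t0, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - t0 <= BURST_WINDOW}
        if len(hosts) >= BURST_MIN_HOSTS:
            return t0, sorted(hosts)
    return None


def detect(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (finding, host(s), detail) for every matching event plus any gpupdate burst."""
    findings = []
    for ev in events:
        if is_gpo_creation(ev):
            findings.append(("new_gpo", ev["host"], ev.get("object_dn", "")))
        if is_sysvol_task_or_netlogon_write(ev):
            findings.append(("sysvol_write", ev["host"], ev["target_filename"]))
        if is_admin_share_write_on_dc(ev):
            findings.append(("admin_share_write_on_dc", ev["host"], ev.get("source_address", "")))
        if is_task_spawned_powershell_on_dc(ev):
            findings.append(("task_spawned_powershell_on_dc", ev["host"], ev.get("command_line", "")))
    burst = gpupdate_burst(events)
    if burst:
        findings.append(("gpupdate_burst", ",".join(burst[1]), burst[0].isoformat()))
    return findings


# Constructed sample events: the DC-side sequence of the GPO deployment, two benign records,
# and six workstations forcing a policy refresh within three minutes.
GPO_GUID = "{00000000-0000-0000-0000-000000000000}"   # placeholder GUID
SYSVOL = "C:\\Windows\\SYSVOL\\sysvol\\corp.example"  # assumed domain name
SAMPLE_EVENTS = [
    {"time": "2026-01-15T02:10:00", "event_id": 5145, "host": "DC01", "share_name": "\\\\*\\ADMIN$",
     "access_mask": "0x2", "source_address": "10.0.5.23"},
    {"time": "2026-01-15T02:11:30", "event_id": 5137, "host": "DC01", "object_class": "groupPolicyContainer",
     "object_dn": f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2026-01-15T02:11:45", "event_id": 11, "host": "DC01",
     "target_filename": f"{SYSVOL}\\scripts\\update.exe"},          # NETLOGON-backed folder
    {"time": "2026-01-15T02:12:00", "event_id": 11, "host": "DC01",
     "target_filename": f"{SYSVOL}\\Policies\\{GPO_GUID}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    {"time": "2026-01-15T02:12:10", "event_id": 4688, "host": "DC01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "parent_command_line": "svchost.exe -k netsvcs -p -s Schedule",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File \\\\DC01\\NETLOGON\\deploy.ps1"},
    {"time": "2026-01-14T09:00:00", "event_id": 5137, "host": "DC02", "object_class": "user",
     "object_dn": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
    {"time": "2026-01-14T09:05:00", "event_id": 4688, "host": "WS-07", "command_line": "gpupdate.exe /target:user"},
] + [
    {"time": f"2026-01-15T02:1{3 + i // 2}:{(i % 2) * 30:02d}", "event_id": 4688, "host": f"WS-{i:02d}",
     "command_line": "C:\\Windows\\System32\\gpupdate.exe /force"}
    for i in range(6)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Each check is deliberately narrow so that it can be tuned on its own: the refresh-burst threshold, for example, should sit above the number of hosts a normal change window touches in the same five minutes, while a single new groupPolicyContainer from an account outside the GPO-admin group is worth an alert on its own.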
Hunt for SystemBC Proxy Activity
Instrument EDR and NetFlow for unexpected SOCKS5 traffic, particularly from corporate hosts that should never act as proxies. Outbound connections to 45[.]86[.]230[.]112 or anomalous encrypted tunnels from workstations to low-reputation hosts should be investigated as potential pre-ransomware staging by The Gentlemen ransomware affiliates. The SystemBC proxy malware is a consistent component of The Gentlemen ransomware attack chain.
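As an added example for this article (not code from the original report or from any vendor), the following script applies the hunt above to constructed flow records: it matches the address named in the report, looks for a plaintext SOCKS5 handshake in captured payload where a sensor provides one, and flags a workstation that keeps a long-lived external session open while reaching an unusual number of internal hosts, which is the relay shape a SystemBC proxy produces even though its own channel is RC4-wrapped. The workstation subnet, the duration and fan-out thresholds, and the external addresses other than the one from the report are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

KNOWN_C2 = {"45.86.230.112"}                 # address named in the report (defanged there)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
NEVER_A_PROXY = ip_network("10.0.5.0/24")    # assumption: workstation VLAN that must never relay traffic
TUNNEL_MIN_SECONDS = 600                     # what counts as a persistent external session
RELAY_MIN_FANOUT = 10                        # internal destinations reached while that session is up


@dataclass
class Flow:
    """One NetFlow/Zeek-style connection record; first_bytes is optional payload from a sensor."""
    src: str
    dst: str
    dport: int
    duration_s: int
    first_bytes: bytes = b""


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def looks_like_socks5(b: bytes) -> bool:
    """RFC 1928 client greeting (05 NMETHODS METHODS...) or CONNECT/BIND/UDP request (05 CMD 00 ATYP...)."""
    if len(b) < 3 or b[0] != 0x05:
        return False
    greeting = b[1] >= 1 and len(b) == 2 + b[1]
    request = len(b) >= 4 and b[1] in (1, 2, 3) and b[2] == 0 and b[3] in (1, 3, 4)
    return greeting or request


def analyse(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (finding, source host, detail) tuples for the three hunt conditions."""
    findings = []
    tunnels: Dict[str, List[str]] = defaultdict(list)
    fanout: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst in KNOWN_C2:
            findings.append(("known_c2", f.src, f.dst))
        # Plaintext SOCKS5 to the outside is visible in payload. SystemBC wraps its channel in
        # RC4, so for it the relay heuristic below is the signal, not this byte check.
        if looks_like_socks5(f.first_bytes) and not is_internal(f.dst):
            findings.append(("socks5_handshake_external", f.src, f"{f.dst}:{f.dport}"))
        if ip_address(f.src) in NEVER_A_PROXY:
            if not is_internal(f.dst) and f.duration_s >= TUNNEL_MIN_SECONDS:
                tunnels[f.src].append(f.dst)
            elif is_internal(f.dst):
                fanout[f.src].add(f.dst)
    for src, dsts in tunnels.items():
        if len(fanout[src]) >= RELAY_MIN_FANOUT:
            findings.append(("relay_pattern", src,
                             f"{len(fanout[src])} internal hosts reached during tunnel to {dsts[0]}"))
    return findings


# Constructed sample flows: one workstation with a two-hour external session, a plaintext
# SOCKS5 greeting to a documentation-range address, and SMB to twelve internal hosts;
# a second workstation behaving normally.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "45.86.230.112", 443, 7200),
    Flow("10.0.5.23", "198.51.100.7", 1080, 15, b"\x05\x01\x00"),
    *[Flow("10.0.5.23", f"10.0.1.{n}", 445, 3) for n in range(10, 22)],
    Flow("10.0.5.40", "198.51.100.20", 443, 40),
    Flow("10.0.5.40", "10.0.1.5", 445, 3),
    Flow("10.0.5.40", "10.0.1.6", 3389, 600),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(finding)
```

The relay heuristic is the one to invest in: it needs no payload visibility and no prior knowledge of the proxy's infrastructure, only a baseline of which hosts are permitted to hold long external sessions and how many internal peers a workstation normally talks to.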
Conduct Regular Data Backups and Test Restoration
Regularly back up critical data and systems, and store the backups offline in immutable or air-gapped storage. Test restoration processes to ensure backup integrity and availability. In the event of an attack by The Gentlemen ransomware, up-to-date backups enable recovery without paying the ransom. The Gentlemen ransomware specifically targets and attempts to destroy backup infrastructure, making offline backup storage essential.
Protect Windows Defender Tamper Controls
Enable Tamper Protection, restrict who can run Set-MpPreference, and alert on any execution of Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath 'C:', or Add-MpPreference -ExclusionProcess commands, as all are explicit behaviors of The Gentlemen ransomware locker during defense evasion operations. Monitoring for Windows Defender manipulation provides early warning of The Gentlemen ransomware deployment.
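A literal string match on the commands above is easy to slip past, because PowerShell accepts any unambiguous parameter prefix (-DisableRealtime works as well as -DisableRealtimeMonitoring) and the whole cmdlet can be hidden behind -EncodedCommand. The classifier below is an added example for this article, not code from the original report; it goes beyond the page's three literal commands by resolving abbreviated parameters, decoding base64/UTF-16LE encoded commands, and rating a whole-drive exclusion differently from a narrow one. The sample command lines are constructed.

```python
import base64
import re
from typing import List, Tuple

# Full parameter names; PowerShell accepts any unambiguous prefix, so '-DisableRealtime'
# is as effective as the full name and must resolve to it.
MP_PARAMS = [
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableScriptScanning", "ExclusionPath", "ExclusionProcess", "ExclusionExtension",
]
STATEMENT_RE = re.compile(r"\b(?:Set|Add)-MpPreference\b([^;|]*)", re.I)
VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s;|,"'-][^\s;|,]*)"""
PARAM_RE = re.compile(rf"-(\w+)(?:[\s:]+({VALUE}(?:\s*,\s*{VALUE})*))?")
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
WHOLE_DRIVE_RE = re.compile(r"^[a-z]:\\?$", re.I)   # 'C:' or 'C:\' excludes the entire volume
TRUEISH = {"$true", "1", "true"}


def _resolve(prefix: str):
    """Map a (possibly abbreviated) parameter to its full name; None if unknown or ambiguous."""
    hits = [p for p in MP_PARAMS if p.lower().startswith(prefix.lower())]
    return hits[0] if len(hits) == 1 else None


def _expand_encoded(cmd: str) -> str:
    """Append the decoded body of -EncodedCommand (base64 of UTF-16LE) so it is inspected too."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " ; " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def assess_command(cmd: str) -> Tuple[str, List[str]]:
    """Return (severity, findings) for one process-creation command line."""
    findings: List[str] = []
    for stmt in STATEMENT_RE.finditer(_expand_encoded(cmd)):
        for p in PARAM_RE.finditer(stmt.group(1)):
            name = _resolve(p.group(1))
            if name is None:
                continue
            values = [v.strip("'\" ") for v in (p.group(2) or "").split(",")]
            if name.startswith("Disable"):
                if values[0].lower() in TRUEISH:
                    findings.append(f"high:{name}")
            elif name == "ExclusionPath":
                for v in values:
                    sev = "high" if WHOLE_DRIVE_RE.match(v) else "low"
                    findings.append(f"{sev}:ExclusionPath={v}")
            else:  # ExclusionProcess / ExclusionExtension: always worth an alert
                findings.append(f"high:{name}={values[0]}")
    severity = "high" if any(f.startswith("high:") for f in findings) else ("low" if findings else "none")
    return severity, findings


# Constructed sample command lines: the report's literal commands, an encoded and abbreviated
# variant, a benign query, and a narrow exclusion a software installer might legitimately add.
_ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtime 1 -DisableBehav $true".encode("utf-16-le")).decode()
SAMPLE_COMMANDS = [
    'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
    'Add-MpPreference -ExclusionPath \'C:\'"',
    f"powershell.exe -w hidden -enc {_ENCODED}",
    "powershell.exe -c Get-MpPreference",
    r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\Cache"',
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(assess_command(cmd))
```

Feed this with Security 4688 (with command-line auditing enabled) or Sysmon 1 records and, separately, with PowerShell script-block logs (Event ID 4104), which already contain the decoded text and so catch variants that arrive through stdin or a script file rather than the command line.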
MITRE ATT&CK tactics covered by the observed TTPs: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Command and Control, Exfiltration, Impact.
Indicator of Compromise categories: IPv4 Addresses, SHA256 Hashes (selected samples), Ransom Note Filename, Tor Leak Site, Tox IDs, File Paths.
References
https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/