Hospitality Hacks and Retail Reality Checks

No Manners Here: The Ruthless Rise of The Gentlemen Ransomware

Clock Icon 5 min read
Related Products

Executive Summary

The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure. Figure 1 below illustrates the desktop wallpaper used by the ransomware after deployment.

Image of The Gentlemen ransomware’s wallpaper, featuring five men wearing masks in tuxedos.
Figure 1. Image of The Gentlemen ransomware’s wallpaper. Source: Krebs on Security.

Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

Background

Unit 42 and other security researchers have observed The Gentlemen’s usage of a wide variety of initial access techniques similar to other RaaS operators since their inception, including the exploitation of vulnerabilities in edge devices (firewalls, VPNs), brute force attacks, obtaining leaked and/or stolen credentials and collaborating with initial access brokers (IABs).

More recently, researchers have identified The Gentlemen’s usage of a custom Go-based backdoor, an EDR killer framework dubbed “GentleKiller” and the suspected usage of an unspecified zero-day vulnerability exploit to amplify their defense evasion capabilities.

In May 2026, The Gentlemen announced a partnership with HasanBroker's BreachForums as a means to recruit affiliates, penetration testers and IABs. Figure 2 illustrates this announcement.

Figure 2. Image of partnership announcement between BreachForums and The Gentlemen. Source: Gurucul.

Additional information about The Gentlemen and their operational structure has emerged in recent months, following the leak of an internal database by an alleged insider in May 2026.

Data Leak Site Insights

One of the most alarming trends observed thus far in 2026 by Unit 42 and other security researchers is the sheer increase in volume of total victims claimed by The Gentlemen in comparison to 2025. Through July 7, one reputable source had counted a total of 580 victims claimed by The Gentlemen across 77 countries since their inception. Of those 580 victims, 103 operated within the manufacturing industry, a commonly targeted sector given the need for organizations to maintain operational uptime.

Figure 3 below represents the total number of victims claimed by The Gentlemen in 2025 compared to both Qilin and Akira, tracked by Unit 42 as Howling Scorpius, which led all RaaS programs in victims claimed last year.

Chart
Figure 3. Chart depicting total victims claimed by prominent RaaS programs in 2025. Source: Unit 42.

In comparison to the above statistics, Figure 4 below represents the total number of victims claimed by The Gentlemen thus far in 2026 (through July 3) compared to both Qilin and Akira.

Chart
Figure 4. Chart depicting total victims claimed by prominent RaaS programs in 2026. Source: Unit 42.

When comparing the last six months of 2025 to the first six months of 2026, the number of victims claimed by The Gentlemen increased by slightly more than 6x. What makes this even more concerning is that these threat actors were only active for the last four months of 2025.

Figure 5 below further illustrates the victims claimed by The Gentlemen per month since August 2025, one month prior to the official launch of their RaaS model. June 2026 represented their highest number of claimed victims to date with 117, just shy of a 4x increase from January 2026.

Figure 5. Chart depicting victims claimed by The Gentlemen per month since August 2025. Source: Ransomware.live.

Conclusion

While legacy big-game hunting RaaS programs like Qilin and Akira continue to drive high volumes of victims by sticking to their established playbooks, The Gentlemen has solidified itself as the second most active RaaS program of 2026 in terms of victims. The combination of a lucrative affiliate payout structure to recruit affiliates, alongside the use of custom tooling across different phases of their attack lifecycle, make The Gentlemen a formidable threat for enterprise organizations to reckon with in the near and mid term future.

Recommendations

Initial Access:

  • Immediately scope for and patch the following vulnerabilities known to be exploited:
  • Establish and maintain robust visibility into internet-facing systems and applications such as firewalls, VPNs and remote access gateways
  • Audit for indicators of prior exploitation of edge devices and internet-facing RDP endpoints
  • Establish strong security requirements for third-party dependencies and vendors, and monitor for breaches of any third-party tools or platforms

Execution:

  • Create immediate, high-severity SIEM alerts for the creation, deletion or execution of any scheduled task matching the string gentlemen*

Privilege Escalation:

  • Immediately scope for and patch the following vulnerabilities known to be exploited:
    • CVE-2025-7771 (ThrottleStop.sys driver)

Defense Impairment:

  • Enable EDR Tamper Protection and monitor for the unexpected loading of unsigned or known vulnerable drivers
  • Implement behavioral alerts for systems executing wevtutil to clear Security/System logs

Credential Access:

  • Deploy phishing-resistance multi-factor authentication (MFA) on all systems
  • Regularly audit and rotate credentials

Discovery:

  • Monitor for internal usage of tools such as Advanced IP Scanner, which the threat actors frequently use for internal network reconnaissance and mapping

Lateral Movement:

  • Enforce strict SMB signing, disable SMBv1 completely, and restrict lateral network movement between internal segments to contain the self-propagation mechanism
  • Ensure SSH is turned off on ESXi hosts by default and only enabled temporarily for explicit maintenance windows
  • Treat your virtualized environment as tier-0 infrastructure and restrict ESXi management interfaces to a dedicated, isolated management VLAN

Command and Control:

  • Monitor for anomalous outbound traffic over non-standard ports or traffic matching known SystemBC communication signatures

Impact:

  • Maintain and validate offline backup and recovery capabilities
  • Implement behavioral alerts for systems using vssadmin and wmic to delete Volume Shadow Copies
Enlarged Image