{
	"id": "2ad1a575-73fe-42d5-8fea-58ef80219e71",
	"created_at": "2026-04-06T00:20:56.035191Z",
	"updated_at": "2026-04-10T03:26:51.882178Z",
	"deleted_at": null,
	"sha1_hash": "aa20732e94bdf7496b5e13cfc3563fba6addfd54",
	"title": "Dark Web Profile: The Gentlemen Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73424,
	"plain_text": "Dark Web Profile: The Gentlemen Ransomware\r\nPublished: 2026-02-12 · Archived: 2026-04-05 15:25:36 UTC\r\nDespite its polished name, The Gentlemen Ransomware shows little interest in playing nice. First observed in 2025, the group quickly established itself as a capable and coordinated threat, operating across multiple regions and enterprise environments with notable speed.\r\nThis profile outlines who The Gentlemen are, how they operate, which organizations they target, and what defenders should know to reduce exposure to this ransomware threat.\r\nWho Is “The Gentlemen” Ransomware?\r\nThe Gentlemen is an emerging ransomware threat group first observed in mid-to-late 2025. While some indicators suggest development activity as early as July 2025, the group was first clearly observed in active campaigns beginning in August 2025.\r\nDespite its relatively recent appearance, the group has demonstrated a level of technical maturity and operational discipline more commonly associated with established ransomware operators. This has led researchers to assess that The Gentlemen may consist of experienced actors, potentially with ties to earlier ransomware ecosystems.\r\nThreat actor card for The Gentlemen Ransomware\r\nThe group operates a double-extortion model. After gaining access to a victim’s network, the attackers exfiltrate sensitive data, encrypt systems, and threaten to publish stolen information on Dark Web leak sites if ransom demands are not met. This approach increases pressure by combining operational disruption with reputational and regulatory risk.\r\nTechnically, The Gentlemen Ransomware is primarily written in Go, with variants targeting Windows, Linux, and ESXi environments. Execution requires a password parameter, a control mechanism that helps prevent accidental deployment in unintended or analysis environments. This design choice reflects a deliberate, operator-driven deployment model rather than indiscriminate spreading.\r\nObserved Ransomware-as-a-Service (RaaS) Activity\r\nIn September 2025, SOCRadar observed a Dark Web forum post advertising “The Gentlemen’s RaaS,” indicating that the group was actively recruiting partners through a structured ransomware program. The post invited teams and individual operators to cooperate and outlined a clear affiliate-based model.\r\nhttps://socradar.io/blog/dark-web-profile-the-gentlemen-ransomware/\r\nPage 1 of 6\r\nDark Web forum post advertises The Gentlemen’s RaaS (SOCRadar Dark Web News)\r\nAccording to the advertisement, affiliates are offered 90% of ransom proceeds and full control over victim negotiations, while the operators retain centralized control over infrastructure such as the data leak site. Communication is handled primarily through TOX, and the service infrastructure is intentionally kept minimal to reduce operational exposure.\r\nThe post describes a cross-platform ransomware family, supporting Windows, Linux, NAS, BSD, and a dedicated ESXi locker, with malware written in Go and C. Advertised features include hybrid encryption using XChaCha20 and Curve25519, password-protected builds, partial or full encryption modes, background execution, and automated network discovery. The ESXi variant is positioned as optimized for virtualized environments, with support for multithreaded encryption and controlled VM handling.\r\nFurther features of The Gentlemen’s RaaS (SOCRadar Dark Web News)\r\nWhat Are The Gentlemen Ransomware’s Targets?\r\nThe Gentlemen Ransomware primarily targets medium to large organizations operating complex enterprise environments.\r\nGeographically, The Gentlemen operates on a global scale, impacting organizations across at least 17 countries. The United States leads with 9 victims, followed by Brazil (7) and Thailand (6). European activity is also notable, with France (5) and the United Kingdom (4) affected, alongside multiple victims in Indonesia, Colombia, and Vietnam. This distribution highlights a preference for regions with mature enterprise infrastructure rather than a single geographic focus.\r\nTop 10 countries targeted by The Gentlemen Ransomware\r\nManufacturing and technology are the most affected industries, with 13 known victims each, reflecting the group’s focus on environments that rely heavily on shared infrastructure and centralized identity management. Healthcare follows with 10 victims, where service disruption and sensitive data significantly increase extortion leverage, while financial services account for 9 victims, driven by regulatory exposure and the value of confidential customer information. Additional activity has been observed in education and other operationally dependent sectors, indicating flexible but deliberate targeting.\r\nTop 10 industries targeted by The Gentlemen Ransomware\r\nOverall, The Gentlemen’s targeting strategy emphasizes high-impact environments where enterprise access, shared systems, and operational dependency allow the group to maximize the effectiveness of its double-extortion model.\r\nRecent Attacks and Claims Linked to The Gentlemen Ransomware\r\nPublic leak-site reporting suggests The Gentlemen continued adding new victims into late 2025 and January 2026. Here are a few recent examples, based on the group’s published victim claims as tracked by ransomware monitoring sources:\r\nIn mid-January 2026, the group listed Dongguan HYX Industrial with a discovery date of January 16, 2026, indicating ongoing activity into the new year.\r\nAround the same period, Rogers Capital appeared as a claimed victim with a discovery date of January 14, 2026, showing that the group’s targeting extends beyond industrial sectors into business and financial services.\r\nOn January 11, 2026, Warka Bank for Investment and Finance was also listed, reinforcing the group’s willingness to name organizations in regulated sectors where data exposure can add extra pressure during extortion.\r\nIn late 2025, one post tied to Solumek included a notable data-theft claim – “1.5 terabytes of data stolen” – which aligns with The Gentlemen’s broader double-extortion playbook.\r\nWhat Are The Gentlemen Ransomware’s Techniques?\r\nThe Gentlemen Ransomware uses a streamlined but highly effective attack chain, built around adaptive tooling and deep enterprise access. Below is a concise, step-by-step overview incorporating the group’s most notable techniques.\r\nThe Gentlemen Ransomware attack chain\r\nInitial Access:\r\nThe attackers gain entry by exploiting internet-exposed services or compromised administrative credentials, including exposed firewall and VPN management interfaces such as FortiGate appliances.\r\nReconnaissance:\r\nAfter establishing a foothold, the group maps the environment using tools like Advanced IP Scanner and Active Directory queries to identify:\r\nDomain administrators\r\nPrivileged accounts\r\nNetwork shares and critical servers\r\nPrivilege Escalation:\r\nTo obtain full control, The Gentlemen abuse legitimate utilities such as PowerRun.exe to bypass User Account Control (UAC) and execute processes with SYSTEM-level privileges.\r\nDefense Evasion:\r\nDefense evasion is a core strength of the group. Techniques include:\r\nBring Your Own Vulnerable Driver (BYOVD) abuse using signed drivers\r\nCustom tools (e.g., All.exe with ThrottleBlood.sys) to terminate antivirus and EDR processes\r\nAdaptive tooling that changes based on the victim’s security stack\r\nLateral Movement:\r\nWith elevated access, the attackers move laterally using PsExec over SMB admin shares, allowing them to execute commands across multiple systems while blending into normal administrative traffic.\r\nRansomware Deployment:\r\nThe ransomware is deployed centrally through domain resources such as NETLOGON shares, using password-protected payloads to prevent accidental execution and analysis. The group is capable of encrypting Windows, Linux, and ESXi environments.\r\nImpact:\r\nBefore encryption, the malware:\r\nTerminates backup, database, virtualization, and security services\r\nDeletes logs and recovery artifacts\r\nEncrypted files are appended with the .7mtzhh extension, and ransom notes named README-GENTLEMEN.txt are dropped across affected systems to initiate double-extortion pressure.\r\nThis focused, step-driven methodology highlights how The Gentlemen combine legitimate tools, privileged access, and adaptive evasion to execute high-impact ransomware attacks against enterprise environments.\r\nWhat Are the Mitigation Tactics Against The Gentlemen Ransomware?\r\nDefending against The Gentlemen Ransomware requires a focus on preventing privileged abuse and early-stage detection, rather than relying solely on signature-based protection.\r\nKey mitigation strategies include:\r\nReducing attack surface by securing internet-facing services and eliminating unnecessary external access\r\nEnforcing strong identity controls, including multi-factor authentication for all administrative accounts\r\nMonitoring Active Directory activity, especially mass account enumeration, GPO changes, and NETLOGON modifications\r\nHardening endpoints against driver abuse and unauthorized service termination attempts\r\nRestricting execution paths, particularly user download and temporary directories commonly used for tool staging\r\nMaintaining offline, tested backups to ensure recovery options remain viable\r\nOrganizations should also prioritize behavior-based detection capable of identifying reconnaissance, defense evasion, and lateral movement well before encryption is triggered.\r\nHow Can SOCRadar Help?\r\nSOCRadar can support defense against The Gentlemen Ransomware by providing targeted visibility across external exposure, underground activity, and ransomware operations.\r\nDark Web Monitoring enables organizations to track The Gentlemen’s leak sites, underground forums, and extortion activity, helping identify stolen data, victim listings, or brand mentions early in the extortion cycle.\r\nSOCRadar’s Dark Web Monitoring\r\nRansomware Group Tracking provides ongoing insight into The Gentlemen’s infrastructure, tooling, and targeting patterns, allowing security teams to anticipate shifts in tactics and respond proactively.\r\nSOCRadar’s Threat Actor Intelligence, The Gentlemen Ransomware details\r\nAttack Surface Management (ASM) identifies exposed VPNs, firewalls, and remote access services that ransomware operators commonly exploit for initial access, reducing entry points before they are abused.\r\nThreat Intelligence Feeds deliver actionable indicators of compromise and observed TTPs associated with The Gentlemen, enabling faster detection, threat hunting, and security control updates.\r\nTogether, these SOCRadar modules help organizations detect exposure earlier, reduce attack surface risk, and strengthen preparedness against advanced ransomware campaigns.\r\nWhat Are the MITRE ATT\u0026CK TTPs of The Gentlemen Ransomware?\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1190 | Exploit Public-Facing Application\r\nInitial Access | T1078 | Valid Accounts\r\nInitial Access | T1078.002 | Valid Accounts: Domain Accounts\r\nExecution | T1059 | Command and Scripting Interpreter\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nPersistence | T1547 | Boot or Logon Autostart Execution\r\nPersistence | T1136 | Create Account\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation\r\nDefense Evasion | T1562 | Impair Defenses\r\nDefense Evasion | T1112 | Modify Registry\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1484.001 | Domain Policy Modification: Group Policy Modification\r\nDiscovery | T1046 | Network Service Discovery\r\nDiscovery | T1087 | Account Discovery\r\nDiscovery | T1087.002 | Account Discovery: Domain Account\r\nDiscovery | T1482 | Domain Trust Discovery\r\nLateral Movement | T1021 | Remote Services\r\nLateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol\r\nLateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares\r\nLateral Movement | T1021.004 | Remote Services: SSH\r\nCollection \u0026 Exfiltration | T1074 | Data Staged\r\nCollection \u0026 Exfiltration | T1074.001 | Data Staged: Local Data Staging\r\nCollection \u0026 Exfiltration | T1039 | Data from Network Shared Drive\r\nCollection \u0026 Exfiltration | T1048 | Exfiltration Over Alternative Protocol\r\nCollection \u0026 Exfiltration | T1048.001 | Exfiltration Over Alternative Protocol: Unencrypted/Obfuscated Non-C2 Protocol\r\nCommand \u0026 Control | T1071 | Application Layer Protocol\r\nCommand \u0026 Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand \u0026 Control | T1219 | Remote Access Software\r\nImpact | T1486 | Data Encrypted for Impact\r\nImpact | T1489 | Service Stop\r\nImpact | T1552 | Unsecured Credentials\r\nSource: https://socradar.io/blog/dark-web-profile-the-gentlemen-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/blog/dark-web-profile-the-gentlemen-ransomware/"
	],
	"report_names": [
		"dark-web-profile-the-gentlemen-ransomware"
	],
	"threat_actors": [
		{
			"id": "d513772b-a5ef-4e28-9e9d-d1c2bcd32737",
			"created_at": "2026-03-08T02:00:03.462729Z",
			"updated_at": "2026-04-10T02:00:03.97828Z",
			"deleted_at": null,
			"main_name": "The Gentlemen",
			"aliases": [],
			"source_name": "MISPGALAXY:The Gentlemen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434856,
	"ts_updated_at": 1775791611,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa20732e94bdf7496b5e13cfc3563fba6addfd54.pdf",
		"text": "https://archive.orkl.eu/aa20732e94bdf7496b5e13cfc3563fba6addfd54.txt",
		"img": "https://archive.orkl.eu/aa20732e94bdf7496b5e13cfc3563fba6addfd54.jpg"
	}
}