A ransomware group called The Gentlemen has been quietly building one of the most aggressive cybercriminal operations seen in recent years.
Emerging publicly in the second half of 2025, the group rapidly scaled its activity to become one of the top two most active ransomware threats globally by early 2026.
What makes this group stand out is not just its speed, but the breadth of systems it targets and the scale at which it has grown.
The group has demonstrated capability against a wide range of enterprise environments, including Windows, Linux, NAS, BSD, and VMware ESXi systems.
Its attacks follow a well-organized workflow, from gaining initial access through stolen credentials or exposed remote services, to deploying ransomware across entire networks.
The group also steals data before locking systems, using that stolen information as additional leverage to pressure victims into paying.
Analysts at LevelBlue said in a report shared with Cyber Security News (CSN) that The Gentlemen is not an entirely new operation.
The Gentlemen’s blog (Sourced – LevelBlue)
It appears to be a continuation of prior ransomware affiliate activity tied to the Qilin ecosystem, reportedly managed by a Russian-speaking actor known as “hastalamuerte.”
This background gives the group a head start, with existing knowledge, affiliate networks, and operational experience already in place.
The Gentlemen Ransomware
By May 10, 2026, the group had publicly claimed 352 attacks in 2026 alone, with the first half of the year not yet over.
Leak site data shows victim disclosures spanning more than 70 countries, with APAC, Europe, Latin America, and North America all heavily represented.
Professional services, manufacturing, technology, and healthcare account for the largest share of known victims.
Dark web monitoring also uncovered an unverified intelligence lead involving someone offering data allegedly taken from The Gentlemen’s own internal systems for $10,000 in Bitcoin.
The offered material included what appeared to be actor handles, victim negotiation content, and file mapping data. While this cannot yet be confirmed as authentic, it adds an important layer to an already complex operation.
The Gentlemen ransomware is engineered to attack multiple operating systems in a single campaign.
The Windows version is written in Go and will not run unless a password is supplied at execution; a sample detonated without that password shows no encryption behaviour to an automated sandbox, which delays early detection and analysis.
Encrypted files receive random six-character extensions, and affected systems are left with a ransom note named READMEGENTLEMEN.txt.
The Gentlemen’s advertising banner, showing encryption launching
The encryption approach is designed to maximize damage as quickly as possible: smaller files are encrypted in full, while larger files are only partially encrypted in chunks (intermittent encryption), so the ransomware can sweep large environments faster while still leaving files unrecoverable without the decryptor.
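The chunked encryption described above leaves a recognisable footprint on disk: a large file alternates between high-entropy (ciphertext) and low-entropy (untouched) regions, while a small file becomes high-entropy end to end. The following scanner, added here by the editor as an illustration and not code from the ransomware or from LevelBlue, classifies files by per-chunk Shannon entropy. The chunk size (64 KiB), the entropy threshold (7.2 bits/byte), the sample file contents and the six-character extensions on the sample names are the editor's assumptions; the article does not state the payload's chunk size or how much of a large file it touches.

```python
"""Per-chunk entropy scan that tells apart untouched, fully encrypted and
chunk-wise (intermittently) encrypted files, the pattern the report attributes
to The Gentlemen for large files. Editor-added example, not the ransomware's
code nor LevelBlue's tooling. CHUNK_SIZE and HIGH_ENTROPY are assumed values:
the article does not state the payload's chunk size or how much of a large
file it encrypts."""
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 64 * 1024   # assumption; the report gives no chunk size
HIGH_ENTROPY = 7.2       # bits/byte; ciphertext sits close to 8.0, text well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_map(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[bool]:
    """True for every chunk whose entropy looks like ciphertext."""
    return [shannon_entropy(data[i:i + chunk_size]) >= HIGH_ENTROPY
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """'plaintext', 'fully-encrypted' or 'partially-encrypted'."""
    flags = chunk_map(data, chunk_size)
    if not flags or not any(flags):
        return "plaintext"
    if all(flags):
        return "fully-encrypted"
    return "partially-encrypted"


def recoverable_fraction(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Share of chunks that still look like plaintext; tells a responder
    whether carving data out of a partially encrypted file is worth the effort."""
    flags = chunk_map(data, chunk_size)
    return 0.0 if not flags else 1 - sum(flags) / len(flags)


# --- constructed samples (deterministic stand-in for ciphertext) --------------
def pseudo_ciphertext(n: int, label: bytes) -> bytes:
    """Deterministic high-entropy bytes from a SHA-256 chain; stands in for
    real ciphertext so the example needs no key material."""
    out, block = bytearray(), label
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


TEXT_CHUNK = (b"quarterly figures, invoice 4471, shipping manifest\n" * 2000)[:CHUNK_SIZE]

# File names and extensions are made up to mirror the random six-character
# extension pattern described in the article; none of this is real victim data.
SAMPLES = {
    "small_doc.txt":        TEXT_CHUNK[:2048],                   # small, untouched
    "small_doc.txt.k7q2xv": pseudo_ciphertext(2048, b"small"),   # small, fully encrypted
    "archive.bak":          TEXT_CHUNK * 8,                      # large, untouched
    # large file with every other 64 KiB chunk replaced by ciphertext
    "archive.bak.m3z8pa":   b"".join(
        pseudo_ciphertext(CHUNK_SIZE, b"chunk%d" % i) if i % 2 == 0 else TEXT_CHUNK
        for i in range(8)),
}


def scan(samples: dict[str, bytes]) -> dict[str, str]:
    """Classify every sample; returns name -> verdict."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        frac = recoverable_fraction(SAMPLES[name])
        print(f"{name:24} {verdict:20} recoverable={frac:.2f}")
```

Run against a real file share, the chunk map is the useful output: it shows which regions of a partially encrypted file are still plaintext, and the recoverable fraction gives a quick estimate of what carving could salvage without the decryptor. Compressed or already-encrypted formats (archives, media, disk images) sit near 8 bits/byte before any attack, so a high-entropy verdict on those needs a second signal such as the ransom note or the changed extension.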
Before locking files, the malware first stops services related to databases, backups, virtualization platforms, and remote access tools to prevent easy restoration.
Attacking ESXi and virtualization infrastructure is particularly damaging, as it can bring down entire server estates within minutes.
The group’s affiliate panel supports this model by allowing operators to generate custom payloads, manage victim negotiations, estimate ransom revenue, and handle stolen data uploads from a single structured backend.
Extortion Strategy and Defense Guidance
The Gentlemen’s attack model does not stop at file encryption. The group uses stolen data as a central part of its pressure strategy, threatening to publish sensitive files on its leak site if victims refuse to pay.
Even organizations that restore systems from backups can still face data exposure, regulatory consequences, and lasting reputational harm.
Security teams should start by reviewing all internet-facing infrastructure, particularly VPNs, firewalls, and remote access portals, and enforce multi-factor authentication on all privileged accounts.
Credentials exposed through prior breaches or stolen by information-stealing malware should be rotated immediately, and stale accounts should be disabled.
LevelBlue researchers recommend hunting for early-stage attack behaviors rather than waiting for ransomware to appear.
Key signals include unusual administrative logins, execution of network scanning tools such as Nmap or Advanced IP Scanner, unexpected use of AnyDesk or WinSCP, and any sign of Group Policy modification or mass service shutdowns.
Backup systems and ESXi environments should be isolated from the main domain and tested regularly for restoration capability.
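The hunting signals above (unusual administrative logins, scanning and remote-access tooling, Group Policy modification, mass service shutdowns) and the pre-encryption service-stop behaviour described earlier are all visible in standard Windows event telemetry. The script below, added by the editor and not code from LevelBlue or Cyber Security News, runs four such rules over a constructed log export. The one-JSON-object-per-line shape, the field names, the tool watchlist, the "svc_ accounts never use RDP" rule and the thresholds are the editor's assumptions chosen to be realistic; the event IDs used are Security 4624 (logon), 4688 (process creation), 5136 (directory service object modified) and System 7036 (service state change).

```python
"""Hunting rules for the early-stage signals listed in the guidance above:
unusual remote logons, execution of scanning/remote-access tooling, Group
Policy object modification, and the burst of service stops that precedes
encryption. Editor-added example, not code from LevelBlue or CSN. The log is
constructed; the JSON shape, field names, tool watchlist and thresholds are
the editor's assumptions."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

TOOL_WATCHLIST = {"nmap.exe", "advanced_ip_scanner.exe", "anydesk.exe", "winscp.exe"}
MASS_STOP_THRESHOLD = 5                    # distinct services stopped ...
MASS_STOP_WINDOW = timedelta(seconds=60)   # ... within this window on one host

# Constructed sample export (one JSON object per line); not real telemetry.
SAMPLE_LOG = r"""
{"ts": "2026-05-10T02:14:03", "host": "FS01", "event_id": 4624, "user": "svc_backup", "logon_type": 10, "src": "10.8.4.77"}
{"ts": "2026-05-10T02:15:10", "host": "FS01", "event_id": 4688, "user": "svc_backup", "image": "C:\\Users\\svc_backup\\Downloads\\advanced_ip_scanner.exe"}
{"ts": "2026-05-10T02:21:42", "host": "FS01", "event_id": 4688, "user": "svc_backup", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"ts": "2026-05-10T02:40:00", "host": "DC01", "event_id": 5136, "user": "svc_backup", "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath"}
{"ts": "2026-05-10T03:02:01", "host": "FS01", "event_id": 7036, "service": "MSSQLSERVER", "state": "stopped"}
{"ts": "2026-05-10T03:02:02", "host": "FS01", "event_id": 7036, "service": "SQLWriter", "state": "stopped"}
{"ts": "2026-05-10T03:02:02", "host": "FS01", "event_id": 7036, "service": "VeeamBackupSvc", "state": "stopped"}
{"ts": "2026-05-10T03:02:03", "host": "FS01", "event_id": 7036, "service": "vmms", "state": "stopped"}
{"ts": "2026-05-10T03:02:04", "host": "FS01", "event_id": 7036, "service": "TermService", "state": "stopped"}
{"ts": "2026-05-10T03:02:05", "host": "FS01", "event_id": 7036, "service": "VSS", "state": "stopped"}
{"ts": "2026-05-10T09:00:00", "host": "WS22", "event_id": 7036, "service": "Spooler", "state": "stopped"}
{"ts": "2026-05-10T09:00:30", "host": "WS22", "event_id": 4688, "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe"}
"""


@dataclass
class Alert:
    kind: str
    host: str
    when: datetime
    detail: str


def parse_log(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def unusual_logins(events: list[dict]) -> list[Alert]:
    # Assumption for this example: svc_* accounts are service accounts and have
    # no business logging on over RDP (logon type 10).
    return [Alert("unusual-login", ev["host"], when(ev), f'{ev["user"]} rdp from {ev["src"]}')
            for ev in events
            if ev["event_id"] == 4624 and ev.get("logon_type") == 10
            and ev.get("user", "").startswith("svc_")]


def tool_executions(events: list[dict]) -> list[Alert]:
    alerts = []
    for ev in events:
        if ev["event_id"] != 4688 or "image" not in ev:
            continue
        name = PureWindowsPath(ev["image"]).name.lower()   # path-independent match
        if name in TOOL_WATCHLIST:
            alerts.append(Alert("tool-execution", ev["host"], when(ev), name))
    return alerts


def gpo_modifications(events: list[dict]) -> list[Alert]:
    return [Alert("gpo-modification", ev["host"], when(ev), ev.get("attribute", "?"))
            for ev in events
            if ev["event_id"] == 5136 and ev.get("object_class") == "groupPolicyContainer"]


def mass_service_stops(events: list[dict]) -> list[Alert]:
    """Flag a host on which >= MASS_STOP_THRESHOLD distinct services stop
    within MASS_STOP_WINDOW; a single Spooler stop on a workstation is ignored."""
    stops = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 7036 and ev.get("state") == "stopped":
            stops[ev["host"]].append((when(ev), ev["service"]))
    alerts = []
    for host, items in stops.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window = {svc for t, svc in items[i:] if t - start <= MASS_STOP_WINDOW}
            if len(window) >= MASS_STOP_THRESHOLD:
                alerts.append(Alert("mass-service-stop", host, start, ", ".join(sorted(window))))
                break   # one alert per host is enough to trigger triage
    return alerts


def hunt(events: list[dict]) -> list[Alert]:
    alerts = (unusual_logins(events) + tool_executions(events)
              + gpo_modifications(events) + mass_service_stops(events))
    return sorted(alerts, key=lambda a: a.when)


if __name__ == "__main__":
    for a in hunt(parse_log(SAMPLE_LOG)):
        print(f"{a.when.isoformat()} {a.host:5} {a.kind:18} {a.detail}")
```

The ordering of the alerts is the point: the RDP logon, the scanner, the remote-access tool and the GPO change all fire before the service-stop burst, which is the last moment to intervene before encryption starts. In a real deployment the tool watchlist should match on file hash or signer as well as name, since renaming the binary defeats a name-only rule, and the service-stop rule should be tuned per host class so that patch windows and reboots do not trip it.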
Indicators of Compromise (IoCs):

Type | Indicator | Description
IP Address | 91[.]107[.]247[.]163 | SystemBC C2 Server
IP Address | 45[.]86[.]230[.]112 | SystemBC C2 Server
SHA256 | 992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5 | The Gentlemen Windows ransomware
SHA256 | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | The Gentlemen Windows ransomware
SHA256 | 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | The Gentlemen Windows ransomware
SHA256 | 2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d | The Gentlemen Windows ransomware
SHA256 | 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 | The Gentlemen Windows ransomware
SHA256 | 48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd | The Gentlemen Windows ransomware
SHA256 | 62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8 | The Gentlemen Windows ransomware
SHA256 | 860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923 | The Gentlemen Windows ransomware
SHA256 | 87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c | The Gentlemen Windows ransomware
SHA256 | 8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db | The Gentlemen Windows ransomware
SHA256 | 91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1 | The Gentlemen Windows ransomware
SHA256 | 994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3 | The Gentlemen Windows ransomware
SHA256 | 9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454 | The Gentlemen Windows ransomware
SHA256 | a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad | The Gentlemen Windows ransomware
SHA256 | b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6 | The Gentlemen Windows ransomware
SHA256 | c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8 | The Gentlemen Windows ransomware
SHA256 | c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73 | The Gentlemen Windows ransomware
SHA256 | ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2 | The Gentlemen Windows ransomware
SHA256 | efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f | The Gentlemen Windows ransomware
SHA256 | f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12 | The Gentlemen Windows ransomware
SHA256 | fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958 | The Gentlemen Windows ransomware
File Name | gentlemen.bmp | Ransomware wallpaper/artifact
SHA256 | fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 | The Gentlemen Linux ransomware
SHA256 | 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca | Initial KillAV tool
SHA256 | 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09 | PowerRun utility
SHA256 | 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71 | Additional tool
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post The Gentlemen Ransomware Attacks Windows, Linux, NAS, BSD, and ESXi Attacks appeared first on Cyber Security News.



