The Gentlemen Overtake Qilin as the Ransomware Landscape Shifts — Dark Web Recent Claims + Video

Listen to this Post

Featured Image

Introduction

The global ransomware ecosystem is entering another period of rapid transformation. While Qilin has dominated the ransomware-as-a-service (RaaS) market for more than a year, June 2026 revealed a significant shift in criminal activity. According to Bitdefender’s latest Threat Debrief, The Gentlemen emerged as the most active ransomware operation after surpassing Qilin in the number of victims publicly claimed on dark web leak sites.

It is important to note that many of these victim counts originate from cybercriminal-operated data leak sites. These figures represent claims made by ransomware groups and cannot always be independently verified. Nevertheless, they remain one of the strongest indicators for tracking trends across the ransomware ecosystem.

June 2026 Shows a Major Power Shift

Bitdefender analyzed ransomware activity recorded between June 1 and June 30, 2026, identifying 704 organizations allegedly targeted by ransomware groups during the month.

The biggest surprise was the decline of Qilin. After spending nearly a full year at the top of ransomware rankings and claiming more than 1,600 victims since mid-2025, the group’s activity noticeably slowed. Qilin claimed around 80 victims during June, a considerable decrease compared to previous months where the group frequently exceeded 100 publicly listed victims.

This slowdown allowed another emerging operation, The Gentlemen, to seize first place after publicly claiming responsibility for 121 victims.

Although this ranking reflects claims published on ransomware leak sites rather than independently verified incidents, the trend demonstrates how quickly leadership can change within today’s ransomware economy.

The Rise of The Gentlemen

One of the most fascinating developments is that The Gentlemen reportedly evolved from former Qilin affiliates.

This is not unusual within cybercrime. Much like employees leaving successful companies to establish competing businesses, ransomware affiliates frequently depart established operations with valuable knowledge, infrastructure experience, and trusted criminal relationships.

Former affiliates already understand attack workflows, victim negotiations, infrastructure deployment, encryption methods, and monetization strategies. Instead of building everything from scratch, they often improve upon what they previously learned.

That appears to be exactly what happened with The Gentlemen.

Rather than simply copying

Competing for Criminal Talent

Modern ransomware operations increasingly resemble technology startups competing for skilled employees.

Instead of hiring software engineers, these criminal organizations recruit penetration testers, malware developers, initial access brokers, infrastructure operators, negotiators, and exploit specialists.

To attract top talent, ransomware groups advertise favorable affiliate programs.

According to

Such aggressive profit-sharing makes the platform particularly attractive to experienced cybercriminals seeking higher financial returns.

Qilin’s Legacy Still Shapes the Industry

Despite losing the number one position, Qilin remains one of the most technically advanced ransomware operations currently active.

Since emerging in late 2022, the group built a reputation for attacking major international organizations across manufacturing, healthcare, technology, and other high-value sectors.

Large enterprises became preferred targets because successful compromises often generated multi-million-dollar ransom demands.

Rather than pursuing maximum victim numbers, Qilin frequently focused on organizations capable of paying exceptionally large extortion payments.

This strategy may partially explain the recent reduction in publicly listed victims if the group is concentrating on fewer but more lucrative attacks.

Advanced Automation Gives The Gentlemen an Edge

Perhaps the most significant technical difference between both groups lies in operational automation.

Bitdefender observed that The Gentlemen has integrated large language model (LLM)-based assistants into portions of its infrastructure management and development workflow.

Automation enables affiliates to deploy ransomware faster, maintain infrastructure more efficiently, and reduce operational errors.

While artificial intelligence continues delivering enormous benefits for legitimate cybersecurity defenders, threat actors are increasingly adopting similar technologies to streamline offensive operations.

This evolution demonstrates that cybercriminal organizations are rapidly embracing automation wherever it improves operational efficiency.

GentleKiller Expands BYOVD Attacks

Another major innovation involves the

GentleKiller builds upon the increasingly popular Bring Your Own Vulnerable Driver (BYOVD) technique.

BYOVD attacks exploit legitimately signed but vulnerable hardware drivers to obtain privileged kernel access. Once loaded, attackers can interfere with security software running on the system, making detection significantly more difficult.

According to Bitdefender, GentleKiller reportedly supports more than 400 security-related processes, substantially expanding the capabilities previously associated with Qilin’s own EDR-disabling tools, which affected roughly 300 processes.

Its modular architecture also allows additional components to be deployed depending on the victim’s environment, making the framework highly adaptable.

Why Endpoint Detection Still Matters

Although ransomware groups continue improving techniques for bypassing security software, layered endpoint protection remains one of the strongest defensive strategies.

Modern Endpoint Detection and Response (EDR) platforms increasingly rely on kernel monitoring, behavioral analytics, memory inspection, anomaly detection, and cloud-assisted threat intelligence.

Even when attackers successfully disable portions of endpoint security, multiple overlapping defensive layers can continue detecting malicious activity before encryption spreads throughout a network.

Organizations should therefore avoid relying on a single security product and instead implement defense-in-depth architectures.

The Ransomware Ecosystem Has Become More Competitive

Bitdefender notes that

Instead of one or two dominant organizations controlling the market, today’s ecosystem consists of numerous highly specialized groups competing for affiliates.

Cybercriminals now move freely between ransomware programs, changing platforms whenever better financial opportunities appear.

This fluid marketplace creates constant innovation, with successful techniques quickly spreading between competing operations.

As a result, defenders face a continually evolving threat landscape rather than a handful of predictable adversaries.

Germany Climbs the Target Rankings

Geographically, Germany experienced a noticeable increase in ransomware activity during June.

The country moved ahead of Canada to become the second most targeted region.

Approximately one-third of Germany’s publicly claimed victims were attributed to either Qilin or The Gentlemen, highlighting both groups’ continued interest in developed economies where organizations often possess valuable intellectual property and greater financial resources.

Developed nations remain attractive targets because successful extortion attempts generally produce larger ransom payments.

Manufacturing and Healthcare Continue to Face Heavy Pressure

Manufacturing remained the

Construction also continued experiencing elevated attack levels.

Meanwhile, healthcare overtook financial services to become the fourth most targeted industry.

Hospitals, healthcare providers, pharmaceutical companies, and medical service organizations remain especially vulnerable due to the critical nature of their operations. Service disruptions can create immediate patient safety concerns, increasing pressure to restore systems quickly.

Cybercriminals understand this urgency and frequently exploit it during ransom negotiations.

Credential Theft Remains the Primary Objective

Bitdefender’s Managed Detection and Response (MDR) teams observed that credential theft continues serving as one of attackers’ highest priorities.

Rather than immediately deploying ransomware after gaining access, threat actors increasingly spend days or weeks harvesting credentials across cloud services, identity management systems, GitHub repositories, developer environments, VPN infrastructure, and enterprise applications.

Compromised credentials allow attackers to move laterally, escalate privileges, disable security controls, and maximize the eventual impact of ransomware deployment.

Continuous identity monitoring therefore remains just as important as traditional endpoint protection.

Deep Analysis

Understanding the Leadership Change

The transition from Qilin to The Gentlemen reflects more than monthly statistics. It illustrates how ransomware operations evolve similarly to legitimate businesses, with experienced affiliates launching competing platforms that improve upon previous models.

Criminal Innovation Is Accelerating

Rather than developing entirely new malware families, many groups now innovate operationally through automation, AI integration, affiliate incentives, and infrastructure optimization.

AI Is Becoming a Double-Edged Sword

Artificial intelligence is helping defenders detect threats faster, but it is simultaneously lowering operational costs for cybercriminals by simplifying infrastructure management and malware maintenance.

Affiliate Markets Drive Growth

The ransomware economy increasingly depends on affiliate recruitment rather than exclusive technical expertise. Groups offering better profit-sharing and stronger support attract experienced operators more rapidly.

BYOVD Will Continue Expanding

Bring Your Own Vulnerable Driver techniques continue proving highly effective because they exploit trusted drivers already accepted by operating systems.

Organizations should actively monitor vulnerable driver abuse instead of focusing solely on malware signatures.

Defense Requires Multiple Layers

No single security product can prevent every ransomware attack. Endpoint security, privileged access management, identity protection, continuous monitoring, offline backups, and employee awareness training remain essential components of a resilient security strategy.

Public Leak Sites Remain Imperfect Indicators

While ransomware leak sites provide valuable intelligence regarding criminal activity, they should not be interpreted as definitive evidence of successful attacks. Some organizations may negotiate privately, some claims may be exaggerated, and others may involve recycled victim information.

Large Enterprises Remain Prime Targets

Major organizations continue facing disproportionate risk because their operational complexity, extensive digital infrastructure, and financial resources make them attractive candidates for high-value extortion.

Healthcare Risks Continue Rising

Healthcare organizations face unique pressure due to patient care responsibilities. Attackers recognize that prolonged outages may have life-threatening consequences, increasing leverage during negotiations.

The Cybercrime Economy Is Becoming More Professional

Modern ransomware operations increasingly resemble organized businesses complete with customer support, affiliate portals, automated deployment systems, negotiation specialists, and sophisticated financial models.

What Undercode Say:

The Bigger Story Behind

June’s ransomware rankings should not be interpreted as Qilin collapsing. Instead, they reveal an increasingly competitive criminal marketplace where successful techniques spread rapidly between affiliated groups.

Why The Gentlemen Matters

The emergence of The Gentlemen demonstrates that experienced affiliates no longer need years to build credible ransomware operations. Knowledge transfer significantly shortens development timelines.

Automation Is the New Battlefield

The integration of AI assistants into ransomware infrastructure signals that future cybercrime operations will become faster, cheaper, and more scalable.

Defensive Technologies Must Evolve

Traditional antivirus solutions alone cannot counter sophisticated BYOVD attacks. Organizations require behavioral detection, kernel-level visibility, identity protection, and continuous threat hunting.

Criminal Business Models Continue Improving

The ransomware economy increasingly rewards innovation in affiliate management rather than malware development alone. Higher revenue sharing encourages rapid migration between criminal platforms.

Intelligence Sharing Remains Critical

Threat intelligence collected from leak sites, incident response investigations, and managed detection services helps defenders identify emerging trends before they become widespread.

Organizations Must Prepare for Continuous Change

The ransomware landscape no longer has permanent leaders. Security teams should prepare for constantly evolving adversaries instead of focusing solely on one well-known group.

✅ Verified:

✅ Verified: The report identifies The Gentlemen as the leading group by claimed victims during June 2026, while Qilin experienced a noticeable decline compared to previous months.

✅ Partially Verified: Technical capabilities such as GentleKiller, affiliate profit-sharing models, and AI-assisted infrastructure are based on Bitdefender’s threat intelligence and available research. While credible, some operational details cannot be independently confirmed because they originate from observations of criminal infrastructure.

Prediction

(+1) Organizations will increasingly deploy AI-powered detection, identity security, and behavioral analytics to counter the growing automation adopted by ransomware groups.

(-1) Competition among ransomware affiliates is likely to produce even more sophisticated criminal platforms over the next year, with advanced BYOVD frameworks, AI-assisted attacks, and faster operational cycles becoming increasingly common, making ransomware incidents more difficult to detect and contain.

▶️ Related Video (80% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bitdefender.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube