The Gentlemen Overtake Qilin: How a New AI-Powered Ransomware Empire Is Reshaping the Global Cybercrime Landscape + Video

Listen to this Post

Featured ImageIntroduction: A New Leader Emerges in the Ransomware War

The global ransomware ecosystem is evolving at an alarming pace. While organizations have spent years defending themselves against notorious groups such as LockBit, Akira, and Qilin, a new threat has rapidly climbed to the top of the cybercriminal hierarchy. The emergence of The Gentlemen ransomware operation demonstrates how modern ransomware groups are no longer relying solely on sophisticated malware. Instead, they are combining automation, artificial intelligence, affiliate-friendly business models, and streamlined attack frameworks to dramatically increase the speed and scale of their operations.

Recent threat intelligence reveals that The Gentlemen has become the world’s most active ransomware organization during the latest three-month reporting period, overtaking Qilin after nearly a year of dominance. The shift signals more than just a change in rankings—it reflects a transformation in how ransomware-as-a-service (RaaS) groups are attracting affiliates, launching attacks, and industrializing cybercrime.

The Gentlemen Becomes the

According to cybersecurity researchers at ReliaQuest, The Gentlemen ransomware gang was responsible for approximately 300 publicly claimed attacks during the latest three-month reporting period.

This achievement pushed the group ahead of Qilin, which recorded 289 attacks during the same timeframe after dominating ransomware statistics throughout the previous year.

The report highlights how quickly cybercriminal ecosystems can change. Groups that dominate one quarter can lose momentum almost overnight when competitors introduce better tools, more attractive affiliate programs, and faster operational workflows.

For defenders, this means focusing solely on familiar ransomware names is no longer enough. New organizations can emerge and become global threats within just a few months.

Global Ransomware Activity Continues to Expand

ReliaQuest tracked 1,368 victim claims published across ransomware data leak sites by 11 major ransomware groups.

These victims were distributed across 99 different countries, demonstrating that ransomware remains one of the largest international cybersecurity threats affecting governments, healthcare providers, manufacturers, educational institutions, financial organizations, and private enterprises.

Although many attacks never become public, leak sites provide valuable insight into ransomware activity because attackers frequently publish stolen data to pressure victims into paying extortion demands.

The volume of publicly listed victims suggests that ransomware remains highly profitable despite increasing law enforcement efforts worldwide.

The Gap Between the Largest and Smaller Ransomware Operations

While several well-known ransomware organizations remain active, The Gentlemen and Qilin have separated themselves significantly from the rest of the ecosystem.

Other major operators include:

DragonForce

Akira

LockBit

Each of these groups accounted for roughly 100 to 150 observed incidents, placing them well behind the two leading ransomware organizations.

This ranking is particularly surprising considering LockBit previously dominated the ransomware landscape before extensive international law enforcement disruption campaigns weakened its infrastructure.

The cybercriminal market is clearly rewarding innovation and operational efficiency over reputation.

Why The Gentlemen Is Growing So Quickly

Security researchers believe the rapid rise of The Gentlemen is largely due to its highly organized Ransomware-as-a-Service (RaaS) platform.

Rather than requiring experienced hackers, the operation provides affiliates with nearly everything needed to conduct successful attacks.

Their offering reportedly includes:

Complete attack playbooks

Pre-configured intrusion frameworks

Target recommendations

Network exploitation guidance

Command-and-control deployment instructions

SMB encryption deployment methods

Lightweight tunneling utilities

This dramatically lowers the technical barrier required to launch ransomware campaigns.

Instead of building infrastructure from scratch, affiliates can simply follow documented procedures much like employees following an operations manual.

AI Is Becoming a Weapon for Cybercriminal Innovation

Perhaps the most concerning discovery is the reported use of artificial intelligence throughout The Gentlemen’s development pipeline.

Leaked conversations suggest developers are leveraging AI tools to accelerate malware development, improve ransomware features, automate coding tasks, and rapidly produce updated versions of their platform.

This allows the group to:

Release new capabilities faster.

Fix bugs more rapidly.

Improve evasion techniques.

Adapt to defensive technologies.

Support affiliates more efficiently.

As AI-assisted software development becomes increasingly common, cybercriminal organizations are adopting many of the same productivity advantages enjoyed by legitimate software companies.

This represents one of the most significant shifts in modern cybercrime.

Affiliate Recruitment Has Become a Competitive Marketplace

Modern ransomware groups compete aggressively for affiliates.

Instead of recruiting elite hackers, successful RaaS organizations now focus on creating attractive business ecosystems.

According to ReliaQuest, The Gentlemen appears to outperform competitors by offering:

Faster malware updates

Better documentation

Easier deployment

Comprehensive support

AI-assisted development

Lower technical learning curves

Affiliates naturally gravitate toward platforms that maximize profits while minimizing operational complexity.

This mirrors competition seen in legitimate Software-as-a-Service businesses, except the product being sold is cybercrime.

How The Gentlemen Conducts Attacks

Researchers indicate that affiliates receive extensive operational guidance covering every phase of the intrusion lifecycle.

Typical attack stages include:

Initial access through vulnerable internet-facing services.

Privilege escalation.

Credential theft.

Lateral movement across corporate networks.

Deployment of lightweight tunneling software.

Data exfiltration.

SMB-based encryption across targeted systems.

Double-extortion negotiations.

The availability of standardized playbooks increases consistency across affiliate attacks while reducing operational mistakes.

Why Organizations Should Take This Threat Seriously

The rise of The Gentlemen demonstrates that ransomware operations are becoming increasingly professional.

Instead of isolated hacking groups, many now resemble organized technology companies complete with:

Development teams

Customer support

Documentation

Continuous updates

Affiliate management

Product improvements

AI-assisted workflows

This level of organization enables ransomware groups to scale much faster than traditional criminal organizations.

Consequently, businesses should expect attacks to become more frequent, more automated, and more sophisticated.

How Organizations Can Strengthen Their Defenses

ReliaQuest recommends several practical defensive measures that organizations should prioritize immediately.

Key recommendations include:

Restrict Remote Desktop Protocol (RDP) access.

Limit unnecessary remote administration services.

Enable

Monitor blockchain Remote Procedure Call (RPC) traffic.

Watch Session Messenger communications leaving the network.

Strengthen identity security against voice phishing.

Deploy protections against Adversary-in-the-Middle (AiTM) attacks.

Enforce multi-factor authentication wherever possible.

Continuously monitor privileged accounts.

Maintain offline backups protected from ransomware encryption.

These defensive controls significantly reduce the attack surface exploited by modern ransomware operators.

Deep Analysis: Understanding The

The

A typical intrusion chain often begins with exposed Remote Desktop Protocol (RDP) services, stolen credentials, VPN weaknesses, or phishing. Once inside, attackers focus on privilege escalation, credential harvesting, lateral movement, and disabling security controls before deploying ransomware across the network.

Security teams should continuously monitor Windows Event Logs, SMB activity, PowerShell execution, and unusual authentication behavior to detect early signs of compromise.

Useful Defensive Commands and Security Checks

Identify active RDP sessions (Windows):

query user

List active SMB connections:

Get-SmbSession

Display listening network ports:

netstat -ano

Review PowerShell execution history:

Get-History

Check Windows Defender status:

Get-MpComputerStatus

Enable

Set-ProcessMitigation -System -Enable MicrosoftSignedOnly

Audit failed logon attempts:

Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4625}

Search for suspicious scheduled tasks:

schtasks /query /fo LIST /v

Identify unusual services:

sc query type= service state= all

Review firewall configuration:

Get-NetFirewallProfile

Defenders should also implement endpoint detection and response (EDR), network segmentation, privileged access management, immutable backups, and continuous threat hunting. Combining these technical controls with employee awareness training creates multiple layers of defense that significantly reduce the likelihood of successful ransomware deployment.

What Undercode Say:

The emergence of The Gentlemen marks a turning point in the ransomware economy. What makes this group dangerous is not merely the number of attacks but the maturity of its operational model. Cybercrime is increasingly resembling legitimate software development, complete with onboarding guides, documentation, technical support, rapid release cycles, and AI-assisted coding.

The use of artificial intelligence is particularly significant. While AI has become a productivity tool for businesses, it is simultaneously becoming a force multiplier for attackers. Malware authors can now prototype new features faster, automate repetitive coding tasks, and respond more quickly to security vendor detections. This reduces development time and allows ransomware groups to evolve at a pace that traditional defense teams may struggle to match.

Another notable trend is the democratization of cybercrime. The Gentlemen’s playbooks lower the skill threshold required to launch sophisticated attacks, enabling less experienced affiliates to conduct operations that previously demanded advanced technical expertise. This expands the pool of potential attackers and increases the overall volume of ransomware campaigns.

The decline of Qilin also illustrates how competitive the ransomware-as-a-service ecosystem has become. Affiliates behave much like contractors in a commercial marketplace, moving to whichever platform offers the best tools, higher payouts, stronger support, and faster innovation. Loyalty is secondary to profitability.

Organizations should also recognize that ransomware is no longer a single-stage encryption event. Modern campaigns typically involve credential theft, persistence, data exfiltration, identity compromise, and double extortion. Even companies with reliable backups may still face significant business disruption and reputational damage if sensitive information is stolen.

Another concern is the increasing focus on identity-based attacks. Techniques such as AiTM phishing, token theft, and voice phishing continue to bypass traditional perimeter defenses. This makes identity protection just as important as endpoint security.

From a defensive standpoint, visibility is becoming the decisive factor. Organizations that continuously monitor authentication events, privileged accounts, network anomalies, PowerShell activity, and lateral movement indicators stand a much better chance of interrupting ransomware before encryption begins.

The growing professionalization of ransomware groups suggests that defenders must also become more disciplined. Regular patch management, threat hunting, incident response exercises, backup validation, and zero-trust architecture should become standard practice rather than optional security enhancements.

Ultimately, The Gentlemen is not simply another ransomware gang. It represents the next generation of cybercriminal operations—one built on automation, scalability, affiliate enablement, and AI-driven development. As these trends continue, cybersecurity teams will need to rely more heavily on automation, behavioral analytics, and proactive intelligence to keep pace with increasingly agile adversaries.

✅ Confirmed: ReliaQuest reported that The Gentlemen recorded approximately 300 publicly claimed ransomware incidents, surpassing Qilin’s 289 incidents during the analyzed three-month period.

✅ Confirmed: The report tracked 1,368 victim claims across 99 countries from 11 ransomware groups, highlighting the continued global impact of ransomware operations.

✅ Confirmed with Context: ReliaQuest identified affiliate-friendly tooling, structured intrusion playbooks, and AI-assisted development as major factors contributing to The Gentlemen’s rapid rise. While leaked chats suggest AI is being used to accelerate development, the exact extent of AI integration cannot be independently verified from public evidence alone.

Prediction

(+1) Organizations that adopt Zero Trust architectures, identity-first security, continuous threat hunting, and AI-assisted detection platforms will significantly improve their ability to identify and contain next-generation ransomware campaigns before widespread encryption occurs.

(-1) AI-powered ransomware development is likely to accelerate over the next 12 to 24 months, enabling cybercriminal groups to release new malware variants faster, evade traditional security products more effectively, and recruit a growing number of lower-skilled affiliates, increasing both the frequency and sophistication of global ransomware attacks.

▶️ Related Video (76% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube