A New Ransomware Empire Built on Simplicity, Speed, and Stolen Access
The ransomware landscape has changed dramatically over the past year, but few groups have risen as quickly and aggressively as The Gentlemen. Emerging in September 2025, the operation rapidly transformed from an unknown threat actor into one of the most prolific ransomware brands on the planet. By June 2026, the group had already claimed 483 victims worldwide, with an astonishing 380 attacks occurring during 2026 alone.
What makes this operation particularly alarming is not the sophistication of its malware or the novelty of its techniques. Instead, The Gentlemen demonstrate a disturbing reality about modern cybercrime: devastating ransomware campaigns no longer require groundbreaking exploits or elite technical innovation. A small team armed with stolen credentials, publicly leaked criminal knowledge, artificial intelligence tools, and a lucrative affiliate model can now operate at a global scale.
A leaked collection of internal chat logs, analyzed by cybersecurity researchers at KELA, offered an unprecedented glimpse into the inner workings of the group. The conversations revealed a surprisingly compact organization consisting of only nine core members who leveraged AI-assisted workflows and heavily relied on access obtained through commodity infostealer malware. The findings expose a ransomware ecosystem that increasingly resembles a startup company rather than a traditional criminal gang.
The Rise of The Gentlemen
The numbers surrounding The Gentlemen are difficult to ignore. In less than a year, the operation climbed to become the second most active ransomware brand based on publicly listed victims, trailing only the notorious Qilin ransomware group.
Unlike many criminal organizations that operate behind layers of secrecy, the leaked chats provided researchers with detailed insight into how the group functioned. Conversations spanning from November 2025 through April 2026 showed members discussing infrastructure management, operational decisions, and even debates about which artificial intelligence models produced the best results for analyzing stolen information.
The leaked communications painted a picture that felt surprisingly corporate. Team members exchanged ideas about workflow optimization, software development, and data processing in ways that resembled discussions occurring inside legitimate technology companies.
The difference, of course, was that their business model revolved around extortion, data theft, and ransomware deployment.
The Affiliate Program That Accelerated Global Attacks
One of the biggest factors behind the
The Gentlemen adopted a ransomware-as-a-service model where external attackers performed the actual network intrusions while the core developers maintained the ransomware infrastructure and payment systems.
Affiliates were allowed to keep 90 percent of every ransom payment collected.
That percentage is exceptionally generous even within the cybercriminal economy. Most ransomware operations traditionally split payments far more evenly between developers and operators. By offering such favorable terms, The Gentlemen successfully attracted a larger pool of motivated attackers willing to conduct intrusions under the group’s banner.
The strategy worked. More affiliates meant more attacks, more victims, and a dramatically faster expansion than many competing ransomware operations.
An Unusual Global Targeting Strategy
Perhaps one of the most surprising discoveries was the group’s victim distribution.
Historically, ransomware gangs focus heavily on American organizations because they often possess substantial financial resources and are more likely to pay large ransom demands.
The Gentlemen took a different approach.
Only approximately 15 percent of their publicly listed victims were based in the United States. This stands in stark contrast to the typical 40 to 50 percent U.S. victim concentration observed across most major ransomware leak sites.
Instead, the group focused heavily on organizations located in Thailand, Brazil, the United Kingdom, France, India, Germany, Italy, Japan, Taiwan, Spain, and numerous countries throughout Latin America.
Internal discussions revealed the reasoning behind this strategy. Operators prioritized operational disruption over corporate size. Their logic suggested that a smaller utility company generating twenty million dollars annually might feel immediate pressure to restore operations, while a larger manufacturer generating hundreds of millions could potentially absorb downtime and negotiate longer.
This approach demonstrates a deeper understanding of psychological leverage rather than simply chasing the largest financial targets.
Manufacturing Became the Primary Victim
Among all industries affected by The Gentlemen, manufacturing organizations suffered the highest number of attacks.
Technology companies, business service providers, and healthcare organizations followed closely behind. Healthcare alone accounted for forty-four publicly identified victims.
Manufacturing remains an attractive target because operational downtime directly impacts production schedules, supply chains, and customer commitments. Every hour of disruption can translate into substantial financial losses.
Cybercriminals understand that businesses facing immediate operational paralysis are often more willing to engage in ransom negotiations.
The Real Battlefield: Initial Access
The leaked evidence suggests that encryption was never the group’s primary focus.
Instead, The Gentlemen concentrated most of their resources on obtaining initial access to corporate networks.
Operators actively scanned the internet for vulnerable systems and exploited known security weaknesses. Among the most heavily targeted vulnerabilities was the FortiOS authentication bypass flaw CVE-2024-55591. They also leveraged older but still effective Active Directory attack techniques including ZeroLogon and PetitPotam.
When technical exploits were unavailable, attackers turned to stolen credentials.
Compromised Outlook Web Access accounts became valuable intelligence sources. Attackers used them to identify VPN credentials, gather organizational information, and launch phishing campaigns from legitimate internal email accounts.
Recipients naturally trusted messages arriving from known colleagues, making these attacks highly effective.
Infostealers: The Silent Enabler of Modern Ransomware
The strongest connection uncovered during the investigation involved infostealer malware.
Infostealers have quietly become one of the most important components of today’s cybercrime ecosystem. These lightweight malware strains harvest usernames, passwords, browser data, session cookies, authentication tokens, and other sensitive information from infected devices.
Researchers compared several Gentlemen victims against known infostealer databases and discovered a troubling pattern.
Many organizations had active credentials and session tokens exposed long before they appeared on the ransomware leak site.
One notable example involved Philippine logistics giant 2GO. Researchers identified multiple employee accounts, customer logins, and dozens of active session tokens already circulating within stolen credential datasets before the company became a ransomware victim.
This correlation strongly supports claims made within the leaked chats that operators actively hunted for organizations already compromised through infostealer infections.
Why Session Cookies Have Become a Critical Threat
Traditional security strategies often focus heavily on passwords and multi-factor authentication.
The Gentlemen highlight why that approach is no longer enough.
Session cookies can effectively bypass many MFA protections because they represent already authenticated user sessions. If attackers steal a valid session token, they may gain access without needing the password or the second authentication factor.
This means organizations can deploy SMS verification, mobile push notifications, and even strong password policies yet remain vulnerable if session cookies are compromised.
As ransomware groups increasingly exploit stolen sessions, monitoring dark-web credential markets and infostealer activity becomes just as important as patching software vulnerabilities.
Learning from Other Criminals
The leaked chats revealed another fascinating detail.
The Gentlemen reportedly studied the infamous Black Basta chat leak from February 2025 as if it were a professional training guide.
Rather than inventing entirely new techniques, they borrowed proven phishing methodologies, mailbox abuse tactics, and operational workflows from a rival ransomware organization.
This demonstrates how cybercrime increasingly evolves through knowledge sharing and adaptation. Once criminal tactics become public, they often spread rapidly throughout the underground ecosystem.
A leak intended to damage one ransomware group may unintentionally educate dozens of others.
AI Becomes a Daily Cybercrime Tool
Artificial intelligence played a far larger role in The Gentlemen’s operations than many observers might expect.
According to the leaked conversations, an administrator known as zeta88 claimed to have developed the group’s negotiation platform in just three days using AI-assisted coding techniques.
The team also discussed utilizing uncensored open-weight language models and modified versions of popular AI systems to assist with programming tasks and large-scale analysis of stolen datasets.
Unlike many ransomware groups that merely experiment with AI, The Gentlemen appear to have integrated these technologies directly into everyday operations.
This represents one of the clearest documented examples of a ransomware organization successfully operationalizing large language models for practical business functions.
Extortion Is Becoming More Personal
The investigation uncovered evidence that The Gentlemen increasingly relied on psychological pressure rather than technical destruction.
Researchers observed instances where operators tested extortion techniques involving sensitive personal information obtained through compromised accounts.
Rather than simply threatening to release corporate data, attackers explored ways to create emotional and reputational pressure on victims.
Meanwhile, Microsoft previously documented a self-propagating Go-based encryptor linked to the group. Yet encryption itself appears to be becoming secondary.
Modern ransomware increasingly revolves around data theft, public exposure threats, and leveraging trusted relationships against victims.
The locked files are merely one piece of a broader coercion strategy.
Defending Against The Gentlemen
Despite the
Rapid patch management remains essential, particularly for internet-facing devices and VPN infrastructure.
Organizations should treat critical vulnerabilities such as CVE-2024-55591 as emergency incidents requiring immediate remediation rather than routine maintenance tasks.
Any discovery of infostealer-related credential exposure should be treated as a full security breach.
Security teams should immediately revoke active sessions, rotate credentials, and investigate potential unauthorized access.
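To make the mechanism concrete, the following Python sketch is an added example; it is not code from the report, from KELA, or from the group's tooling. It puts a naive session validator that accepts any presented cookie beside a hardened one that binds the token to a client fingerprint and a short lifetime, and it includes the bulk revocation step described above. The fingerprint derived from IP address and User-Agent, and every name in the block, are assumptions for illustration; a production system would bind to a device-held key rather than to network attributes.

```python
"""Session-cookie replay versus a bound, short-lived session, with bulk revocation.
Added example: not the report's, KELA's, or any product's code; all names are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float      # epoch seconds when MFA completed
    ttl_seconds: float
    client_fp: str        # fingerprint of the client that completed MFA


SESSIONS = {}  # token -> Session (in-memory stand-in for a server-side session store)


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse binding key (assumed source). Real deployments should bind to a
    device-held key instead of network attributes, which roam and can be spoofed."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def login(user, password_ok, mfa_ok, client_fp, now=None, ttl_seconds=8 * 3600):
    """Issue a session token only after both factors succeed."""
    if not (password_ok and mfa_ok):
        return None
    token = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    SESSIONS[token] = Session(user, issued, ttl_seconds, client_fp)
    return token


def authorize_naive(token):
    """Vulnerable pattern: presenting the cookie is treated as proof of identity.
    A token lifted by an infostealer works from another machine with no password
    and no second factor, which is the bypass the article describes."""
    return token in SESSIONS


def authorize_bound(token, client_fp, now=None):
    """Hardened check: the token must exist, be within its lifetime, and be
    presented by the same client that completed MFA."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    current = time.time() if now is None else now
    if current - session.issued_at > session.ttl_seconds:
        SESSIONS.pop(token, None)          # expired tokens are removed, not just refused
        return False
    return hmac.compare_digest(session.client_fp, client_fp)


def revoke_user_sessions(user):
    """Incident-response step: once a user's credentials or cookies show up in
    infostealer data, kill every live session. Returns the number revoked."""
    doomed = [t for t, s in SESSIONS.items() if s.user == user]
    for token in doomed:
        del SESSIONS[token]
    return len(doomed)


def demo():
    """Run the scenario on constructed data and return the observations."""
    SESSIONS.clear()
    t0 = 1_750_000_000.0  # fixed clock for reproducibility
    victim_fp = client_fingerprint("198.51.100.20", "Mozilla/5.0 (Windows NT 10.0) corp-laptop")
    attacker_fp = client_fingerprint("203.0.113.45", "Mozilla/5.0 (X11; Linux) replay-tool")

    token = login("alice", True, True, victim_fp, now=t0)
    results = {
        # the same cookie presented from a different client one minute later
        "naive_accepts_replay": authorize_naive(token),
        "bound_rejects_replay": not authorize_bound(token, attacker_fp, now=t0 + 60),
        "bound_accepts_owner": authorize_bound(token, victim_fp, now=t0 + 60),
    }
    # exposure confirmed: revoke everything alice has open
    login("alice", True, True, victim_fp, now=t0)
    results["revoked"] = revoke_user_sessions("alice")
    results["replay_after_revoke"] = authorize_naive(token)
    # a fresh session still dies at its TTL even if nobody revokes it
    token3 = login("alice", True, True, victim_fp, now=t0)
    results["bound_rejects_expired"] = not authorize_bound(token3, victim_fp, now=t0 + 9 * 3600)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive validator is the default behaviour of many web frameworks, which is why a stolen cookie is worth more to an attacker than a password: nothing about it is checked beyond its existence. Binding and a short TTL do not make theft impossible, but they turn a months-long foothold into a narrow window, and the revocation routine is what turns an infostealer alert into a contained event.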
Passkeys and hardware-backed authentication methods offer stronger protection against session hijacking compared to traditional SMS-based MFA.
Organizations must also strengthen Active Directory security, segment internal networks, limit lateral movement opportunities, and maintain regularly tested offline backups.
Most importantly, companies should assume that data theft has occurred even if encryption never happens.
What Undercode Says:
The Gentlemen case reveals a major shift in ransomware economics.
The most dangerous aspect is not the malware itself.
The operation demonstrates that ransomware has become highly modular.
Attackers no longer need elite developers.
They no longer need sophisticated zero-day vulnerabilities.
They no longer require large teams.
Everything can be outsourced.
Access comes from infostealer marketplaces.
Phishing techniques come from leaked criminal playbooks.
AI handles coding and data processing.
Affiliates perform the intrusions.
The core team simply orchestrates the ecosystem.
This dramatically lowers the barrier to entry.
A nine-person team reaching nearly 500 victims would have been difficult to imagine several years ago.
Today it is becoming normal.
The leaked chats also challenge the assumption that cybercriminals are highly sophisticated hackers.
Many successful attacks originate from basic operational failures: unpatched VPN appliances, stolen credentials, compromised mailboxes, poor session management, and weak Active Directory environments.
The AI component deserves special attention.
The cybersecurity industry has spent years discussing hypothetical AI-powered cyberattacks.
The Gentlemen provide evidence that practical implementation is already occurring.
Not through autonomous hacking or self-aware malware, but through productivity enhancement.
AI makes criminals faster.
AI makes analysis cheaper.
AI reduces development time.
AI helps process stolen information at scale.
That productivity advantage accumulates rapidly.
The biggest lesson concerns identity security.
Perimeter security is losing relevance.
Credential security is becoming the primary battlefield.
Organizations that fail to monitor credential exposure will increasingly discover attacks only after ransomware deployment.
Dark-web monitoring is no longer optional.
Infostealer intelligence is no longer optional.
Session security is no longer optional.
The ransomware groups winning in 2026 are not necessarily the most technically advanced.
They are the most operationally efficient.
The Gentlemen prove that efficiency can be more dangerous than innovation.
Deep Analysis
The technical indicators from this campaign highlight several defensive priorities.
Check Active Sessions and Authentication Logs
last
who
journalctl -u ssh    # the unit is named sshd on RHEL-family systems
Detect Suspicious Authentication Events
grep "Failed password" /var/log/auth.log
grep "Accepted password" /var/log/auth.log
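The two grep commands above surface raw events; the condition a responder actually wants to see is an accepted login that follows a burst of failures from the same source. The Python below is an added example, not part of the original checklist, that parses OpenSSH auth.log lines and raises exactly that alert. The log lines are constructed (documentation IP ranges), and the five-failure, ten-minute threshold is an assumption to be tuned per environment.

```python
"""Flag SSH logins that succeed right after a burst of failures from the same source.
Added example built on constructed auth.log lines; not part of the original checklist."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample using documentation address ranges (203.0.113.0/24, 198.51.100.0/24)
SAMPLE_AUTH_LOG = """\
Jun 10 02:14:01 web01 sshd[2213]: Failed password for admin from 203.0.113.45 port 50122 ssh2
Jun 10 02:14:09 web01 sshd[2219]: Failed password for admin from 203.0.113.45 port 50131 ssh2
Jun 10 02:14:17 web01 sshd[2226]: Failed password for admin from 203.0.113.45 port 50140 ssh2
Jun 10 02:14:25 web01 sshd[2233]: Failed password for admin from 203.0.113.45 port 50152 ssh2
Jun 10 02:14:33 web01 sshd[2240]: Failed password for admin from 203.0.113.45 port 50161 ssh2
Jun 10 02:14:40 web01 sshd[2301]: Accepted password for admin from 203.0.113.45 port 50180 ssh2
Jun 10 08:01:12 web01 sshd[3020]: Accepted publickey for deploy from 198.51.100.7 port 41002 ssh2: ED25519 SHA256:constructedfingerprint
Jun 10 08:05:00 web01 sshd[3101]: Failed password for invalid user test from 203.0.113.99 port 60000 ssh2
Jun 10 09:00:00 web01 sshd[3300]: Failed password for alice from 198.51.100.20 port 52000 ssh2
Jun 10 09:00:12 web01 sshd[3304]: Accepted password for alice from 198.51.100.20 port 52004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line):
    """Return a dict for an sshd Accepted/Failed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year; fine for ordering within one file
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def find_brute_force_successes(lines, threshold=5, window=timedelta(minutes=10)):
    """An Accepted event preceded by at least `threshold` failures from the same IP
    inside `window` is the pattern worth paging on, whatever the grep volume."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ip, ts = event["ip"], event["ts"]
        if event["result"] == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if timedelta(0) <= ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "ip": ip,
                "user": event["user"],
                "method": event["method"],
                "failures_before_success": len(recent),
                "at": ts.strftime("%b %d %H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force_successes(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample, only the admin login from 203.0.113.45 is flagged: five failures in forty seconds followed by success. The deploy key-based login and alice's single typo never reach the threshold, which is the point of correlating rather than counting.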
Identify Exposed VPN Services
nmap -sV <target-ip>
Review Active Network Connections
ss -tulpn
netstat -antp
Audit Active Directory Security
Get-ADUser -Filter *
Get-ADComputer -Filter *
Detect Lateral Movement Activity
sudo tcpdump -i any
Investigate Browser Session Artifacts
# copy the store out of a closed browser profile first; the live file is locked
sqlite3 Cookies.db "SELECT host_key, name, expires_utc FROM cookies;"
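Opening the cookie store with sqlite3 is only useful if you know how to read it. The Python below is an added example, not from the original checklist, showing how to triage a copied Chromium-style Cookies database for authentication cookies that are still valid: that is the set an infostealer would have handed to an attacker, and the set a responder has to revoke. It builds a constructed sample database in memory rather than touching a real profile; the table reproduces only the subset of Chromium's schema used here (host_key, name, expires_utc in microseconds since 1601-01-01), and the cookie-name heuristics and host list are assumptions. Cookie values stay encrypted on disk and are not needed for scoping, so the code reads metadata only.

```python
"""Triage a Chromium-style Cookies database for authentication cookies still valid now.
Added example on a constructed in-memory database; not from the original checklist."""
import sqlite3
from datetime import datetime, timezone

# Chromium stores times as microseconds since 1601-01-01 00:00 UTC (the WebKit epoch)
WEBKIT_EPOCH_OFFSET_S = 11_644_473_600

# Assumed heuristics: cookie names that usually carry an authenticated session
SESSION_NAME_HINTS = ("session", "sid", "auth", "token")


def webkit_to_unix(us):
    return us / 1_000_000 - WEBKIT_EPOCH_OFFSET_S


def unix_to_webkit(ts):
    return int((ts + WEBKIT_EPOCH_OFFSET_S) * 1_000_000)


def build_sample_db(conn, now_unix):
    """Constructed sample with only the columns this triage reads; values are left
    out because Chromium keeps them encrypted and scoping does not need them."""
    conn.execute(
        "CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER, "
        "is_secure INTEGER, is_httponly INTEGER)"
    )
    rows = [
        ("sso.example.com", "SESSIONID", unix_to_webkit(now_unix + 7 * 86400), 1, 1),
        ("mail.example.com", "ASP.NET_SessionId", unix_to_webkit(now_unix + 3600), 1, 1),
        ("mail.example.com", "old_session", unix_to_webkit(now_unix - 86400), 1, 1),  # expired
        (".ads.example.net", "tracking", unix_to_webkit(now_unix + 365 * 86400), 0, 0),
        ("sso.example.com", "authtoken", 0, 1, 1),  # expires_utc 0: browser-session cookie
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)", rows)


def live_session_cookies(conn, now_unix, hosts=None):
    """Return (host, name, expiry) for cookies that look like auth sessions and have
    not expired as of now_unix; `hosts` optionally restricts to corporate domains."""
    found = []
    for host, name, expires_utc in conn.execute(
        "SELECT host_key, name, expires_utc FROM cookies ORDER BY rowid"
    ):
        if hosts and not any(host.endswith(h) for h in hosts):
            continue
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue
        if expires_utc == 0:
            expiry = "browser-session"      # valid for as long as the browser process lives
        elif webkit_to_unix(expires_utc) > now_unix:
            expiry = datetime.fromtimestamp(webkit_to_unix(expires_utc), tz=timezone.utc).isoformat()
        else:
            continue                        # already expired, nothing to revoke
        found.append((host, name, expiry))
    return found


def triage_sample(hosts=("example.com",)):
    """Build the constructed store in memory and run the triage against it."""
    now_unix = 1_750_000_000  # fixed clock for reproducibility
    conn = sqlite3.connect(":memory:")
    build_sample_db(conn, now_unix)
    return live_session_cookies(conn, now_unix, hosts=list(hosts))


if __name__ == "__main__":
    # For a real case: copy the profile's Cookies file while the browser is closed,
    # then sqlite3.connect(path_to_copy) and call live_session_cookies on it.
    for row in triage_sample():
        print(*row)
```

The output is a revocation worklist: which identity providers and mail hosts had live sessions on the machine, and how long each would have stayed usable. The expired entry and the advertising cookie drop out, while the zero-expiry cookie is kept because Chromium uses that value for session-scoped cookies, which are live until the browser exits.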
Search for Credential Dumping Activity
sudo ausearch -k credential
Verify Backup Integrity
rsync -av --dry-run backup/ restore-test/
Monitor for Indicators of Compromise
yara -r rules.yar /data
Examine Endpoint Security Events
Get-WinEvent -LogName Security
The recurring pattern across The Gentlemen attacks is clear: compromised identities almost always appear before ransomware deployment. Detecting those identities early remains the most effective defense.
✅ The Gentlemen emerged in September 2025 and rapidly accumulated hundreds of victims, making them one of the most active ransomware operations observed in 2026 according to the reported investigation.
✅ Researchers obtained leaked internal chat logs that allegedly exposed operational details, affiliate structures, AI usage discussions, and credential-based attack methodologies.
✅ Infostealer malware and stolen session cookies are increasingly recognized throughout the cybersecurity industry as major contributors to ransomware intrusions, aligning with the findings described in the report.
Prediction
(+1) Ransomware groups will increasingly integrate open-source AI models into daily operations, reducing development costs and enabling smaller teams to conduct larger campaigns.
(+1) Identity-focused attacks involving stolen credentials and session cookies will surpass traditional exploit-based intrusions as the dominant ransomware entry method during the next several years.
(+1) Organizations will invest significantly more in dark-web monitoring, passkey adoption, and session protection technologies as awareness of infostealer-driven compromises grows.
(-1) The success of affiliate-heavy operations like The Gentlemen will encourage the emergence of additional ransomware brands that prioritize scale over sophistication.
(-1) More leaked criminal chat logs will likely appear as insider disputes, law enforcement actions, and operational mistakes continue exposing ransomware infrastructure.
(-1) Companies that continue relying solely on passwords and conventional MFA methods may experience increased compromise rates as session hijacking techniques become more widespread and automated.
References:
Reported By: securityaffairs.com