RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
The Gentlemen
Ransomware-as-a-Service  •  Double Extortion  •  Qilin Splinter
Critical Threat  •  Fully Operational RaaS  •  Rapidly Scaling
First Observed: Mid-2025 (RaaS from Sep 2025)
Claimed Victims: 420+ (as of May 2026)
Countries Targeted: 50+ (FortiGuard, 2026)
Affiliate Split: 90/10 (affiliate / operator)
Microsoft Tracking: Storm-2697 (operator cluster)
LE Disruptions: Zero (no takedowns, no sanctions)
Lineage: Qilin (payment dispute splinter)
01 Executive Summary and Group Overview

The Gentlemen is a rapidly scaling Ransomware-as-a-Service (RaaS) operation that emerged in mid-2025 and transitioned to a full affiliate model in September 2025. Within its first year of operation it became one of the highest-volume RaaS programs globally by claimed victim count, responsible for an estimated 10% of all publicly tracked ransomware incidents in early 2026. The group is characterized by a generous 90/10 revenue split favoring affiliates, a Go-based encryptor with aggressive self-propagation capability, and a deliberate policy of excluding Commonwealth of Independent States (CIS) targets, consistent with Russian-speaking origin. Microsoft Threat Intelligence tracks the operator cluster as Storm-2697; the malware family is detected as Ransom:Win64/Gentlemen.A.

The group's operational data was partially compromised in May 2026 when internal Rocket.Chat communications and panel data were leaked and circulated on underground forums. Despite this OPSEC setback, the group continued active operations with no observable disruption to victim accumulation.

Attribute | Detail
Common names | The Gentlemen, TheGentlemen, Gentlemen RaaS
Microsoft tracking | Storm-2697 (operator cluster); Ransom:Win64/Gentlemen.A (malware family)
Fortinet FortiGuard | "The Gentlemen Ransomware" (no internal codename published as of May 2026)
IBM X-Force | "The Gentlemen" threat group (internal GUID: 688ac4f45c5a4791b8019a4d313594f7; no codename published)
Check Point Research | "The Gentlemen Ransomware-as-a-Service" (no additional family tag)
Halcyon | "The Gentlemen Ransomware Group" (no codename)
Trend Micro | "The Gentlemen ransomware" (no codename)
Cybereason | "The Gentlemen" (no codename)
Group-IB | "The Gentlemen" (no codename)
Operational model | Ransomware-as-a-Service with affiliate panel, custom build generator
Extortion mechanic | Double extortion (encryption + data publication threat); opportunistic triple extortion elements
Assessed jurisdiction | Russia / CIS region (CREDIBLE)
LE disruption status | None confirmed as of May 2026
Lineage assessment | Splinter from Qilin ecosystem following payment dispute (CREDIBLE)
Analytical note on vendor designations: As of May 2026, no major vendor (CrowdStrike, Secureworks, Palo Alto Unit 42) has published a formal internal codename for The Gentlemen. Microsoft is the only vendor with a published tracking designation: Storm-2697 for the operator cluster. Absence of codenames from other vendors reflects the group's recency, not analytical ambiguity. Analysts should not conflate any Qilin-era designations with The Gentlemen; they are organizationally distinct.
Data Leak Site & Branding
02 Lineage and Organizational Heritage

Overall Assessment (Credible)

Multi-vendor consensus holds that The Gentlemen emerged from the Qilin ransomware affiliate ecosystem following a payment dispute, with experienced operators breaking away to found a new, independently branded RaaS. This is best characterized as a splinter or successor operation, not a rebrand: The Gentlemen operates under a distinct brand, a distinct codebase (its own Go encryptor rather than a fork of Qilin's Go-based code), and a distinct business model with a notably more generous affiliate split. Halcyon, IBM X-Force, and Ransom-ISAC all support this framing. No vendor has formally assessed it as a direct rebrand. [1][4][5][7]

Evidentiary Pillars
Pillar 1 — Credible
Personnel and Timing Continuity
The Gentlemen emerged in mid-2025 at a period of known internal friction within the Qilin affiliate program. Internal chat leaks (Rocket.Chat, analyzed by KELA and Ransom-ISAC) show core operator "zeta88" referencing prior RaaS work under a different platform where affiliates were underpaid, inferred by multiple analysts to be Qilin. Timeline alignment is consistent with a deliberate departure rather than coincidental launch. [3][7]
Pillar 2 — Credible
Business Model Reaction
The Gentlemen's 90/10 affiliate split (one of the most generous in the ecosystem) and affiliate-owned wallet structure are analytically consistent with a founding team that felt undercompensated under a prior operator. Halcyon frames this as an explicit corrective move: the group positioned itself as more attractive to affiliates than its predecessor. [4][7]
Pillar 3 — Analyst Inference
TTP and Infrastructure Overlap
Group-IB and Check Point document use of SystemBC, VPN device exploitation (FortiGate, Cisco), and infostealer-driven initial access, all consistent with Qilin's documented playbook. However, these TTPs are widely shared across Russian-language RaaS and are not Qilin-specific. Infrastructure overlap is suggestive but not probative. [2][10][17]
Pillar 4 — Analyst Inference
Code Lineage
The Gentlemen uses a Go-based encryptor with Garble obfuscation. Qilin also uses Go. Microsoft's deep-dive found no public claim of direct code reuse or forking from Qilin's codebase; the encryptor appears to be original work. Go is a popular language among modern RaaS builders and shared language choice alone does not imply code lineage. [1]
Vendor-Specific Lineage Positions
Vendor | Position | Confidence Applied
Halcyon | Formed after a payment dispute within the Qilin ecosystem; approximately 20-person core team; deliberately more attractive business model than predecessor | Credible
IBM X-Force | Emerged from Qilin ecosystem; distinct group with experienced operators; not a Qilin rebrand | Credible
Ransom-ISAC | Internal chats reference prior RaaS grievances consistent with Qilin; operator "zeta88" discussed payment disputes predating The Gentlemen's launch | Credible
Check Point Research | Distinct RaaS operation; Qilin lineage not formally assessed in published reporting | Not formally assessed
Microsoft (Storm-2697) | Financially motivated RaaS operator; Qilin lineage not referenced in published reporting | Not formally assessed
Group-IB | Positions within Russian-language RaaS cluster sharing infrastructure and tooling with Qilin and others; treats as distinct group | Credible (shared ecosystem)
Key disambiguation: No vendor designation associated with Qilin (e.g., Scattered Spider adjacency assessments, any vendor's Qilin tracking codename) should be applied to The Gentlemen. They are analytically and operationally distinct entities. Shared Qilin affiliation by individual operators is the proposed link, not organizational identity.
03 Operational Model

RaaS Structure

The Gentlemen began as a closed group in mid-2025 and transitioned to a full RaaS model with external affiliates in September 2025. [13][1] The group subsequently established an official partnership with BreachForums, a major cybercriminal marketplace, to recruit affiliates including penetration testers and initial access brokers. [1] The operator provides: a custom build generator panel producing multi-platform lockers; affiliate-specific Tox/Session IDs injected into ransom notes; and a data leak site for victim publication.

The core operator is identified in internal communications under the handle "zeta88," who manages the panel, conducts affiliate onboarding via Tox and Session, and sets revenue settlement arrangements. [3][7] Internal chats describe approximately 20 core personnel at the operational level. [4]

Affiliate Revenue Split
Affiliate Share: 90% (wallet owned by affiliate; among highest in ecosystem)
Operator Share: 10% (settled via internal arrangement post-receipt)
Wallet Ownership: Affiliate (fragmented cash-out; no central operator wallet)
Negotiation Control: Affiliate (operator intervenes only in disputes or edge cases)

The 90/10 split and affiliate-owned wallet model are structurally significant for on-chain attribution: there is no single operator wallet to trace. Payment flows are highly fragmented across numerous affiliate wallets, consistent with what Halcyon describes as a "RaaS-as-SaaS" cash-out architecture. [4][16]

Affiliate Recruitment and Vetting

Recruitment is conducted via underground forum postings and the BreachForums partnership. The group targets affiliates with demonstrated intrusion skills, specifically penetration testers and initial access brokers capable of delivering high-value targets. Mass-spam operators are deprioritized in favor of skilled, targeted operators. [3][8] Basic technical vetting occurs before panel access is provisioned. [3]

Internal chats indicate preference for affiliates who can bring their own initial access or who have established relationships with IABs. This produces an affiliate pool oriented toward mid-market and enterprise targets rather than opportunistic volume attacks. [12]

Negotiation Behavior
  • Initial demands: Low- to mid-eight-figure USD equivalent for large enterprises; scaled to perceived victim revenue and liquidity. [9]
  • Discount range: 40-70% off initial ask documented in analyzed incidents. [9]
  • Deadlines: Typically 5-10 days before publication threats escalate; some cases show staged partial data leaks as interim pressure. [6]
  • Communication channels: Tox and Session IDs (affiliate-specific, injected at build time); sometimes email or Tor portal. [2][3]
  • Operator involvement: Minimal during negotiations; affiliates run their own deals. Operator engages only in disputes or complex settlements. [3]
Multi-Extortion Mechanics

Standard (double extortion): Data exfiltration precedes encryption. Non-paying victims are named on the Tor-based leak site, with staged data publication (sample data first, full archive later). [2][6]

Opportunistic (triple extortion): Some affiliates have threatened DDoS or regulatory reporting (e.g., notifying the victim's regulator of a data breach) as additional pressure. These appear affiliate-driven and opportunistic rather than formalized RaaS policy. [5]

04 Technical Capabilities

Platform Support
Platform | Language | Encrypted Extension | Notes
Windows | Go (Garble obfuscated) | .umc16h | Primary; self-propagating; per-file ephemeral key encryption
Linux | Go | TBD | Confirmed per IBM X-Force / Check Point
NAS / BSD | Go | TBD | Confirmed per IBM X-Force
ESXi | C | TBD | Separate C-based locker; targets virtual environments
Encryption Scheme

The Windows encryptor implements a hybrid cryptographic design documented by Microsoft: [1]

  • Per-file ephemeral Curve25519 key pair: A unique ephemeral keypair is generated for each file. The ECDH shared secret between the ephemeral private key and the operator's embedded public key is used as the XChaCha20 key.
  • XChaCha20 stream cipher: File content is encrypted using XChaCha20. The nonce is derived from the first 24 bytes of the ephemeral public key, making separate nonce storage unnecessary.
  • File footer: The Base64-encoded ephemeral public key is appended to the encrypted file after the marker --eph--, along with a GENTLEMEN identification marker. Large files also include a speed flag marker indicating the chunk percentage used.
  • Size-based strategy: Files under 1MB are fully encrypted. Files over 1MB are partially encrypted in three distributed chunks (default: 9% per chunk, ~27% total). Speed flags allow affiliates to set ultrafast (0.9%), superfast (3%), or fast (9%) modes.
Decryptor status: As of May 2026, no publicly available universal decryptor exists. The per-file ephemeral key design, where the operator's private key is required to reconstruct the XChaCha20 key for each file, is cryptographically robust. Operational weaknesses revealed in internal leaks have not yet translated into a general decryptor. No More Ransom does not list a Gentlemen decryptor. [11]
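As an added triage example (not code from this profile or from Microsoft's report), the following Python recognizes files that carry the documented footer markers, extracts the ephemeral public key, and estimates how much of a large file the partial-encryption modes leave untouched. The exact footer layout (Base64 key immediately after --eph--, then the GENTLEMEN marker) is an assumption; the markers, key sizes and chunk percentages are those stated above.

```python
"""Triage helper for files bearing The Gentlemen's documented footer.

Added example; not from the profile or Microsoft's report. Assumed layout
(the report names the markers but not their exact order):
    <ciphertext> "--eph--" <Base64 ephemeral X25519 public key> "GENTLEMEN"
"""
import base64
from typing import Optional

EPH_MARKER = b"--eph--"
ID_MARKER = b"GENTLEMEN"
KEY_LEN = 32                      # Curve25519 public keys are 32 bytes
B64_KEY_LEN = 44                  # standard Base64 of 32 bytes is always 44 chars
NONCE_LEN = 24                    # XChaCha20 nonce = first 24 bytes of the eph. public key
FULL_ENCRYPT_LIMIT = 1024 * 1024  # files under 1 MB are encrypted in full
NUM_CHUNKS = 3                    # larger files: three distributed chunks
CHUNK_PCT = {"ultrafast": 0.9, "superfast": 3.0, "fast": 9.0}  # per-chunk share of file size


def parse_footer(data: bytes) -> Optional[dict]:
    """Return footer details if the file carries the documented markers, else None."""
    idx = data.rfind(EPH_MARKER)
    if idx < 0:
        return None
    start = idx + len(EPH_MARKER)
    try:
        key = base64.b64decode(data[start:start + B64_KEY_LEN], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(key) != KEY_LEN:
        return None
    rest = data[start + B64_KEY_LEN:]
    return {
        "ciphertext_len": idx,  # bytes preceding the footer
        "ephemeral_pubkey_hex": key.hex(),
        # The nonce is recoverable from disk, but the XChaCha20 key is the ECDH
        # secret between this ephemeral key and the operator's private key,
        # which is not on disk: the footer identifies the file, it does not unlock it.
        "nonce_hex": key[:NONCE_LEN].hex(),
        "has_id_marker": ID_MARKER in rest,
    }


def estimate_encrypted_bytes(size: int, mode: str = "fast") -> int:
    """Approximate number of bytes the locker overwrites in a file of `size` bytes."""
    if size < FULL_ENCRYPT_LIMIT:
        return size
    per_chunk = int(size * CHUNK_PCT[mode] / 100)
    return min(size, per_chunk * NUM_CHUNKS)


def intact_fraction(size: int, mode: str = "fast") -> float:
    """Share of the file left in plaintext (useful when triaging large backups or VM disks)."""
    return 1.0 - estimate_encrypted_bytes(size, mode) / size


# Constructed sample: 100 bytes of "ciphertext" followed by the assumed footer.
SAMPLE_KEY = bytes(range(32))
SAMPLE_FILE = b"\x00" * 100 + EPH_MARKER + base64.b64encode(SAMPLE_KEY) + ID_MARKER

if __name__ == "__main__":
    print(parse_footer(SAMPLE_FILE))
    for mode in CHUNK_PCT:
        print(mode, estimate_encrypted_bytes(10_000_000, mode))
```

The intact fraction only says how much plaintext survives, not where it lies; chunk positions are not published, so recovery of partially encrypted formats still needs per-file inspection.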
Initial Access Vectors
Vector | Assessment | Sources
FortiGate SSL-VPN exploitation / brute force | Primary vector per Raven File and Ransom-ISAC analysis; credential theft or exploitation of SSL-VPN configuration weaknesses | [8][7]
Infostealer-driven credentials | Hudson Rock describes this as the group's defining access model: large-scale infostealer log purchases providing VPN, RDP, and SaaS credentials at scale | [11]
Cisco VPN / edge device exploitation | Confirmed per Spanish-language reporting and Group-IB TTP analysis; credential reuse or appliance exploitation | [10]
RDP (compromised credentials) | Documented by FortiGuard as a key vector alongside VPN access | [6]
Phishing (credential harvesting) | Listed by FortiGuard; less prominent than VPN/infostealer vectors in DFIR case reporting | [6]
Initial access broker (IAB) purchases | Consistent with affiliate recruitment targeting IABs; internal chats show discussion of purchased access | [3]
CVE status: As of May 2026, no specific CVE number has been formally confirmed in multi-vendor reporting as the signature exploit for The Gentlemen. References to Fortinet and Cisco device exploitation are consistent with a range of known SSL-VPN vulnerabilities (FortiOS SSL-VPN, Cisco ASA/FTD families) but public reporting has not settled on a single CVE anchor. Analysts should treat FortiGate SSL-VPN exposure as the primary attack surface indicator rather than a specific CVE.
Defense Evasion and Pre-Encryption Actions
  • Disables Microsoft Defender: PowerShell commands disable real-time monitoring, add exclusion paths, and exclude the full C:\ volume from scanning. [1]
  • Deletes shadow copies: Both vssadmin and wmic are used to delete all Volume Shadow Copies. [1]
  • Clears event logs: System, Application, and Security logs cleared via wevtutil. [1]
  • Removes forensic artifacts: Prefetch files, Defender diagnostic logs, RDP logs, and PowerShell command history (PSReadLine) deleted across all user profiles. [1]
  • Process and service termination: Extensive target list including databases (MSSQL, MySQL, PostgreSQL, Oracle), backup software (Veeam, Acronis, Backup Exec), EDR agents, SAP, virtualization (VMware, Docker), Office apps, and Exchange. [1]
  • Garble obfuscation: The Go binary is obfuscated with Garble to hinder static analysis and EDR detection. [1]
Persistence Mechanisms

The encryptor establishes layered persistence via two independent methods: [1]

  • Scheduled Tasks: Tasks named UpdateSystem (SYSTEM context) and UpdateUser (current user context) are created to relaunch the payload at startup. A separate task named gentlemen_system is used for privilege escalation during the encryption phase.
  • Registry Run Keys: Values GupdateS (HKLM, device-wide) and GupdateU (HKCU, user-scoped) provide redundant autorun paths across privilege levels.
Self-Propagation Module

The most operationally distinctive feature of The Gentlemen encryptor is its self-propagation module, activated via the --spread argument. When enabled, the malware transforms from a single-host encryptor into a network worm that attempts deployment to every reachable host on the network simultaneously. [1]

Per Microsoft's analysis, the module executes 21 distinct remote execution operations per discovered target host across eight independent methods, each attempted regardless of prior success: [1]

Propagation Method | Description
Remote file copy via C$ share | Stages payload in target's local C:\Temp via administrative share
PsExec (embedded or downloaded) | Three-stage PsExec execution: defense evasion blob, payload from SMB share, payload from local C:\Temp
WMIC process creation | Three commands via wmic.exe: defense evasion, then two payload executions
Scheduled tasks (user context) | Three tasks: DefU (evasion), UpdateGU and UpdateGU2 (payload from both paths)
Scheduled tasks (SYSTEM context) | Same three tasks replicated under SYSTEM account for higher privilege
Windows service creation | DefSvc, UpdateSvc, UpdateSvc2 services created and started on target
PowerShell remoting (WinRM / Invoke-Command) | Direct remote execution via Windows Remote Management
PowerShell WMI class (Win32_Process) | Alternative WMI path bypassing wmic.exe if binary is restricted

The malware first creates a hidden SMB share (share$) on the infected host pointing to C:\Temp, enabling anonymous retrieval of the payload by target hosts. It also modifies firewall rules and enables network discovery services (fdrespub, fdPHost, SSDPSRV, upnphost) to maximize visibility into the network. On each target, it runs a defense evasion blob that disables Defender, turns off the Windows Firewall across all profiles, enables SMB1, and loosens LSA anonymous-access restrictions before executing the payload. [1]
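The persistence artifacts and the propagation artifacts above (task, service, Run-key and share names) are concrete enough to match in host telemetry. The following is an added detection example, not code from this profile, Microsoft or Huntress; the event lines are constructed in a simplified key="value" layout rather than real EVTX output, and the event IDs used (4698, 7045, 5142, Sysmon 13) are the standard Windows/Sysmon ones for those actions.

```python
"""Match constructed Windows event lines against The Gentlemen's documented
persistence (UpdateSystem/UpdateUser/gentlemen_system tasks, GupdateS/GupdateU
Run values) and propagation (DefU/UpdateGU tasks, DefSvc/UpdateSvc services,
hidden share$ -> C:\\Temp) artifacts.

Added example; not code from the profile, Microsoft or Huntress.
"""
import re
from collections import defaultdict

# Artifact names exactly as documented in the profile (Microsoft analysis).
PERSIST_TASKS = {"UpdateSystem", "UpdateUser", "gentlemen_system"}
SPREAD_TASKS = {"DefU", "UpdateGU", "UpdateGU2"}
RUN_KEY_VALUES = {"GupdateS", "GupdateU"}
SPREAD_SERVICES = {"DefSvc", "UpdateSvc", "UpdateSvc2"}
STAGING_SHARE = "share$"
STAGING_PATH = "c:\\temp"


def parse_event(line: str) -> dict:
    """Turn one constructed key="value" line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def leaf(path: str) -> str:
    """Last component of a backslash-separated task, share or registry path."""
    return path.rsplit("\\", 1)[-1]


def classify(ev: dict):
    """Label one event, or return None when it matches nothing documented."""
    eid = ev.get("EventID")
    if eid == "4698":  # Security: scheduled task created
        name = leaf(ev.get("TaskName", ""))
        if name in PERSIST_TASKS:
            return f"persistence: scheduled task {name}"
        if name in SPREAD_TASKS:
            return f"propagation: remote scheduled task {name}"
    elif eid == "7045":  # System: service installed
        name = ev.get("ServiceName", "")
        if name in SPREAD_SERVICES:
            return f"propagation: service {name}"
    elif eid == "5142":  # Security: network share created
        if (leaf(ev.get("ShareName", "")) == STAGING_SHARE
                and ev.get("SharePath", "").lower() == STAGING_PATH):
            return "propagation: hidden staging share share$ -> C:\\Temp"
    elif eid == "13":  # Sysmon: registry value set
        target = ev.get("TargetObject", "")
        if "\\CurrentVersion\\Run\\" in target and leaf(target) in RUN_KEY_VALUES:
            return f"persistence: Run key value {leaf(target)}"
    return None


def scan(lines):
    """Group findings per host; returns {host: [labels]} for hosts with a match."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings[ev.get("Computer", "unknown")].append(label)
    return dict(findings)


def staging_hosts(findings: dict) -> list:
    """Hosts that exposed share$: the source of a spread wave, so isolate these first."""
    return sorted(h for h, labels in findings.items()
                  if any("staging share" in lbl for lbl in labels))


# Constructed sample events (not real telemetry); hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    'Computer="FS01" EventID="5142" ShareName="\\\\*\\share$" SharePath="C:\\Temp"',
    'Computer="FS01" EventID="4698" TaskName="\\UpdateSystem" Account="SYSTEM"',
    'Computer="WS07" EventID="4698" TaskName="\\DefU" Account="jdoe"',
    'Computer="WS07" EventID="7045" ServiceName="UpdateSvc" ImagePath="C:\\Temp\\payload.exe"',
    'Computer="WS07" EventID="13" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\GupdateS"',
    'Computer="WS09" EventID="4698" TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" Account="SYSTEM"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for host, labels in result.items():
        print(host, labels)
    print("staging hosts:", staging_hosts(result))
```

Because the worm fires all 21 execution paths regardless of success, a spread target typically shows several of these labels within seconds; alerting on the staging share alone catches the source host before the first remote task lands.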

Lateral Movement Toolset
Phase | Tools / Techniques
Initial staging / C2 | SystemBC (SOCKS5 proxy and C2 tunneling); AnyDesk, WinSCP, PuTTY, RustDesk
Discovery | Advanced IP Scanner, Nmap, net commands
Credential access | Domain credential dumping; ICACLS for permission manipulation; stolen VPN/infostealer credentials
Lateral movement | PsExec, WMI, PowerShell remoting, Windows services; RDP; WinRM
Exfiltration | SystemBC-tunneled exfiltration; WinSCP
Persistence (hands-on-keyboard) | Scheduled tasks, Registry Run keys, Windows services
CIS Exclusion (Confirmed)

The Gentlemen enforces an explicit policy prohibiting attacks on organizations in Russia and other CIS countries. FortiGuard reports this as an operator-level policy; Group-IB notes it as consistent with Russian-language RaaS norms. Some technical analyses reference locale or language checks in the encryptor, though binary-level detail on the CIS exclusion mechanism has not been published as of May 2026. [6][10]

Ransom Note Format

Note filename: README-GENTLEMEN.txt (excluded from encryption target list). Contents: victim-specific identifier, affiliate Tox and Session contact IDs, Tor portal link, payment instructions in cryptocurrency, threat of data publication if unpaid, and a warning against third-party decryption attempts. Tone is pragmatic and business-oriented. The note is dropped in each scanned directory during traversal. [1][2]

05 Financial Infrastructure

Payment Model

Ransoms are demanded primarily in Bitcoin; some affiliates may accept additional cryptocurrencies at their discretion. The affiliate-owned wallet model means payment goes directly to the affiliate's wallet, with the operator's 10% settled via internal arrangement afterward. This architecture produces no single canonical operator wallet and significantly complicates on-chain attribution. [16][7]

On-Chain Infrastructure (Analyst Inference)

As of May 2026, no TRM Labs, Chainalysis, or Elliptic study specifically mapping The Gentlemen's on-chain fund flows has been published. This is an active intelligence gap. The following is derived from general RaaS-ecosystem reporting and internal leak analysis:

1. Initial Receipt
Victim pays Bitcoin to affiliate-controlled wallet. The affiliate-owned model means numerous distinct wallets are used across the affiliate pool, with no operator-controlled central receiving wallet. [7][16]
2. Operator Settlement
The 10% operator share is settled via direct wallet transfer to operator-controlled addresses after receipt confirmation. This inter-affiliate transfer is the most attributable on-chain link to the operator cluster. [3][7]
3. Laundering (assessed)
Early operations (late 2025) appear to use standard BTC mixing approaches. 2026 reports mention affiliates experimenting with privacy coins and chained mixing services, though public detail is limited. Halcyon characterizes The Gentlemen among "next-generation" RaaS with increasing on-chain OPSEC sophistication. [4]
4. Cash-Out
No vendor-named specific exchanges or mixing services have been publicly identified in association with The Gentlemen. Attribution of cash-out paths awaits dedicated blockchain forensics firm analysis. [4]
Revenue Estimates

Total revenue extracted by The Gentlemen is not yet clearly quantified in public sources. Single-source estimates characterize tens of millions of USD equivalent in 2025-2026 based on partial payment observations and average demand sizes, but these carry low confidence. The combination of high victim volume (420+ claimed), mid-to-high-value targeting, and a generous affiliate split suggests a rapidly growing total revenue figure. [16]

Sanctions Status (Confirmed: No Sanctions)

As of May 2026, no OFAC designation, EU sanctions listing, or equivalent action specifically naming The Gentlemen, its wallets, or any identified individual in the operator cluster has been publicly reported. The group's recency and the typical lag between LE intelligence gathering and sanctions action mean this gap is expected rather than indicative of reduced threat. [17]

06 Victim Profile and Targeting

Volume Metrics
DLS Claimed Victims (May 2026): 420+ (Raven File / Ransom-ISAC estimate, May 2026)
FortiGuard DLS Count: 200+ (50+ countries, early 2026)
C2-Linked Victims: 1,570+ (SystemBC C2 compromise incl. partial intrusions)
Global Share (Early 2026): ~10% (of all public ransomware claims, per KELA analysis)
Countries Targeted: 50+ (all major regions; CIS excluded)
2026 Ranking: Top 3 (by claimed attacks, early 2026)
Sector Targeting

Targeting is assessed as primarily opportunistic, driven by affiliate access availability rather than deliberate pre-selected sector strategy. Sectors documented across DFIR cases and vendor reporting: [1][6][12]

Sector | Evidence Level | Notes
Education | Confirmed (Microsoft) | Observed in Microsoft's documented impact set
Healthcare | Confirmed (Microsoft / FortiGuard) | No documented exclusion; healthcare not protected
Transportation / Logistics | Confirmed (Microsoft) | Documented in Microsoft case analysis
Financial Services | Confirmed (Microsoft) | Documented in Microsoft case analysis
Manufacturing / Industrial | Credible (S-RM, SOC Prime) | Notable in Asia-Pacific and Europe
Energy / Government / IT | Credible (FortiGuard) | Listed among targeted sectors; individual cases not named
Geographic Distribution

Victims span all major global regions with particular concentration in Asia (Japan, South Korea, Southeast Asia), North America, and Europe. CIS-region organizations are systematically excluded per group policy. [1][6][9]

Geographic intelligence gap: As of May 2026, no vendor has published a country-level breakdown of The Gentlemen victims comparable to ransomware.live's open data for older groups. Microsoft documents North America, South America, Europe, Africa, and Asia as all affected. A definitive country-by-count table is not available in public reporting.
Victim Size and Selection Model

Internal chats show affiliates focusing on organizations with high perceived ability to pay, using revenue or employee count as heuristics. Mid-market and large enterprises are prioritized; some affiliates explicitly avoid very small targets as uneconomical. [7]

The 1,570+ victim count from the SystemBC C2 compromise includes a large number of small and mid-sized organizations appearing as partial or failed intrusions, suggesting wide scanning and triage with selective escalation to full deployment against higher-value targets. [16][17]

Named / Notable Victims

Individual victim names disclosed by The Gentlemen on its leak site are not reproduced here. Vendor briefings reference large manufacturing, energy, and healthcare firms by sector but avoid naming due to legal exposure. Open-source lists of named enterprises remain partial, scattered across sources, and predominantly single-sourced. Analysts requiring named victim lists should consult ransomware.live directly.

07 Law Enforcement and Regulatory Response

Confirmed: No LE Action to Date
Arrests and Indictments

As of May 2026, no publicly known arrests, indictments, or named individual charges linked to The Gentlemen have been issued by any Western or CIS law enforcement authority. The group's recency (sub-12 months) and the typical intelligence-gathering phase preceding overt enforcement action mean this gap is consistent with normal LE timelines rather than indicative of investigative disinterest. [17]

Infrastructure Seizures

No coordinated public LE takedown (FBI/Europol seizure banners, domain seizures, key escrow releases) has been announced against The Gentlemen infrastructure. The SystemBC C2 compromise and Rocket.Chat internal data leak analyzed by KELA and Ransom-ISAC are products of private-sector research and/or adversarial insider activity, not formal LE operations. [3][17]

Sanctions

No OFAC, EU, UK, or equivalent financial sanctions specifically naming The Gentlemen, its wallets, or identified individuals in the group have been announced as of May 2026. [17]

International Cooperation and Advisories

No dedicated multi-agency joint advisory (comparable to the LockBit or Hive advisories from FBI/CISA/NCSC) has been issued against The Gentlemen as of May 2026. The group is referenced in general ransomware-threat advisories and sectoral alerts but has not yet triggered a named advisory product from Five Eyes partners. [5]

CISA, FBI, and partner agency advisories on ransomware in general remain applicable given the group's TTPs (edge device exploitation, VPN credential abuse, double extortion). Specific IoC packages for The Gentlemen are available via Microsoft Defender XDR threat analytics (Storm-2697 / Gentlemen tool profile). [1]

08 Attribution and State Nexus

Assessed Jurisdiction (Credible)

Multiple converging indicators support attribution to Russian-speaking operators in the CIS region: [1][6][10]

  • CIS exclusion policy: Explicit prohibition on targeting Russian and CIS organizations, enforced at the operator policy level. This is the single strongest jurisdictional indicator and is consistent across all vendor assessments.
  • Language: Internal Rocket.Chat communications analyzed by KELA are Russian-language. [3]
  • Ecosystem positioning: IBM X-Force and Group-IB position The Gentlemen within a cluster of Russian-language RaaS operations sharing language, tooling preferences, and no-CIS policies. [5][10]
  • No-CIS behavioral norm: The CIS exclusion pattern is a known proxy indicator for Russian-nexus actors operating under de-facto safe harbor: criminal activity tolerated by Russian authorities as long as it remains directed outward. [4]
State Nexus Assessment (Analyst Inference)

No vendor or government publication as of May 2026 provides direct evidence of FSB, SVR, or GRU control, tasking, or operational coordination with The Gentlemen. The group is assessed as financially motivated criminal rather than state-directed. [1][4]

As with other top-tier Russian-language RaaS operations, The Gentlemen likely operates under de-facto non-prosecution safe harbor in CIS territory, consistent with Russia's documented pattern of tolerating outward-facing cybercriminal activity. This is an analyst inference based on structural patterns, not a confirmed intelligence finding. [4]

Named Individuals

The core operator is identified in internal communications by the handle "zeta88." Real-world identity, location, and nationality remain unconfirmed in any open-source reporting as of May 2026. No additional named individuals have been publicly identified by vendors or law enforcement. [3][5]

Overall Analytic Line
Best current assessment: Financially motivated, Russian-speaking cybercriminal RaaS with no confirmed state nexus, operating under likely de-facto safe harbor in CIS territory. Assessed jurisdiction: Russia or broader post-Soviet region (CREDIBLE). Direct state tie: not evidenced (ANALYST INFERENCE that safe harbor exists). Microsoft Storm-2697 tracking designation applies to the operator cluster; Ransom:Win64/Gentlemen.A is the malware family designation.
09 Trajectory Assessment

Internal Disruption: The May 2026 Leak

In May 2026, partial internal chat logs (Rocket.Chat backend), panel data, and images tied to The Gentlemen were leaked and advertised on underground forums. KELA, Ransom-ISAC, and Check Point analyzed the dataset. The leak revealed internal arguments about target selection, payment disputes, quality of initial access, and OPSEC practices. The likely cause was insider betrayal or compromise of admin infrastructure. [2][3][7][8]

Despite this OPSEC setback, new victim claims continued appearing on The Gentlemen's leak site through May 2026, and no operational pause has been documented. The group appears resilient to the leak, consistent with a distributed affiliate model where individual compromise of operator communications does not halt affiliate operations. [9]

Rebranding Signals (No Current Evidence)

As of late May 2026, there are no credible signals of an active rebrand. The Gentlemen continues operating under its existing brand in forum postings and on its leak site. Internal chats show discussions of OPSEC enhancements and contingency infrastructure planning, but not a structured exit strategy or rebrand timeline. [2][3]

Scale and Volume Trajectory

The group's victim accumulation rate in early 2026 is among the fastest documented for any RaaS program. Multiple sources rank The Gentlemen in the top 2-3 groups by claimed attacks globally for Q1 2026. The BreachForums partnership, announced to further expand the affiliate pool, may accelerate this trajectory. [1][6][9]

Capability Trajectory
  • Encryptor under active development: Microsoft notes new defense-evasion features and self-propagation mechanics being added over time; the malware is not static. [1]
  • High baseline: Multi-platform support (Windows, Linux, NAS, BSD, ESXi) from launch indicates developers began at an advanced technical level rather than iterating up from a basic ransomware. [5]
  • EDR evasion maturation: Huntress and Trend Micro document adoption of custom EDR-evasion tools, tamper-protection bypasses, and increased scheduled-task abuse. [12][14]
  • Self-propagation worm capability: The 21-execution-path propagation module is a significant capability differentiator; rapid network-wide encryption reduces the window for defenders to isolate and respond. [1]
Connected Group Cluster
Group | Relationship | Confidence | Notes
Qilin | Assessed parent ecosystem; payment dispute sparked The Gentlemen's founding | Credible (Halcyon, IBM, Ransom-ISAC) | Distinct groups; not a rebrand. No formal CrowdStrike/Secureworks/Unit 42 published assessment as of May 2026
SystemBC ecosystem | Shared tooling; affiliates deploy SystemBC as proxy/C2 | Confirmed (shared tool), Low (structural tie) | SystemBC used across dozens of RaaS groups; not an organizational link
BreachForums marketplace | Official affiliate recruitment partnership | Confirmed (Microsoft, May 2026) | Supply-chain link; BreachForums provides affiliate pipeline
IAB ecosystem / infostealer vendors | Operational dependency; group purchases infostealer logs for credential access | Confirmed (Hudson Rock, internal chats) | Shared criminal supply chain, not organizational merger
Key Intelligence Gaps
  • Leadership identity: "zeta88" and other handles known; no confirmed real-world identities or locations.
  • On-chain forensics: No TRM Labs, Chainalysis, or Elliptic study specifically mapping The Gentlemen's fund flows has been published.
  • Specific CVE anchor: No confirmed signature exploit CVE; FortiGate SSL-VPN is the strongest access vector indicator but no specific CVE is confirmed.
  • Code lineage to Qilin: Full reverse-engineering comparison between The Gentlemen encryptor and Qilin's codebase has not been publicly published.
  • CrowdStrike / Secureworks / Unit 42 designations: None of the three major codename-issuing vendors has published a formal tracking designation for The Gentlemen as of May 2026.
  • Linux / ESXi encryptor details: Technical deep-dives comparable to Microsoft's Windows analysis have not been published for the Linux, NAS, BSD, or ESXi variants.

Sources

Primary Technical Analysis
[1] Microsoft Threat Intelligence, "The Gentlemen ransomware: Dissecting a self-propagating Go encryptor", May 28, 2026. Storm-2697 designation, full encryptor analysis, self-propagation module, IOCs.
[2] Check Point Research, "DFIR Report: The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy", April 20, 2026. DFIR case study, multi-OS locker details, ransom note format, affiliate communication.
[3] KELA Cyber, "The Gentlemen Ransomware Internal Chat Leak Analysis", 2026. Internal Rocket.Chat corpus analysis; operator handle zeta88; affiliate onboarding; revenue model.
[4] Halcyon, "Threat Assessment: The Gentlemen Ransomware Group". Qilin payment dispute origin; ~20-person core; RaaS-vs-SaaS framework; next-gen on-chain OPSEC.
[5] IBM X-Force, "The Gentlemen" threat group profile. Qilin ecosystem emergence; Windows/Linux/NAS/BSD/ESXi locker confirmation; triple extortion elements.
[6] Fortinet FortiGuard, "The Gentlemen Ransomware" threat actor profile. 200+ victims / 50+ countries; CIS exclusion; initial access vectors; sector list.
Internal Data / Leak Analysis
[7] Ransom-ISAC, "The Gentlemen Leak Analysis". Rocket.Chat corpus; zeta88 references to prior RaaS payment disputes; affiliate relationships; 90/10 split; wallet model.
[8] The Raven File, "Gentlemen Ransomware Leaks", May 23, 2026. 420+ total claimed victims; FortiGate SSL-VPN as primary access vector; leak cause analysis.
Vendor Research
[9] S-RM Intelligence, "Ransomware in Focus: Meet The Gentlemen". Negotiation behavior; 40-70% demand discounts; deadline patterns; enterprise targeting.
[10] Group-IB, "Hasta La Muerte: The Gentlemen RaaS TTPs". Russian-language cluster positioning; CIS exclusion; TTP overlap with broader ecosystem.
[11] Hudson Rock, "How The Gentlemen Ransomware Group Operates: A Blueprint Built on Infostealer Credentials". Infostealer-driven access model; credential log purchasing; VPN/RDP/SaaS access paths.
[12] Huntress, "The Gentlemen Ransomware: Defense Evasion TTPs". EDR evasion tooling; log clearing; scheduled-task abuse; persistence mechanisms.
[13] Cybereason, "License to Encrypt: The 'Gentlemen' Make Their Move". September 2025 RaaS launch timeline; initial affiliate recruitment.
[14] Trend Micro, "Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed". Custom EDR evasion; tamper-protection bypasses; capability evolution.
[15] SOC Prime, "The Gentlemen Ransomware Detection". Detection guidance; sector targeting list; deadline and negotiation patterns.
Infrastructure / Supporting Analysis
[16] Ransomware.live, The Gentlemen group page. Victim counts; 90/10 split confirmation; affiliate-owned wallet model; activity timeline.
[17] The Hacker News, "SystemBC C2 Server Reveals 1570 Victims", April 2026. SystemBC C2 compromise; 1570+ linked victims; C2 infrastructure in The Gentlemen operations.
[18] Check Point Research, "Thus Spoke The Gentlemen". Internal leak; stability assessment; OPSEC setback analysis.