VYPR
Research · Published Jun 11, 2026 · 1 source

The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

New analysis reveals The Gentlemen ransomware operation has hit 478 victims, evolving from a RaaS affiliate into a self-replicating worm-like threat.

A detailed analysis of The Gentlemen ransomware operation has revealed that the group has claimed 478 victims, according to a report published on June 11, 2026. The financially motivated threat group initially operated as an affiliate conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes including LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).

The Gentlemen's evolution from RaaS affiliate to independent operator marks a significant shift in the ransomware landscape. By pooling tools and techniques from multiple established ransomware strains, the group has created a versatile and highly effective payload. The worm-like propagation capability allows the malware to spread rapidly across networks without requiring manual intervention, enabling attackers to maximize the impact of their intrusions before defenses can react.

The ransomware's ability to self-propagate is particularly concerning for enterprise environments. Once initial access is gained, the malware can move laterally through connected systems, encrypting files and demanding ransoms at scale. This capability reduces the window for defenders to contain an outbreak and increases the likelihood of widespread data encryption across large organizations.

Double extortion remains a core tactic for The Gentlemen. Before encrypting files, the group exfiltrates sensitive data, then threatens to leak it publicly if the ransom is not paid. The combination of worm-like spread and double extortion creates a potent threat that is difficult to mitigate without robust network segmentation and rapid incident response.

Given its origins in the LockBit, Qilin, and Medusa ecosystems, The Gentlemen likely inherits sophisticated codebases and evasion techniques from these mature RaaS platforms. Defenders should monitor for indicators of compromise associated with these families and prioritize patching vulnerabilities commonly exploited for initial access, such as those in VPN appliances and web-facing applications.

As of the report's publication, no specific CVE identifiers were associated with The Gentlemen's toolset, though the group is known to exploit unpatched vulnerabilities and misconfigurations. Organizations are advised to implement strong access controls, enable multi-factor authentication, and maintain offline backups to mitigate the risk of data loss from ransomware attacks.

The emergence of The Gentlemen underscores the continuing trend of ransomware groups evolving from affiliates to independent operators, leveraging experience and code from multiple predecessors. This consolidation of tactics poses an ongoing challenge for cybersecurity teams worldwide, as attackers become more agile and their tools more destructive.

Synthesized by Vypr AI