The Gentlemen Ransomware’s Worm Mode Raises the Cost of Slow Incident Response

Security Reporter

The Gentlemen has grown from an affiliate operation into a full ransomware-as-a-service program with 478 claimed victims, cross-platform lockers, and a self-propagation option that can turn one compromised host into a network-wide encryption event.

The Gentlemen ransomware operation is no longer just another extortion brand rotating through leak sites. New reporting attributes 478 claimed victims to the group and describes a mature ransomware-as-a-service program with affiliate support, cross-platform payloads, and a dangerous worm-like mode designed to spread across reachable systems once an intrusion is already inside the network.

The group, tracked by PRODAFT as Phantom Mantis, appears to have started as an affiliate working with larger ransomware ecosystems including LockBit, Qilin, and Medusa before becoming an independent operation. According to PRODAFT, the crew is led by a Russian-speaking operator tracked as LARVA-368. The same reporting says the group uses AI-assisted development for ransomware maintenance, tooling, and post-exploitation support.

That matters because The Gentlemen is not just encrypting files at the end of a manual intrusion. It is packaging experience from the broader ransomware economy into a partner program: affiliates, panels, victim setup workflows, support channels, and multiple payload builds for Windows, Linux, ESXi, older Windows systems, and Linux Logical Volume Manager environments.

The operational picture is consistent with what defenders have seen across modern ransomware crews. Initial access often begins with edge systems, including VPN appliances, firewalls, and other internet-facing infrastructure. The named focus areas include Cisco and Fortinet FortiGate environments, along with exploitation paths touching VMware Aria Operations, Microsoft software, and identity systems. Ransomware.Live, which tracks public extortion listings at ransomware.live, is cited as the source for the 478 victim count.

What changed with The Gentlemen

The core shift is organizational maturity. The group reportedly moved from being an affiliate inside other ransomware programs to running its own independent partnership model in July 2025. That means the operator is not only writing malware, but recruiting partners, handling access to affiliate panels, distributing builds, and offering technical help when intrusions stall.

PRODAFT describes the group as having grown from previous ransomware collaborations into its own RaaS operation. The company also told The Hacker News that attribution tying the persona to the reported individual identity was made with “high confidence.” That attribution is useful for law enforcement and intelligence teams, but defenders should focus on the tradecraft: how the group gets in, how it moves, and how quickly encryption can spread once privileged access is obtained.

LevelBlue’s Cybereason team called The Gentlemen a “highly adaptive, fast-moving ransomware operation.” That phrase fits the technical profile. The group has been linked to double extortion, cross-platform encryption, endpoint security bypass attempts, Active Directory discovery, certificate abuse, file share discovery, and backup disruption. NCC Group reporting cited in the source material says the group can adapt during intrusions, including by manipulating Group Policy Objects, compromising privileged accounts, and changing methods to bypass endpoint protections.

The group’s affiliate model also has a defensive implication. Affiliates are reportedly required to provide at least 1 GB of stolen victim data to gain access to the panel. That is likely meant to keep researchers and law enforcement out, but it also says something about the economics of the operation: data theft is not an optional add-on. It is built into the workflow before encryption.

The worm-like risk

The most concerning technical detail is the ransomware’s spread capability. Microsoft, which tracks the cluster as Storm-2697, says the Windows ransomware is written in Go and obfuscated with Garble. When launched with a spread argument, Microsoft says it changes from a single-host encryptor into a “self-propagating worm.”

That distinction is critical. Many ransomware events are still human-directed campaigns where operators move laterally, stage payloads, disable defenses, then trigger encryption across selected systems. A worm-like mode compresses that final phase. Once credentials, administrative reach, network visibility, and file share access are in place, automated deployment can increase the number of encrypted systems faster than responders can isolate them manually.

This does not mean The Gentlemen magically breaks into every machine on the internet. Worm-like propagation usually needs reachable hosts, usable credentials, exposed administrative services, or previously weakened controls. The danger is inside an enterprise where flat networks, shared local admin passwords, over-permissive service accounts, and broad SMB or remote management access give malware plenty of paths.

The reported wipe option raises the stakes further. If enabled, post-encryption cleanup can remove recoverable artifacts and make restoration harder. That is especially painful for organizations relying on local snapshots, attached backup repositories, or VMware environments where management interfaces and backup systems sit too close to production credentials.

Affected platforms and likely exposure points

The Gentlemen is reported to offer five payload variants: Windows, Linux, ESXi, Windows XP and later, and Linux LVM. That coverage maps closely to enterprise reality. Windows remains the identity and endpoint center for many organizations. Linux hosts run applications, databases, and internal services. VMware ESXi hosts concentrate many virtual servers behind one management layer. LVM-targeting can interfere with Linux storage layouts rather than just individual files.

Edge infrastructure is another major exposure point. VPNs and firewalls are attractive because they sit on the perimeter, often carry privileged trust, and sometimes lag behind patch cycles due to operational fear. Organizations should treat Fortinet advisories, Cisco security advisories, Broadcom VMware advisories, and Microsoft Security Response Center updates as operational inputs, not just compliance reading.

The cited tooling also shows what defenders should expect after entry. NetExec, RelayKing, TaskHound, PrivHound, and CertiHound point toward Active Directory enumeration, NTLM relay workflows, certificate service abuse, privilege escalation, and file share mapping. EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets point toward defense evasion and credential theft. Velociraptor, a legitimate open-source DFIR and endpoint visibility tool available at docs.velociraptor.app, is reportedly used for command-and-control in some activity, a reminder that trusted administrative tooling can be repurposed by attackers.

Why defenders should care about dwell time

Reported dwell time ranges from two to six weeks from initial access to encryption. That window is the opportunity. Ransomware response often fails because teams focus too heavily on the final payload and too lightly on the weeks of preparation that make mass encryption possible.

During that preparation phase, attackers need to answer practical questions. Which accounts have domain privileges? Which file shares contain high-value data? Which backup systems can be reached? Which security products are installed? Which systems can be touched through Group Policy, SMB, WinRM, RDP, SSH, or virtualization management? Which data should be stolen before encryption?

Those actions create detectable signals. Active Directory enumeration from unusual hosts, abnormal certificate template queries, NTLM relay behavior, sudden antivirus exclusion changes, event log clearing, Defender tampering, unexpected driver loads, browser credential dumping, and large outbound data transfers should all be treated as ransomware precursors.
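As an added illustration of the precursor signals listed above (not code from the article or from any vendor named in it), the following Python snippet correlates a few of them per host over a handful of constructed Windows, Sysmon and flow records. The event IDs are real ones (4688 process creation, 5007 Defender configuration change, 1102 audit log cleared, Sysmon 6 driver loaded); the host names, user names, paths, byte counts and the rule weights and threshold are constructed for the example, and the "netflow" record is a stand-in for whatever flow telemetry an environment actually has.

```python
"""Per-host correlation of ransomware precursor signals.

Added example, not from the article or any vendor. It scores several of the
precursor signals the article lists (AD enumeration tooling, Defender
exclusion changes, event log clearing, unexpected driver loads, large
outbound transfers) over constructed records and flags hosts whose combined
score crosses a threshold. Single signals are noisy; the combination on one
host during the preparation phase is what deserves an analyst's attention.
"""
from collections import defaultdict

# Constructed sample records, loosely modelled on Windows/Sysmon event fields.
SAMPLE_EVENTS = [
    {"host": "ws-042", "event_id": 4688, "user": "svc-backup",
     "image": r"C:\Users\Public\nxc.exe", "cmdline": "nxc.exe smb 10.0.0.0/24"},
    {"host": "ws-042", "event_id": 5007, "user": "svc-backup",
     "message": r"Exclusions\Paths\C:\Users\Public added"},
    {"host": "ws-042", "event_id": 1102, "user": "svc-backup",
     "message": "The audit log was cleared"},
    {"host": "ws-042", "event_id": 6, "user": "SYSTEM",
     "image": r"C:\Windows\Temp\drv.sys", "signed": "true"},
    {"host": "ws-042", "event_id": "netflow", "user": "svc-backup",
     "dst": "203.0.113.9", "bytes_out": 12_000_000_000},
    # Benign activity on another host: a normal process and a non-exclusion
    # Defender configuration change.
    {"host": "fs-01", "event_id": 4688, "user": "jdoe",
     "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
    {"host": "fs-01", "event_id": 5007, "user": "SYSTEM",
     "message": "Real-time protection state updated"},
]

# Binary names the article associates with AD/certificate enumeration.
ENUM_TOOL_NAMES = ("nxc.exe", "netexec", "certihound", "taskhound", "privhound")

# Each rule: (signal name, weight, predicate over one record). Weights and the
# 5 GiB transfer bound are constructed for the example, not vendor guidance.
RULES = [
    ("audit_log_cleared", 40,
     lambda e: e.get("event_id") == 1102),
    ("defender_exclusion_changed", 30,
     lambda e: e.get("event_id") == 5007 and "Exclusions" in e.get("message", "")),
    ("driver_loaded_from_temp", 30,
     lambda e: e.get("event_id") == 6 and "\\temp\\" in e.get("image", "").lower()),
    ("ad_enum_tooling", 25,
     lambda e: e.get("event_id") == 4688
     and any(t in e.get("image", "").lower() for t in ENUM_TOOL_NAMES)),
    ("large_outbound_transfer", 35,
     lambda e: e.get("event_id") == "netflow" and e.get("bytes_out", 0) > 5 * 1024 ** 3),
]


def evaluate(events):
    """Return {host: {"score": int, "signals": [names...]}} for hosts with any match."""
    per_host = defaultdict(lambda: {"score": 0, "signals": []})
    for e in events:
        for name, weight, matches in RULES:
            if matches(e):
                entry = per_host[e["host"]]
                entry["score"] += weight
                entry["signals"].append(name)
    return dict(per_host)


def hosts_over_threshold(events, threshold=60):
    """Hosts whose combined precursor score reaches the (constructed) threshold."""
    return sorted(h for h, v in evaluate(events).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for host, result in evaluate(SAMPLE_EVENTS).items():
        print(host, result["score"], ", ".join(result["signals"]))
    print("escalate:", hosts_over_threshold(SAMPLE_EVENTS))
```

The threshold is deliberately higher than any single weight: one Defender exclusion change or one driver load is routine on many fleets, but a host that shows enumeration tooling, an exclusion change, a cleared audit log, a driver from a temp directory and a multi-gigabyte outbound transfer in the same window matches the preparation phase the article describes and should be escalated before the encryptor is staged.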

Practical advice for security teams

Start with the perimeter. Inventory VPNs, firewalls, remote access gateways, management portals, and exposed appliances. Confirm firmware versions, disable unused services, restrict administrative access to known management networks, and require phishing-resistant MFA wherever possible. Edge devices need separate monitoring because many do not produce the same telemetry as standard servers.

Segment the paths that ransomware needs most. Domain controllers, backup servers, virtualization management, file servers, and security tooling should not be reachable from ordinary workstation networks without tight controls. ESXi and vCenter management should sit behind administrative access boundaries with separate credentials, logging, and MFA.

Reduce credential blast radius. Rotate shared local administrator passwords using Microsoft LAPS or an equivalent control. Audit service accounts for excessive rights. Remove standing domain admin sessions from workstations. Monitor for suspicious use of privileged accounts outside expected management hosts.
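The article's point that flat networks and shared local administrator passwords give automated propagation many paths, and the segmentation and credential advice in the two paragraphs above, can be made concrete with a small blast-radius model. The following Python is an added example, not code from the article or from any tool it names: the hosts, segments, accounts, admin rights and allow-list are constructed, and the model deliberately reduces propagation to two conditions the article describes, reachability of an administrative service and possession of a credential that is admin on the target.

```python
"""Blast-radius model for worm-style propagation under different controls.

Added example, not from the article or any vendor. Starting from one
compromised workstation, it computes which hosts automated propagation could
reach when (a) the network is flat or segmented and (b) local administrator
passwords are shared or unique per host (LAPS-style). Every host, segment,
account and policy below is constructed for illustration.
"""
from typing import Callable, Dict, Set

# Constructed inventory: segment membership and which accounts have sessions
# (and therefore harvestable credentials) on each host.
HOSTS: Dict[str, dict] = {
    "ws-001":  {"segment": "workstations", "sessions": {"alice"}},
    "ws-002":  {"segment": "workstations", "sessions": {"bob"}},
    "ws-003":  {"segment": "workstations", "sessions": {"domadmin"}},  # standing DA session
    "fs-01":   {"segment": "servers",      "sessions": {"svc-backup"}},
    "bk-01":   {"segment": "backup",       "sessions": set()},
    "dc-01":   {"segment": "identity",     "sessions": {"domadmin"}},
    "jump-01": {"segment": "mgmt",         "sessions": {"domadmin"}},
}

# Domain accounts and the hosts they administer (group nesting flattened).
DOMAIN_ADMIN_RIGHTS: Dict[str, Set[str]] = {
    "domadmin":   set(HOSTS),
    "svc-backup": {"bk-01"},
    "alice":      {"ws-002", "ws-003"},   # helpdesk-style rights on peers
}

SHARED_LOCAL_ADMIN = "localadm"  # one password reused on every host


def local_admin_cred(host: str, unique_local_admin: bool) -> str:
    """Credential identity of the local admin account on this host."""
    return f"laps:{host}" if unique_local_admin else SHARED_LOCAL_ADMIN


def harvested(host: str, unique_local_admin: bool) -> Set[str]:
    """Credentials available once a host is controlled: sessions plus its local admin."""
    return set(HOSTS[host]["sessions"]) | {local_admin_cred(host, unique_local_admin)}


def admins_of(host: str, unique_local_admin: bool) -> Set[str]:
    """Credentials that grant administrative access to this host."""
    domain = {a for a, rights in DOMAIN_ADMIN_RIGHTS.items() if host in rights}
    return domain | {local_admin_cred(host, unique_local_admin)}


# Segmented policy: which segment pairs may carry SMB/WinRM-style admin traffic.
SEGMENT_ALLOW = {
    ("workstations", "servers"), ("servers", "servers"), ("servers", "backup"),
    ("mgmt", "workstations"), ("mgmt", "servers"), ("mgmt", "backup"), ("mgmt", "identity"),
}


def allow_flat(src: str, dst: str) -> bool:
    return True


def allow_segmented(src: str, dst: str) -> bool:
    return (src, dst) in SEGMENT_ALLOW


def blast_radius(start: str, allow: Callable[[str, str], bool],
                 unique_local_admin: bool = False) -> Set[str]:
    """Fixed-point expansion: a host falls when some controlled host can reach it
    over an admin path and the harvested credentials include one of its admins."""
    controlled = {start}
    while True:
        creds = set().union(*(harvested(h, unique_local_admin) for h in controlled))
        new = set()
        for target in HOSTS:
            if target in controlled:
                continue
            reachable = any(allow(HOSTS[h]["segment"], HOSTS[target]["segment"])
                            for h in controlled)
            if reachable and creds & admins_of(target, unique_local_admin):
                new.add(target)
        if not new:
            return controlled
        controlled |= new


def compare(start: str = "ws-001") -> Dict[str, int]:
    """Number of hosts reachable from `start` under each control combination."""
    return {
        "flat + shared local admin":      len(blast_radius(start, allow_flat, False)),
        "flat + unique local admin":      len(blast_radius(start, allow_flat, True)),
        "segmented + shared local admin": len(blast_radius(start, allow_segmented, False)),
        "segmented + unique local admin": len(blast_radius(start, allow_segmented, True)),
    }


if __name__ == "__main__":
    for scenario, count in compare().items():
        print(f"{scenario:32s} {count} of {len(HOSTS)} hosts")
```

In this constructed inventory neither control is sufficient alone: unique local admin passwords on a flat network still lose every host, because the helpdesk rights on ws-003 expose a standing domain admin session, and segmentation with a shared local admin password still loses the file server and the backup server through the allowed workstation-to-server path. Only the combination confines the starting workstation, which is the layered argument the article makes.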

Harden Active Directory Certificate Services. Certificate abuse has become a common route to privilege escalation. Review templates, enrollment permissions, manager approval requirements, and ESC-class misconfigurations using defensive tools and Microsoft’s AD CS guidance. Certificate infrastructure often receives less attention than domain controllers, but attackers increasingly treat it as an identity bypass layer.

Watch for BYOVD behavior. Bring your own vulnerable driver attacks use legitimately signed but vulnerable drivers to tamper with endpoint security. Microsoft’s vulnerable driver blocklist and Defender protections can help, but teams should also alert on unusual driver installation, kernel-level service creation, and security product process tampering. Microsoft’s Defender documentation is available at learn.microsoft.com/defender.

Protect backups as a separate security domain. Backups should be immutable where possible, offline or logically isolated, and protected with different credentials from production. Test restoration from bare metal and from virtual infrastructure failure. A backup that can be deleted from a compromised domain admin account is not a ransomware recovery plan.

Prepare containment steps before encryption starts. Security teams should have tested procedures to disable compromised accounts, isolate network segments, block SMB and remote management between workstation VLANs, revoke active sessions, and cut access from suspect hosts. Worm-like encryption punishes slow, manual decisions.

The larger pattern

The Gentlemen reflects the continuing professionalization of ransomware. The group’s reported 90 percent affiliate share, support channels over Tox, SimpleX Chat, and Ricochet Refresh, and same-day patch after a decryptor release all point to a service business, not a one-off malware crew.

The defensive lesson is direct: treat ransomware as an intrusion campaign first and a malware event second. By the time the encryptor runs, the attackers may already understand the network better than the organization’s own responders. The best work happens earlier, at the exposed appliance, the over-privileged account, the unmanaged ESXi host, the unmonitored certificate service, and the backup console that should never have been reachable from a compromised workstation.

The Gentlemen’s worm mode makes that timing even more unforgiving. Once an affiliate has stolen data, mapped the network, disabled defenses, and staged credentials, propagation becomes an acceleration problem. Organizations that can detect and contain the preparation phase have a real chance to stop the incident before it becomes a public extortion case.
