The Gentlemen Ransomware: Over 320 Victims and Botnet of 1,570+ Companies
The Gentlemen becomes the second most active ransomware group of 2026. Over 320 victims and a ready botnet: here is the model attracting expert affiliates.

The Gentlemen is the second most active ransomware group of 2026, with a list of over 320 victims published in April and a botnet, discovered by Check Point Research, comprising over 1,570 potential corporate victims. The rise of the group, which emerged in mid-2025, signals a shift in the Ransomware-as-a-Service (RaaS) criminal model, driven by aggressive financial incentives for affiliates.
The criminal model: offering 90% to affiliates
The rapid expansion of The Gentlemen is not accidental. The group has introduced a criminal market strategy that is attracting expert operators from other organizations: it grants affiliates a 90% share of each ransom paid. This percentage is significantly higher than the industry standard, where most Ransomware-as-a-Service programs offer an 80% share. The 10% difference represents a tangible incentive for more sophisticated attackers, who possess tools for neutralizing EDRs and operate according to proven processes.
According to Check Point Research, verified affiliates are not improvising but are executing a documented and tested process designed to maximize impact before defenders can react. This level of technical professionalism, combined with a platform that supports attacks on Windows, Linux, NAS, BSD, and ESXi environments, makes the group particularly versatile and dangerous.
Alarming figures: victims and the discovered botnet
The growth rate of The Gentlemen is comparable to the early years of LockBit, one of the best-known groups in the sector's history. Of the over 320 names published on the leak site in April 2026, as many as 240 appeared in just the first few months of the year. Confirming the operational scale, during an incident response engagement, Check Point researchers discovered a botnet composed of over 1,570 potential corporate victims, ready to be exploited.
Most emerging ransomware groups disappear within a few months. However, The Gentlemen is not following this script, as highlighted by Check Point Research analysts via TechByte. The ability to maintain a botnet of this size suggests a solid infrastructure and long-term planning by the operators.
Affected sectors and lack of ethical boundaries
Analysis of the targets reveals a primarily opportunistic approach. The attacks exploit exposed and vulnerable internet-facing infrastructure, including VPNs, remote access gateways, and firewall management portals. Manufacturing and technology companies constitute the majority of victims, but the most alarming figure concerns the healthcare sector, which is the third most frequently targeted. Unlike other criminal groups that avoid hospitals so as not to attract law enforcement attention, The Gentlemen shows no ethical boundaries, hitting critical organizations indiscriminately.
Geographically, the United States accounts for the highest number of victims, followed by the United Kingdom and Germany. The group maintains an active X/Twitter account to publish information about victims, increasing pressure to pay through a strategy of media-based double extortion.
Negotiation and communication techniques
Negotiations with victims take place via a peer-to-peer messaging protocol with end-to-end encryption, a technical feature aimed at protecting criminal communications from interception. The operational approach focuses on speed: affiliates penetrate networks through exposed vulnerabilities, neutralize local defenses, and proceed with data encryption and exfiltration in a short amount of time.
Frequently asked questions
- What is The Gentlemen ransomware?
  - The Gentlemen is a ransomware group that emerged in mid-2025, operating under the Ransomware-as-a-Service (RaaS) model. As of April 2026, it was the second most active group of the year, with over 320 published victims.
- Why is The Gentlemen growing so fast?
  - The growth is mainly due to the economic model offered to affiliates, who receive 90% of the paid ransom compared to the 80% market standard. This attracts expert operators with advanced tools for bypassing defenses.
- Which sectors does The Gentlemen target?
  - The group primarily hits manufacturing and technology companies, but it also represents a concrete threat to the healthcare sector, as it does not observe the ethical boundaries that other criminal groups usually respect.
This article is a summary based exclusively on the listed sources.
Sources
- https://www.securityopenlab.it/video/6343/the-gentlemen-il-ransomware-in-rapida-ascesa.html
- https://www.techbyte.it/news/the-gentlemen-minaccia-ransomware/
- https://www.wired.it/article/the-gentlemen-cybergang-sicurezza-informatica-aziende/
- https://www.ilcorrieredellasicurezza.it/the-gentlemen-una-nuova-minaccia-ransomware-in-rapida-ascesa/
- https://www.cybersecurity360.it/news/the-gentlemen-loperazione-ransomware-as-a-service-piu-attiva-nel-2026/