The Gentlemen, a ransomware group tracked as Storm-2697, has emerged as the second most active RaaS program of 2026. The finding comes from a Unit 42 report, Palo Alto Networks' research team, published July 10, 2026. Growth has been driven by an aggressive economic model — a 90% affiliate payout — and a custom toolchain that includes the GentleKiller EDR-killer framework and a Go-based backdoor.
- The Gentlemen transitioned from Qilin affiliate (ArmCorp/Spikey Scorpius) to independent RaaS in September 2025, reaching 580 claimed victims across 77 countries as of July 7, 2026.
- The group offers a 90% affiliate payout, exceeding the standard 70-80% RaaS market range, according to the Unit 42 report.
- Victim growth exceeds 6x comparing the last 6 months of 2025 with the first 6 months of 2026, peaking at 117 victims in June 2026.
- Custom tooling includes C and Go ransomware variants for cross-platform deployment, the GentleKiller framework for EDR evasion, and exploitation of CVE-2024-55591 on Fortinet edge devices.
From Affiliate to Disruptor: The Genesis of Storm-2697
The Gentlemen's operators were previously active as the "ArmCorp" affiliate of the Qilin RaaS, tracked by the intelligence community as Spikey Scorpius. In September 2025, the group transitioned from a private entity to an independent RaaS model. The shift coincided with the development of proprietary tooling and a recruitment strategy that accelerated operational expansion.
In May 2026, The Gentlemen announced a partnership with BreachForums, the criminal marketplace run by HasanBroker, for affiliate recruitment. That same month, an alleged insider leaked an internal group database. Unit 42 does not verify the leak's authenticity but documents both events as indicators of the program's growing visibility in the criminal ecosystem.
The 90% Model: How to Fuel 600% Growth
The Unit 42 report identifies the payout as the primary economic lever. "The Gentlemen offer an unprecedented 90% payout," the report states. The figure exceeds the 70-80% range Unit 42 identifies as standard for competing RaaS programs. This additional margin, described as "unprecedented" in the source text, acts as a magnet for affiliates operating on other platforms.
The quantitative data confirms the model's effectiveness. Comparing the last six months of 2025 with the first six months of 2026, claimed victims grew over 6-fold. Note that the 2025 period covers roughly four months of activity (September through December) versus six full months in 2026, making the temporal base asymmetric, but the scaling velocity remains significant. In June 2026, the group hit a monthly high of 117 victims, nearly four times the roughly 30 seen in January 2026.
"The combination of a lucrative affiliate payout structure to recruit affiliates, alongside the use of custom tooling across different phases of their attack lifecycle, make The Gentlemen a formidable threat" — Unit 42, Palo Alto Networks
GentleKiller and the Cross-Platform Toolchain
The Unit 42 report describes an internally developed toolchain distributed in multiple languages. Ransomware variants are written in C and Go to enable cross-platform deployment. Alongside the cryptographic payload, the group fields a Go-based backdoor and the "GentleKiller" framework, designed for EDR evasion.
Unit 42 also notes "alleged use of an unspecified zero-day" — phrasing that leaves the confirmation status of the data open. The brief does not provide full technical details on the Go backdoor's operation or GentleKiller's structure, limiting itself to documenting their existence and role in the attack cycle.
For initial access, The Gentlemen combines edge device vulnerability exploits, brute force, stolen credentials, and collaboration with initial access brokers (IABs). Among exploited vulnerabilities, Unit 42 explicitly lists CVE-2024-55591, rated CVSS 9.8 CRITICAL by the National Vulnerability Database, affecting Fortinet FortiOS and FortiProxy.
The Victim Landscape: Sectors and Geography
As of July 7, 2026, The Gentlemen claims 580 total victims across 77 countries. The figure comes from "one reputable source" cited by Unit 42, identified as Ransomware.live, a ransomware tracking platform. The report does not guarantee the count's completeness nor independently verify every single case.
Manufacturing is the hardest-hit sector with 103 specified victims. Geographic distribution spans globally: the 77-country figure indicates a strategy not targeted at specific national markets, but rather a volume-driven opportunity typical of mature RaaS programs.
Unit 42 estimates the group comprises roughly 20 active operators. The relatively small size relative to the attack surface suggests a lean organization with massive delegation to affiliates for the initial compromise phase.
Why It Matters
The Unit 42 dossier does not specify corrective measures the group adopted following the May 2026 leak, nor does it document payout model variations after the BreachForums announcement. The report also does not trace infrastructure connections between Storm-2697 and other actors beyond the prior Qilin affiliation.
The brief provides no defensive operational guidance or hardening recommendations: the technical actions available in the report are limited to the reference to CVE-2024-55591 and documented access techniques. The source does not specify whether The Gentlemen modified its tooling in response to growing visibility, nor does it provide details on the nature of data exposed in the alleged internal leak.
Frequently Asked Questions
What is the relationship between The Gentlemen and Qilin?
The operators were "ArmCorp" affiliates of the Qilin RaaS (Spikey Scorpius) before going independent in September 2025. Unit 42 does not document current infrastructure overlap between the two programs.
Is the 90% payout guaranteed?
The Unit 42 report documents the public offer as an "unprecedented 90% payout" but does not verify that the figure is actually paid to all affiliates. The data concerns the declared economic model, not its execution.
What does "alleged unspecified zero-day" mean?
Unit 42 uses this phrasing to indicate the group suspects use of a zero-day vulnerability without providing an identifier, affected product, or technical confirmation. The data's status remains open.
Information is based on the cited advisory and current as of publication.
Sources
- https://unit42.paloaltonetworks.com/the-gentlemen-ransomware/
- https://unit42.paloaltonetworks.com/atoms/
- https://unit42.paloaltonetworks.com/about-unit-42/
Information is based on the cited source and current as of publication.