The Gentlemen
Ransomware-as-a-Service (RaaS) operation · Financial — ransomware and extortion
Reports: 1
Active Since: 2025
Last Reported: 22 May 2026
Sectors Targeted: finance, healthcare, critical-infrastructure, transport
Tactics, Techniques & Procedures (TTPs)
- Pre-stockpiled FortiGate VPN access inventory — access acquired before campaigns begin
- BYOVD (Bring Your Own Vulnerable Driver) for kernel privilege escalation and EDR bypass
- GPO-based domain-wide simultaneous ransomware detonation
- Go-based cross-platform locker targeting Windows, Linux, and VMware ESXi
- SystemBC proxy malware for encrypted C2 traffic obfuscation
- 90% affiliate commission model attracting high-skill operators from dismantled groups
Known Targets
- Manufacturing and logistics (Asia-Pacific)
- Healthcare organisations
- Financial services
- Transport operators
- Non-US markets: Asia (~46% of victims), Europe, Latin America
Analyst Notes
Founded mid-2025 by a former Qilin affiliate following a profit-sharing dispute. Reached global top-3 in Q1 2026 with 340+ confirmed victims. Deliberately targets non-US markets, which reduces the law enforcement pressure that US-focused groups attract. The 90% affiliate revenue share (vs the industry-standard 70-80%) has attracted a disproportionate number of high-skill operators from disrupted groups, including Qilin and former ALPHV/BlackCat affiliates.
Also Known As
Hastalamuerte (internal operator alias)