The Gentlemen ransomware group, also known as Phantom Mantis, has significantly escalated its operations, now claiming 478 victims. This expansion is attributed to the group’s evolution from an affiliate in various ransomware-as-a-service (RaaS) schemes to an independent entity with advanced capabilities.
Initially, Phantom Mantis collaborated with RaaS platforms such as LockBit, Qilin, and Medusa, conducting double extortion attacks. However, in July 2025, the group rebranded as The Gentlemen, establishing its own partnership program and reducing reliance on other RaaS groups. This strategic shift has enabled them to develop and maintain their ransomware tools more autonomously.
Central to The Gentlemen’s operations is a Russian-speaking cybercriminal identified as LARVA-368, who utilizes multiple online aliases. Reports suggest that LARVA-368 was previously associated with the Embargo ransomware group before launching their own operation. Notably, the group heavily incorporates artificial intelligence to enhance their ransomware development and post-exploitation procedures.
One of the group’s notable tactics includes the deployment of SystemBC, a proxy malware that establishes SOCKS5 network tunnels within compromised environments. This tool facilitates the download and execution of additional malware, either by writing payloads to disk or injecting them directly into memory. The use of SystemBC has led to the discovery of a botnet comprising over 1,570 victims across various countries, including the U.S., the U.K., Germany, Australia, and Romania.
The Gentlemen’s ransomware exhibits worm-like capabilities, enabling it to spread rapidly across networks. During lateral movement, the ransomware attempts to disable Windows Defender on reachable remote hosts by executing a PowerShell script. This script disables real-time monitoring, adds broad exclusions for drives and processes, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary.
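As an added example (not code from the article and not the group's own script), the hardening-reversal chain described above, disabling Defender real-time monitoring, adding drive-wide exclusions, turning off the firewall, re-enabling SMB1 and loosening LSA anonymous-access settings, can be turned into detection logic over PowerShell script-block logging (Event ID 4104 ScriptBlockText). The exact commands the group uses are not given in the article; the regexes below are assumptions about how each of those actions commonly appears in script blocks or `netsh`/`reg` one-liners, and the log events are constructed for this example. The point of the per-host correlation is that a single exclusion is routine admin work, but several of these categories landing on one host in quick succession is the pre-deployment pattern the text describes.

```python
import re
from collections import defaultdict

# Constructed sample script-block events as (host, ScriptBlockText).
# These are made up for this example; they are not logs from a real incident.
SAMPLE_EVENTS = [
    ("WS01", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS01", "Add-MpPreference -ExclusionPath 'C:\\' -ExclusionProcess '*.exe'"),
    ("WS01", "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"),
    ("WS01", "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart"),
    ("WS01", "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' "
             "-Name RestrictAnonymous -Value 0"),
    ("WS02", "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor'"),  # benign-looking admin change
    ("WS03", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
]

# Assumed patterns for each hardening-reversal category named in the article.
# Each maps one behaviour to the cmdlet / legacy-tool forms it usually takes.
RULES = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    # Any exclusion at all: low severity on its own.
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    # Drive-root path (C:\) or wildcard process exclusion: the "broad" case in the text.
    "defender_drive_root_exclusion": re.compile(
        r"(-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(?=\s|$|,))|(-ExclusionProcess\s+['\"]?\*)", re.I),
    "firewall_off": re.compile(
        r"(Set-NetFirewallProfile\b.*-Enabled\s+\$?false)|(netsh\s+advfirewall\s+set\s+\w+\s+state\s+off)", re.I),
    "smb1_enabled": re.compile(
        r"(Enable-WindowsOptionalFeature\b.*SMB1Protocol)|(Set-SmbServerConfiguration\b.*-EnableSMB1Protocol\s+\$?true)", re.I),
    "lsa_anonymous_loosened": re.compile(
        r"Control\\+Lsa.*(?:-Name\s+|/v\s+)(RestrictAnonymous|RestrictAnonymousSAM|EveryoneIncludesAnonymous)\b", re.I),
}


def classify(script_text):
    """Return the set of hardening-reversal categories one script block matches."""
    return {name for name, rx in RULES.items() if rx.search(script_text)}


def find_hardening_reversals(events, min_categories=3):
    """Correlate per host: flag hosts where at least min_categories distinct
    categories appear across their script blocks. One exclusion alone (WS02)
    stays below the threshold; the full chain (WS01) is flagged.
    Returns {host: sorted category names} for flagged hosts only."""
    per_host = defaultdict(set)
    for host, text in events:
        per_host[host] |= classify(text)
    return {h: sorted(cats) for h, cats in per_host.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for host, cats in find_hardening_reversals(SAMPLE_EVENTS).items():
        print(f"{host}: hardening reversal chain detected -> {', '.join(cats)}")
```

In production the same correlation would be keyed on a time window (the article describes these steps running back to back just before the binary is dropped), and the threshold can be lowered for categories that are never legitimate on workstations, such as re-enabling SMB1.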
Furthermore, the group’s ransomware variants target multiple platforms, including Windows, Linux, NAS, and BSD systems. The ESXi variant, built for VMware environments, shuts down running virtual machines before encrypting (a running VM holds locks on its virtual disk files, which would otherwise block encryption), adds persistence via crontab, and inhibits recovery before encryption begins.
In the broader context of ransomware evolution, The Gentlemen’s rapid growth and sophisticated tactics underscore the increasing industrialization of cybercrime. Their ability to adapt and integrate advanced techniques, such as AI-driven development and cross-platform targeting, highlights the need for organizations to implement robust cybersecurity measures. As ransomware groups continue to evolve, staying informed and proactive is essential to mitigate potential threats.