The Gentlemen Ransomware Escalates Global Attacks with Advanced Evasion Tactics

The Gentlemen ransomware group has rapidly emerged as a formidable threat in the cybersecurity landscape, demonstrating a significant escalation in both the scale and sophistication of its operations. Originating in mid-2025 from a schism within the Qilin Ransomware-as-a-Service (RaaS) program, The Gentlemen has evolved into a highly organized, human-operated RaaS entity, now tracked by Microsoft as Storm-2697.

Within its inaugural year, The Gentlemen has claimed over 500 victims across more than 70 countries, accounting for approximately 10% of global ransomware incidents by April 2026. This rapid expansion underscores the group’s aggressive targeting of diverse industries, including manufacturing, healthcare, financial services, and critical operational technology sectors.

Advanced Evasion Techniques

A distinguishing feature of The Gentlemen’s operations is their development and deployment of sophisticated Endpoint Detection and Response (EDR) and antivirus (AV) evasion tools. Central to this is their proprietary framework, GentleKiller, which comprises at least eight distinct Bring Your Own Vulnerable Driver (BYOVD) variants. These tools are capable of terminating over 400 security processes across 48 vendors, effectively neutralizing a wide array of defensive measures.

In addition to their in-house tools, The Gentlemen integrates third-party EDR killers such as HexKiller, ThrottleBlood, and HavocKiller into a modular evasion suite. This comprehensive approach enhances their ability to bypass security protocols and maintain persistence within compromised networks.

Technical Capabilities and Propagation

The Gentlemen’s ransomware is developed in the Go programming language, facilitating cross-platform execution and robust performance across varied enterprise environments. The malware employs hybrid Curve25519/XChaCha20 cryptography, ensuring efficient and secure encryption processes.

Propagation within networks is achieved through advanced techniques, including the manipulation of Group Policy Objects (GPO) and the exploitation of legitimate Windows drivers. These methods enable the ransomware to disable security defenses and spread laterally across systems, increasing the scope and impact of their attacks.

Organizational Structure and Operations

Insights from a leaked internal database, referred to as “Rocket,” have shed light on The Gentlemen’s organizational structure. The group comprises approximately nine core operators and at least eight distinct affiliates. Key roles include:

  • Administrator (aliases: zeta88, hastalamuerte): Oversees the RaaS platform, manages the development of the ransomware, distributes targets, and handles financial transactions.
  • Operators (aliases: qbit, quant): Conduct hands-on operations, including network reconnaissance, deployment of EDR killers, and credential harvesting.
  • Red-Teamers and Collaborators (aliases: Wick, mAst3r, Protagor): Engage in penetration testing and collaborate on specific cases.
  • Access Brokers and Support Roles (aliases: Bl0ck, JeLLy, Kunder, Mamba): Facilitate initial access and provide operational support.

The group’s recruitment strategy is notably aggressive, offering affiliates a generous revenue split of 90%, which is among the highest in the ransomware ecosystem. They actively seek partnerships with penetration testers and initial access brokers through underground forums such as RAMP and BreachForums.

Implications and Defensive Measures

The rapid ascent and advanced capabilities of The Gentlemen ransomware group highlight the evolving nature of cyber threats. Their sophisticated evasion techniques and aggressive expansion pose significant challenges to organizations worldwide. It is imperative for entities to enhance their cybersecurity posture by implementing robust defense mechanisms, conducting regular security audits, and fostering a culture of vigilance to mitigate the risks associated with such advanced ransomware operations.