Express Computer

The Gentlemen ransomware is scaling fast—and rewriting the rules of cybercrime growth


A relatively new entrant in the ransomware ecosystem, The Gentlemen, is rapidly emerging as one of the most active and disruptive threat groups of 2026. Since its appearance in mid-2025, the ransomware-as-a-service (RaaS) operation has already claimed over 320 victims, with nearly 240 attacks recorded in 2026 alone—making it the second most active ransomware group by victim count this year.

What makes this rise particularly notable is not groundbreaking technical sophistication, but a combination of operational efficiency, aggressive scaling, and a business model designed to attract top-tier cybercriminal talent.

According to Check Point Research (CPR), which has been tracking the group since its inception, The Gentlemen’s growth trajectory rivals early-stage LockBit 3—long considered a benchmark in ransomware operations. CPR’s investigation uncovered even more concerning insights during a live incident response engagement, where researchers gained access to an attacker-controlled command-and-control server. The server revealed a botnet of over 1,570 likely corporate victims—far exceeding the group’s publicly disclosed numbers.

This discrepancy highlights a critical reality: the true scale of ransomware activity often remains hidden, with many compromised organizations yet to be extorted or publicly named.

At the core of The Gentlemen’s rapid expansion is a simple but powerful differentiator—economics. The group offers affiliates a 90% share of ransom payouts, significantly higher than the industry-standard 80%. This seemingly small margin shift is proving decisive in a profit-driven underground economy, drawing experienced operators away from competing ransomware programs. These affiliates bring not only technical expertise but also pre-existing access to corporate networks, accelerating the group’s operational reach.

Technically, The Gentlemen rely on familiar tactics rather than novel exploits. Their primary entry points are unpatched or misconfigured internet-facing systems such as VPNs, firewalls, and remote access gateways. Once inside, attacks unfold with alarming speed. CPR documented incidents where attackers, already in possession of domain-level credentials, moved laterally across networks, disabled security tools, and deployed ransomware across entire environments within hours—often using Group Policy to trigger simultaneous encryption.

Sector-wise, manufacturing and technology firms are the most frequently targeted, reflecting broader ransomware trends. However, the increasing focus on healthcare is particularly concerning. Unlike some ransomware groups that avoid critical infrastructure sectors, The Gentlemen appear unconstrained by such informal boundaries.

Geographically, the United States remains the primary target, followed by the UK and Germany. However, the opportunistic nature of these attacks means any organization with exposed infrastructure is at risk.

For enterprise security leaders, the implications are clear. The threat does not stem from unknown vulnerabilities but from well-documented security gaps that remain unaddressed. Prioritizing patch management for internet-facing systems, enforcing multi-factor authentication, and strengthening privileged access controls are essential first steps. Equally important are network segmentation, proactive monitoring for lateral movement, and regularly tested backup and recovery strategies.
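As an added illustration (not code from CPR or from the original article), the sketch below shows one way to monitor for the Group Policy deployment pattern described above: a GPO edit followed shortly by the same scheduled task appearing on many hosts. It assumes the policy delivers its payload as a scheduled task and that logs are normalised into dictionaries with the hypothetical field names shown; the event IDs are Windows Security events 5136 and 4698, and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions about a normalised log feed.
# 5136 = directory service object modified, 4698 = scheduled task created.
EVENTS = [
    {"time": "2026-03-02T00:30:00", "id": 5136, "host": "DC01",
     "user": "CORP\\helpdesk", "object_class": "user"},
    {"time": "2026-03-02T01:10:00", "id": 5136, "host": "DC01",
     "user": "CORP\\adm-svc", "object_class": "groupPolicyContainer"},
    {"time": "2026-03-02T01:12:05", "id": 4698, "host": "WS-101", "task": "\\UpdateCheck"},
    {"time": "2026-03-02T01:12:40", "id": 4698, "host": "WS-102", "task": "\\UpdateCheck"},
    {"time": "2026-03-02T01:13:10", "id": 4698, "host": "WS-103", "task": "\\UpdateCheck"},
    {"time": "2026-03-02T01:14:00", "id": 4698, "host": "SRV-DB1", "task": "\\UpdateCheck"},
    {"time": "2026-03-02T01:20:00", "id": 4698, "host": "WS-150", "task": "\\Backup"},
    {"time": "2026-03-02T03:00:00", "id": 4698, "host": "WS-200", "task": "\\UpdateCheck"},
]

def detect_gpo_mass_task(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag a GPO edit followed by one task name created on many hosts."""
    parsed = sorted(((datetime.fromisoformat(e["time"]), e) for e in events),
                    key=lambda pair: pair[0])
    alerts = []
    for t0, ev in parsed:
        # Only edits to Group Policy containers start a correlation window.
        if ev["id"] != 5136 or ev.get("object_class") != "groupPolicyContainer":
            continue
        hosts_by_task = defaultdict(set)
        for t1, other in parsed:
            if other["id"] == 4698 and t0 <= t1 <= t0 + window:
                hosts_by_task[other["task"]].add(other["host"])
        # A single host creating a task is routine; a burst across hosts is not.
        for task, hosts in hosts_by_task.items():
            if len(hosts) >= min_hosts:
                alerts.append({"gpo_editor": ev["user"], "gpo_time": ev["time"],
                               "task": task, "hosts": sorted(hosts)})
    return alerts

if __name__ == "__main__":
    for alert in detect_gpo_mass_task(EVENTS):
        print(alert)
```

The window and host threshold are tuning parameters; legitimate software rollouts through Group Policy will also match and need an allowlist of known editors or task names.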

Ultimately, The Gentlemen’s rise underscores a broader shift in the ransomware landscape. The barrier to launching a high-impact RaaS operation has dropped significantly. Success no longer depends on technical innovation alone; it hinges on scalable infrastructure, effective monetization strategies, and the ability to attract skilled affiliates.

In that sense, The Gentlemen are not an outlier—they are a preview of what modern ransomware operations are becoming.
