A recent study conducted by cybersecurity intelligence firm PRODAFT has revealed that the notorious “The Gentleman” ransomware gang has so far claimed at least 478 victims worldwide through a series of sophisticated double extortion attacks. The findings highlight the growing threat posed by organized cybercriminal groups that continue to exploit businesses, government entities, and critical infrastructure for financial gain.
According to the report, The Gentleman ransomware operation has been active since 2021 and has rapidly evolved into one of the more dangerous cybercrime syndicates operating today. Although the exact amount earned by the gang remains unknown, cybersecurity analysts estimate that the criminal group may have accumulated nearly $38 million through ransom payments, extortion schemes, and other illicit cyber activities.
PRODAFT, the Switzerland-based threat intelligence company tracking the group, identifies The Gentleman under the aliases “Phantom Mantis” and “Larva 368.” Investigators believe the gang is primarily Russian-speaking and operates using a highly organized ransomware-as-a-service (RaaS) model. This allows affiliated hackers and cybercriminals to deploy ransomware tools in exchange for a share of the profits.
Security researchers also noted that Larva 368 has increasingly adopted artificial intelligence-powered tools to automate and enhance cyberattacks. These AI-enabled techniques reportedly help attackers identify vulnerabilities faster, craft convincing phishing campaigns, and evade traditional cybersecurity defenses. The group is also believed to distribute and support several well-known ransomware strains, including LockBit, Qilin, Medusa, and RansomHub, making it a significant player in the global ransomware ecosystem.
Meanwhile, cybersecurity publication KrebsOnSecurity has issued an additional warning regarding the gang’s aggressive recruitment tactics. Reports suggest that The Gentleman ransomware operators are actively targeting insiders within multinational corporations by offering them up to 90 percent of the ransom profits in exchange for confidential access to corporate systems and networks. Such insider threats significantly increase the risk of successful cyberattacks, as employees may unknowingly or deliberately assist hackers in bypassing security controls.
Experts from Check Point Software Technologies have further analyzed the group’s activities and found that The Gentleman successfully compromised more than 240 organizations during 2026 alone. Investigators say the gang primarily exploits internet-facing devices and poorly secured remote access systems to infiltrate corporate networks before encrypting sensitive data and demanding ransom payments.
Interestingly, Check Point researchers have assigned the ransomware operation the codename “Zeta88.” The same group is also believed to operate anonymously on Telegram under the name “Hastalmuerte,” where it allegedly communicates with affiliates and negotiates with victims.
The growing scale and sophistication of ransomware groups like The Gentleman underline the urgent need for organizations to strengthen cybersecurity defenses, monitor insider threats, and regularly update vulnerable systems to avoid becoming the next victim of cyber extortion.
