The Gentlemen: The Rapid Rise of a Sophisticated New Ransomware Threat


A New Group That Isn’t Acting Like One

Since surfacing in mid-2025, The Gentlemen ransomware-as-a-service (RaaS) group has grown at a pace that rivals the early years of LockBit 3, a program widely considered the gold standard of ransomware operations. By April 2026, The Gentlemen had publicly listed over 320 victims on their data leak site, 240 of them in the first months of 2026 alone. That figure reflects only organizations that refused to pay; the actual number of victims is almost certainly higher.

Check Point Research (CPR) has been tracking this group since its emergence, and their latest analysis, including findings from an active incident response engagement and access to a live attacker-controlled server, reveals why this operation is scaling so quickly, and what it means for enterprise security teams.

For the full technical breakdown, read the CPR deep-dive report.

Why They’re Growing: Better Economics for Criminals

Understanding why The Gentlemen are attracting affiliates so quickly requires understanding how the RaaS business model works. Ransomware operators build the tools and infrastructure; affiliates carry out the attacks and share the ransom proceeds with the operator.

The Gentlemen are offering affiliates a 90% share of every ransom paid, versus the 80% that most competing programs offer. In a criminal ecosystem driven by financial incentive, that ten-point difference matters. It is pulling experienced operators away from established brands and into The Gentlemen’s program, bringing their skills, their access to corporate networks, and their track record with them.

The result is rapid scaling. The group is not growing because they invented a fundamentally new attack. Most of their techniques are actually well-established. They are growing because their business model is more attractive, and because they have built a program capable of supporting a large and expanding affiliate base across Windows, Linux, and ESXi environments.

Who Is Getting Hit

The Gentlemen’s attacks are largely opportunistic rather than targeted. They look for organizations with exposed, vulnerable internet-facing infrastructure (think: VPNs, remote access gateways, firewall management portals) and use those as their entry points.

Manufacturing and technology companies make up the largest share of victims, which is consistent with the broader ransomware landscape. More notable is the presence of healthcare as the third most frequently targeted sector. Some ransomware groups, as a matter of informal policy or self-preservation, avoid attacking hospitals. The Gentlemen show no indication of observing that limit.

Geographically, the USA accounts for the largest number of victims, with the UK and Germany also heavily represented. CPR confirmed this pattern from the group’s public leak site and from independent telemetry obtained from an affiliated attacker’s server.

What CPR Found Inside an Attacker’s Server

During an incident response engagement, Check Point Research investigators discovered that a Gentlemen affiliate had deployed infrastructure connected to a much larger operation than a single incident would suggest. By gaining access to the command-and-control server in question, the investigators were able to observe a botnet of over 1,570 likely corporate victims: organizations whose systems had been quietly compromised and were awaiting further action.

That number is significant for two reasons. First, it exceeds the group’s own publicly claimed victim count, suggesting the true scale of their activity is larger than what appears on their leak site. Second, the profile of the victims (enterprise systems, domain-joined machines, corporate credentials) confirms that these are not consumer-grade infections. They are organizations, and their data was likely already staged for exfiltration.

Speed Is the Defining Characteristic

In the incident CPR responded to, the attacker arrived with domain-level administrative access already established. From that point, the intrusion escalated rapidly: credential validation across the environment, lateral movement to dozens of hosts, disabled security tools, and ultimately a domain-wide ransomware deployment triggered through Group Policy, hitting every connected machine simultaneously.

The speed and coordination of this attack reflects a group that has refined its playbook. Affiliates are not improvising; they are executing a documented, tested process designed to maximize impact before defenders can respond.

What Security Leaders Should Do

The Gentlemen are not exploiting novel zero-days or bypassing security through exotic means. Their initial access relies overwhelmingly on unpatched or misconfigured internet-facing devices. These are the same vulnerabilities that defenders have been advised to prioritize for years.

The fundamentals remain the most important defensive investments:

  • Patch internet-facing infrastructure first: VPNs, firewalls, and remote access gateways are the primary entry point. These devices must be treated with the same urgency as public-facing web applications.
  • Assume credential compromise: The Gentlemen affiliates move quickly from initial access to domain-level control. Multi-factor authentication and privileged access controls are non-negotiable.
  • Test your backup and recovery capability: A functioning, isolated backup is the single most effective tool for limiting ransomware impact. Many organizations discover that their backup strategy is inadequate during an incident, not before.
  • Monitor for lateral movement, not just perimeter breach: By the time ransomware detonates, the attacker has typically been present for some time. Detection at the lateral movement stage provides the best opportunity to interrupt an attack in progress.
  • Segment your network: Domain-wide encryption via Group Policy is only possible when an attacker holds rights to create or edit Group Policy objects (in practice, domain administrator access) and can reach every endpoint. Network segmentation limits both the attacker’s reach and the blast radius of a successful intrusion.
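The attack chain CPR describes (one account validating credentials across many hosts, security tooling switched off, then a Group Policy edit ahead of domain-wide deployment) is the stage at which the "monitor for lateral movement" advice above actually pays off. The following is an added example written for this page, not code from Check Point Research or from the report it summarizes. It runs three simple detections over a handful of constructed Windows Security and Defender Operational events (the field names, account names, hostnames and GPO GUID are all assumptions made for the sample, not real telemetry) and correlates them by account so that the chain raises one alert rather than three isolated ones.

```python
"""Correlate lateral movement, AV tampering and a GPO edit by the same account.

Added example for this page; the event format is a hand-picked subset of
Windows log fields, and the sample data is constructed, not real telemetry.
Event IDs used: 4624 logon type 3 (network logon, Security log), 5001 (Defender
real-time protection disabled, Defender Operational log), 5136 (directory
service object modified, Security log; object_class groupPolicyContainer).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. One service account fans out to six hosts in
# about three minutes, Defender is disabled on two of them, then the same
# account edits a GPO on the domain controller. Two benign accounts are
# included as noise. The GUID below is made up.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T02:10:05", "id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "host": "FS01"},
    {"time": "2026-03-02T02:10:41", "id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "host": "FS02"},
    {"time": "2026-03-02T02:11:12", "id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "host": "SQL01"},
    {"time": "2026-03-02T02:11:50", "id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "host": "WEB01"},
    {"time": "2026-03-02T02:12:30", "id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "host": "DC01"},
    {"time": "2026-03-02T02:13:08", "id": 4624, "logon_type": 3, "account": "CORP\\svc_backup", "host": "HR-PC-17"},
    {"time": "2026-03-02T02:15:00", "id": 5001, "account": "CORP\\svc_backup", "host": "FS01"},
    {"time": "2026-03-02T02:15:20", "id": 5001, "account": "CORP\\svc_backup", "host": "SQL01"},
    {"time": "2026-03-02T02:18:44", "id": 5136, "account": "CORP\\svc_backup", "host": "DC01",
     "object_class": "groupPolicyContainer", "attribute": "gPCFileSysPath",
     "object_dn": "CN={4F2A9B10-7C3E-4D5A-9E8B-2C1D0F6A7B83},CN=Policies,CN=System,DC=corp,DC=local"},
    # Benign noise: an admin touching two servers and an interactive logon.
    {"time": "2026-03-02T02:11:00", "id": 4624, "logon_type": 3, "account": "CORP\\alice", "host": "FS01"},
    {"time": "2026-03-02T02:12:00", "id": 4624, "logon_type": 3, "account": "CORP\\alice", "host": "FS02"},
    {"time": "2026-03-02T02:12:10", "id": 4624, "logon_type": 2, "account": "CORP\\bob", "host": "HR-PC-03"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_lateral_movement(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for accounts with network logons (4624,
    type 3) to at least `min_hosts` distinct hosts inside any `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            by_account[e["account"]].append((_ts(e), e["host"]))
    findings = {}
    for account, logons in by_account.items():
        logons.sort()
        # Sliding window anchored at each logon of this account, in time order.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings[account] = sorted(hosts)
                break
    return findings


def detect_defense_evasion(events):
    """Hosts on which Defender real-time protection was switched off (5001)."""
    return sorted({e["host"] for e in events if e["id"] == 5001})


def detect_gpo_modification(events):
    """GPO edits (5136 on a groupPolicyContainer): the staging step that
    precedes a domain-wide deployment through Group Policy."""
    return [e for e in events
            if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def correlate(events, window=timedelta(minutes=30)):
    """Raise one alert per GPO edit whose author also fanned out across hosts
    within `window` of their first network logon; attach any AV tampering."""
    lateral = detect_lateral_movement(events)
    evasion_hosts = set(detect_defense_evasion(events))
    alerts = []
    for gpo in detect_gpo_modification(events):
        account = gpo["account"]
        if account not in lateral:
            continue
        first_logon = min(_ts(e) for e in events
                          if e["id"] == 4624 and e.get("logon_type") == 3
                          and e["account"] == account)
        if _ts(gpo) - first_logon <= window:
            alerts.append({
                "account": account,
                "hosts_touched": lateral[account],
                "defender_disabled_on": sorted(evasion_hosts & set(lateral[account])),
                "gpo": gpo["object_dn"],
                "seconds_from_first_logon": int((_ts(gpo) - first_logon).total_seconds()),
                "verdict": "probable domain-wide ransomware staging via Group Policy",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (five distinct hosts in ten minutes, a GPO edit within thirty minutes of the first fan-out logon) are assumptions chosen for the sample; in a real environment they should be tuned against baseline behaviour of backup, scanning and management accounts, which legitimately touch many hosts. The value of the correlation step is that the GPO edit alone looks like routine administration and the logon burst alone is noisy, but the same account doing both in one window, with Defender going dark on hosts it just reached, is the pattern described in the incident above.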

The Bigger Picture

The Gentlemen’s rise illustrates a structural challenge in the ransomware landscape: the barrier to standing up a professional RaaS operation has fallen considerably. A compelling revenue split, a capable locker, and a leak site are enough to attract affiliates who bring their own access and expertise. The operation does not need to be technically groundbreaking to be damaging at scale.

CPR will continue monitoring this group as it evolves. For the complete technical analysis, including the full attack timeline from our incident response engagement, detailed malware behavior, and indicators of compromise, read the full report.

Check Point customers are protected from this threat via Threat Emulation and Harmony Endpoint.
