A recent in-depth analysis of The Gentlemen ransomware reveals that the group has targeted 478 victims. Initially working as an affiliate under various ransomware-as-a-service (RaaS) programs such as LockBit and Medusa, the group has evolved significantly in its operations.
Origins and Leadership
According to the cybersecurity firm PRODAFT, which tracks the group as Phantom Mantis, the operation is spearheaded by a Russian-speaking cybercriminal identified as LARVA-368. This individual, operating under multiple aliases, launched The Gentlemen as an independent entity in July 2025, breaking away from any RaaS dependencies. Notably, artificial intelligence plays a critical role in their operations, from ransomware development to post-exploitation strategies.
Before establishing The Gentlemen, LARVA-368 was a part of another ransomware group called Embargo. However, a dispute over payments with Qilin led to the formation of The Gentlemen, following allegations of deceit and financial misconduct by the RaaS provider.
Ransomware Operations
Reports from cybersecurity firms such as Cybereason describe The Gentlemen as a swift and adaptive operation that combines mature ransomware techniques with affiliate support systems. The group’s activities accounted for 10% of ransomware incidents in April 2026, with attacks primarily focusing on enterprises through vulnerable services or stolen credentials.
Geographically, The Gentlemen’s impact is felt mostly outside the U.S., with major targets in Thailand, the U.K., Brazil, Germany, and India. They employ sophisticated methods such as encryption bypass techniques and command-and-control (C2) tools, ensuring a high degree of adaptability during attacks.
Technical Tactics and Tools
The Gentlemen’s arsenal includes a variety of tools designed for reconnaissance, privilege escalation, and defense evasion. The group uses a hybrid encryption scheme, and its ransomware is reportedly written in the Go programming language, allowing it to spread like a worm across networks.
Microsoft has identified them under the name Storm-2697, noting their malware’s capability to propagate autonomously. Additionally, recent leaks from an internal database provide insights into the group’s structure and use of known vulnerabilities in major software systems.
Future Implications
The Gentlemen continues to be a formidable force in the cyber threat landscape, refining their tactics and expanding their reach. As they target more organizations globally, understanding their methodologies becomes crucial for potential victims to bolster defenses and mitigate risks.
