The Gentlemen ransomware group has rapidly emerged as a significant threat in the cybersecurity landscape of 2026. Originating from a payment conflict within the Qilin RaaS program in mid-2025, this group has transformed into a formidable Ransomware-as-a-Service (RaaS) operation, monitored by Microsoft as Storm-2697.
Global Impact and Sophisticated Tactics
Within its inaugural year, The Gentlemen has impacted over 500 targets across more than 70 nations, contributing to about 10% of global ransomware activity by April 2026. Distinguished by its operator-maintained infrastructure, the group markets its EDR/AV killer system, known as GentleKiller, to affiliates. This framework includes eight different vulnerable driver variants, capable of disabling security processes from 48 vendors.
The group further integrates third-party EDR killers like HexKiller and ThrottleBlood into a modular evasion suite. Paired with a self-propagating worm encryptor using advanced cryptography, The Gentlemen poses a severe threat to sectors such as manufacturing, healthcare, and financial services globally.
Organizational Structure and Strategies
Following a significant data breach in May 2026, detailed insights into The Gentlemen’s operations were revealed. The leak exposed over 3,366 internal communications, shedding light on the group’s hierarchy and methods. The core team consists of around nine operators, with various affiliate IDs coordinating attacks.
The Gentlemen operates under a strict policy of excluding Commonwealth of Independent States (CIS) countries, aligning with norms observed in Russian-linked threat actors. The group’s recruitment strategy actively targets penetration testers and access brokers on underground forums, with a revenue model that generously favors affiliates.
Operational Tactics and Defense Evasion
The Gentlemen’s attack lifecycle is meticulous, avoiding typical phishing methods for initial access. Instead, they exploit vulnerabilities in internet-facing infrastructure, such as FortiGate VPNs and Cisco ASA devices. A notable feature of their methodology is the deployment of the GentleKiller suite before encryption, focusing on disabling security measures.
Additionally, The Gentlemen employs a complex cryptographic scheme for encryption, ensuring extensive data exfiltration and system disruption. Their extensive use of third-party tools and custom frameworks for reconnaissance, privilege escalation, and lateral movement further complicates defense efforts.
Future Outlook and Defensive Measures
The threat posed by The Gentlemen is expected to persist as they continue to refine their techniques and expand their global reach. Organizations are advised to implement robust security measures, including regular patching of vulnerabilities, deploying multi-factor authentication, and maintaining comprehensive data backups.
As cybersecurity experts continue to analyze and counteract these threats, staying informed and vigilant remains crucial in protecting against such sophisticated cybercriminal operations.
