No Manners Here: The Ruthless Rise of The Gentlemen Ransomware
The Gentlemen ransomware is a Ransomware-as-a-Service (RaaS) operation active since at least July 2025, rapidly growing through an affiliate model offering a high payout to affiliates. It uses custom tooling written in C and Go to target multiple operating systems and virtual infrastructure. The group employs diverse initial access techniques including exploitation of edge device vulnerabilities, brute force, stolen credentials, and collaboration with initial access brokers. They also use a custom backdoor, an EDR-killing framework, and possibly zero-day exploits to evade defenses. The ransomware has claimed hundreds of victims globally across many industries, with a sharp increase in activity in 2026. The operators have partnered with BreachForums to recruit affiliates and penetration testers. Unit 42 recommends immediate patching of known exploited vulnerabilities, enhanced monitoring, and strict controls on lateral movement and credential access.
AI Analysis
Technical Summary
The Gentlemen ransomware (aka Storm-2697) is a rapidly expanding RaaS program that emerged from an affiliate of Qilin RaaS. It supports multiple platforms via C and Go variants and uses a wide range of initial access methods including exploitation of vulnerabilities in firewalls, VPNs, and other edge devices, brute force, stolen credentials, and collaboration with initial access brokers. The group employs custom tools such as a Go-based backdoor and an EDR evasion framework called GentleKiller, and may leverage zero-day exploits. Since its official RaaS launch in September 2025, The Gentlemen has dramatically increased its victim count, reaching 580 victims across 77 countries by mid-2026, with a notable focus on manufacturing. The ransomware operators offer affiliates a 90% cut of ransoms, higher than typical RaaS models, aiding rapid recruitment. They have also partnered with BreachForums for affiliate recruitment. Unit 42’s analysis includes detailed recommendations for patching exploited vulnerabilities, monitoring for indicators of compromise, and enforcing network segmentation and credential hygiene.
Potential Impact
The Gentlemen ransomware has caused widespread impact with over 580 victims across 77 countries, including critical sectors like manufacturing. Its use of multi-platform ransomware variants and custom tools enables broad targeting and effective defense evasion. The high affiliate payout incentivizes rapid expansion and increased attacks. The ransomware’s ability to exploit multiple initial access vectors and use zero-day vulnerabilities increases the risk of successful intrusions. The operational scale and sophistication pose a significant threat to enterprise organizations’ availability and data integrity.
Mitigation Recommendations
Unit 42 recommends immediate patching of known exploited vulnerabilities including CVE-2024-55591 (Fortinet FortiOS and FortiProxy), CVE-2025-32433 (Erlang/OTP SSH server), CVE-2025-33073 (Windows SMB Client), CVE-2025-55182 (React2Shell), and CVE-2025-7771 (ThrottleStop.sys driver). Organizations should maintain robust visibility on internet-facing systems such as firewalls, VPNs, and remote access gateways, and audit for prior exploitation indicators. Implement high-severity SIEM alerts for scheduled tasks matching 'gentlemen*'. Enable EDR tamper protection and monitor for unsigned or vulnerable driver loads. Deploy phishing-resistant multi-factor authentication and regularly audit credentials. Enforce strict SMB signing, disable SMBv1, restrict lateral movement, and secure ESXi hosts management interfaces. Monitor for anomalous outbound traffic and behavioral indicators of ransomware activity such as deletion of volume shadow copies. Maintain and validate offline backups for recovery. These mitigations address specific tactics used by The Gentlemen ransomware as detailed by Unit 42.
No Manners Here: The Ruthless Rise of The Gentlemen Ransomware
Description
The Gentlemen ransomware is a Ransomware-as-a-Service (RaaS) operation active since at least July 2025, rapidly growing through an affiliate model offering a high payout to affiliates. It uses custom tooling written in C and Go to target multiple operating systems and virtual infrastructure. The group employs diverse initial access techniques including exploitation of edge device vulnerabilities, brute force, stolen credentials, and collaboration with initial access brokers. They also use a custom backdoor, an EDR-killing framework, and possibly zero-day exploits to evade defenses. The ransomware has claimed hundreds of victims globally across many industries, with a sharp increase in activity in 2026. The operators have partnered with BreachForums to recruit affiliates and penetration testers. Unit 42 recommends immediate patching of known exploited vulnerabilities, enhanced monitoring, and strict controls on lateral movement and credential access.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Gentlemen ransomware (aka Storm-2697) is a rapidly expanding RaaS program that emerged from an affiliate of Qilin RaaS. It supports multiple platforms via C and Go variants and uses a wide range of initial access methods including exploitation of vulnerabilities in firewalls, VPNs, and other edge devices, brute force, stolen credentials, and collaboration with initial access brokers. The group employs custom tools such as a Go-based backdoor and an EDR evasion framework called GentleKiller, and may leverage zero-day exploits. Since its official RaaS launch in September 2025, The Gentlemen has dramatically increased its victim count, reaching 580 victims across 77 countries by mid-2026, with a notable focus on manufacturing. The ransomware operators offer affiliates a 90% cut of ransoms, higher than typical RaaS models, aiding rapid recruitment. They have also partnered with BreachForums for affiliate recruitment. Unit 42’s analysis includes detailed recommendations for patching exploited vulnerabilities, monitoring for indicators of compromise, and enforcing network segmentation and credential hygiene.
Potential Impact
The Gentlemen ransomware has caused widespread impact with over 580 victims across 77 countries, including critical sectors like manufacturing. Its use of multi-platform ransomware variants and custom tools enables broad targeting and effective defense evasion. The high affiliate payout incentivizes rapid expansion and increased attacks. The ransomware’s ability to exploit multiple initial access vectors and use zero-day vulnerabilities increases the risk of successful intrusions. The operational scale and sophistication pose a significant threat to enterprise organizations’ availability and data integrity.
Mitigation Recommendations
Unit 42 recommends immediate patching of known exploited vulnerabilities including CVE-2024-55591 (Fortinet FortiOS and FortiProxy), CVE-2025-32433 (Erlang/OTP SSH server), CVE-2025-33073 (Windows SMB Client), CVE-2025-55182 (React2Shell), and CVE-2025-7771 (ThrottleStop.sys driver). Organizations should maintain robust visibility on internet-facing systems such as firewalls, VPNs, and remote access gateways, and audit for prior exploitation indicators. Implement high-severity SIEM alerts for scheduled tasks matching 'gentlemen*'. Enable EDR tamper protection and monitor for unsigned or vulnerable driver loads. Deploy phishing-resistant multi-factor authentication and regularly audit credentials. Enforce strict SMB signing, disable SMBv1, restrict lateral movement, and secure ESXi hosts management interfaces. Monitor for anomalous outbound traffic and behavioral indicators of ransomware activity such as deletion of volume shadow copies. Maintain and validate offline backups for recovery. These mitigations address specific tactics used by The Gentlemen ransomware as detailed by Unit 42.
Technical Details
- Article Source
- {"url":"https://unit42.paloaltonetworks.com/the-gentlemen-ransomware/","fetched":true,"fetchedAt":"2026-07-10T22:11:46.134Z","wordCount":1459}
Threat ID: 6a516e2268715ace4345de60
Added to database: 07/10/2026, 22:11:46 UTC
Last enriched: 07/10/2026, 22:11:57 UTC
Last updated: 07/10/2026, 22:27:52 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.