
Gentlemen Ransomware Claims 202 Victims in Three Months

A new ransomware-as-a-service (RaaS) operation called “The Gentlemen” has claimed 202 victims in just three months, making it the second-most active ransomware group behind Qilin’s 353 attacks, according to Comparitech research. The group emerged in mid-2025 and has rapidly scaled operations using tooling and tradecraft that includes antivirus-killer utilities and multi-stage infection chains.

Check Point Research this week revealed that The Gentlemen operates a botnet of more than 1,570 victims through SystemBC proxy malware, which enables covert tunneling and payload delivery in corporate environments. The group’s infection profile indicates a deliberate focus on organizational targets rather than consumer systems.

Rapid Growth Trajectory Alarms Researchers

The Gentlemen’s ascent has been nothing short of remarkable for such a new operation. NCC Group tracking data shows the group claimed 34 attacks in January 2026 and 67 in February, placing it among the top-tier ransomware operations alongside established groups.

The gang employs typical double extortion tactics, combining file encryption with data theft threats to maximize pressure on victims. However, researchers note their technical sophistication sets them apart from many newer entrants to the ransomware ecosystem.

Check Point’s analysis of SystemBC command and control servers revealed victim telemetry spanning multiple industries, with a clear emphasis on corporate and organizational environments. This targeting strategy suggests coordinated reconnaissance and selective victim identification rather than opportunistic mass infections.

Healthcare Sector Faces Continued Pressure

The ransomware threat to healthcare organizations remains severe, as demonstrated by Sandhills Medical Foundation’s recent disclosure of a breach affecting nearly 170,000 individuals. The South Carolina healthcare provider discovered the ransomware attack on May 8, 2025, but only publicly disclosed the incident nearly one year later.

The Inc Ransom group claimed responsibility for the Sandhills attack, listing the organization on its leak website in June 2025 before making stolen files available for download. Compromised data included names, Social Security numbers, driver’s licenses, financial information, and protected health information.

Sandhills Medical told the Maine Attorney General’s Office that 169,986 individuals were affected by the breach. The delayed disclosure timeline highlights ongoing challenges healthcare organizations face in incident response and regulatory compliance.

Ransomware Groups Turn on Each Other

In an unusual development, two newer ransomware operations—0APT and KryBit—have engaged in attacks against each other, inadvertently exposing their own infrastructure and operational data. Halcyon Ransomware Research Center documented the feud, which began when 0APT claimed attacks against KryBit and other established groups including Everest and RansomHouse.

0APT initially emerged in January 2026 with a fabricated victim list of nearly 200 organizations, failing to gain traction or recruit affiliates before going dormant. The group reemerged in April with legitimate attacks targeting other ransomware operators, marking an unusual shift in tactics.

KryBit launched in March 2026 with ransomware kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate revenue model. The group published 10 verified victims in its first two weeks before becoming embroiled in the conflict with 0APT.

Technical Flaws Undermine Ransomware Effectiveness

Some emerging ransomware variants contain critical technical flaws that inadvertently benefit defenders. The Vect 2.0 ransomware, deployed in TeamPCP supply chain attacks, contains a design error that causes it to function as a wiper rather than traditional ransomware for files larger than 128 KB.

Check Point Software analysis revealed that Vect 2.0’s ChaCha20-IETF encryption implementation discards three of the four nonces needed to decrypt files above 131,072 bytes (128 KiB). A ChaCha20 keystream cannot be regenerated without its nonce, so the affected portions of those files cannot be recovered even with the correct key. This flaw affects the ransomware’s Windows, Linux, and VMware ESXi variants, making recovery impossible even if victims pay the ransom.

The technical defect essentially transforms Vect 2.0 into a destructive wiper for enterprise assets including virtual machine disks, databases, documents, and backups. This unintended behavior complicates the attackers’ extortion model while creating irreversible damage for victims.

Supply Chain Attacks Enable Data Theft

Security vendor Checkmarx confirmed that attackers stole source code, employee databases, API keys, and database credentials through a supply chain attack targeting its KICS open source project. The March 23, 2026 compromise was attributed to the TeamPCP hacking group and connected to the broader Trivy supply chain attack.

The Lapsus$ extortion group added Checkmarx to its leak site over the weekend, suggesting possible collaboration with TeamPCP to monetize the stolen data. The attackers initially gained access through compromised GitHub credentials, then poisoned multiple software packages, including OpenVSX plugins and GitHub Actions workflows.

Despite Checkmarx’s remediation efforts, including credential rotation and infrastructure blocking, the attackers regained access on April 22 and published additional malicious code. The second wave compromised a DockerHub KICS image, GitHub Actions, VS Code extensions, and the popular Bitwarden CLI NPM package.
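Poisoned GitHub Actions and container images of the kind described above reach downstream builds through mutable references: a `uses: org/action@v1` tag or a `FROM image:tag` line resolves to whatever the publisher (or whoever holds the publisher’s credentials) last pushed. The following audit script is an added example for this page, not a Checkmarx or TeamPCP artifact; it flags workflow steps not pinned to a full commit SHA and Dockerfile base images without a digest. The sample workflow and Dockerfile are constructed inline, and the 40-hex SHA and 64-hex digest in them are placeholders, not real commits or images. Pinning limits exposure rather than removing it: a compromised maintainer account can still push new commits, so pins must also be reviewed when they are bumped.

```python
"""Audit CI inputs for mutable references (added example, constructed samples)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\s\"'#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def audit_workflow(text):
    """Return (line, ref, problem) for every `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and docker:// refs are out of scope here
        action, _, version = ref.partition("@")
        if not version:
            findings.append((lineno, ref, "no ref at all; resolves to the default branch"))
        elif not SHA_RE.match(version):
            findings.append((lineno, ref, "mutable tag or branch; pin to a full commit SHA"))
    return findings


def audit_dockerfile(text):
    """Return (line, image, problem) for every FROM without an @sha256: digest.
    FROM lines that reference an earlier build stage (FROM ... AS name) are skipped."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if image.lower() == "scratch" or image.lower() in stages:
            continue
        if "@sha256:" not in image:
            findings.append((lineno, image, "no digest; pin with image@sha256:<digest>"))
    return findings


# Constructed sample inputs (not from the page); the SHA and digest are placeholders.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-node@0123456789abcdef0123456789abcdef01234567"  # placeholder pin
      - uses: example-org/lint-action
      - uses: ./.github/actions/local-step
      - run: npm ci
"""

SAMPLE_DOCKERFILE = """FROM node:20-alpine AS build
RUN npm ci
FROM node:20-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app /app
FROM build
"""


def run_audit():
    """Run both audits over the constructed samples and return the findings."""
    return {
        "workflow": audit_workflow(SAMPLE_WORKFLOW),
        "dockerfile": audit_dockerfile(SAMPLE_DOCKERFILE),
    }


if __name__ == "__main__":
    for kind, findings in run_audit().items():
        for lineno, ref, problem in findings:
            print(f"{kind}:{lineno}: {ref}: {problem}")
```

In the sample, only the `checkout@v4` tag and the ref-less `lint-action` step are reported, the digest-pinned second `FROM` and the stage reference `FROM build` pass, and the unpinned `node:20-alpine` base image is flagged. Running the same two functions over every workflow file and Dockerfile in a repository is a cheap pre-merge check; the harder part is reviewing what a pin is bumped to.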

What This Means

The rapid emergence of sophisticated ransomware groups like The Gentlemen demonstrates the continued evolution and professionalization of the ransomware ecosystem. Their ability to scale operations and target corporate environments within months of launching indicates robust affiliate recruitment and technical capabilities.

The healthcare sector remains particularly vulnerable, with delayed breach disclosures like Sandhills Medical’s highlighting both the persistence of threats and challenges in incident response. Organizations must prioritize rapid detection and disclosure processes to minimize regulatory and reputational damage.

Supply chain attacks represent an escalating threat vector, as demonstrated by the TeamPCP campaign’s broad impact across multiple software ecosystems. The compromise of trusted development tools and repositories creates cascading risks that can affect thousands of downstream users and organizations.

FAQ

How quickly has The Gentlemen ransomware group grown since launching?
The Gentlemen emerged in mid-2025 and claimed 202 victims in just the last quarter, making it the second-most active ransomware group. The group operates a botnet of over 1,570 infected systems and has shown sophisticated targeting of corporate environments.

What makes the Vect 2.0 ransomware particularly dangerous for victims?
Vect 2.0 contains a critical flaw in how it handles files larger than 128 KB: it encrypts them but discards three of the four nonces needed to decrypt them, so the data cannot be recovered even if victims pay the ransom. This effectively turns the ransomware into a destructive wiper for most enterprise data.

How did the Checkmarx supply chain attack spread beyond the initial compromise?
Attackers gained access through compromised GitHub credentials, in a campaign connected to the Trivy compromise, poisoned Checkmarx’s KICS project, and then leveraged that access to compromise additional packages including the Bitwarden CLI NPM package. The attack demonstrated how a single supply chain compromise can create cascading effects across software ecosystems.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.