
The Gentlemen Ransomware Claims 202 Attacks in Q1 2026

The Gentlemen ransomware gang claimed 202 attacks in Q1 2026, making it the second-most prolific ransomware operation behind only Qilin’s 353 attacks, according to Comparitech research. The ransomware-as-a-service (RaaS) outfit first emerged in mid-2025 and has rapidly scaled operations using sophisticated tactics including antivirus killers and complex infection chains.

Check Point Research this week published findings showing The Gentlemen operates a botnet of more than 1,570 victims through SystemBC malware, which serves as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.” The infection profile suggests corporate targeting rather than opportunistic consumer attacks.

Ransomware Groups Target Each Other in Unprecedented Feud

Two newer ransomware operations, 0APT and KryBit, attacked each other in April 2026, exposing infrastructure and operational data that provided rare insight into ransomware operations. Halcyon Ransomware Research Center documented the feud, which left both groups in shambles.

0APT initially emerged in late January with a fabricated list of nearly 200 victims before going quiet for months. The group reemerged in mid-April, deleting its fake victim list and claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse.

KryBit launched in late March offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate model. The group published 10 legitimate victims in its first two weeks before becoming embroiled in the 0APT conflict.

Vect 2.0 Ransomware Contains Critical Design Flaw

The Vect 2.0 ransomware variant contains a critical flaw that causes it to act as a wiper rather than traditional ransomware, permanently destroying files larger than 128KB instead of encrypting them. Check Point Software confirmed the flaw exists across Windows, Linux, and VMware ESXi versions.

The malware encrypts four independent chunks of each “large file” using four randomly generated 12-byte nonces but only appends the final nonce to the encrypted file on disk. This discards three of four decryption nonces required for recovery, making files permanently unrecoverable even with payment.

“This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included,” according to the Check Point report. The flaw complicates ransom demands since attackers cannot actually decrypt compromised files.
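To show concretely why the lost nonces matter, here is an added illustration in Go; it is constructed example code, not Vect's code and not taken from the Check Point report. It seals a buffer in four chunks under four random 12-byte nonces, as the report describes, then attempts decryption twice: once with every nonce, and once with only the last one, which is all Vect 2.0 writes to disk. AES-256-GCM is an assumption standing in for whatever cipher Vect actually uses, chosen because its 12-byte nonce matches the report and its authentication tag makes the failure explicit rather than silent. All function names are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Four independently encrypted chunks, as in the Check Point description.
// AES-256-GCM (12-byte nonce) is an assumption; the report does not name the cipher.
const chunkCount = 4

// splitChunks cuts data into chunkCount slices of roughly equal size (trailing
// chunks may be empty for tiny inputs; the AEAD handles that).
func splitChunks(data []byte) [][]byte {
	size := (len(data) + chunkCount - 1) / chunkCount
	out := make([][]byte, chunkCount)
	for i := range out {
		lo := min(i*size, len(data))
		hi := min(lo+size, len(data))
		out[i] = data[lo:hi]
	}
	return out
}

// encryptChunks seals each chunk under its own fresh random nonce and returns
// the ciphertexts with ALL nonces, which a correctly built locker must persist.
func encryptChunks(aead cipher.AEAD, data []byte) (cts, nonces [][]byte, err error) {
	for _, chunk := range splitChunks(data) {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, nil, err
		}
		cts = append(cts, aead.Seal(nil, nonce, chunk, nil))
		nonces = append(nonces, nonce)
	}
	return cts, nonces, nil
}

// decryptChunks reverses encryptChunks; one nonce per chunk is required.
func decryptChunks(aead cipher.AEAD, cts, nonces [][]byte) ([]byte, error) {
	if len(cts) != len(nonces) {
		return nil, fmt.Errorf("have %d chunks but %d nonces", len(cts), len(nonces))
	}
	var out []byte
	for i := range cts {
		pt, err := aead.Open(nil, nonces[i], cts[i], nil)
		if err != nil {
			return nil, fmt.Errorf("chunk %d: %w", i, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

// recoverWithLastNonceOnly models the flaw: only the final nonce reached disk, so the
// best a decryptor can do is try it on every chunk; GCM's tag check rejects the rest.
func recoverWithLastNonceOnly(aead cipher.AEAD, cts [][]byte, lastNonce []byte) int {
	recovered := 0
	for _, ct := range cts {
		if _, err := aead.Open(nil, lastNonce, ct, nil); err == nil {
			recovered++
		}
	}
	return recovered
}

// demo: does the full nonce set round-trip, and how many chunks survive with only the last nonce?
func demo(data []byte) (fullRoundTrip bool, chunksWithLastNonceOnly int, err error) {
	key := make([]byte, 32) // fresh random key, as a locker would generate per file
	if _, err := rand.Read(key); err != nil {
		return false, 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, 0, err
	}
	cts, nonces, err := encryptChunks(aead, data)
	if err != nil {
		return false, 0, err
	}
	plain, err := decryptChunks(aead, cts, nonces)
	if err != nil {
		return false, 0, err
	}
	return bytes.Equal(plain, data), recoverWithLastNonceOnly(aead, cts, nonces[len(nonces)-1]), nil
}

func main() {
	data := bytes.Repeat([]byte("constructed sample record\n"), 8000) // >128KB stand-in
	ok, n, err := demo(data)
	fmt.Println("all four nonces kept -> full recovery:", ok, "err:", err)
	fmt.Printf("only the last nonce kept -> %d of %d chunks recoverable\n", n, chunkCount)
}
```

Only the final chunk ever comes back. With a 96-bit nonce space the three missing values cannot be recovered by search either, so a decryptor handed the correct key still has nothing to work with; that is what makes the report treat Vect 2.0 as a wiper. Under an unauthenticated mode the wrong-nonce chunks would decrypt to garbage instead of raising an error, which is the same loss with less warning.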

Energy Management Firm Itron Suffers Security Breach

US-based energy and water management solutions provider Itron detected unauthorized access to some systems on April 13, 2026, according to an SEC filing. The company serves more than 8,000 customers across 100 countries, providing utilities and cities with energy and water management services.

Incident Response and Impact

Itron stated that “operations have continued in all material respects” following the breach. The company took immediate action to remediate and remove unauthorized activity and has not observed subsequent unauthorized access within corporate systems.

No unauthorized activity was detected in customer-hosted portions of Itron’s systems. Neither the attacker’s motivation nor whether customer or other sensitive information was compromised is known yet. No known ransomware or extortion groups have claimed responsibility for the attack.

Itron expects insurance to cover a significant portion of incident response costs and does not anticipate material business impact. The company is evaluating required legal filings and regulatory notifications based on ongoing investigation findings.

Email Attackers Shift to Behavioral Exploitation

Cybercriminals are abandoning technical vulnerability exploitation in favor of targeting behavioral and organizational weaknesses through tailored email attacks. Analysis of nearly 800,000 email attacks across more than 4,600 organizations shows attackers exploiting trusted relationships and routine workflows.

Abnormal AI’s 2026 Attack Landscape Report found phishing accounts for 58% of all email attacks, with business email compromise (BEC) comprising 11% and vendor email compromise (VEC) representing more than 60% of BEC attacks.

Advanced Evasion Techniques

More than 20% of phishing attacks now use redirect chains to obscure final malicious pages from users and security tools. Just over 10% employ link shorteners, with tinyurl (31.6%) and t.co (26.6%) dominating usage.
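As an added example of the defender's side of this (not from the Abnormal AI report, and not a shipped tool), the Go program below unwinds a redirect chain offline and flags links that pass through a shortener or take two or more hops. The redirect map stands in for the HTTP 3xx Location responses a real resolver would fetch; the .example hosts and the paths are constructed, and only tinyurl.com and t.co come from the report. Type and function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// shortenerHosts holds the two shortener domains named in the report; a real
// deployment would carry a longer list.
var shortenerHosts = map[string]bool{"tinyurl.com": true, "t.co": true}

// sampleRedirects is a CONSTRUCTED stand-in for live HTTP 3xx Location responses:
// key = URL fetched, value = where it redirects. Hosts under .example are invented.
var sampleRedirects = map[string]string{
	"https://t.co/abc123":          "https://tinyurl.com/share-q2",
	"https://tinyurl.com/share-q2": "https://docs-review.example/login",
	"https://a.example/x":          "https://b.example/y",
	"https://b.example/y":          "https://a.example/x", // loop
}

// ChainReport is what a mail filter would log for one link.
type ChainReport struct {
	Hops          []string // every URL visited, starting with the one in the email
	Final         string   // where the chain ends
	Redirects     int      // hops taken
	UsedShortener bool     // any hop on a known shortener host
	Flagged       bool     // shortener used, two or more redirects, or an error
	Err           error    // loop, hop limit, or unparsable URL
}

func hostOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no host in %q", raw)
	}
	return strings.ToLower(u.Hostname()), nil
}

// resolveChain walks redirects from start until a URL has no further hop, a loop
// is seen, or maxHops is exceeded, and decides whether the link deserves scrutiny.
func resolveChain(start string, redirects map[string]string, maxHops int) ChainReport {
	rep := ChainReport{Hops: []string{start}}
	seen := map[string]bool{start: true}
	cur := start
	for {
		h, err := hostOf(cur)
		if err != nil {
			rep.Err = err
			break
		}
		if shortenerHosts[h] {
			rep.UsedShortener = true
		}
		next, ok := redirects[cur]
		if !ok {
			break // final page reached
		}
		if seen[next] {
			rep.Err = errors.New("redirect loop")
			break
		}
		if rep.Redirects >= maxHops {
			rep.Err = errors.New("hop limit exceeded")
			break
		}
		seen[next] = true
		rep.Hops = append(rep.Hops, next)
		rep.Redirects++
		cur = next
	}
	rep.Final = cur
	rep.Flagged = rep.UsedShortener || rep.Redirects >= 2 || rep.Err != nil
	return rep
}

func main() {
	for _, link := range []string{"https://t.co/abc123", "https://intranet.example/report", "https://a.example/x"} {
		r := resolveChain(link, sampleRedirects, 10)
		fmt.Printf("%s -> %s (redirects=%d shortener=%v flagged=%v err=%v)\n",
			link, r.Final, r.Redirects, r.UsedShortener, r.Flagged, r.Err)
	}
}
```

In production the map lookup becomes a request with automatic redirects disabled, so each Location header is inspected before it is followed; the loop check and hop limit stay, because a chain under someone else's control can be cyclic or arbitrarily long, and the report that survives (full hop list plus final host) is what lets an analyst judge the destination rather than the shortened link the user saw.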

File-sharing lures target industries where document exchange is common, while brand impersonation aligns with target organizations’ software complexity. Attackers design lures to blend into existing workflows and tools that employees regularly use.

“The same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected,” the report states.

What This Means

The ransomware landscape shows increasing sophistication and internal conflict. The Gentlemen’s rapid rise demonstrates how quickly new groups can scale operations using proven RaaS models and advanced techniques. The 0APT-KryBit feud represents unprecedented transparency into ransomware operations, potentially benefiting defenders.

Vect 2.0’s critical flaw highlights the technical complexity of ransomware development and how coding errors can fundamentally alter attack outcomes. Organizations should be aware that paying ransoms may not guarantee file recovery, particularly with newer or less established groups.

The shift toward behavioral targeting in email attacks requires updated security awareness training. Traditional indicators like typos and suspicious formatting are no longer reliable detection methods. Organizations must focus on verifying requests through alternative communication channels and implementing zero-trust verification processes.

FAQ

How quickly did The Gentlemen ransomware group scale operations?
The Gentlemen emerged in mid-2025 and claimed 202 attacks in Q1 2026, making it the second-most active ransomware group behind Qilin. Check Point Research identified over 1,570 victims in its botnet, demonstrating rapid scaling within months of initial operations.

Why is the Vect 2.0 ransomware flaw significant for victims?
Vect 2.0 permanently destroys files larger than 128KB instead of encrypting them due to a design flaw that discards three of four required decryption nonces. This makes recovery impossible even if victims pay the ransom, effectively turning the ransomware into a destructive wiper.

What makes modern email attacks harder to detect than traditional phishing?
Modern email attacks exploit trusted relationships and routine workflows rather than relying on obvious technical indicators. Attackers use redirect chains, legitimate link shorteners, and context-appropriate lures that blend into normal business operations, making detection significantly more challenging.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.