The Gentlemen Ransomware Claims 202 Attacks in Single Quarter

A ransomware gang called “The Gentlemen” claimed 202 attacks in the first quarter of 2026, making it the second-most prolific ransomware operation behind only Qilin’s 353 attacks, according to Comparitech research. The group emerged in mid-2025 but has rapidly scaled operations using sophisticated tactics including antivirus killers and complex infection chains.

Check Point Research discovered The Gentlemen operates a botnet of more than 1,570 victims through SystemBC malware, described as “proxy malware frequently leveraged in human-operated ransomware operations for covert tunneling and payload delivery.” The infection profile suggests the group targets corporate and organizational environments rather than consumers.

Ransomware Groups Turn on Each Other

Two newer ransomware operations, 0APT and KryBit, recently attacked each other in a feud that exposed both groups’ infrastructure and operational data. The Halcyon Ransomware Research Center reported that 0APT emerged in January with nearly 200 fabricated victim claims before going quiet for months.

0APT reemerged in mid-April, targeting established ransomware groups including KryBit, Everest, and RansomHouse. KryBit launched in March offering ransomware-as-a-service kits for Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate payment model. The group published 10 legitimate victims in its first two weeks.

The infighting between ransomware groups provided defenders with rare insight into operational methods and infrastructure that these groups typically keep hidden.

Energy Company Itron Suffers Security Breach

Energy and water management solutions provider Itron detected unauthorized access to some systems on April 13, the company disclosed in an SEC filing. Itron serves more than 8,000 customers across 100 countries, helping utilities and cities manage energy, water, and other services.

The company took immediate action to remediate the unauthorized activity and reported no subsequent breaches in its corporate systems. No unauthorized activity was observed in customer-hosted portions of Itron’s systems, according to the filing.

Itron expects insurance to cover a significant portion of incident response costs and does not anticipate a material business impact. No ransomware or extortion group has claimed responsibility for the attack, and the extent of any data compromise remains unclear.

Email Attacks Shift to Behavioral Exploitation

Cybercriminals are moving away from technical vulnerabilities toward exploiting behavioral and organizational weaknesses in email attacks. Analysis of nearly 800,000 email attacks across more than 4,600 organizations shows attackers now target trusted relationships and routine workflows, according to Abnormal AI’s 2026 Attack Landscape Report.

Phishing accounts for 58% of all email attacks, while business email compromise (BEC) comprises 11%. Vendor email compromise, a BEC subtype, represents more than 60% of all BEC incidents. More than 20% of phishing attacks use redirect chains to obscure malicious pages from users and security tools.

Attack Sophistication Increases

File-sharing lures concentrate on industries where document exchange is common. Brand impersonation aligns with target organizations’ software complexity. Just over 10% of redirect chain attacks use link shorteners, with tinyurl (31.6%) and t.co (26.6%) dominating.

The report notes that “the same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected.”

Security Expert Pleads Guilty to Ransomware Collaboration

Angelo Martino of Florida pleaded guilty to collaborating with the BlackCat ransomware group while working as a ransomware negotiator, SecurityWeek reported. Martino becomes the third US security expert to admit helping ransomware operations.

The case highlights growing concerns about insider threats within the cybersecurity industry, where professionals with access to sensitive information and negotiation processes may abuse their positions for criminal gain.

What This Means

The ransomware landscape shows increasing sophistication and internal conflict. The Gentlemen’s rapid rise demonstrates how quickly new groups can scale operations using established tactics and infrastructure. The 0APT versus KryBit feud reveals that even criminal organizations face internal competition and conflicts that can benefit defenders.

Itron’s breach underscores continued targeting of critical infrastructure providers, though the company’s quick response and lack of customer system compromise suggest effective incident response procedures. The shift toward behavioral exploitation in email attacks indicates that traditional technical defenses alone are insufficient—organizations need comprehensive security awareness training and behavioral analysis capabilities.

The guilty plea by a third security professional working with ransomware groups signals a troubling trend of insider collaboration that undermines the entire cybersecurity ecosystem.

FAQ

How quickly did The Gentlemen ransomware group scale up operations?
The Gentlemen emerged in mid-2025 and claimed 202 attacks in just the first quarter of 2026, making it the second-most active ransomware group behind Qilin. The group operates a botnet of over 1,570 victims.

What happened when ransomware groups attacked each other?
0APT and KryBit engaged in a feud where they attacked each other’s operations, exposing infrastructure and operational data that provided defenders with rare insights into ransomware methods typically kept hidden.

How are email attacks changing in 2026?
Attackers are shifting from exploiting technical vulnerabilities to targeting behavioral and organizational weaknesses. They now focus on trusted relationships and routine workflows, with over 20% of phishing attacks using redirect chains to avoid detection.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.