The Gentlemen Ransomware Claims 202 Attacks in Three Months

A ransomware group called “The Gentlemen” has emerged as one of the most prolific ransomware operators in 2025, claiming 202 attacks in the first quarter alone — second only to the Qilin group’s 353 claims, according to Comparitech research. The ransomware-as-a-service (RaaS) outfit first appeared in mid-2025 and has rapidly scaled operations using sophisticated tactics that impressed security researchers.

Check Point Research this week published findings showing The Gentlemen operates a botnet of more than 1,570 victims, with infection profiles suggesting “a focus on corporate and organizational environments rather than opportunistic consumer targeting.” The group uses double extortion attacks, combining file encryption with data theft threats.

Sophisticated Attack Infrastructure

The Gentlemen deploys advanced malware including SystemBC, which Check Point described as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.” The group’s toolkit includes antivirus killers and complex infection chains that demonstrate technical sophistication beyond typical ransomware operations.

Victim telemetry connected to SystemBC’s command and control servers revealed the scope of The Gentlemen’s operations. NCC Group tracking found the group responsible for 34 attacks in January and 67 in February, placing it among the top ransomware operators despite its recent emergence.

The rapid scaling has caught security researchers’ attention. Unlike many new ransomware groups that struggle to gain affiliates or maintain consistent operations, The Gentlemen has demonstrated both technical capability and operational persistence.

Ransomware Infighting Exposes Operations

While established groups like The Gentlemen gain prominence, newer ransomware operations have engaged in destructive feuds that benefit defenders. Two emerging groups, 0APT and KryBit, recently attacked each other and exposed operational data that provided rare insights into ransomware infrastructure.

Halcyon Ransomware Research Center documented the conflict, which began when 0APT emerged in late January with nearly 200 fabricated victim claims. After months of inactivity, 0APT reemerged in mid-April claiming attacks against other ransomware operators including KryBit, Everest, and RansomHouse.

KryBit launched in late March offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate model. The group published 10 legitimate victims in its first two weeks before becoming embroiled in the 0APT feud.

The ransomware-on-ransomware attacks exposed infrastructure details and operational methods that security researchers rarely observe, providing valuable intelligence for defensive strategies.

Critical Flaws in Emerging Ransomware

Some new ransomware variants contain fundamental flaws that make them more destructive than intended. Vect 2.0, which first appeared in December 2025, contains a critical design error that causes it to act as a wiper rather than traditional ransomware for files larger than 128KB.

Check Point Software analysis revealed that Vect 2.0’s ChaCha20-IETF encryption scheme encrypts four independent chunks of large files using four random 12-byte nonces, but stores only the final nonce. Because ChaCha20 decryption requires the exact nonce used for each chunk, the first three chunks cannot be decrypted even by someone holding the key. This flaw affects the Windows, Linux, and VMware ESXi versions, making recovery impossible even if victims pay ransom demands.

“This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included,” Check Point researchers noted. The flaw has been deployed against victims of TeamPCP supply chain attacks.

The technical error highlights the risks organizations face from both sophisticated groups like The Gentlemen and flawed operations like Vect 2.0, where paying ransom provides no recovery guarantee.

Corporate Attacks Target Trusted Relationships

Beyond ransomware, email-based attacks increasingly exploit behavioral vulnerabilities rather than technical flaws. Analysis of nearly 800,000 email attacks across 4,600 organizations shows attackers targeting trusted relationships and routine workflows.

Abnormal AI’s 2026 Attack Landscape Report found phishing accounts for 58% of email attacks, with business email compromise (BEC) comprising 11%. More than 60% of BEC attacks use vendor email compromise (VEC) tactics that exploit established business relationships.

Attackers now tailor lures to specific industries and roles. File-sharing attacks target sectors where document exchange is routine, while brand impersonation aligns with target organizations’ software environments. More than 20% of phishing attacks use redirect chains to obscure malicious destinations, with tinyurl (31.6%) and t.co (26.6%) the most common link shorteners.

The shift represents a fundamental change in attack methodology. “The same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected,” the Abnormal AI report stated.

Energy Infrastructure Targeted

Critical infrastructure remains a prime target, with energy and water management firm Itron revealing unauthorized system access on April 13. The company, which serves more than 8,000 customers across 100 countries, disclosed in an SEC filing that operations continued “in all material respects” despite the breach.

Itron took action to remediate unauthorized activity and reported no subsequent compromise of corporate systems or customer-hosted portions of its infrastructure. The company expects insurance to cover significant incident response costs and does not anticipate material business impact.

No known ransomware or extortion group has claimed responsibility for the Itron attack. The incident demonstrates ongoing threats to critical infrastructure providers that manage essential utilities and services.

What This Means

The ransomware landscape shows clear stratification between sophisticated operations like The Gentlemen and flawed newcomers like Vect 2.0. Established groups are scaling rapidly using advanced techniques, while newer operations either self-destruct through infighting or deploy fundamentally broken encryption.

Organizations face a dual threat: technically sophisticated ransomware groups targeting corporate environments and increasingly subtle email attacks exploiting trusted business relationships. The shift toward behavioral exploitation means traditional security awareness training focused on obvious phishing indicators may prove insufficient.

Critical infrastructure attacks like the Itron breach highlight persistent threats to essential services, even as specific attribution remains unclear. The combination of sophisticated ransomware operations, flawed but destructive wipers, and relationship-based email attacks creates a complex threat environment requiring multi-layered defensive strategies.

FAQ

How quickly did The Gentlemen ransomware group scale operations?
The Gentlemen emerged in mid-2025 and claimed 202 attacks in just the first quarter, making it the second-most prolific ransomware group after Qilin. Check Point Research identified over 1,570 victims in its botnet.

What makes Vect 2.0 ransomware particularly dangerous?
Vect 2.0 contains a critical flaw that causes it to permanently delete files larger than 128KB instead of encrypting them. This makes recovery impossible even if victims pay ransom demands, effectively turning it into destructive wiper malware.

How are email attacks evolving beyond traditional phishing?
Attackers now exploit trusted business relationships and routine workflows rather than relying on technical vulnerabilities. Analysis shows 60% of business email compromise attacks use vendor impersonation, while phishing lures are tailored to specific industries and software environments.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.