A new ransomware group called “The Gentlemen” claimed 202 attacks in the first quarter of 2026, making it the second-most active ransomware operation behind only Qilin’s 353 claims, according to Comparitech research. The gang, which emerged in mid-2025, has rapidly scaled operations using sophisticated tactics and a ransomware-as-a-service model.
Check Point Research this week published findings showing The Gentlemen operates a botnet of more than 1,570 victims, with infection patterns targeting “corporate and organizational environments rather than opportunistic consumer targeting.” The group uses double extortion tactics, combining file encryption with data theft threats to maximize ransom payments.
Sophisticated Attack Infrastructure
The Gentlemen deploys advanced malware including SystemBC, which Check Point researchers described as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.” This tool allows attackers to maintain persistent access to compromised networks while evading detection.
The gang’s technical capabilities include antivirus killers and complex infection chains that demonstrate a level of sophistication typically seen in more established ransomware operations. NCC Group tracking showed The Gentlemen conducted 34 attacks in January 2026 and 67 in February, placing it among the top-tier ransomware groups despite its recent emergence.
The rapid scaling suggests The Gentlemen either recruited experienced cybercriminals from other operations or developed their capabilities through partnerships with established threat actors in the ransomware ecosystem.
Industry Impact Beyond Ransomware
While The Gentlemen dominated headlines, other security incidents highlighted the evolving threat landscape. Energy and water management firm Itron disclosed unauthorized access to its systems on April 13, affecting a company that serves more than 8,000 customers across 100 countries.
Itron’s SEC filing stated that “operations have continued in all material respects” and that no unauthorized activity was observed in customer-hosted systems. The company expects insurance to cover a significant portion of incident response costs and does not anticipate material business impact.
Separately, security expert Angelo Martino of Florida pleaded guilty to aiding BlackCat ransomware attacks in 2023. Martino worked as a ransomware negotiator starting in April 2023, helping the cybercrime group extract higher ransom payments from victims.
Email Attacks Target Behavioral Weaknesses
Cybercriminals are shifting tactics from exploiting technical vulnerabilities to targeting behavioral and organizational weaknesses, according to Abnormal AI’s 2026 Attack Landscape Report. Analysis of nearly 800,000 email attacks across more than 4,600 organizations revealed this strategic pivot.
Phishing accounts for 58% of all email attacks, while business email compromise (BEC) comprises 11%. Vendor email compromise, a subset of BEC, represents more than 60% of all BEC attacks. More than 20% of phishing attacks now use redirect chains to obscure malicious pages from security tools.
Key attack trends include:
- File-sharing lures targeting industries where document exchange is routine
- Brand impersonation aligned with target organizations’ software environments
- Use of legitimate URL shorteners like tinyurl (31.6%) and t.co (26.6%) to evade detection
- Attacks designed to blend into normal business workflows
The report noted that “the same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected.”
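A defender-side illustration of the redirect-chain and URL-shortener trends above, added here as an example and not taken from the report or its sources: it rebuilds redirect chains from constructed web-proxy log records and tags each starting URL with triage signals. The log tuple layout, the `MAX_HOPS` cap, and the reason labels are assumptions.

```python
from urllib.parse import urlsplit

# Shorteners named in the report; extend from your own telemetry.
SHORTENERS = {"tinyurl.com", "t.co"}
MAX_HOPS = 10  # assumed cap on how many hops are followed

# Constructed sample: (requested URL, HTTP status, Location header) from a proxy log.
PROXY_LOG = [
    ("https://tinyurl.com/ex4mple", 301, "https://files.example.net/share?id=7"),
    ("https://files.example.net/share?id=7", 302, "https://cdn.example.org/r/9"),
    ("https://cdn.example.org/r/9", 302, "https://login.example.test/portal"),
    ("https://login.example.test/portal", 200, None),
    ("https://t.co/abc123", 301, "https://news.example.com/story"),
    ("https://news.example.com/story", 200, None),
    ("https://loop.example.net/a", 302, "https://loop.example.net/b"),
    ("https://loop.example.net/b", 302, "https://loop.example.net/a"),
]

def host(url):
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()

def resolve_chain(start, log=PROXY_LOG):
    """Follow the 3xx hops recorded in the log; returns (chain, looped)."""
    hops = {u: loc for u, status, loc in log if 300 <= status < 400 and loc}
    chain, seen = [start], {start}
    while chain[-1] in hops and len(chain) <= MAX_HOPS:
        nxt = hops[chain[-1]]
        if nxt in seen:          # redirect loop: stop instead of spinning
            return chain, True
        chain.append(nxt)
        seen.add(nxt)
    return chain, False

def assess(start, log=PROXY_LOG):
    """Tag a URL seen in an email with triage signals; signals are not verdicts."""
    chain, looped = resolve_chain(start, log)
    hosts = [host(u) for u in chain]
    reasons = []
    if hosts[0] in SHORTENERS:
        reasons.append("shortener")
    if len(chain) - 1 >= 2:
        reasons.append("multi-hop")
    if len(set(hosts)) >= 3:
        reasons.append("cross-domain")
    if looped:
        reasons.append("loop")
    return {"final": chain[-1], "hops": len(chain) - 1, "reasons": reasons}
```

A shortener on its own is common in legitimate mail, which is why the single-hop `t.co` sample carries only one signal while the three-hop chain carries three.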
Ransomware-as-a-Service Model Expansion
The Gentlemen’s rapid rise illustrates the continued growth of ransomware-as-a-service operations, where cybercrime groups provide ransomware tools and infrastructure to affiliates in exchange for a percentage of ransom payments. This model allows relatively new groups to achieve significant scale quickly.
The group’s focus on corporate targets aligns with broader industry trends showing ransomware operators prioritizing high-value organizational victims over individual consumers. Corporate targets typically have greater ability to pay large ransoms and face more pressure to restore operations quickly.
Check Point’s telemetry data from SystemBC command and control servers provided researchers with visibility into The Gentlemen’s victim base, revealing the scope of their operations across multiple geographic regions and industry sectors.
What This Means
The Gentlemen’s rapid ascent to second place among ransomware groups demonstrates how quickly new threat actors can achieve significant impact in today’s cybercrime ecosystem. Their sophisticated toolset and corporate focus suggest experienced operators either launched the group or joined from other operations.
For organizations, the shift toward behavioral targeting in email attacks requires security strategies that go beyond traditional technical controls. The blending of attacks into normal business workflows makes detection more challenging and emphasizes the need for user education and behavioral analytics.
The Itron incident highlights how even companies with robust operational continuity can face unauthorized access, while the Martino case shows how insider threats can emerge from unexpected sources within the security industry itself.
FAQ
How quickly did The Gentlemen ransomware group grow?
The Gentlemen emerged in mid-2025 and claimed 202 attacks in Q1 2026, making it the second-most active ransomware group behind Qilin. Check Point Research identified over 1,570 victims in their botnet infrastructure.
What makes The Gentlemen different from other ransomware groups?
The group uses sophisticated tools like SystemBC proxy malware, antivirus killers, and complex infection chains. They focus specifically on corporate and organizational targets rather than opportunistic consumer attacks, using double extortion tactics combining encryption and data theft.
How are email attacks evolving beyond traditional phishing?
Attackers are moving from exploiting technical vulnerabilities to targeting behavioral weaknesses and trusted relationships. Modern attacks use redirect chains, legitimate URL shorteners, and tactics designed to blend into normal business workflows, making them harder to detect through traditional security measures.






