Skip to main content
Emerging ThreatsMalware & Ransomware

The Gentlemen Ransomware Expands Reach with Lucrative Affiliate Model

Dimly lit server closet with cluttered computer equipment and cables.

The Gentlemen “offer an unprecedented 90% payout” to affiliates — a single fact that helps explain how a handful of operators scaled into one of 2026’s most active ransomware-as-a-service (RaaS) programs in less than a year.

A rapid, lucrative ascent: from ArmCorp affiliate to a standalone RaaS

Unit 42 traces The Gentlemen (also tracked as Storm-2697) to activity as an affiliate known as ArmCorp of Qilin RaaS (tracked as Spikey Scorpius) months before July 2025, and records public activity dating back to at least July 2025. The group reportedly morphed from a private entity into a RaaS model around September 2025, with roughly 20 operators involved in its core organization. The shift to a service model included unusually generous economics for affiliates — a 90% share of paid ransoms versus the more typical 70%–80% split — a change Unit 42 and other researchers say underwrote rapid expansion.

Custom tooling and evasive techniques: GentleKiller, backdoors, and a suspected zero-day

The Gentlemen deploy multiple bespoke tools. Unit 42 observed variants of their encryptors written in both C and Go, enabling broader reach across operating systems and virtual infrastructure. Researchers also identified a custom Go-based backdoor and an EDR-killer framework the report dubs “GentleKiller.” In addition, Unit 42 and others suspect The Gentlemen have used an unspecified zero-day exploit to amplify defense evasion. These capabilities sit alongside a varied set of initial-access methods: exploitation of edge-device and remote-access vulnerabilities (including firewalls and VPNs), brute-force attacks, use of leaked or stolen credentials, and collaboration with initial access brokers (IABs).

Scale and impact: 580 victims, 77 countries, and industrial exposure

Unit 42 and other security researchers report a sharp acceleration in victim counts in 2026. Through July 7, one reputable source had counted a total of 580 victims claimed by The Gentlemen across 77 countries since their inception; of those 580 victims, 103 operated within the manufacturing industry. Unit 42 documents that when comparing the last six months of 2025 to the first six months of 2026, the number of victims claimed by The Gentlemen rose by slightly more than sixfold. June 2026 represented their peak month to date with 117 claimed victims — nearly four times January 2026’s total — and Unit 42 characterizes The Gentlemen as the second most active RaaS program of 2026 by victim count, behind legacy big-game hunting programs such as Qilin and Akira (tracked as Howling Scorpius).

Immediate defensive actions Unit 42 recommends

Unit 42 lays out specific technical mitigations tied to The Gentlemen’s observed tactics and exploited vulnerabilities. For initial access, defenders should immediately scope for and patch CVE-2024-55591 (Fortinet FortiOS/FortiProxy), CVE-2025-32433 (Erlang/OTP SSH server), CVE-2025-33073 (Windows SMB Client), and CVE-2025-55182 (React2Shell), while maintaining strong visibility into internet-facing systems and auditing for prior exploitation of edge devices and RDP endpoints. For privilege escalation, scope for and patch CVE-2025-7771 (ThrottleStop.sys driver).

Operational detection and containment guidance includes creating high-severity SIEM alerts for scheduled tasks matching the string gentlemen*, enabling EDR tamper protection, and implementing behavioral alerts for use of wevtutil (to clear logs), vssadmin and wmic (to delete Volume Shadow Copies). Unit 42 also urges deployment of phishing-resistant multi-factor authentication, regular credential audits and rotations, monitoring for internal use of tools such as Advanced IP Scanner, enforcing strict SMB signing and disabling SMBv1, and treating ESXi management as tier‑0 infrastructure with SSH disabled by default and restricted to isolated management VLANs. Finally, defenders should monitor for anomalous outbound traffic over non-standard ports and traffic matching SystemBC communication signatures, and maintain and validate offline backup and recovery capabilities.

What this means for technologists, procurement leaders, and affected enterprises

  • Technologists and security teams: expect heightened focus on patching and detection for edge devices and hypervisor management interfaces, monitoring for the specific CVEs Unit 42 lists, and deploying behavioral alerts tied to Gentlemen tradecraft such as wevtutil and scheduled tasks named with “gentlemen*.”
  • Procurement and third‑party risk managers: The Gentlemen’s recruitment push — including a May 2026 announcement of a partnership with HasanBroker’s BreachForums — underscores the need to enforce strict security requirements for vendors and to monitor for breaches in third‑party tools and platforms.
  • Affected enterprises and backup owners: given the group’s emphasis on defense impairment and shadow-copy deletion, organizations should validate offline backups and recovery plans and ensure offline copies are isolated from hosts that operators could reach during an incident.

The Gentlemen’s combination of high affiliate payouts, custom tooling (GentleKiller and a Go backdoor), exploitation of multiple CVEs, and active recruitment via criminal forums has translated into rapid growth and a burdensome operational tempo for defenders. The leak of an internal database in May 2026 has already yielded additional intelligence, but Unit 42’s recommendations make clear that rapid patching, focused detection rules, and validated offline recovery remain the most immediate defenses against this emerging RaaS threat.

Original Unit 42 report