“The Gentlemen became the most-active group, powered by aggressive affiliate recruitment and a well-packaged intrusion kit that lowers the bar for new operators,” wrote Tristano Di Liberto, security analyst at ReliaQuest.
The Gentlemen's rise: 300 incidents in a three-month snapshot
Cybersecurity researchers at ReliaQuest reported on July 16 that The Gentlemen ransomware operation was responsible for the most attacks during the three-month period under review, accounting for 300 incidents. That tally put The Gentlemen ahead of the Qilin affiliate operation, which ReliaQuest recorded at 289 incidents “between May and March,” dropping Qilin to the second most prolific group for that window.
ReliaQuest’s tracking identified 1,368 claims of victims from 11 ransomware groups posted on data leak sites, with those alleged victims spread across 99 countries. The Gentlemen’s 300 incidents therefore represent the single largest share of observed leak-site claims in that dataset for the reporting period.
What The Gentlemen’s intrusion kit includes
ReliaQuest’s analysis points to a pre-packaged, easy-to-use suite of tools that affiliates receive from The Gentlemen as a material driver of the group’s growth. The tooling reportedly includes a playbook that maps the attack chain and workflow for operators; guidance on which edge devices to target for exploitation; techniques for using lightweight tunneling tools to maintain access to command servers; and instructions for deploying single-host Server Message Block (SMB) encryption.
ReliaQuest framed those elements as lowering the technical bar for new affiliates, making it easier for less-experienced operators to join or to move from rival providers.
AI-acceleration and affiliate economics
Leaked chat logs examined by ReliaQuest suggest The Gentlemen has incorporated AI tools into its development pipeline. According to the report, that use of AI has sped up the creation of new versions and tooling relative to some rival ransomware groups that have not embraced AI-driven development.
Tristano Di Liberto summed up the operational effect in two linked observations: “It runs proven affiliate throughput, ships tools faster than most rivals through its AI-accelerated build pipeline and offers a pre-packaged intrusion kit that shortens ramp-up.” ReliaQuest warned that these dynamics could encourage affiliates to abandon other providers in favor of The Gentlemen, reinforcing the group’s recruitment-driven growth.
Where Qilin, DragonForce, Akira and LockBit now sit
The report noted that Qilin — the most prolific affiliate operation during each quarter of the previous year — fell to second place for the most-recent three-month period. ReliaQuest recorded Qilin at 289 incidents for the period it described as “between May and March.”
Other notable ransomware crews — DragonForce, Akira and LockBit — were observed at materially lower volumes, with ReliaQuest placing them each in the roughly 100–150 incident range during the same timeframe. ReliaQuest characterized those groups as having been responsible for some of the most significant incidents in recent years, but flagged that they “appear to have been surpassed by a relative newcomer to the scene.”
What this means for cybersecurity leaders, enterprises, and affiliates
- Cybersecurity leaders and defenders: ReliaQuest explicitly recommended steps to strengthen networks and harden users against common intrusion methods — restrict RDP and remote access; enforce Microsoft’s vulnerable‑driver block list; monitor blockchain RPC and session messenger egress; and harden identity against vishing and Adversary‑in‑the‑Middle (AiTM) attacks. Those recommendations target the use-cases and tooling ReliaQuest linked to The Gentlemen’s intrusion kit.
- Enterprises and affected organizations: With 1,368 claims across 99 countries posted to data leak sites during the measured period, organizations should assume that attackers are optimizing both tooling and recruitment to find lower-effort paths to compromise. Monitoring for the specific tactics ReliaQuest highlights — remote access abuse, vulnerable drivers, tunneling egress, and identity-targeting social techniques — aligns with the report’s findings.
- Affiliates and rival ransomware providers: ReliaQuest’s analysis indicates an operational advantage for groups that provide high-throughput affiliate programs and rapid tool iteration. The report warns that affiliates may switch providers if a rival offers faster tooling and a shorter ramp-up via playbooks and pre-packaged kits.
ReliaQuest’s July 16 analysis paints a picture of a ransomware-as-a-service operation that has combined recruitment, commoditized tooling and AI-accelerated development to overtake established affiliates in sheer observed volume. As ReliaQuest’s Tristano Di Liberto warned, “The pressure The Gentlemen applies is likely to persist into Q3,” leaving defenders to decide whether their controls and monitoring are tuned to the specific attack paths the group appears to favor.
https://www.infosecurity-magazine.com/news/the-gentlemen-most-prolific/




