The Gentlemen Rises to Ransomware Peak
A newcomer has displaced established groups to become the most active ransomware threat, fueled by aggressive recruitment and AI.
A fundamental shift is reshaping the digital extortion landscape as emerging players rewrite the rules of engagement. Recent research points to a new, highly active entity that has rapidly scaled its operations, leaving previously dominant ransomware syndicates struggling to maintain their top-tier status.
A Shift in Extortion Dominance
The cyber extortion market has experienced a significant transition during the period between March and May 2026. A group identified as The Gentlemen has emerged as the most prolific threat actor, surpassing the Qilin ransomware affiliate operation, which had consistently led the market throughout the previous year. This rapid ascent reflects a changing environment where newcomers can leverage specialized kits to outpace legacy operations.
The Mechanics of Rapid Growth
The success of this group is attributed to a combination of accessible tooling and aggressive affiliate recruitment strategies. By providing a streamlined intrusion kit, the organization has effectively lowered the barrier to entry for prospective attackers. This, coupled with the integration of AI tools to accelerate development cycles, allows them to push updates and new iterations faster than their competitors.
“The Gentlemen became the most-active group, powered by aggressive affiliate recruitment and a well-packaged intrusion kit that lowers the bar for new operators,”
— Tristano Di Liberto, security analyst at ReliaQuest
The group’s operational model includes comprehensive playbooks that guide affiliates through the entire attack chain. These resources cover critical stages, including identifying target edge devices, managing command server tunneling, and executing SMB encryption. The organization's ability to iterate quickly using AI-accelerated build pipelines creates a compelling incentive for affiliates to migrate away from traditional ransomware-as-a-service providers.
Quantifying the Ransomware Surge
- 300 incidents were attributed to The Gentlemen between March and May 2026.
- 289 incidents were reported for Qilin during the same timeframe.
- 1368 total victim claims were tracked across 11 different ransomware groups.
- 99 countries were affected by these extortion events.
- 150 to 100 incidents each were recorded for groups including DragonForce, Akira, and LockBit.
Implications for Network Defense
For organizations, the primary risk lies in the group's highly effective, pre-packaged intrusion methods. Because these tools are designed to facilitate quick deployments, security teams face a shorter window for detection and response. To counter these threats, experts recommend a rigorous approach to hygiene, such as strictly limiting RDP and remote access, enforcing block lists for vulnerable drivers, and monitoring for suspicious blockchain RPC or session messenger traffic. Defending against such an active and well-resourced adversary requires moving beyond standard security postures to focus on hardening identity systems against common tactics like vishing and Adversary-in-the-Middle (AiTM) attacks.
Continue Reading
GoSerpent Malware’s Deep State Intrusion
A newly identified backdoor is enabling long-term espionage against Southeast Asian government and diplomatic networks.
Ransomware Halt: Fairlife Output Stalled
A cyberattack targeting Fairlife has forced an immediate, temporary suspension of production for the Coca-Cola dairy subsidiary.
Phishing Masks Malware as TrueType Fonts
A persistent phishing operation is weaponizing fake TrueType font files to distribute infostealers and remote access trojans.