Advertisement
Cyber Crime

The Gentlemen Rises to Ransomware Peak

A newcomer has displaced established groups to become the most active ransomware threat, fueled by aggressive recruitment and AI.

··2 hours ago·2 min read
black laptop computer turned on with green screen
Photo by Moritz Erken on Unsplash
Advertisement

A fundamental shift is reshaping the digital extortion landscape as emerging players rewrite the rules of engagement. Recent research points to a new, highly active entity that has rapidly scaled its operations, leaving previously dominant ransomware syndicates struggling to maintain their top-tier status.

A Shift in Extortion Dominance

The cyber extortion market has experienced a significant transition during the period between March and May 2026. A group identified as The Gentlemen has emerged as the most prolific threat actor, surpassing the Qilin ransomware affiliate operation, which had consistently led the market throughout the previous year. This rapid ascent reflects a changing environment where newcomers can leverage specialized kits to outpace legacy operations.

The Mechanics of Rapid Growth

The success of this group is attributed to a combination of accessible tooling and aggressive affiliate recruitment strategies. By providing a streamlined intrusion kit, the organization has effectively lowered the barrier to entry for prospective attackers. This, coupled with the integration of AI tools to accelerate development cycles, allows them to push updates and new iterations faster than their competitors.

“The Gentlemen became the most-active group, powered by aggressive affiliate recruitment and a well-packaged intrusion kit that lowers the bar for new operators,”

— Tristano Di Liberto, security analyst at ReliaQuest

The group’s operational model includes comprehensive playbooks that guide affiliates through the entire attack chain. These resources cover critical stages, including identifying target edge devices, managing command server tunneling, and executing SMB encryption. The organization's ability to iterate quickly using AI-accelerated build pipelines creates a compelling incentive for affiliates to migrate away from traditional ransomware-as-a-service providers.

Quantifying the Ransomware Surge

  • 300 incidents were attributed to The Gentlemen between March and May 2026.
  • 289 incidents were reported for Qilin during the same timeframe.
  • 1368 total victim claims were tracked across 11 different ransomware groups.
  • 99 countries were affected by these extortion events.
  • 150 to 100 incidents each were recorded for groups including DragonForce, Akira, and LockBit.

Implications for Network Defense

For organizations, the primary risk lies in the group's highly effective, pre-packaged intrusion methods. Because these tools are designed to facilitate quick deployments, security teams face a shorter window for detection and response. To counter these threats, experts recommend a rigorous approach to hygiene, such as strictly limiting RDP and remote access, enforcing block lists for vulnerable drivers, and monitoring for suspicious blockchain RPC or session messenger traffic. Defending against such an active and well-resourced adversary requires moving beyond standard security postures to focus on hardening identity systems against common tactics like vishing and Adversary-in-the-Middle (AiTM) attacks.

#ransomware#cybercrime#the gentlemen#infosec#ai

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement