Credential Theft
- DumpBrowserSecrets
- Hydra
- KslDump
- KslKatz
- XenAllPasswordPro
The Gentlemen is a human-operated ransomware-as-a-service operation, also tracked as Storm-2697, that emerged in mid-2025 and rapidly became one of the most active ransomware brands by victim volume in 2026.
Profile source: Mallory opens in a new tabThe Gentlemen
The Gentlemen is a human-operated ransomware-as-a-service operation, also tracked as Storm-2697, that emerged in mid-2025 and rapidly became one of the most active ransomware brands by victim volume in 2026. Multiple reports assess it as having roots in the Qilin ecosystem, including prior activity under the ArmCorp name, before evolving into an independent affiliate program with an unusually aggressive revenue split favoring affiliates. The operation is associated with Russian-speaking operators and follows a double-extortion model that combines data theft with file encryption and public leak-site pressure.
The malware family is notable for cross-platform ransomware development and aggressive enterprise-scale propagation. Its primary Windows encryptor is written in Go and has been described as obfuscated with Garble, while associated variants have also targeted Linux, NAS, BSD, and VMware ESXi environments, including a C-based ESXi locker. The ransomware uses hybrid cryptography based on Curve25519 or X25519 key exchange with XChaCha20 file encryption, commonly applies partial encryption to larger files for speed, and drops a ransom note associated with the operation. Some builds require a password at launch, which appears intended to hinder sandboxing and automated analysis.
A distinguishing feature of The Gentlemen is its worm-like spreading capability. When enabled, the malware can stage itself over SMB, enumerate reachable systems, and attempt numerous remote execution methods per host, including PsExec, scheduled tasks, services, WMI, WinRM, PowerShell remoting, and Group Policy-based deployment. Reporting also describes domain-wide propagation through NETLOGON and malicious GPO changes. This propagation logic, combined with pre-encryption defense weakening on remote hosts, allows a single foothold to escalate into broad network encryption.
The operation consistently demonstrates strong defense-evasion tradecraft. Observed behavior includes disabling Microsoft Defender, adding exclusions, deleting shadow copies, clearing Windows event logs, deleting forensic artifacts, stopping backup, database, virtualization, and security-related processes and services, and optionally wiping free space or self-deleting after execution. The group is also associated with dedicated security-killing tooling, including the GentleKiller framework and other EDR-killer utilities, as well as bring-your-own-vulnerable-driver techniques used to terminate protected security products. At least one intrusion involved suspected zero-day exploitation to disable endpoint defenses.
The Gentlemen’s intrusion lifecycle extends well beyond encryption. Reported operations include exploitation of internet-facing edge infrastructure, brute-force activity, use of stolen or leaked credentials, cooperation with initial access brokers, Active Directory reconnaissance, credential theft, privilege escalation, lateral movement, persistence through scheduled tasks and autoruns, and data exfiltration prior to ransomware deployment. Associated tooling and infrastructure have included custom Go backdoors, proxy malware, remote administration utilities, and common post-exploitation frameworks.
Initial access is most strongly associated with exploitation of exposed perimeter systems rather than phishing-centric delivery. Repeated reporting links the group to exploitation of edge-device vulnerabilities, especially in VPN and firewall appliances, as well as credential abuse against remote access services. The operation has also been linked to brute-force campaigns, NTLM relay-related activity, and use of compromised enterprise credentials and session material obtained from stealer ecosystems.
Victimology indicates broad global targeting across dozens of countries, with recurring impact in manufacturing, business services, technology, healthcare, transportation, financial services, construction, logistics, and other enterprise sectors. Manufacturing is repeatedly highlighted among the most affected sectors, consistent with the group’s focus on organizations where operational disruption increases ransom pressure. The Gentlemen’s combination of cross-platform lockers, rapid propagation, mature affiliate support, and strong anti-defense tradecraft makes it a high-impact ransomware threat to Windows-centric enterprise networks and mixed Windows-Linux-ESXi environments.
Ransomware.live
Ransomware.live
F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098Ec12c4d58541cc4f75ae19b65295a52c559570054c0979ec20b87084317d1bfa50405f7149c3b5c5fdf249727c12741ca176d5f1ccba3ce188a546d28e00293ce0eb534874efd615ae590cf6aa3858ba4Ransomware.live
Reported operators
The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS.
The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS.
The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025.
The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026... the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation.
The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026... the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation.
This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model.
In an analysis of the ransomware in late last year, LevelBlue's Cybereason team described The Gentlemen as a "highly adaptive, fast-moving ransomware operation" that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, and flexible propagation, and affiliate support.
The Gentlemen за неполный год из осколка Qilin превратился во второго по активности RaaS-оператора в мире. Microsoft Threat Intelligence ведёт их инфраструктуру как Storm-2697.
The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025 and rapidly scaled into a high-volume threat actor.
Exploited software
MITRE ATT&CK
Reporting
The Gentlemen, a ransomware-as-a-service operation founded in mid-2025, overtook Qilin to become the most active ransomware group, responsible for 17% of published attacks compared with Qilin’s 11%.
The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS.
For related cleanup planning, see Trojan Killer’s RAT, backdoor, and stealer cleanup hub, the PipeMagic backdoor removal guide, and our coverage of The Gentlemen ransomware worm-spread cleanup.
The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026... the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation.
A new ransomware strain called The Gentlemen has emerged as one of the more aggressive threats tracked this year, combining strong encryption with a self-spreading worm engine that can take down an entire corporate network from a single infected machine.
The Gentlemen are a relatively new ransomware group who first emerged in July of 2025. In an incident investigated by Expel, the group used a zero-day vulnerability to disable the target’s EDR, preventing it from intervening in their ransomware attack.
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.
The Gentlemen is a ransomware as a service operation that emerged in mid 2025. The first encryptor sample was uploaded to VirusTotal on July 17 2025 and already contained the leak site address.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.