Skip to content
Ransomware group EsxiLinuxWindows

The Gentlemen

The Gentlemen is a human-operated ransomware-as-a-service operation, also tracked as Storm-2697, that emerged in mid-2025 and rapidly became one of the most active ransomware brands by victim volume in 2026.

Profile source: Mallory opens in a new tab

The Gentlemen

Family profile

The Gentlemen is a human-operated ransomware-as-a-service operation, also tracked as Storm-2697, that emerged in mid-2025 and rapidly became one of the most active ransomware brands by victim volume in 2026. Multiple reports assess it as having roots in the Qilin ecosystem, including prior activity under the ArmCorp name, before evolving into an independent affiliate program with an unusually aggressive revenue split favoring affiliates. The operation is associated with Russian-speaking operators and follows a double-extortion model that combines data theft with file encryption and public leak-site pressure.

The malware family is notable for cross-platform ransomware development and aggressive enterprise-scale propagation. Its primary Windows encryptor is written in Go and has been described as obfuscated with Garble, while associated variants have also targeted Linux, NAS, BSD, and VMware ESXi environments, including a C-based ESXi locker. The ransomware uses hybrid cryptography based on Curve25519 or X25519 key exchange with XChaCha20 file encryption, commonly applies partial encryption to larger files for speed, and drops a ransom note associated with the operation. Some builds require a password at launch, which appears intended to hinder sandboxing and automated analysis.

A distinguishing feature of The Gentlemen is its worm-like spreading capability. When enabled, the malware can stage itself over SMB, enumerate reachable systems, and attempt numerous remote execution methods per host, including PsExec, scheduled tasks, services, WMI, WinRM, PowerShell remoting, and Group Policy-based deployment. Reporting also describes domain-wide propagation through NETLOGON and malicious GPO changes. This propagation logic, combined with pre-encryption defense weakening on remote hosts, allows a single foothold to escalate into broad network encryption.

The operation consistently demonstrates strong defense-evasion tradecraft. Observed behavior includes disabling Microsoft Defender, adding exclusions, deleting shadow copies, clearing Windows event logs, deleting forensic artifacts, stopping backup, database, virtualization, and security-related processes and services, and optionally wiping free space or self-deleting after execution. The group is also associated with dedicated security-killing tooling, including the GentleKiller framework and other EDR-killer utilities, as well as bring-your-own-vulnerable-driver techniques used to terminate protected security products. At least one intrusion involved suspected zero-day exploitation to disable endpoint defenses.

The Gentlemen’s intrusion lifecycle extends well beyond encryption. Reported operations include exploitation of internet-facing edge infrastructure, brute-force activity, use of stolen or leaked credentials, cooperation with initial access brokers, Active Directory reconnaissance, credential theft, privilege escalation, lateral movement, persistence through scheduled tasks and autoruns, and data exfiltration prior to ransomware deployment. Associated tooling and infrastructure have included custom Go backdoors, proxy malware, remote administration utilities, and common post-exploitation frameworks.

Initial access is most strongly associated with exploitation of exposed perimeter systems rather than phishing-centric delivery. Repeated reporting links the group to exploitation of edge-device vulnerabilities, especially in VPN and firewall appliances, as well as credential abuse against remote access services. The operation has also been linked to brute-force campaigns, NTLM relay-related activity, and use of compromised enterprise credentials and session material obtained from stealer ecosystems.

Victimology indicates broad global targeting across dozens of countries, with recurring impact in manufacturing, business services, technology, healthcare, transportation, financial services, construction, logistics, and other enterprise sectors. Manufacturing is repeatedly highlighted among the most affected sectors, consistent with the group’s focus on organizations where operational disruption increases ransom pressure. The Gentlemen’s combination of cross-platform lockers, rapid propagation, mature affiliate support, and strong anti-defense tradecraft makes it a high-impact ransomware threat to Windows-centric enterprise networks and mixed Windows-Linux-ESXi environments.

Capabilities

  • Brute Force
  • Byovd
  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Privilege Escalation
  • Reconnaissance
  • Scanning

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • DumpBrowserSecrets
  • Hydra
  • KslDump
  • KslKatz
  • XenAllPasswordPro

Defense Evasion

  • EDRStartupHinder
  • GFreeze
  • GLinker

Discovery Enum

  • ADFind
  • BloodHound
  • Censys
  • CertiHound
  • MANSPIDER
  • PowerZure
  • Shodan
  • gogo scanner
  • ldapdomaindump

Exfiltration

  • rclone

Networking

  • Chisel-ng
  • ProxyChains
  • Tor / Onion C2
  • openconnect

Offsec

  • Custom Go Locker (Windows/Linux/NAS)
  • NetExec (nxc)
  • PetitPotam
  • PrivHound
  • RegPwn
  • RelayKing
  • Responder
  • TrustedSec Titanis
  • Velociraptor
  • ZeroPulse
  • ntlmrelayx

RMM Tools

  • AnyDesk

Ransomware.live

Published indicators

Full source record ↗

Tox

1 total
  • F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E

Sha1

4 total
  • c12c4d58541cc4f75ae19b65295a52c559570054
  • c0979ec20b87084317d1bfa50405f7149c3b5c5f
  • df249727c12741ca176d5f1ccba3ce188a546d28
  • e00293ce0eb534874efd615ae590cf6aa3858ba4

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

9 named in public reporting
Akira

The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS.

Spikey Scorpius

The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS.

HasanBroker

The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025.

Storm-2697

The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026... the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation.

LARVA-368

The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026... the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation.

TheGentlemen

This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model.

phantom_mantis

In an analysis of the ransomware in late last year, LevelBlue's Cybereason team described The Gentlemen as a "highly adaptive, fast-moving ransomware operation" that combines mature ransomware techniques with RaaS features, double extortion, cross-platform lockers, and flexible propagation, and affiliate support.

ArmCorp

The Gentlemen за неполный год из осколка Qilin превратился во второго по активности RaaS-оператора в мире. Microsoft Threat Intelligence ведёт их инфраструктуру как Storm-2697.

Hastalamuerte

The Gentlemen is an active ransomware and extortion operation that emerged publicly in the second half of 2025 and rapidly scaled into a high-volume threat actor.

Exploited software

Vulnerabilities linked to The Gentlemen

9 CVEs

MITRE ATT&CK

The Gentlemen in ATT&CK

88 distinct techniques

Techniques

88 techniques
T1567 Exfiltration Over Web Service T1021.002 SMB/Windows Admin Shares T1562 Impair Defenses T1059.001 PowerShell T1486 Data Encrypted for Impact T1570 Lateral Tool Transfer T1070.004 File Deletion T1485 Data Destruction T1046 Network Service Discovery T1068 Exploitation for Privilege Escalation T1053 Scheduled Task/Job T1021 Remote Services T1543.003 Windows Service T1070.001 Clear Windows Event Logs T1657 Financial Theft T1562.001 Disable or Modify Tools T1490 Inhibit System Recovery T1033 System Owner/User Discovery T1018 Remote System Discovery T1489 Service Stop T1135 Network Share Discovery T1059.003 Windows Command Shell T1007 System Service Discovery T1083 File and Directory Discovery T1053.005 Scheduled Task T1057 Process Discovery T1047 Windows Management Instrumentation T1112 Modify Registry T1069 Permission Groups Discovery T1218.002 Control Panel T1021.006 Windows Remote Management T1003 OS Credential Dumping T1090 Proxy T1059 Command and Scripting Interpreter T1041 Exfiltration Over C2 Channel T1518 Software Discovery T1484.001 Group Policy Modification T1036.005 Match Legitimate Resource Name or Location T1027 Obfuscated Files or Information T1053.003 Cron T1547.009 Shortcut Modification T1573.002 Asymmetric Cryptography T1106 Native API T1491.001 Internal Defacement T1564.003 Hidden Window T1569.002 Service Execution T1036.004 Masquerade Task or Service T1078 Valid Accounts T1562.004 Disable or Modify System Firewall T1105 Ingress Tool Transfer T1189 Drive-by Compromise T1566 Phishing T1090.003 Multi-hop Proxy T1070 Indicator Removal T1203 Exploitation for Client Execution T1491 Defacement T1078.002 Valid Accounts: Domain Accounts T1133 External Remote Services T1190 Exploit Public-Facing Application T1072 Software Deployment Tools T1136 Create Account T1543 Create or Modify System Process T1547 Boot or Logon Autostart Execution T1187 Forced Authentication T1557 Adversary-in-the-Middle T1110 Brute Force T1552 Unsecured Credentials T1555 Credentials from Password Stores T1087 Account Discovery T1087.002 Account Discovery: Domain Account T1482 Domain Trust Discovery T1526 Cloud Service Discovery T1021.001 Remote Services: Remote Desktop Protocol T1021.004 Remote Services: SSH T1563 Remote Service Session Hijacking T1005 Data from Local System T1039 Data from Network Shared Drive T1074 Data Staged T1074.001 Data Staged: Local Data Staging T1114 Email Collection T1048 Exfiltration Over Alternative Protocol T1048.001 Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol T1537 Transfer Data to Cloud Account T1071 Application Layer Protocol T1071.001 Application Layer Protocol: Web Protocols T1219 Remote Access Software T1572 Protocol Tunneling T1573 Encrypted Channel

Reporting

Research mentioning The Gentlemen

Jul 13
Itsecurityguru

UK Cyber Attacks Climb 34% as Ransomware Leadership Shifts, Check Point Research Reveals - IT Security Guru

The Gentlemen, a ransomware-as-a-service operation founded in mid-2025, overtook Qilin to become the most active ransomware group, responsible for 17% of published attacks compared with Qilin’s 11%.

Jul 10
Palo Alto Networks Unit 42

No Manners Here: The Ruthless Rise of The Gentlemen Ransomware

The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS.

Jul 9
Trojan Killer News

GigaWiper Backdoor Can Wipe Disks on Command

For related cleanup planning, see Trojan Killer’s RAT, backdoor, and stealer cleanup hub, the PipeMagic backdoor removal guide, and our coverage of The Gentlemen ransomware worm-spread cleanup.

Jul 7
Cyber Security News

Gentlemen Ransomware Expands Global Attack Campaigns

The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026... the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation.

Jul 6
Cyber Security News

The Gentlemen Ransomware Uses 21 Remote Execution Techniques to Encrypt Entire Networks

A new ransomware strain called The Gentlemen has emerged as one of the more aggressive threats tracked this year, combining strong encryption with a self-spreading worm engine that can take down an entire corporate network from a single infected machine.

Jun 30
Expel

Not very gentlemanly: Analyzing a zero-day exploit used by The Gentlemen ransomware to disable targets’ EDRs | Expel

The Gentlemen are a relatively new ransomware group who first emerged in July of 2025. In an incident investigated by Expel, the group used a zero-day vulnerability to disable the target’s EDR, preventing it from intervening in their ransomware attack.

Jun 15
Security Affairs

Infostealers, AI, and a 90% Affiliate Cut Fuel The Gentlemen group’s Rise - Security Affairs

The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone.

Jun 15
Breachcache

The Gentlemen: An Affiliate's First Day on the Job / breachcache

The Gentlemen is a ransomware as a service operation that emerged in mid 2025. The first encryptor sample was uploaded to VirusTotal on July 17 2025 and already contained the leak site address.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.