The Latest on The Gentlemen Ransomware: A Fast Evolving Threat Manufacturers Cannot Ignore
The Gentlemen ransomware operation has rapidly become one of the most aggressive and technically sophisticated cybercrime groups targeting global organizations. What began as a small affiliate crew has evolved into a full‑scale ransomware‑as‑a‑service (RaaS) enterprise, responsible for 478 confirmed victims across multiple countries. Recent intelligence paints a clearer picture of how the group operates, who leads it, and why its attacks are becoming harder to defend against.
Below is a breakdown of the newest findings and what they mean for manufacturers and mid‑market businesses.
A Ransomware Group Built on RaaS Roots
New analysis shows The Gentlemen originally operated as an affiliate leveraging other RaaS platforms, including LockBit, Qilin, and Medusa. In July 2025, the group broke away and rebranded itself as an independent partnership program, no longer dependent on other ransomware operators.
This independence allowed them to scale quickly and aggressively.
The Leader Identified: LARVA‑368
The group is led by a Russian‑speaking cybercriminal known as LARVA‑368, who has used multiple aliases across underground forums. Investigations have linked this individual to prior ransomware groups and ultimately identified him as Alexander Andreevich Yapaev, a 36‑year‑old from Izhevsk, Russia.
This level of attribution is rare in ransomware operations, and underscores how active and visible the group has become.
AI‑Enhanced Ransomware Development
One of the most concerning revelations: The Gentlemen relies heavily on artificial intelligence to develop and maintain its ransomware tools.
This includes:
- Automated code generation
- AI‑assisted post‑exploitation
- Rapid iteration and patching cycles
This explains why the group was able to release a same‑day patch after a decryptor briefly exposed a weakness in April 2026.
A Worm‑Capable Encryptor
Microsoft’s latest analysis reveals that The Gentlemen ransomware includes a self‑propagating worm mode. When launched with the –spread argument, the malware attempts to deploy itself across every reachable system on the network.
This dramatically increases the blast radius of an attack, especially in flat or poorly segmented networks.
The ransomware also supports a –wipe mode that destroys recovery artifacts after encryption, making restoration significantly harder.
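As an added illustration (not code from the article or from Microsoft's analysis), the following triage routine flags process-creation events whose command line carries the spread or wipe switch described above. The event shape, host names and file paths are constructed samples, and the rule also folds Unicode dash variants to a plain hyphen so the switch is matched however a log source or copy-paste rendered it.

```python
import re

# Constructed process-creation events in a Sysmon/EDR-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "hmi-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "eng-ws-07", "image": r"C:\Users\Public\update.exe",
     "cmdline": "update.exe --spread"},
    {"host": "fs-02", "image": r"C:\ProgramData\svc.exe",
     "cmdline": "svc.exe \u2013wipe"},          # en dash, as the switch appears in the article
    {"host": "dc-01", "image": r"C:\Temp\x.exe",
     "cmdline": "x.exe --spread --wipe"},
    {"host": "erp-01", "image": r"C:\Program Files\app\app.exe",
     "cmdline": "app.exe --spreadsheet"},       # benign look-alike, must not match
]

# Hyphen, non-breaking hyphen, figure dash, en dash, em dash, minus sign.
DASH_VARIANTS = "\u2010\u2011\u2012\u2013\u2014\u2212"

def normalize(cmdline):
    """Fold Unicode dash variants to ASCII '-' so one rule covers '--spread' and '\u2013spread'."""
    return cmdline.translate({ord(c): "-" for c in DASH_VARIANTS})

# One or two leading dashes, the switch name, and whitespace or end-of-string on both sides,
# so '--spreadsheet' is not reported.
FLAG_RE = re.compile(r"(?<!\S)-{1,2}(spread|wipe)(?!\S)", re.IGNORECASE)

def flags_in(cmdline):
    """Return the sorted list of suspicious switches present in a command line."""
    return sorted({m.group(1).lower() for m in FLAG_RE.finditer(normalize(cmdline))})

def triage(events):
    """Return one finding per event carrying a suspicious switch; both switches together
    indicate worm mode plus recovery-artifact destruction and are rated critical."""
    findings = []
    for ev in events:
        flags = flags_in(ev["cmdline"])
        if not flags:
            continue
        severity = "critical" if flags == ["spread", "wipe"] else "high"
        findings.append({"host": ev["host"], "image": ev["image"],
                         "flags": flags, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():8} {f['host']:10} {f['image']}  flags={f['flags']}")
```

A switch name alone is a weak indicator, so corroborate any hit with the image path, signer and parent process before treating it as an active encryptor launch.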
A Global Victim Profile
While many ransomware groups focus heavily on U.S. targets, only 13% of The Gentlemen’s victims are U.S.-based. The majority are in:
- Thailand
- The U.K.
- Brazil
- Germany
- India
This global spread suggests a broad affiliate network and a willingness to exploit vulnerabilities wherever they appear.
A Highly Structured Criminal Enterprise
Leaked internal chat logs (more than 3,366 messages) reveal a well‑organized operation with clear roles, responsibilities, and internal support channels.
Key insights include:
- Dedicated support staff for affiliates
- Use of Tox, SimpleX, and Ricochet for secure communications
- A strict requirement that affiliates provide 1 GB of stolen data before gaining access to the panel, intended to keep out researchers and law enforcement
- A 90/10 profit split, heavily favoring affiliates and incentivizing rapid growth
This is not a loose collective; it is a structured business.
A Full Toolkit Covering Every Stage of Attack
Researchers recently discovered an exposed directory containing 126 files tied to a Gentlemen affiliate, including tools for:
- Reconnaissance
- Privilege escalation
- Credential theft
- Lateral movement
- Defense evasion
- Pre‑encryption preparation
This toolkit spans every phase of the intrusion lifecycle.
The group also uses red‑team‑style utilities such as NetExec, RelayKing, TaskHound, and CertiHound to move through Active Directory environments and escalate privileges.
Initial Access: Edge Devices and Known Vulnerabilities
The Gentlemen frequently target:
- VPN appliances
- Firewalls
- Internet‑facing systems
- Cisco and Fortinet devices in particular
They also actively track and exploit modern vulnerabilities, including CVE‑2024‑55591, CVE‑2025‑32433, and CVE‑2025‑33073, combining them with backup abuse and NTLM relay techniques for flexible exploitation paths.
Why This Matters for Manufacturers
Manufacturers are especially vulnerable because:
- Many rely on flat networks
- Legacy systems are difficult to patch
- Remote access is common
- OT/IT convergence increases attack surface
- VMware infrastructure — a known target — is widely used in production environments
The Gentlemen’s worm‑capable encryptor and AI‑driven development cycle make it uniquely dangerous in environments where uptime is critical and segmentation is limited.
How 2W Tech Can Help
Ransomware groups like The Gentlemen thrive in environments with legacy systems, weak segmentation, and inconsistent monitoring, all shared challenges in manufacturing. 2W Tech helps organizations close these gaps by combining modern cybersecurity architecture, Zero Trust principles, and OT‑aware security practices. We assess your current environment, identify high‑risk vulnerabilities, harden remote access, deploy advanced monitoring, and build a practical roadmap aligned with NIST and CMMC requirements. With 2W Tech as your partner, you can strengthen your defenses, reduce dwell time, and ensure your business is prepared for the next wave of ransomware threats.