Gentlemen ransomware has emerged as a significant player in the cybersecurity landscape and is characterized as a Ransomware-as-a-Service (RaaS) operation that reached operational maturity rapidly. Launched in mid-2025, it employs a double-extortion model: data is exfiltrated before files are encrypted, and the group threatens to publish sensitive information on a dedicated Tor site if ransoms are not paid.
Its timeline reveals that the first known victim was JN Aceros, a steel company based in Peru, compromised on June 30, 2025. The group made its presence widely known by August 2025, when its leak site became operational and began listing targets. “The rapid progression in victim count—over 130 confirmed victims by early February 2026—highlights the group's aggressive tactics,” said a cybersecurity analyst familiar with ransomware trends.
Gentlemen's operational velocity is striking: the group listed 48 victims within the first two months of its leak site going live. This rate is consistent with affiliate-driven RaaS models and indicates that multiple operators are executing simultaneous attacks under a common umbrella.
Research into the group's origins suggests that a particular individual, operating under the moniker “hastalamuerte,” is linked to the operation. This actor was previously detected on underground forums seeking access to various established RaaS programs, including infamous names like LockBit and Medusa, before creating their proprietary platform. “This experimentation stage appears to have played a pivotal role in refining their operations and approach,” noted a cybersecurity expert.
Separately, another alias, “Zeta88,” surfaced on the RAMP cybercrime forum in September 2025, promoting the Gentlemen RaaS. Notably, the group's operational guidelines prohibit attacking entities in Russia or the CIS countries, an indication of adherence to certain regional and ethical dynamics within the ransomware ecosystem.
The range of targets remains broad, with the group focusing on key sectors such as manufacturing, technology, financial services, and healthcare. “Their choice of targeting indicates a crucial strategy, as the high-value data from these sectors promises substantial ransoms,” observed a cyber threat researcher. Other affected industries include education, construction, and energy, reflecting a willingness to target critical infrastructure.
Gentlemen ransomware predominantly targets medium to large enterprises that use centralized Active Directory systems, where centralized control points enable rapid domain-wide encryption. Hospitals, school districts, and multinational corporations have all fallen prey to its tactics. Analysts have noted that the United States ranks highest among targeted countries, with others in Asia-Pacific, South America, and Europe also affected. “The wide geographic span, coupled with their exclusion strategy for CIS states, suggests opportunistic targeting rather than a focused regional approach,” remarked a threat intelligence professional.
The operation's RaaS model further underlines its sophistication. Gentlemen provides affiliates with tailored builds that can be configured to suit various environments, including Windows and Linux systems. “Affiliates are given the tools to sustain and grow their operations efficiently, sharing a revenue model of 90% for the affiliate and 10% retained by the group,” explained a cybersecurity financial analyst.
With such a model, the operation has grown not just in numbers but also in complexity. This evolution raises a crucial question: where do we go from here? As Gentlemen ransomware continues to adapt and breach the defenses of organizations in numerous sectors, it underscores the growing need for robust cybersecurity measures across the board. The evolution of cyber threats demands a proactive response from organizations worldwide if they hope to mitigate these increasingly sophisticated threats.

