- Home
- Cybercrime
- The Gentlemen: When Ransomware-as-a-Service Becomes an Industry
The Gentlemen: When Ransomware-as-a-Service Becomes an Industry
The rise of a new cybercriminal group
Emerging in mid-2025, The Gentlemen is a ransomware-as-a-service (RaaS) group attributed to Russian-speaking cybercriminals. In less than a year, it established itself as one of the most active players in the cybercriminal ecosystem thanks to a model based on a vast network of affiliates recruited through dark web forums, to whom it provides its ransomware infrastructure.
The group’s claimed victims are spread across more than 70 countries and mainly belong to the industrial, healthcare, insurance, and services sectors. Known for its aggressive tactics and strong capacity for adaptation, the group claims more than 340 victims and relies on malware developed in Go (Golang) capable of targeting Windows, Linux, NAS, and ESXi environments. Its business model is based on double extortion: before encrypting systems, the attackers exfiltrate sensitive data in order to threaten its publication should the victim refuse to pay.
According to researchers at Check Point Research, 1,570 corporate networks have reportedly been compromised by The Gentlemen, a figure far exceeding the number of victims publicly claimed on its leak site. This discrepancy suggests that a significant proportion of intrusions neither result in the publication of stolen data nor in an official claim, indicating operational activity that is far more extensive than what the publicly listed victims alone suggest.
The level of threat posed by The Gentlemen was notably demonstrated during the attack against Mackay Sugar, Australia’s second-largest raw sugar producer. The incident disrupted part of the company’s sugar mill operations in Queensland for nearly a week, demonstrating the group’s ability to cause cyber-physical disruptions directly affecting critical industrial infrastructure. Australia now ranks fourth among the countries most frequently targeted by the RaaS group.
An industrialized attack chain
The Gentlemen’s modus operandi follows a highly standardized sequence. The attack begins with the compromise of Internet-exposed services or administrative accounts, followed by a reconnaissance phase aimed at mapping the network and identifying critical systems. The attackers then progressively take control of the environment by using legitimate administration tools, a technique that helps them minimize detection.
Once elevated privileges have been obtained, they disable security solutions, deactivate antivirus and detection tools, and automate the propagation of the ransomware across the entire Windows domain. In line with the double extortion model, sensitive data is first exfiltrated before systems are encrypted. Finally, the cybercriminals sabotage recovery mechanisms, erase their traces, and deploy the ransomware in order to maximize operational disruption and increase pressure on the victim.
This organization reflects a high level of maturity. Far from being an improvised attack, The Gentlemen applies a methodical and repeatable attack chain, where each stage is optimized to maximize operational efficiency and the profitability of the ransomware-as-a-service model.
When a compromise becomes a showcase of the group’s capabilities
While The Gentlemen devotes considerable effort to preserving its anonymity and operational security, the group itself became the victim of a compromise. Following an attack targeting its hosting provider, 4VPS, more than 8,200 lines of internal conversations, screenshots, Bitcoin wallets, and numerous technical artifacts were leaked.
This breach represents an intelligence source of exceptional value. Beyond the anecdotal aspect of “hackers being hacked,” it reveals the inner workings of a criminal organization whose operating model increasingly resembles that of a ransomware company. Contrary to the traditional image of a hacking group conducting its own attacks, The Gentlemen adopts the ransomware-as-a-service (RaaS) model. Developers design and maintain the ransomware, administer the technical infrastructure, and ensure its continuous evolution, while affiliates recruited through dark web forums are responsible for compromising victims’ networks, deploying the malware, and negotiating ransom payments. In return, they pay a commission to the platform operators.
To attract these affiliates, The Gentlemen relies on an especially aggressive compensation policy. The group pays 90% of ransom proceeds to operators using its infrastructure, compared with approximately 80% in most competing RaaS programs. In 2026, it pushed this strategy even further by offering 97% of the revenue for extortion campaigns based solely on data theft, without encrypting systems. This strategy reflects the evolution of ransomware business models, where extortion is gradually taking precedence over encryption.
This pricing policy represents a genuine competitive advantage within the underground economy. The objective is clear: to attract experienced cybercriminals, particularly those coming from competing programs such as LockBit, by offering them higher financial rewards. Recruitment takes place primarily on dark web forums, where the group publishes advertisements detailing the performance of its malware, the tools available to affiliates, and the financial conditions offered. This competitive approach, focused on recruitment, retention, and revenue sharing, illustrates how ransomware has evolved into a true platform economy, in which developers and affiliates divide responsibilities across a well-established value chain.
Ultimately, the most significant revelation of this leak is not technical but organizational. The Gentlemen illustrates a profound transformation of cybercrime: the lone hacker is gradually giving way to a structured economy in which developers, affiliates, initial access brokers, and ransom negotiators occupy specialized roles within a genuine criminal platform. The principles of legitimate businesses—recruitment, innovation, competitive advantage, and revenue sharing—now lie at the very core of ransomware-as-a-service business models.
the newsletter
the newsletter