The Gentlemen Ransomware: 478 Victims and Worm-Like Spread

The Gentlemen ransomware group has claimed 478 victims using double extortion and worm-like spread. Learn how they operate and how to defend against them.

A new deep dive into The Gentlemen ransomware operation has uncovered that this financially motivated group did not start out as a standalone threat. Instead, they began as an affiliate running double-extortion attacks, borrowing tools and tactics from major ransomware-as-a-service (RaaS) outfits like LockBit (Tenacious Mantis), Qilin (Pestilent Mantis), and Medusa (Venomous Mantis). That's a lot of mantises in one kitchen, and it tells us something important: The Gentlemen are opportunists, not innovators.

According to the report, the group has already claimed 478 victims. That is not a small number by any stretch. And here's the scary part: their payload can spread like a worm, moving laterally across a network with little friction. So if you work in cybersecurity, or you are simply trying to keep your business safe, you need to understand what you're up against.

### Who Are The Gentlemen?

The Gentlemen aren't your typical ransomware crew. They're a hybrid: part affiliate, part independent operator. They started by piggybacking on established RaaS platforms, which gave them access to proven encryption methods and negotiation playbooks. Think of it like a startup using an established franchise's supply chain: it's cheaper, faster, and less risky than building everything from scratch.

But here's the twist: they've now evolved. The group has developed its own worm-like propagation capability, meaning they don't need human intervention to spread once they breach a network. That's a game-changer because it increases the speed and scale of an attack dramatically.

### How Does the Worm-Like Spread Work?

Worm-like spread is exactly what it sounds like. Once The Gentlemen gain initial access, often through phishing emails or by exploiting unpatched vulnerabilities, they deploy a payload that automatically scans for other reachable devices on the network and spreads to them. It doesn't wait for a command. It just moves, like a virus in a crowded room.

This is different from traditional ransomware, which usually requires an attacker to move laterally by hand. The Gentlemen's approach is faster and harder to stop. If you have one infected workstation, you could have a hundred within minutes. The flip side is worth remembering: a self-propagating payload can only reach what the compromised host can reach, so the blast radius is set by your network design, not by the attacker's patience.

### Double Extortion: The Real Teeth

Double extortion is their bread and butter. They don't just encrypt your files; they exfiltrate them first. Then they threaten to leak the sensitive data if you don't pay up. This puts victims in a bind: even if you have good backups, you still face the risk of a public data breach. The group has been known to demand ransoms ranging from $50,000 to over $1 million, depending on the target's size and industry. Healthcare, finance, and manufacturing have been hit hardest.

### What Can You Do to Protect Yourself?

Here are a few practical steps to reduce your risk:

- Patch regularly. The Gentlemen often exploit known vulnerabilities. Keep your software up to date, and prioritize anything exposed to the internet.
- Segment your network. If one part gets infected, segmentation can stop the worm from spreading everywhere. Workstations rarely need to talk to each other over SMB or RDP, so block that peer-to-peer traffic and you remove the worm's easiest path.
- Use strong endpoint detection and response (EDR) tools. They can catch worm-like behavior early, for example a single host suddenly opening connections to many of its neighbors.
- Train your team. Phishing is still their favorite entry point. Make sure everyone knows how to spot a suspicious email.
- Have an incident response plan. If you get hit, every second counts, and isolating the first infected host is the step that buys you the most time.

### The Bottom Line

The Gentlemen ransomware is a wake-up call. It shows how threat actors are combining the best (or worst) of different attack methods to create something more dangerous. They're not just copying; they're adapting. And with 478 victims already, they're not going away anytime soon. Stay vigilant. Stay patched. And remember: in the world of cybersecurity, complacency is the real enemy.
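The worm-like spread and the EDR advice above share one observable: a single host that fans out to many internal destinations in a short window, which is what an automated lateral-movement payload looks like on the wire and what a hand-driven attacker rarely does at that speed. The following is an added example written for this page, not code from the original article or from any vendor product. It runs a sliding-window fan-out detector over a small set of constructed connection records (timestamp, source host, destination host, port); the log format, the 60-second window, the threshold of eight distinct destinations, and the `scan-01` allowlist entry are all assumptions chosen for illustration, and you would tune them to your own telemetry (EDR network events, firewall logs, or Windows logon events with logon type 3).

```python
"""Sliding-window fan-out detector for worm-like lateral movement.

Added example, not from the original article. It flags any source host that
reaches at least `threshold` distinct destinations inside any `window`-long
interval. Log format and thresholds are assumptions for illustration.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of internal SMB (tcp/445) connection records:
#   <ISO timestamp> <source host> <destination host> <port>
# ws-012 behaves like a self-propagating payload (10 hosts in 12 seconds),
# ws-044 is normal file-server use, scan-01 is a known vulnerability scanner,
# and ws-077 is a helpdesk machine that touches 8 hosts over 35 minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ws-012 fs-01 445
2024-05-01T10:00:03 ws-012 ws-013 445
2024-05-01T10:00:04 ws-012 ws-014 445
2024-05-01T10:00:06 ws-012 ws-015 445
2024-05-01T10:00:07 ws-012 ws-016 445
2024-05-01T10:00:08 ws-012 ws-017 445
2024-05-01T10:00:09 ws-012 ws-018 445
2024-05-01T10:00:11 ws-012 ws-019 445
2024-05-01T10:00:12 ws-012 ws-020 445
2024-05-01T10:00:13 ws-012 ws-021 445
2024-05-01T10:05:00 ws-044 fs-01 445
2024-05-01T10:15:00 ws-044 print-01 445
2024-05-01T11:00:00 scan-01 ws-013 445
2024-05-01T11:00:02 scan-01 ws-014 445
2024-05-01T11:00:04 scan-01 ws-015 445
2024-05-01T11:00:06 scan-01 ws-016 445
2024-05-01T11:00:08 scan-01 ws-017 445
2024-05-01T11:00:10 scan-01 ws-018 445
2024-05-01T11:00:12 scan-01 ws-019 445
2024-05-01T11:00:14 scan-01 ws-020 445
2024-05-01T11:00:16 scan-01 ws-021 445
2024-05-01T12:00:00 ws-077 ws-030 445
2024-05-01T12:05:00 ws-077 ws-031 445
2024-05-01T12:10:00 ws-077 ws-032 445
2024-05-01T12:15:00 ws-077 ws-033 445
2024-05-01T12:20:00 ws-077 ws-034 445
2024-05-01T12:25:00 ws-077 ws-035 445
2024-05-01T12:30:00 ws-077 ws-036 445
2024-05-01T12:35:00 ws-077 ws-037 445
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into (ts, src, dst, port)
    tuples sorted by time, skipping blank and '#' comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    records.sort(key=lambda r: r[0])
    return records


def detect_fanout(records, window=timedelta(seconds=60), threshold=8,
                  allowlist=frozenset()):
    """Return one alert per source host that contacted >= threshold distinct
    destinations within any interval of length `window`.

    `allowlist` names hosts that legitimately fan out (vulnerability scanners,
    patch servers) so they do not drown the worm signal in noise.
    """
    recent = defaultdict(deque)      # src -> deque of (ts, dst) inside window
    distinct = defaultdict(Counter)  # src -> dst -> hits inside window
    alerts = {}
    for ts, src, dst, _port in records:
        if src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        distinct[src][dst] += 1
        # Expire records that fell out of the window and drop destinations
        # that no longer have any hit inside it.
        while q and ts - q[0][0] > window:
            _old_ts, old_dst = q.popleft()
            distinct[src][old_dst] -= 1
            if distinct[src][old_dst] == 0:
                del distinct[src][old_dst]
        n = len(distinct[src])
        if n >= threshold and src not in alerts:
            alerts[src] = {
                "source": src,
                "first_seen": q[0][0],
                "triggered": ts,
                "distinct_destinations": n,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG),
                               allowlist=frozenset({"scan-01"})):
        print(f"ALERT {alert['source']}: {alert['distinct_destinations']} hosts "
              f"between {alert['first_seen']:%H:%M:%S} and "
              f"{alert['triggered']:%H:%M:%S}")
```

With the allowlist in place only `ws-012` fires, and it fires on its eighth distinct neighbor at 10:00:11, ten seconds after the first connection, which is the kind of lead time an automated response (isolate the host at the switch or via EDR) needs. Drop `scan-01` from the allowlist and the scanner fires too, which is why the allowlist exists; the helpdesk machine `ws-077` never fires because its fan-out is spread over half an hour and the sliding window expires each hit before the next one arrives. The detector is deliberately blind to which tool the payload used, so it keeps working when the group swaps one copy-and-execute mechanism for another.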