The Gentlemen ransomware used infostealer credentials, AI tools, and affiliates to hit 483 victims across 66 countries in under a year.
The Gentlemen surfaced as a ransomware operation in September 2025 and by June 13, 2026 had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone. That makes them the second most prolific ransomware brand of the year by published victim count, behind only Qilin. A May 2026 leak of the group’s internal chat logs handed researchers at KELA a rare look inside: nine core members, AI-assisted tooling, and an access model built almost entirely on credentials stolen by commodity infostealer malware.
The affiliate model is straightforward and aggressive. A small core team builds and maintains the ransomware and the negotiation panel. External operators carry out the actual intrusions and keep 90% of each ransom, which is a generous split even by current standards. The leaked chats, spanning November 7, 2025 to April 30, 2026, read less like a criminal conspiracy than a small product team arguing about infrastructure choices and which AI model to use for data analysis.
The victim distribution breaks from the typical ransomware pattern. Only about 15% of listed victims are in the United States, well below the 40-50% that US targets represent across most major leak sites.
“The rest are spread across Thailand, Brazil, the United Kingdom, France, India, Germany, Italy, Japan, Taiwan, and Spain. The leaked chats explain why: operators were told to prioritise what they called Tier 1 to 3 countries and Latin America, and to weigh operational pain over raw revenue, reasoning that a 20 million dollar utility can pay faster than a 200 million dollar manufacturer if the lock genuinely halts the business.” reads the report published by The RansomNews research team.
Manufacturing is the top targeted sector, followed by technology, business services, and healthcare with 44 listed victims.
Initial access is where the group concentrates its energy, not encryption. Operators scanned for and exploited internet-facing vulnerabilities including the FortiOS authentication-bypass flaw CVE-2024-55591, alongside older Active Directory weaknesses like ZeroLogon and PetitPotam. When no exploit was available, they used valid credentials stolen from compromised Outlook Web Access mailboxes, both to find VPN logins and to send phishing from trusted internal accounts that recipients had no reason to distrust.
The infostealer connection is the thread that ties the whole operation together. Ransomnews cross-referenced a sample of named Gentlemen victims against the alerts.bar infostealer index, which tracks credentials and session cookies exposed in stealer logs. Several victims had live corporate logins or active session tokens sitting in stealer data before they appeared on the leak site. One example, Philippine logistics firm 2GO, showed six employee logins, seven customer logins, and 38 active session tokens already exposed.
“That is the access pattern the leaked chats describe hunting for, observed in the wild against a real victim.” continues the report. “Stolen session cookies are why dark-web and infostealer monitoring now belongs in the same risk tier as patch management.”
Three things from the leaked chats deserve attention. First, the group studied the February 2025 Black Basta chat leak and treated it as a training manual, copying phishing and mailbox-abuse workflows rather than building their own from scratch. Second, the operation is openly AI-assisted.
“Administrator zeta88 said he ‘vibe-coded’ the negotiation panel in three days, and the crew discussed uncensored or ‘abliterated’ open-weight models, including a stripped-down Qwen variant, for coding and for reasoning over hundreds of gigabytes of stolen data.” continues the report.
This is one of the clearer documented cases of a ransomware crew actually using large language models in day-to-day operations rather than just talking about it.
Third, the extortion approach is willing to get personal. KELA observed operators testing pressure on a victim using sensitive medical content sent from a compromised personal mailbox. Microsoft has separately documented a self-propagating Go-based encryptor attributed to the group, but the real leverage increasingly comes from the stolen data and the victim’s own contact list, not the locked files. Encrypting your files is almost a courtesy at this point.
Nothing about defending against The Gentlemen requires exotic tools. Patch internet-facing devices fast, treat FortiOS CVE-2024-55591 and similar VPN flaws as emergencies rather than scheduled maintenance. When an infostealer infection touches corporate credentials, treat it as a breach and revoke sessions immediately. Move high-value access to hardware-backed or passkey authentication that doesn’t produce replayable session cookies, because stolen cookies defeat SMS and push-based MFA entirely. Harden Active Directory against ZeroLogon and PetitPotam, segment the network so one compromised host can’t reach everything, and keep offline tested backups while assuming data was stolen regardless of whether files were encrypted.
“The Gentlemen are a case study in how cheap it has become to scale a ransomware brand in 2026. They did not need a breakthrough encryptor.” concludes the report. “They needed a generous affiliate split, a steady feed of infostealer-sourced access, a rival’s leaked playbook, and a few open-weight models with the safety filters removed.”
The result is 483 victims across 66 countries in under a year, assembled by a team small enough to share one table. The leak that exposed all of this is also a reminder that these operations are fragile: one disgruntled insider or careless host can turn a crew’s entire workflow into a public document overnight, exactly as happened here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, The Gentlemen ransomware)
