THE Gentlemen ransomware group emerged in September 2025 and has quickly become the second most prolific ransomware operation by targeting 483 victims across 66 countries, with 380 of these incidents occurring in 2026 alone. Their success is attributed to the use of stolen infostealer credentials, AI tools, and an aggressive affiliate model offering a 90% cut to external operators.
Unlike typical ransomware, only about 15% of their victims are from the U.S.; significant targets include industries like manufacturing, technology, healthcare, and business services. The group focuses on exploiting internet-facing vulnerabilities and using stolen corporate credentials for access. Notably, they regard their operation as a product team, leveraging AI for decision-making and negotiation processes.
Defense against their tactics emphasizes rapid patch management, treatment of infostealer infections as breaches, and employing stronger authentication methods to mitigate the risks associated with stolen credentials.