ACCORDING to SOCRadar, The Gentlemen Ransomware first appeared in 2025 and was clearly observed in active campaigns from August 2025, with indications that some development activity may date back to July 2025. The group operates a double-extortion model, exfiltrating data before encryption and threatening publication on Dark Web leak sites if demands are not met. The main ransomware payload is written in Go and targets Windows, Linux, and ESXi.
In September 2025, a Dark Web forum post advertised The Gentlemen's RaaS, offering affiliates 90% of ransom proceeds, with centrally controlled infrastructure, communication primarily via TOX, and a minimal service footprint. The operation targets medium to large organisations globally, across at least 17 countries, with the United States leading at 9 victims, followed by Brazil with 7, Thailand with 6, and the United Kingdom with 4, spanning manufacturing, technology, and other sectors.
Notable recent claims include a data-theft incident tied to Solumek, in which 1.5 terabytes were reportedly stolen, and individual victims such as Dongguan HYX Industrial, Rogers Capital, and Warka Bank for Investment and Finance, which appeared in early January 2026. The ransomware family claims to support Windows, Linux, NAS, BSD, and ESXi, with features such as hybrid encryption using XChaCha20 and Curve25519 and password-protected builds; it appends a .7mtzhh extension to encrypted files and drops README-GENTLEMEN[.]txt ransom notes alongside them.
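The two file-system indicators named above, the .7mtzhh extension and the README-GENTLEMEN.txt note, are the kind of artefacts a responder sweeps a file share for. The following is an added example (not code from SOCRadar or from the article) of a small triage script that classifies file paths by those two indicators and flags directories where several files have been renamed at once. The sample paths and the per-directory threshold are constructed for illustration.

```python
"""Triage a list of file paths for the indicators the article names:
the .7mtzhh extension on encrypted files and README-GENTLEMEN.txt ransom
notes. Sample paths and the mass-encryption threshold are constructed
assumptions for this example, not values from the report."""
from collections import Counter
import os

ENCRYPTED_EXT = ".7mtzhh"             # extension named in the article
RANSOM_NOTE = "readme-gentlemen.txt"  # written defanged in the article
MIN_ENCRYPTED_PER_DIR = 3             # assumed threshold: this many renamed files
                                      # in one directory is treated as mass encryption


def scan_paths(paths):
    """Classify file paths. Returns a dict with:
       notes     - ransom notes found
       encrypted - files carrying the encrypted-file extension
       hot_dirs  - directories at or above the mass-encryption threshold"""
    notes, encrypted = [], []
    per_dir = Counter()
    for p in paths:
        name = os.path.basename(p).lower()
        if name == RANSOM_NOTE:
            notes.append(p)
        elif name.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
            per_dir[os.path.dirname(p)] += 1
    hot_dirs = sorted(d for d, n in per_dir.items() if n >= MIN_ENCRYPTED_PER_DIR)
    return {"notes": notes, "encrypted": encrypted, "hot_dirs": hot_dirs}


def original_name(path):
    """Strip the appended extension to recover the pre-encryption file name,
    which is what an inventory of affected data needs."""
    if path.lower().endswith(ENCRYPTED_EXT):
        return path[: -len(ENCRYPTED_EXT)]
    return path


def scan_directory(root):
    """Walk a real directory tree and apply the same classification."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths)


# Constructed sample listing: one share with a note and three renamed files,
# one share with a single renamed file, and an untouched home directory.
SAMPLE_PATHS = [
    "/srv/share/finance/budget.xlsx.7mtzhh",
    "/srv/share/finance/ledger.docx.7mtzhh",
    "/srv/share/finance/q4-report.pdf.7mtzhh",
    "/srv/share/finance/README-GENTLEMEN.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/offer.docx.7mtzhh",
    "/home/alice/notes.txt",
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS)
    print("ransom notes:", result["notes"])
    print("mass-encrypted directories:", result["hot_dirs"])
    for p in result["encrypted"]:
        print("encrypted:", p, "<-", original_name(p))
```

Point `scan_directory()` at a mounted share to run the same logic over real files; the per-directory count separates a single stray rename from the bulk rewrite that double-extortion encryption leaves behind.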