The report "The Gentlemen Ransomware Expands With Rapid Affiliate Growth" states that the operation has claimed more than 320 victims, with the majority of attacks occurring in early 2026, according to Check Point. The group, known as The Gentlemen, has gained traction among affiliates and is increasingly targeting enterprise environments using modular tooling and cross‑platform payloads.
First identified in mid‑2025, the operation promotes its services on underground forums and recruits technically skilled partners. Affiliates are provided with ransomware variants written in Go that support Windows, Linux, NAS and BSD systems, plus a separate ESXi encryptor developed in C.
The toolkit provides built‑in lateral movement, credential reuse and Group Policy‑based deployment to trigger rapid, domain‑wide encryption, and attackers have shown capabilities such as disabling endpoint protections and using scheduled tasks and registry changes to maintain persistence. Telemetry from a related C2 server showed more than 1,570 infected systems globally, with a concentration in the US, UK and Germany, suggesting a focus on organisational targets rather than consumer infections.