
The Gentlemen ransomware gang compromised more than 320 organisations worldwide between late June and early July 2026, according to a recent Check Point report.
The group gains initial access by scanning for exposed remote services and leveraging weak or stolen credentials.
Once inside, they map the network before launching a Go‑written locker and a newer C‑based ransomware that is still under development.
For lateral movement, the attackers rely on PowerShell scripts and PsExec.
They also load vulnerable drivers to disable security tools and avoid detection.
The activity window captured by researchers runs from 29 June 2026 to 2 July 2026.
During this period the gang hit organisations in manufacturing, information technology, healthcare, finance and logistics across Europe, North America and Asia.
The Gentlemen operate as a ransomware‑as‑a‑service platform, offering affiliates access to their locker and ransomware binaries.
Affiliates receive a share of ransom payments in exchange for conducting the intrusions.
Organisations should patch exposed services promptly and enforce strong unique passwords for all accounts.
Enabling multi‑factor authentication and maintaining offline, encrypted backups reduce the impact of encryption.
Network segmentation limits lateral movement, while monitoring for anomalous PowerShell or PsExec usage helps detect the gang’s activity.
Security teams ought to update intrusion detection signatures with the group’s known indicators of compromise and share threat intelligence with trusted peers.
Regular tabletop exercises and incident response plan reviews ensure readiness for future ransomware encounters.
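
One way to implement the PowerShell and PsExec monitoring recommended above, as an added example that is not from the Check Point report or the original article: it flags PsExec service installs (default service name PSEXESVC), PowerShell spawned by that service, PsExec fan-out from a single account, and kernel driver services registered outside the drivers directory. The event records, the thresholds and the driver-path heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), using fields from Windows
# System event 7045 (service installed) and Security event 4688 (process created).
SAMPLE_EVENTS = [
    {"ts": "2026-06-30T02:10:05", "host": "FS01", "id": 7045, "account": "CORP\\svc-backup",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service"},
    {"ts": "2026-06-30T02:12:40", "host": "DB02", "id": 7045, "account": "CORP\\svc-backup",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service"},
    {"ts": "2026-06-30T02:17:11", "host": "APP03", "id": 7045, "account": "CORP\\svc-backup",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service"},
    {"ts": "2026-06-30T02:17:30", "host": "APP03", "id": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2026-06-30T02:19:02", "host": "APP03", "id": 7045, "account": "CORP\\svc-backup",
     "ServiceName": "exampledrv", "ImagePath": "\\??\\C:\\Users\\Public\\exampledrv.sys",
     "ServiceType": "kernel mode driver"},
    {"ts": "2026-06-30T09:00:00", "host": "WS10", "id": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
]

DRIVER_DIR = "system32\\drivers\\"       # heuristic: drivers normally load from here
FANOUT_HOSTS = 3                         # assumed threshold, tune per environment
FANOUT_WINDOW = timedelta(minutes=15)    # assumed correlation window

def detect(events):
    """Return (rule, host_or_account) tuples for PsExec, PowerShell and driver anomalies."""
    findings, installs = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        path = e.get("ImagePath", "").lower()
        if e["id"] == 7045:
            if e.get("ServiceName", "").lower() == "psexesvc" or path.endswith("psexesvc.exe"):
                findings.append(("psexec_service", e["host"]))
                installs[e["account"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
            if e.get("ServiceType") == "kernel mode driver" and DRIVER_DIR not in path:
                findings.append(("driver_outside_driver_dir", e["host"]))
        elif (e["id"] == 4688 and e["NewProcessName"].lower().endswith("powershell.exe")
              and e.get("ParentProcessName", "").lower().endswith("psexesvc.exe")):
            findings.append(("powershell_via_psexec", e["host"]))
    for account, seen in installs.items():   # same account, many hosts, short window
        for start, _ in seen:
            hosts = {h for t, h in seen if start <= t <= start + FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                findings.append(("psexec_fanout", account))
                break
    return findings
```

Legitimate administrators also use PsExec, so the single-host rule is best treated as context and the fan-out and PowerShell-child rules as the higher-signal alerts.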