All incidents

Gentlemen ransomware gang compromises 580 victims worldwide

campaignopenJun 29, 2026 — Jul 10, 2026
Gentlemen ransomware gang compromises 580 victims worldwide

THE Gentlemen ransomware gang has encrypted systems at 580 organisations spread across 77 countries, with a clear focus on manufacturing firms, according to a recent Unit 42 analysis published today.

The group operates as a ransomware‑as‑a‑service offering affiliates up to ninety percent of each ransom payment, a split that has driven rapid recruitment since its debut in 2025. Its developers produce variants in both Go and C, allowing them to tailor binaries to specific environments. Initial access is gained through a mix of exploited vulnerabilities, bought credentials from access brokers and brute‑forced remote services.

Once inside a network, the attackers move laterally using PowerShell scripts and PsExec to execute commands on remote hosts. They also load vulnerable drivers to terminate security processes and disable endpoint protections. The ransomware payload itself is delivered in either Go‑based or C‑based form, with encryption routines that adapt to the target’s file system according to Securelist.

The campaign has been active from mid-2026, with the group’s victim count climbing steadily as it added new affiliates and refined its toolset. Although no new CVEs have been directly tied to the ransomware, the operators frequently exploit known flaws in public‑facing applications and rely heavily on stolen credentials purchased from underground markets. Their focus on manufacturing has resulted in production line downtime and supply chain disruptions in several regions.

Defenders should watch for sudden spikes in PowerShell execution, especially when scripts are launched from unusual user accounts or via scheduled tasks. Limiting the use of PsExec to approved admin workstations and logging every invocation can hinder lateral movement. Enforcing multi-factor authentication on all remote access points and rotating privileged passwords regularly reduces the chance that stolen credentials succeed. Network segmentation that isolates production equipment from corporate IT limits the blast radius of any successful encryption. Keeping device drivers up to date and blocking known vulnerable driver versions prevents the ransomware from disabling security tools. Finally, deploying behaviour-based detection that flags abnormal file‑encryption patterns adds an extra layer of defence. See the Unit 42 analysis for more details.

Organisations should also maintain offline, immutable backups and test restoration procedures on a regular basis to ensure they can recover without paying a ransom. Sharing indicators of compromise with trusted ISACs and industry peers helps build collective defence against the gang’s evolving tactics. Conducting periodic tabletop exercises that simulate a ransomware incident improves response times and highlights gaps in existing controls. For additional technical details, see the Securelist overview here.

Intelligence briefing updated Jul 10, 2026

The Gentlemen
Timeline Coverage

Swipe to explore timeline