Team Shieldworkz
The Gentlemen has rapidly escalated into a Tier-1 ransomware threat since its emergence in mid-2025. Operating primarily as a highly aggressive Ransomware-as-a-Service (RaaS), the group distinguishes itself through an unprecedented 90/10 affiliate revenue split, aggressive recruitment campaigns, lasting affiliate loyalty and the distribution of an advanced, centralized endpoint detection and response (EDR) killer suite known as GentleKiller.
This intelligence assessment from Shieldworkz confirms that The Gentlemen poses a critical and imminent risk to global enterprises and critical infrastructure everywhere. The encryptor possesses autonomous, worm-like lateral movement capabilities, enabling it to move rapidly and compromise Active Directory domains and connected operational technology (OT) environments within hours of initial access. Recent incidents, including the June 2026 disruption of Mackay Sugar, demonstrate the group’s capacity to trigger severe cyber-physical downtime. Security teams and leaders must urgently prioritize defense evasion countermeasures, strict IT/OT segmentation, and credential hygiene to mitigate this rapidly proliferating threat.
Threat actor overview
Origin: Emerged in mid-2025 as a private cybercrime cell before transitioning to a formal RaaS model in September 2025.
Aliases: Storm-2697 (Microsoft), Zeta88 / Hastalamuerte (Suspected administrator).
Formation: Believed to have been established by a disgruntled former Qilin affiliate (which explains the affiliate-oriented revenue sharing model), absorbing operators from Embargo, LockBit, Medusa, and BlackLock.
Ransomware family: Custom Go-based encryptor, obfuscated with Garble.
Affiliations: Established an official partnership with the BreachForums marketplace to recruit penetration testers and initial access brokers (IABs).
Geographic footprint: Global impact with a concentrated focus on Southeast Asia, South America, Western Europe, and Australia. Operations explicitly prohibit the targeting of Commonwealth of Independent States (CIS) countries.
Operational maturity: Highly mature technical tooling, but mixed operational security (OPSEC). The group recently suffered a significant breach of its own backend leak site, exposing internal correspondence and affiliate data.
What makes The Gentlemen unique?
The Gentlemen exhibits several distinguishing characteristics that elevate it above contemporaries like LockBit, Akira, or Black Basta:
Aggressive revenue model: The group offers a 90/10 revenue split (compared to the industry standard 80/20). This highly lucrative model has triggered a mass migration of top-tier affiliates from competing RaaS programs.
Centralized defense evasion: Rather than relying on affiliates to bring their own defense evasion tools, The Gentlemen provides GentleKiller, a standardized, highly maintained suite of EDR-terminating tools. This significantly lowers the barrier to entry for affiliates.
Autonomous propagation: The Go-based encryptor includes integrated, parallel self-propagation capabilities. Upon execution, it launches automated lateral movement sub-routines across adjacent subnets, eliminating the need for manual administrative deployment scripts (such as custom PsExec or Group Policy Objects).
Rapid BYOVD weaponization: The group consistently operationalizes newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proof-of-concept exploits within days of their public release.
Extended silent periods: This group is known to lay dormant after a series of attacks only to surface again and announce new victims.
Several characteristics indicate that The Gentlemen is trying to position itself as the successor to LockBit rather than simply another ransomware operation. It has moved in to occupy the space largely vacated by LockBit.
Its aggressive affiliate economics, rapid operationalization of public exploit research, centralized EDR impairment tooling and heavy recruitment of experienced operators suggest an effort to consolidate displaced ransomware talent (and tactics) following increased law-enforcement disruption of legacy RaaS ecosystems.
Unlike many emerging ransomware groups that rely heavily on branding and sensational disclosures, The Gentlemen appears to compete on operational efficiency.
The standardized GentleKiller framework reduces affiliate dependency on custom tooling, resulting in more consistent attack chains and potentially faster deployment timelines.
If current recruitment trends continue, the group's operational tempo and victim count are likely to increase during the next 6–12 months.
Targeting analysis
The Gentlemen operates opportunistically but has demonstrated a high success rate against organizations with complex, poorly segmented networks.
Preferred industries: Manufacturing, agri-industrial (sugar production), healthcare, pharmaceuticals, construction, education, and transportation.
Organization sizes: Mid-market to large Fortune 500 enterprises.
Critical infrastructure and OT: There is a pronounced trajectory of targeting heavy manufacturing and agri-industrial environments. The recent attack on Mackay Sugar highlights a focus on sectors where downtime directly equals massive financial loss.
Geographic focus: Over 500 claimed victims to date, heavily concentrated in APAC, Europe, and the Americas.
Attack lifecycle and MITRE ATT&CK mapping
| Kill chain phase | Attacker behavior | MITRE ATT&CK | Why defenders miss it |
|---|---|---|---|
| Initial Access | Exploitation of internet-facing edge devices (Fortinet, VPNs) using compromised credentials or rapid zero-day exploitation. | T1190, T1078 | Initial access blends with legitimate remote worker traffic; lack of external surface management. |
| Defense Evasion | Deployment of the GentleKiller framework. Uses BYOVD to terminate over 400 security processes. Binaries are protected via Enigma/Themida and masquerade using certificates that appear to belong to legitimate security vendors. | T1562.001, T1036.004 | BYOVD operates at the kernel level (Ring 0), effectively blinding user-mode EDR sensors before alerts trigger. |
| Privilege Escalation | Execution via scheduled tasks. Deletes existing tasks, creates gentlemen_system, and executes the ransomware binary as NT AUTHORITY\SYSTEM. | T1053.005, T1134 | Scheduled tasks are common administrative functions; generic alert tuning often filters these out. |
| Lateral Movement | Autonomous worm-like propagation. Uses the --shares command-line argument to seek out and encrypt mapped network drives and reachable subnets. | T1021.002, T1098 | Moves at machine speed. Manual SOC triage cannot outpace the automated propagation routines. |
| Encryption | Ephemeral Curve25519 elliptic-curve keys paired with the XChaCha20 stream cipher. Modifies file permissions to guarantee write access. | T1486, T1222.001 | High-performance stream ciphers encrypt large storage arrays before behavioral thresholds are breached. |
| Extortion | Double extortion. Exfiltration of sensitive data, followed by dropping a custom bitmap desktop wallpaper. | T1657, T1048 | Data staging often utilizes legitimate tools (e.g., Rclone), masking exfiltration as authorized cloud backups. |
Technical tradecraft (TTP Analysis)
The group’s technical tradecraft is heavily reliant on speed and evasion.
Command-line execution: The encryptor requires a password for execution, preventing automated sandbox analysis. Operators use specific flags such as --system (local volume encryption via scheduled task) and --shares (network share encryption).
EDR impairment: The GentleKiller framework incorporates leaked tools like HexKiller, ThrottleBlood, and HavocKiller. It utilizes a shared defense-evasion layer, copying legitimate icons and version information to bypass static heuristics.
Forensic cleanup: Prior to encryption, the malware systematically disables Microsoft Defender, deletes Volume Shadow Copies (VSS), and clears Windows event logs to inhibit incident response efforts.
Cryptographic architecture: By generating a unique ephemeral key pair for every file and deriving a shared secret via the operator's embedded public key, the group ensures that decryption is computationally infeasible without the operator's master (private) key.
Indicators of Compromise (IOCs)
Note: Due to the widespread use of ephemeral infrastructure and randomized compilation, defenders should prioritize behavioral detections over static hashes.
File Extension: .umc16h (appended to encrypted files)
Scheduled Task: gentlemen_system (created to execute the binary under SYSTEM privileges)
Command Line Arguments: --system, --shares
EDR Killer Framework: GentleKiller (Look for unexpected driver loads associated with known vulnerable kernel drivers).
Impact on Operational Technology (OT)
The Gentlemen group does not typically write custom ICS-specific payloads (like PIPEDREAM or TRISIS). However, their impact on OT is severe through indirect disruption.
During the June 2026 Mackay Sugar incident, the threat actors compromised core enterprise systems, cane supply coordination, and logistics platforms. By crippling these IT-side scheduling and historian databases, the attackers forced a physical mill shutdown without directly manipulating a single Programmable Logic Controller (PLC) or variable-speed drive.
Downtime Implications: When IT systems containing MES (Manufacturing Execution Systems) or SCADA data lakes are encrypted, operators lose the visibility required to run physical processes safely, necessitating a hard shutdown.
Safety Implications: The rapid, worm-like propagation can inadvertently saturate OT network bandwidth, potentially causing localized denial-of-service conditions on critical engineering workstations.
Detection opportunities
Security teams must optimize visibility to detect the precursor activities of The Gentlemen:
EDR / SIEM: Alert on the creation of the scheduled task gentlemen_system.
Behavioral: Monitor for rapid, sequential file permission modifications followed by high-volume disk write activity.
Kernel Monitoring: Alert on the loading of unsigned drivers or drivers with known CVEs (BYOVD attack vectors).
Log Evasion: Trigger immediate high-severity alerts upon the execution of vssadmin.exe delete shadows or the clearing of the Security event log.
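The detection opportunities above, expressed as rules run over constructed sample telemetry. This is an added example written for this advisory, not Shieldworkz tooling; the event shapes (Security 4698 and 1102, Sysmon EID 1 and 6) are simplified and the records are invented.

```python
"""Run the advisory's detection opportunities over constructed sample events.
Added example; the records below are constructed, not real telemetry."""
import re

# Constructed records in a simplified Sysmon/Security-event shape (not real logs).
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\gentlemen_system", "user": r"CORP\svc_backup"},  # task created
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",                    # process create
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\ProgramData\upd.exe",
     "cmdline": "upd.exe --password <redacted> --shares"},
    {"id": 1102, "log": "Security"},                                           # log cleared
    {"id": 6, "image": r"C:\Windows\Temp\drv.sys", "signed": False},           # driver load
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# The --system / --shares flags documented in the IOC section, as whole tokens.
ENCRYPTOR_FLAGS = re.compile(r"(^|\s)--(system|shares)(\s|$)", re.I)


def classify(event):
    """Return (severity, ATT&CK technique, reason) for one event, or None."""
    eid = event.get("id")
    if eid == 4698 and event.get("task", "").lower().endswith("gentlemen_system"):
        return ("critical", "T1053.005", "scheduled task gentlemen_system created")
    if eid == 1:
        cmd = event.get("cmdline", "")
        if VSS_DELETE.search(cmd):
            return ("high", "T1490", "shadow copy deletion via vssadmin")
        if ENCRYPTOR_FLAGS.search(cmd):
            return ("critical", "T1486", "encryptor flags --system/--shares on command line")
    if eid == 1102 and event.get("log") == "Security":
        return ("high", "T1070.001", "Security event log cleared")
    if eid == 6 and event.get("signed") is False:
        return ("high", "T1562.001", "unsigned driver loaded (possible BYOVD)")
    return None


def detect(events):
    """Run every event through classify(); benign events yield no finding."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for severity, technique, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {technique}: {reason}")
```

In production the same rules would be applied to the SIEM's normalized process, task and driver events rather than to inline records.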
Defensive recommendations
Immediate (24–72 Hours)
Block Vulnerable Drivers: Implement Microsoft’s Vulnerable Driver Blocklist to neutralize the GentleKiller EDR-impairment framework.
Audit Edge Devices: Force credential resets and patch all external-facing VPNs, firewalls, and Fortinet appliances.
Short-term (1–3 Months)
Harden Active Directory: Restrict the creation of scheduled tasks across the domain. Implement strict Least Privilege access for service accounts.
Enhance OT Visibility: Industrial operators must ensure they have baseline visibility into anomalous behaviors spanning the IT/OT boundary. The Shieldworkz OT Threat Advisories provide continuous, highly relevant intelligence for detecting advanced precursor activity before it bridges into production zones.
Long-term (3–6 Months)
Architectural Segmentation: Flat networks are the primary enabler of The Gentlemen’s worm-like propagation. Organizations must implement rigorous IT/OT segmentation. Utilizing the Shieldworkz OT Security Risk Assessment & Gap Analysis provides a structured methodology for identifying and closing these critical segmentation flaws.
Regulatory & Ransomware Resilience: Ensure defensive postures align with global compliance mandates by integrating the Shieldworkz Regulatory Playbooks, which offer fresh, accurate, and relevant frameworks for securing critical infrastructure against systemic extortion.
Risk assessment matrix
| Category | Rating | Justification |
|---|---|---|
| Likelihood | High | The 90/10 financial split is driving aggressive affiliate recruitment and rapid attack scaling. |
| Business Impact | Critical | Total enterprise encryption, intellectual property expropriation. |
| Operational Impact | Critical | Autonomous lateral movement leads to indirect OT disruption and physical plant shutdowns. |
| Financial Impact | High | Double extortion tactics combined with prolonged cyber-physical downtime. |
| Safety Impact | Medium | Sudden IT-induced operational shutdowns create process stability risks in manufacturing. |
| Regulatory Impact | High | Extortion of sensitive data triggers multi-jurisdictional notification mandates. |
| Overall Risk | CRITICAL | The combination of sophisticated EDR evasion and autonomous network propagation presents an unacceptable risk to unsegmented environments. |
Executive takeaways
To immediately degrade The Gentlemen's operational capabilities, CISOs should execute the following five directives:
Neutralize EDR evasion: Enforce strict application control and driver blocklists to prevent the execution of the GentleKiller framework.
Isolate the OT perimeter: Disconnect non-essential IT/OT bridges immediately. A flat network guarantees total operational failure against this adversary.
Mandate phishing-resistant MFA: Eliminate single-factor authentication on all external-facing infrastructure, particularly VPNs and edge devices.
Protect the backups: Ensure offline, immutable backups exist. The Gentlemen actively targets and encrypts network-attached storage and volume shadow copies.
Assume breach: Shift security operations from perimeter-only defense to proactive internal threat hunting, focusing on anomalous scheduled task creation and unauthorized lateral movement across mapped shares.
Additional reading
· Shieldworkz Regulatory Playbooks: https://shieldworkz.com/regulatory-playbooks
· Shieldworkz OT Threat Advisories: https://shieldworkz.com/ot-threat-advisories
· Shieldworkz OT Security Risk Assessment & Gap Analysis: https://shieldworkz.com/risk-assessment