The Gentlemen Ransomware: What Organizations Need to Know
The ransomware landscape continues to evolve at an alarming pace, and one of the most significant emerging threats is The Gentlemen (also tracked as Storm-2697). Since first appearing in mid-2025, the group has rapidly expanded into one of the most active Ransomware-as-a-Service (RaaS) operations, with hundreds of confirmed victims across multiple industries.
Unlike many newer ransomware groups, The Gentlemen appear to have entered the market with mature operational capabilities, extensive infrastructure, and a sophisticated affiliate program. Their rapid growth, combined with a substantial inventory of pre-compromised systems, makes them a critical threat for organizations worldwide.
Executive Summary
The Gentlemen have been active since at least July 2025 and are believed to be a splinter group that emerged from the Qilin ransomware operation following an alleged payment dispute between affiliates and operators.
Unusually for a ransomware operation, researchers have gained considerable insight into the group’s internal operations after an insider leaked one of its internal databases in early May. The leaked information revealed valuable intelligence regarding its infrastructure, operational methods, affiliate program, and victim targeting.
One of the group’s most notable differentiators is its aggressive affiliate compensation model. While most Ransomware-as-a-Service platforms pay affiliates between 70% and 80% of ransom proceeds, The Gentlemen reportedly offer an industry-leading 90% payout, making the platform highly attractive to experienced ransomware operators.
Operational analysis also shows the group employs mature tradecraft, including:
- Encrypted data exfiltration using tools such as WinSCP
- Multiple persistence mechanisms through AnyDesk, PsExec, and Windows Registry modifications
- Sophisticated endpoint detection and response (EDR) evasion techniques
- Rapid post-compromise deployment methods
Researchers also believe that many members operate on Moscow Standard Time, potentially complicating ransom negotiations for organizations in certain jurisdictions.
Rapid Growth During 2026
The Gentlemen’s expansion has been remarkable.
While the group claimed approximately 72 victims during 2025, that figure has already exceeded 450 confirmed victims during 2026, with attack volumes increasing significantly since February.
A Massive Stockpile of Pre-Compromised Fortinet Devices
Perhaps the most concerning intelligence surrounding The Gentlemen is the discovery that operators reportedly maintain access to approximately 14,700 compromised FortiGate devices worldwide.
Researchers have also identified nearly 1,000 brute-forced FortiGate VPN credentials under the group’s control.
This pre-positioned access provides a significant operational advantage. Rather than compromising new networks for every campaign, operators can simply select existing footholds, allowing them to launch attacks more quickly while reducing the likelihood of detection during initial compromise.
Organizations using Fortinet edge devices should consider this threat particularly serious.
Industries and Countries Most at Risk
The Gentlemen target organizations across multiple sectors but have shown a clear preference for industries where operational disruption translates into financial pressure.
Top Targeted Industries
| Industry | Reported Victims |
|---|---|
| Manufacturing | 104 |
| Business Services | 72 |
| Technology | 68 |
| Healthcare | 54 |
| Consumer Services | 46 |
Manufacturing remains the group’s primary focus, while attacks against healthcare organisations continue to demonstrate a willingness to disrupt critical infrastructure. Food production targets are also increasing.
Top Targeted Countries
| Country | Reported Victims |
|---|---|
| United States | 95 |
| Thailand | 37 |
| France | 31 |
| Germany | 29 |
| United Kingdom | 22 |
There is also increasing activity in the Asia-Pacific region with recent victims such as Royal foods in Australia.
Initial Access Techniques
Current investigations indicate The Gentlemen primarily gain initial access by exploiting vulnerable internet-facing systems, particularly:
- Fortinet firewalls
- Remote Desktop Protocol (RDP)
- Exposed VPN services
Researchers have linked the group to exploitation of several high-profile vulnerabilities, including:
- CVE-2024-55591 – Fortinet FortiOS and FortiProxy (primary initial access vector)
- CVE-2025-32433 – Erlang/OTP SSH Server
- CVE-2025-33073 – Windows SMB Client
- CVE-2025-55182 – React2Shell
- CVE-2025-7771 – ThrottleStop.sys driver
The high use of these 2024/2025 vulnerabilities and the explosion of victims in 2026 suggest the compromised organisations have a insufficent or non-existant vulnerability management process.
Following initial compromise, the attackers rapidly establish persistence, conduct Active Directory reconnaissance, SMB scanning, disable security tooling, and prepare systems for ransomware deployment.
Advanced Tradecraft
The Gentlemen demonstrate a mature operational approach rarely seen in newly emerged ransomware groups.
Observed techniques include:
- Encrypted data exfiltration using WinSCP
- Persistence via AnyDesk remote access software
- PsExec deployment across Windows environments
- Registry modifications for redundant persistence
- Active Directory enumeration and privilege escalation
- Aggressive attempts to disable or bypass Endpoint Detection and Response (EDR) solutions
The group’s ability to neutralise security software before deploying ransomware significantly increases the likelihood of successful encryption across enterprise environments.
Mitigation Strategies
Reducing exposure to The Gentlemen requires a layered security approach focused on preventing initial compromise while detecting attacker activity before ransomware deployment.
Key recommendations include:
- Secure all internet-facing services and remove unnecessary external access.
- Apply security updates promptly, particularly for Fortinet appliances and other edge devices.
- Enforce multi-factor authentication (MFA) for all privileged and administrative accounts.
- Monitor Active Directory for unusual account enumeration, Group Policy changes, and NETLOGON modifications.
- Harden endpoints against driver abuse and attempts to terminate security services.
- Restrict application execution from user download folders and temporary directories commonly used to stage attacker tools.
- Maintain offline, immutable, and regularly tested backups to support rapid recovery.
Final Thoughts
The Gentlemen have rapidly evolved into one of the most capable ransomware operations currently active. Their extensive inventory of compromised Fortinet infrastructure, highly attractive affiliate model, mature operational security, and accelerating victim count make them a significant threat to organisations across all sectors.
Enterprises relying heavily on Active Directory, operating internet-facing Fortinet devices, or working within manufacturing, retail, agriculture and food production, technology, healthcare, and other critical industries should prioritise proactive vulnerability management, identity security, and continuous monitoring to reduce the likelihood of becoming the group’s next victim.