The Gentlemen: Inside the Fastest-Rising Ransomware-as-a-Service Operation of 2026

Manish Garg, Associate of (ISC)² · RingSafe
Jun 17, 2026
A ransomware brand called The Gentlemen went from unknown to the second most prolific operation of 2026 by claimed victim count in under a year, using a 90/10 affiliate split, FortiGate VPN exploitation, and worm-like spread. The lesson for Indian security leaders is not the gang itself but the industrialised RaaS economy behind it, with India already inside the top-five victim geographies. The defence is unglamorous and well-understood: patch your edge fast, enforce MFA, keep immutable tested backups, and run 24×7 detection.

Ransomware in 2026 no longer looks like a lone operator with a clever crypter. It looks like a software business, complete with a product roadmap, a sales funnel for recruiting talent, and a support team. The clearest illustration this year is a brand that calls itself The Gentlemen. A little over a year ago almost nobody had heard the name. By mid-June 2026 it had become one of the most active extortion operations on record, second only to Qilin by published victim count. For Indian CISOs and business owners, the interesting question is not who these particular criminals are. It is what their rise tells us about how the ransomware-as-a-service economy now works, and why organisations in India are increasingly on the receiving end.

Who The Gentlemen are, and why their speed matters

The group surfaced as a distinct ransomware brand in late 2025. By June 2026 it had listed roughly 478 victims on its dark-web leak site, with the large majority of those claims falling in the first half of 2026. Halcyon, which published a threat assessment on the operation, described it as scaling faster than any group it had tracked. Group-IB attributes the operation to a Russian-speaking actor it labels Phantom Mantis, led by an individual using the handle hastalamuerte who previously worked as an affiliate inside LockBit, Qilin, and Medusa programmes.

Two caveats matter before anyone repeats those numbers in a board deck. First, the ~478 figure is self-reported by the gang on its leak site. Extortion crews routinely inflate their counts to attract affiliates and pressure victims, so treat it as a claim, not an audited total. Second, leak-site listings only capture victims who refused to pay quietly; the true reach is likely higher in some respects and padded in others. What is not in dispute, because it shows up consistently across Halcyon, Bitdefender, Check Point Research, and Group-IB, is the trajectory: a near-vertical rise in under twelve months. That speed is the story, and the reason for it is the business model.

How the RaaS affiliate model actually works

Ransomware-as-a-service splits the work the way any platform business does. The operator builds and maintains the product: the encryptor, the data-exfiltration tooling, the negotiation portal, the leak site, and the payment plumbing. The affiliate is the person who actually breaks into a victim, moves laterally, steals the data, and detonates the payload. Many affiliates do not even do their own break-ins; they buy ready-made network access from a third role, the initial access broker, who sells working credentials or footholds by the unit.

Who does what in a modern RaaS operation

| Role | Builds / provides | Typical revenue position |
| --- | --- | --- |
| Operator (the brand) | Malware, leak site, negotiation portal, affiliate panel, infrastructure | Takes a cut of each ransom; The Gentlemen reportedly keep only 10% |
| Affiliate | The intrusion: lateral movement, data theft, deployment | The Gentlemen reportedly offer affiliates ~90% of the ransom |
| Initial access broker | Working footholds: VPN credentials, exposed RDP, exploited edge devices | Paid per access, independent of whether ransom is collected |

The economics explain the recruitment. Most RaaS programmes have historically offered affiliates somewhere between 70% and 80% of proceeds. The Gentlemen reportedly advertise a 90/10 split in the affiliate’s favour, a level only RansomHub had previously matched, per reporting from Security Affairs and others. In a market where skilled intruders are the scarce resource, an extra ten or twenty points is a powerful poaching tool. Pay the talent more, attract more break-ins, list more victims, look more credible to the next affiliate. That flywheel is precisely what produced the 2026 spike.

The 2026 ransomware reality: theft over encryption, edge over phishing

Three shifts define modern tradecraft, and The Gentlemen embody all three.

Data theft is the real leverage

The headline weapon is no longer encryption; it is double extortion. Attackers steal data first, then encrypt, then threaten to publish on the leak site if the victim does not pay. For organisations with good backups, encryption is recoverable. The threat of dumping patient records, financial data, or contracts is not. Group-IB’s analysis of The Gentlemen describes exactly this: encrypted exfiltration as a core phase, with selective file encryption almost as an afterthought.

Edge devices and VPNs are the front door

Phishing still happens, but the highest-volume initial-access vector in 2026 is the internet-facing appliance. Halcyon reported The Gentlemen brute-forcing roughly a thousand Fortinet VPNs, reusing passwords such as gentlemen25 across victims, and leaning on a FortiOS authentication-bypass flaw (CVE-2024-55591) as a primary way in. This is the same pattern Check Point Research described in June 2026 around CVE-2026-50751, a Check Point VPN authentication-bypass zero-day that a Qilin affiliate exploited to walk past passwords entirely. The lesson generalises: your VPN concentrator and your firewall management interface are now the most attacked surface you own.
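As an added example (not from the original post and not a vendor tool), a small Python detector for the VPN password-spraying pattern described above: it parses FortiGate-style SSL-VPN event lines and flags a source that fails against several distinct usernames in a short window, then a tunnel established from that same source. The key=value field names (action, user, remip), the sample addresses and usernames are constructed assumptions, not captured logs; adjust the parser to what your appliance actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample events in FortiGate-style key=value syntax. The field names
# (action, user, remip) and the addresses are assumptions, not captured logs.
SAMPLE_LOGS = """\
date=2026-06-10 time=02:14:01 action="ssl-login-fail" user="admin" remip=203.0.113.7
date=2026-06-10 time=02:14:03 action="ssl-login-fail" user="svc_backup" remip=203.0.113.7
date=2026-06-10 time=02:14:05 action="ssl-login-fail" user="jsmith" remip=203.0.113.7
date=2026-06-10 time=02:14:08 action="ssl-login-fail" user="rkumar" remip=203.0.113.7
date=2026-06-10 time=02:14:11 action="ssl-login-fail" user="it.ops" remip=203.0.113.7
date=2026-06-10 time=02:14:15 action="tunnel-up" user="rkumar" remip=203.0.113.7
date=2026-06-10 time=08:30:00 action="ssl-login-fail" user="asingh" remip=198.51.100.4
date=2026-06-10 time=08:30:40 action="tunnel-up" user="asingh" remip=198.51.100.4
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value event line into a dict with a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields

def detect(log_text, window_s=300, max_users=4):
    """Return alerts for (a) a source that fails against >= max_users distinct
    usernames within window_s seconds (password spraying) and (b) a tunnel
    established from a source that was spraying inside the same window."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    fails = defaultdict(list)   # remip -> [(ts, user)]
    flagged, alerts = set(), []
    for e in events:
        src = e["remip"]
        # Distinct usernames this source has failed against inside the window.
        recent = {u for t, u in fails[src] if (e["ts"] - t).total_seconds() <= window_s}
        if e["action"] == "ssl-login-fail":
            fails[src].append((e["ts"], e["user"]))
            recent.add(e["user"])
            if len(recent) >= max_users and src not in flagged:
                flagged.add(src)
                alerts.append(("spray", src, len(recent)))
        elif e["action"] == "tunnel-up" and len(recent) >= max_users:
            alerts.append(("success-after-spray", src, e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The second alert type is the one worth paging on: a spray that ends in a tunnel is the exact sequence that precedes the lateral movement described in the next section.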

EDR-killers and BYOVD

Once inside, affiliates expect you to have endpoint detection, so they bring tools to switch it off. The technique is BYOVD, bring your own vulnerable driver: load a legitimately signed but flawed kernel driver and abuse it to terminate protected security processes. Bitdefender’s threat debrief and Dark Reading both documented The Gentlemen using a renamed ThrottleStop driver (carrying CVE-2025-7771) to kill antivirus and EDR at the kernel level, alongside PowerShell commands to disable Defender. An EDR you cannot see being disabled is worth very little.

Why India is increasingly in the firing line

This is the part Indian leaders should not skim. Reporting on The Gentlemen’s victimology places India inside the top-five most-targeted geographies, alongside Thailand, Brazil, Germany, and the UK, with the US a surprisingly small share at roughly 13%. The reason is unflattering but actionable: the targeting follows the vulnerable hardware. India has a large installed base of FortiGate and similar edge appliances, and patching cadence on those devices is often slow. The attackers are not strategically singling out India; they are scanning the internet for exploitable boxes, and a lot of them happen to be here. One reported intrusion hit an Indian hospital with hundreds of gigabytes of patient data exfiltrated, a reminder that healthcare and manufacturing, not just banks, are squarely in scope.

The defence playbook

None of the controls below are novel. That is the point. The gangs win on operational speed and target abundance, not on exotic technique, so disciplined fundamentals beat them more reliably than any single product.

Control checklist mapped to The Gentlemen’s playbook

| Control | Stops / blunts | Priority |
| --- | --- | --- |
| Patch edge devices and VPNs within days, not quarters | The dominant initial-access vector | Critical |
| MFA on every remote-access path and admin account | Credential brute-force and reuse | Critical |
| Immutable, offline, regularly restore-tested backups | The encryption half of extortion | Critical |
| EDR plus 24×7 detection and response (MDR/SOC) | Lateral movement and BYOVD tampering | High |
| Network segmentation and least-privilege admin | Worm-like spread and domain-wide deployment | High |
| An incident-response plan you have actually rehearsed | Panic-driven mistakes during a live breach | High |

A few specifics for the Indian context. First, treat your VPN and firewall like crown-jewel assets, because attackers do; subscribe to vendor advisories and patch out-of-band when a remotely exploitable auth bypass lands. Second, backups only count if they are immutable and you have restored from them in a drill within the last quarter. Third, the EDR-killer reality means detection has to be watched by humans around the clock; an alert that fires at 2am into an empty inbox is not detection. If you are weighing how to staff that, our breakdown of MDR vs SOC vs SIEM for Indian SMBs lays out the trade-offs. Fourth, because double extortion turns a breach into a data-protection and disclosure event, you need a breach playbook that includes legal and regulatory steps; our CERT-In directions guide covers the six-hour incident-reporting obligation that applies to Indian organisations. Finally, cyber insurance has become a board-level control rather than a nice-to-have, both for transferring residual risk and because the underwriting process itself forces a maturity assessment; see our practical look at cyber insurance in India for 2026.

Frequently Asked Questions

Is the 478 victim count accurate?

Treat it as a claim, not a verified figure. The ~478 number comes from The Gentlemen’s own dark-web leak site, and extortion crews routinely inflate counts to attract affiliates and intimidate victims. The figure is corroborated as roughly the right order of magnitude by Halcyon, The Hacker News, and others, and it makes them the second most prolific operation of 2026 by published listings, but the precise total is gang-reported.

What is a 90/10 affiliate split and why does it matter?

In ransomware-as-a-service, the ransom is divided between the operator who builds the malware and the affiliate who carries out the attack. The Gentlemen reportedly give affiliates 90% and keep 10%, well above the typical 70 to 80% affiliates earn elsewhere. That generous cut is essentially a recruitment campaign, drawing skilled intruders away from rival programmes, which is the main engine behind the group’s rapid growth.

How does the worm-like capability change the risk?

Reporting indicates The Gentlemen can propagate automatically across a network, encrypting entire environments within minutes once a foothold exists. This compresses the window defenders have to respond and makes flat, unsegmented networks especially dangerous. Network segmentation, least-privilege administration, and fast containment matter far more against a self-spreading payload than against one deployed host by host.

What should an Indian organisation do first?

Start with the front door. Inventory every internet-facing VPN, firewall, and remote-access appliance, confirm it is on a patched firmware version, and enforce MFA on all remote and administrative access. In parallel, verify you have immutable backups you have actually restored from recently. Those two steps neutralise the most common path The Gentlemen and similar crews use to get in and to force payment.

The Gentlemen are a symptom, not the disease. The disease is a mature criminal supply chain that pays intruders generously, buys access wholesale, and industrialises the break-in. That model is not going away, but it is also not unbeatable, because it relies on you leaving the front door unpatched. If you want a clear-eyed assessment of where your edge exposure, backup resilience, and detection coverage stand against this class of threat, talk to RingSafe and we will help you close the gaps before an affiliate finds them.
