What Happened
A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis). According to a detailed report
Why It Matters
According to The Hacker News and PRODAFT, The Gentlemen is a financially motivated ransomware-as-a-service (RaaS) group that evolved from an affiliate using LockBit, Qilin, and Medusa resources into its own operation, now claiming around 478 victims and offering affiliates a 90% revenue share.[1][3][4] The campaign features cross-platform lockers, double extortion, AI-assisted tool maintenance, and an optional worm-like propagation capability that, when enabled, spreads across networks.[1][2][3] From a CyberSE.AI perspective, this illustrates how criminal groups are operationalizing AI to harden and scale their tooling, so defenders must assume adversaries can rapidly adapt their payloads and TTPs. Organizations should use Continuous AI Red Teaming to simulate AI-augmented ransomware operators, validate detection of early-stage behaviors (e.g., edge-device compromise, use of infostealer-derived credentials, and lateral movement), and pressure-test backup, segmentation, and incident response plans against fast-spreading, AI-maintained ransomware.
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html