
The Gentlemen becomes second most active ransomware group

Wed, 22nd Apr 2026

Check Point Research says the ransomware group The Gentlemen has become the second most active operation of its kind in 2026 by victim count. The cyber security firm says the group has publicly claimed more than 320 victims since mid-2025.

Researchers recorded 240 of those attacks in 2026 alone, a pace that has pushed the group up the rankings among ransomware operations. Based on publicly listed victims, it now trails only one rival this year.

During an incident response engagement, Check Point Research gained access to a command-and-control server linked to one of the group's affiliates. That access revealed a botnet of more than 1,570 likely corporate victims, exceeding the group's own public tally.

The finding suggests the operation may be larger than the number of organisations named on its leak site. The systems observed appeared tied to business environments, including domain-joined machines and corporate credentials.

Affiliate model

The group operates a ransomware-as-a-service model in which core operators maintain the malware and infrastructure while affiliates carry out attacks. In return, affiliates share ransom proceeds with the operators.

According to the research, The Gentlemen offers affiliates 90% of each ransom payment, compared with a more typical 80% share elsewhere in the criminal market. That difference appears to be drawing experienced attackers away from established programmes.

Rather than relying on new techniques, the group appears to combine established methods with a more attractive commercial arrangement for affiliates. Researchers say that approach has helped it expand across Windows, Linux and ESXi environments.

Targets chosen

The attacks are described as largely opportunistic. The group appears to target exposed internet-facing systems such as VPNs, firewalls and remote access gateways, then use those weaknesses as an entry point into corporate networks.

Manufacturing and technology companies account for the largest share of observed victims, according to the research. Healthcare is the third most frequently targeted sector, suggesting the group is not avoiding critical services that some ransomware operators have historically treated more cautiously.

The United States accounts for the highest number of identified victims, with the UK and Germany also heavily represented. Those patterns were drawn from both the group's public leak site and telemetry linked to the server accessed by Check Point Research.

Attack speed

In one incident examined by researchers, the attackers already had domain-level administrative access when they were observed. The intrusion then moved quickly through credential validation, lateral movement across multiple hosts, the disabling of security tools and ransomware deployment across the domain using Group Policy.

That sequence meant every connected machine could be hit at the same time. The operation appeared structured rather than improvised, with affiliates following a documented and repeatable process.

The report argues that the group's rise reflects a broader shift in the ransomware market. A well-organised operation no longer needs novel exploits or unusual methods to expand rapidly if it can offer affiliates better financial terms and maintain a functioning leak site and locker.

For defenders, the research points to long-standing weaknesses rather than new ones. Internet-facing devices remain a central point of entry, while credential compromise, poor segmentation and weak backup arrangements continue to increase the impact of attacks once intruders are inside.

Check Point Research urges organisations to prioritise patching exposed VPNs, firewalls and remote access systems, while strengthening multi-factor authentication and privileged access controls. It also recommends testing isolated backups and improving monitoring for lateral movement inside networks, where there may still be time to interrupt an attack before encryption is triggered.

"Most ransomware groups make noise when they launch and then disappear. 'The Gentlemen' are different. They've cracked the affiliate recruitment problem by offering a better deal than anyone else in the criminal ecosystem. When we got inside one of their operators' servers, we found over 1,570 compromised corporate networks that hadn't even made the news yet. The real scale of this operation is significantly larger than what's publicly known, and it is still growing," said Eli Smadja, Group Manager, Check Point Research.