Security journalist Brian Krebs has published an in-depth investigation into The Gentlemen, a ransomware-as-a-service (RaaS) operation that has rapidly ascended to become the second most active ransomware gang by victim count in 2026. The group has distinguished itself through an unusually generous affiliate payout structure — offering 90 percent of ransom proceeds to affiliates — and an aggressive, selective recruitment strategy that has attracted experienced operators from other shuttered criminal enterprises.
The piece examines clues pointing to the identity of The Gentlemen's core operators, tracing forum activity, cryptocurrency flows, and operational security mistakes that may reveal who is behind one of the year's most prolific cybercriminal organizations.
The Gentlemen: What We Know
The Gentlemen emerged as a notable presence in the ransomware landscape in late 2025, rapidly expanding victim count through 2026 with a combination of speed-to-exploit capabilities and high-quality initial access. Key characteristics of the operation include:
| Attribute | Details |
|---|---|
| Activity Level | 2nd most active ransomware gang by 2026 victim count |
| Affiliate Payout | 90% — among the highest in the RaaS industry |
| Recruitment | Selective, targeting experienced operators |
| Encryption Targets | Windows, Linux, ESXi environments |
| Data Extortion | Multi-extortion with dedicated leak site |
| Average Ransom Demand | Undisclosed; sources suggest mid-to-high tier enterprise targeting |
The 90% affiliate payout is a calculated business strategy: traditional RaaS operations typically offer 70-80% to affiliates, retaining 20-30% for the core team as a franchise fee for infrastructure, negotiation support, and the ransomware tooling itself. By offering 90%, The Gentlemen attract the most capable affiliates — experienced operators who have the skills to breach enterprise environments and negotiate large payments — while accepting thinner margins in exchange for higher volume.
Prior Coverage: The SystemBC Connection
Earlier reporting, including coverage on CosmicBytez Labs, documented that The Gentlemen ransomware operation leverages SystemBC for bot-powered attacks. SystemBC is a proxy malware and remote access tool (a SOCKS5 proxy backdoor) that several ransomware groups have used to tunnel command-and-control traffic and maintain stealthy persistence on victim networks. The use of mature tooling like SystemBC suggests the core team has significant operational experience, whether built in-house or brought in by operators recruited from other operations.
Forum Trails and OPSEC Failures
KrebsOnSecurity's investigation examines several threads of evidence that may point to the operators:
Forum history: Krebs traces the usernames and posting styles of individuals on cybercriminal forums who began promoting a new "professional" RaaS operation with unusually favorable affiliate terms in mid-2025, cross-referencing against older forum accounts from disbanded operations including prior generations of Conti, REvil, and BlackCat/ALPHV affiliates.
Cryptocurrency analysis: The Bitcoin and Monero addresses used by The Gentlemen's negotiation infrastructure show on-chain patterns consistent with a small core team that has operated ransomware infrastructure before, with mixing behavior and exchange usage patterns that link to prior incidents.
Infrastructure overlap: Several IP addresses and hosting accounts linked to The Gentlemen overlap with infrastructure previously used by other ransomware groups, suggesting the operators did not rebuild their operational infrastructure from scratch when launching the new brand.
Why Ransomware Operators Rebrand
The Gentlemen almost certainly emerged from the ruins of prior operations. This is a consistent pattern in ransomware:
| Original Group | Known Successor(s) |
|---|---|
| REvil | Attempted relaunch; core members spun into other groups |
| Conti | Scattered into BlackBasta, Royal, Akira, and others |
| BlackCat/ALPHV | Exit-scammed affiliates; operators suspected in other operations |
| Hive | Dismantled by FBI; operators presumed active elsewhere |
Rebranding serves multiple purposes: it resets the reputational damage from successful law enforcement actions, attracts affiliates who won't work with groups that have been "burned," and removes infrastructure that may have been compromised by investigators.
The Victim Profile
The Gentlemen have demonstrated a consistent preference for enterprise targets in Western Europe and North America, with particular concentration in:
- Manufacturing and industrial companies (high operational disruption leverage)
- Professional services firms (lawyers, accountants, consultants) with sensitive client data
- Healthcare-adjacent organizations (high urgency around data recovery)
- Mid-market enterprises with revenues between $50M and $500M (large enough to pay significant ransoms, small enough to lack mature incident response capabilities)
What the Investigation Means for Defenders
The publication of an investigative piece focused on operator attribution serves defenders in two ways:
- Behavioral intelligence: Understanding that The Gentlemen recruits experienced operators suggests their TTPs will reflect the full range of sophisticated enterprise intrusion techniques: living-off-the-land, credential abuse, lateral movement through Active Directory, and deliberate targeting of backup infrastructure before encryption.
- Pressure on the operation: High-profile investigative journalism that threatens operator identity is a documented motivator for groups to either hunker down in operational security or dissolve and rebrand again.
Mitigation Priorities
Against a technically sophisticated group like The Gentlemen, organizations should prioritize:
Priority 1: Backup protection
- Offline/immutable backups that ransomware cannot reach
- Tested recovery procedures — not just backup existence
Priority 2: Credential hygiene
- Privileged account MFA enforcement
- No shared local admin passwords (deploy LAPS so every local administrator password is unique and rotated)
- Monitoring for credential harvesting activity
Priority 3: Network segmentation
- Limit lateral movement from any single compromised endpoint
- Segment backup infrastructure on its own VLAN
- Monitor east-west traffic for anomalous patterns
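The east-west monitoring and backup-VLAN points above are concrete enough to show as detection logic. The following is an added example written for this page, not code from the Krebs investigation or from any vendor: it runs two checks over flow records of the shape a NetFlow or Zeek conn.log collector would hand you, flagging a source that fans out to many peers on lateral-movement ports inside a short window, and any host other than the designated backup server that reaches the backup VLAN. The IP addresses, the allowlisted scanner, the backup VLAN prefix, the thresholds and the flow records themselves are all constructed assumptions.

```python
"""Fan-out and backup-VLAN checks over constructed east-west flow records.

Added example for illustration; the addresses, VLAN layout and thresholds are assumptions.
"""
from collections import defaultdict

# Ports a single workstation has no business opening against many peers.
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

SCANNERS = {"10.0.1.5"}            # assumed: the authorised vulnerability scanner, expected to fan out
BACKUP_VLAN = "10.0.99."           # assumed: prefix of the dedicated backup VLAN
BACKUP_CLIENTS = {"10.0.1.20"}     # assumed: the only host permitted to write to backup targets

# Constructed flow records: (timestamp_seconds, src, dst, dst_port).
FLOWS = (
    [(0, "10.0.5.40", "10.0.2.10", 445),         # user opens one file share: benign
     (30, "10.0.1.20", "10.0.99.11", 445)]       # backup server writing to a backup target: permitted
    + [(60 + i * 5, "10.0.5.23", f"10.0.5.{100 + i}", 445) for i in range(12)]  # workstation sweeps SMB across 12 peers
    + [(200 + i, "10.0.1.5", f"10.0.5.{100 + i}", 445) for i in range(20)]      # scanner sweep: allowlisted
    + [(300, "10.0.5.23", "10.0.99.11", 445)]    # the same workstation then touches the backup VLAN
)


def fan_out_alerts(flows, window_s=300, threshold=10):
    """Sources that reach >= threshold distinct peers on lateral-movement ports within any window_s span.

    Returns {src: set_of_peers} for the largest offending window per source.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in LATERAL_PORTS and src not in SCANNERS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        worst = set()
        for ts_end, _ in events:
            # Sliding window ending at this event; small inputs, so the quadratic scan is fine.
            peers = {dst for ts, dst in events if ts_end - window_s <= ts <= ts_end}
            if len(peers) > len(worst):
                worst = peers
        if len(worst) >= threshold:
            alerts[src] = worst
    return alerts


def backup_vlan_alerts(flows):
    """Any (src, dst) pair where a non-backup host reaches into the backup VLAN, regardless of port."""
    return sorted({(src, dst) for _, src, dst, _ in flows
                   if dst.startswith(BACKUP_VLAN) and src not in BACKUP_CLIENTS})


if __name__ == "__main__":
    for src, peers in fan_out_alerts(FLOWS).items():
        print(f"fan-out: {src} reached {len(peers)} peers on lateral-movement ports")
    for src, dst in backup_vlan_alerts(FLOWS):
        print(f"backup VLAN touch: {src} -> {dst}")
```

The fan-out check deliberately excludes the scanner rather than raising the threshold, because the legitimate sweepers on a network are few and known; anything else that sweeps SMB or RDP at that rate is either misconfigured or an operator enumerating hosts. The backup-VLAN check is port-agnostic on purpose: the segmentation goal is that nothing but the backup server talks to that VLAN at all, so any other source is a finding.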
Priority 4: Endpoint detection
- EDR configured to alert on shadow copy deletion
- Alert on use of known ransomware-associated LOLBins
- Monitor for SystemBC C2 patterns specifically