A detailed analysis of The Gentlemen ransomware operation has revealed the group has claimed 478 victims and developed a self-propagating worm capability that allows ransomware to spread autonomously across compromised networks. What began as a ransomware affiliate operation leveraging LockBit infrastructure has evolved into a sophisticated, independently operating threat.
Origins as a RaaS Affiliate
The Gentlemen initially operated as an affiliate within established ransomware-as-a-service (RaaS) ecosystems, primarily conducting attacks through LockBit (tracked by some researchers as Tenacious Mantis). In the RaaS model, affiliates lease ransomware infrastructure from developers, conduct their own intrusions and deployments, and split ransom revenues with the platform operators.
This affiliate model gave The Gentlemen access to proven ransomware tooling, payment infrastructure, and negotiation support without requiring the technical investment of building these components from scratch. The group used this period to refine intrusion techniques, victim selection, and extortion tradecraft.
Evolution to Independent Operation
The Gentlemen transitioned from affiliate to independent operator, deploying their own ransomware variant and maintaining their own leak site for double extortion. This transition is common among more capable ransomware affiliates — after developing sufficient operational expertise, they exit the RaaS arrangement to retain full control over ransom revenues and avoid the risks associated with depending on a central platform that may be disrupted by law enforcement.
The group's double extortion model involves encrypting victim systems while simultaneously exfiltrating data, threatening to publish stolen files if the ransom is not paid.
The Worm Capability
The most significant technical finding is The Gentlemen's implementation of worm-like self-propagation. Unlike traditional ransomware that requires an operator to manually deploy payloads across a network after initial access, the worm capability allows the ransomware to:
- Enumerate network shares and connected systems autonomously
- Self-copy to accessible hosts without requiring further attacker intervention
- Execute on newly reached systems to continue the encryption and exfiltration cycle
Worm capabilities dramatically amplify ransomware impact. A single initial access point can result in organization-wide encryption within minutes, before defenders have time to respond. This is the same mechanism that made WannaCry and NotPetya so destructive — though The Gentlemen appears to apply it in targeted attacks rather than indiscriminate mass campaigns.
Victim Profile and Scale
The 478 victims claimed by The Gentlemen span multiple industries and geographies, indicating a broad targeting approach rather than sector-specific focus. The group appears to prioritize:
- Organizations with accessible network shares — the worm capability is most effective in environments with flat network architectures
- Targets with valuable data — double extortion requires data that victims are motivated to suppress
- Entities without robust backup and recovery — increasing the pressure to pay for decryption
Defensive Considerations
The Gentlemen's worm capability makes standard ransomware defensive measures even more critical:
Network segmentation: Flat networks are the worm's best friend. Proper VLAN segmentation and firewall policies can contain self-propagating ransomware to a single network segment, limiting blast radius significantly.
Least privilege access: Ensure service accounts and user accounts cannot access network shares beyond what their role requires. Worms spread via accessible shares — removing unnecessary access removes the fuel.
Endpoint detection: Next-generation EDR with behavioral detection can identify the anomalous file enumeration and lateral movement behavior associated with worm propagation before full-scale encryption occurs.
Offline backups: The 3-2-1-1-0 backup rule (3 copies, 2 media, 1 offsite, 1 offline, 0 errors) provides recovery options that are immune to ransomware encryption regardless of how widely it spreads.
Incident response planning: With worm-capable ransomware, the time between initial compromise and full encryption can be extremely short. Organizations must have pre-authorized containment procedures (network isolation, credential resets) ready to execute without waiting for approvals.
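The endpoint-detection point above is easiest to see with a concrete rule. The following Python is an added example, not code from the original analysis or from any EDR vendor: it parses a handful of constructed share-access records (field names loosely mirror Windows Security Event 5140, "A network share object was accessed", but the key=value line format, the hosts, accounts and addresses, and the 60-second / 5-host thresholds are all assumptions made for illustration) and flags any source address that touches many distinct hosts inside a short sliding window. That fan-out pattern is what distinguishes self-propagation from an ordinary user opening a couple of file shares.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical simplified format, not real EVTX output).
# One ordinary user (10.0.5.23), one slow inventory account (10.0.9.9) and one
# source (10.0.7.14) that reaches six admin shares in eight seconds.
SAMPLE_EVENTS = r"""
ts=2024-05-01T09:00:01 event=5140 src=10.0.5.23 user=CORP\jsmith host=FS01 share=\\FS01\Finance
ts=2024-05-01T09:00:04 event=5140 src=10.0.5.23 user=CORP\jsmith host=FS01 share=\\FS01\Finance
ts=2024-05-01T09:03:10 event=5140 src=10.0.5.23 user=CORP\jsmith host=FS02 share=\\FS02\HR
ts=2024-05-01T09:03:12 event=4624 src=10.0.5.23 user=CORP\jsmith host=FS02 share=-
ts=2024-05-01T10:00:00 event=5140 src=10.0.9.9 user=CORP\svc_inv host=WS010 share=\\WS010\C$
ts=2024-05-01T10:10:00 event=5140 src=10.0.9.9 user=CORP\svc_inv host=WS011 share=\\WS011\C$
ts=2024-05-01T10:20:00 event=5140 src=10.0.9.9 user=CORP\svc_inv host=WS012 share=\\WS012\C$
ts=2024-05-01T10:30:00 event=5140 src=10.0.9.9 user=CORP\svc_inv host=WS013 share=\\WS013\C$
ts=2024-05-01T10:40:00 event=5140 src=10.0.9.9 user=CORP\svc_inv host=WS014 share=\\WS014\C$
ts=2024-05-01T11:15:00 event=5140 src=10.0.7.14 user=CORP\svc_backup host=WS001 share=\\WS001\ADMIN$
ts=2024-05-01T11:15:01 event=5140 src=10.0.7.14 user=CORP\svc_backup host=WS002 share=\\WS002\ADMIN$
ts=2024-05-01T11:15:02 event=5140 src=10.0.7.14 user=CORP\svc_backup host=WS003 share=\\WS003\ADMIN$
ts=2024-05-01T11:15:03 event=5140 src=10.0.7.14 user=CORP\svc_backup host=WS004 share=\\WS004\ADMIN$
ts=2024-05-01T11:15:05 event=5140 src=10.0.7.14 user=CORP\svc_backup host=WS005 share=\\WS005\ADMIN$
ts=2024-05-01T11:15:08 event=5140 src=10.0.7.14 user=CORP\svc_backup host=WS006 share=\\WS006\ADMIN$
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value lines into dicts; 'ts' becomes a datetime for window math."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return events


def detect_fanout(events, window=timedelta(seconds=60), min_hosts=5):
    """Return one alert per source that reached >= min_hosts distinct hosts
    within any sliding time window of length `window` (share-access events only)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event") == "5140":          # only share-access records count
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()                        # events inside the current window
        host_counts = Counter()                 # distinct hosts inside the window
        peak, peak_hosts, peak_start = 0, set(), None
        for ev in evs:
            recent.append(ev)
            host_counts[ev["host"]] += 1
            # Slide the window forward: drop events older than `window`.
            while ev["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                host_counts[old["host"]] -= 1
                if host_counts[old["host"]] == 0:
                    del host_counts[old["host"]]
            if len(host_counts) > peak:
                peak, peak_hosts, peak_start = len(host_counts), set(host_counts), recent[0]["ts"]
        if peak >= min_hosts:
            alerts.append({
                "src": src,
                "user": evs[0]["user"],
                "distinct_hosts": peak,
                "hosts": sorted(peak_hosts),
                "window_start": peak_start,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['src']} ({alert['user']}) reached {alert['distinct_hosts']} hosts "
              f"from {alert['window_start']}: {', '.join(alert['hosts'])}")
```

With the default 60-second window only 10.0.7.14 fires; widening the window to an hour also catches the slow inventory account, which is exactly the tuning problem a real deployment faces: backup and inventory service accounts legitimately touch many hosts, so the threshold should be baselined per account and the alert should feed the pre-authorized isolation procedure described above rather than a ticket queue.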
The RaaS Ecosystem Context
The Gentlemen's evolution from LockBit affiliate to independent operator is a microcosm of how the ransomware ecosystem regenerates itself. Law enforcement takedowns of major RaaS platforms like LockBit and ALPHV/BlackCat disrupt operations temporarily, but experienced affiliates who developed capabilities within those ecosystems often re-emerge as independent operators or join competing platforms.
The development of worm capabilities by what was once a simple affiliate represents a concerning maturation of threat actor technical sophistication — a trend consistent with the broader observed upskilling of financially motivated cybercriminal groups.