Shift in the Ransomware Landscape: The Rise of The Gentlemen
In a notable transformation within the ransomware ecosystem, a new group has recently emerged as a leading actor in cyber extortion campaigns. The Gentlemen ransomware gang has quickly ascended to prominence, becoming the most prolific threat actor responsible for a substantial number of attacks over the past few months.
Recent analysis conducted between March and May 2026 revealed that this group was linked to an alarming total of 300 incident reports. This significant figure positions The Gentlemen as a formidable player, overtaking the once-dominant Qilin ransomware affiliate operation, which had maintained its stature as the most active group in previous quarters. The data indicates that Qilin’s attacks during the same timeframe decreased to 289 incidents, thus demoting it to the second most prolific gang in recent months.
This detailed examination of ransomware activities was carried out by cybersecurity researchers at ReliaQuest and was disseminated publicly through a report published on July 16, 2026. The report paints an extensive picture of the ransomware landscape, tracking a total of 1,368 claims from victims attributed to 11 different ransomware groups. These incidents spanned across 99 countries, highlighting the global nature of this cyber threat.
The disparity in the number of ransomware incidents associated with The Gentlemen and Qilin compared to other notorious operators is striking. Groups such as DragonForce, Akira, and LockBit logged between 150 and 100 attacks each during the same period, clearly falling behind the leaders in the ransomware domain. These three groups have been responsible for some of the most significant cyber incidents in recent years; however, the rise of The Gentlemen signifies a notable shift in the competitive landscape of ransomware providers.
Tristano Di Liberto, a security analyst at ReliaQuest, noted that The Gentlemen’s rapid ascension can largely be attributed to their aggressive recruitment of affiliates and the provision of a well-designed intrusion kit. This proactive approach effectively lowers the barrier for entry for new cybercriminals wishing to join the operation. Di Liberto expressed confidence that the pressure exerted by The Gentlemen is likely to continue into the third quarter of 2026, indicating the group’s sustained influence on the ransomware ecosystem.
Central to The Gentlemen’s success is the availability of pre-packaged, user-friendly tools designed to facilitate the execution of attacks. These resources include a comprehensive playbook that serves as a valuable guide for affiliates, outlining the entire attack chain and workflow processes. Additionally, the playbook offers specific suggestions on which edge devices to target for exploitation, instructions for using lightweight tunneling tools connected to command servers, and guidance on deploying Single-host Server Message Block (SMB) encryption.
Intriguingly, recent leaks of internal communication suggest that The Gentlemen, like some other cybercriminal enterprises, are increasingly integrating artificial intelligence (AI) tools into their operations. This utilization of AI has enabled them to accelerate the development of new features and enhancements more swiftly than their competitors, who may not yet be harnessing the potential of AI in their operations. Such advancements could entice affiliates currently aligned with other groups to switch allegiance to The Gentlemen.
When discussing the factors contributing to this shift, Di Liberto explained, “It runs proven affiliate throughput, ships tools faster than most rivals through its AI-accelerated build pipeline, and offers a pre-packaged intrusion kit that shortens ramp-up.” The combined effect of these innovations leads to an increasingly attractive proposition for new recruits looking for a lucrative platform within the criminal underworld.
In response to the rising challenges posed by ransomware attacks, ReliaQuest has put forth several recommendations aimed at equipping cybersecurity leaders with tools to fortify their networks against common techniques employed by intruders. These measures include:
- Restricting Remote Desktop Protocol (RDP) and other remote access avenues.
- Enforcing Microsoft’s vulnerable-driver block list to minimize potential exploits.
- Monitoring blockchain Remote Procedure Call (RPC) and session messenger egress.
- Strengthening identity protection against voice phishing (vishing) and Adversary-in-the-Middle (AiTM) attacks.
Collectively, these strategies emphasize the urgent need for organizations to adapt and enhance their cybersecurity protocols in light of the evolving threats within the ransomware landscape. The emergence of The Gentlemen as a leading player underscores the dynamic and unpredictable nature of cyber threats, urging organizations to remain vigilant and proactive in their defenses.
