Ransomware

The Gentlemen Ransomware: Custom EDR/AV Killers Fuel Rapid Global Expansion

dark6 8 July 2026
Read Time:3 Minute, 13 Second

A ransomware operation calling itself The Gentlemen has become one of the fastest-scaling threats of 2026, expanding from a mid-2025 offshoot of the Qilin Ransomware-as-a-Service (RaaS) program into a full-spectrum, human-operated crime operation that Microsoft now tracks under the designation Storm-2697. Within its first year as an independent group, The Gentlemen has claimed more than 500 victims across over 70 countries, accounting for roughly 10% of all global ransomware activity recorded in April 2026.

Origins in a Payment Dispute

The Gentlemen reportedly splintered from the Qilin RaaS ecosystem following an internal payment dispute, a familiar pattern in the ransomware underground where affiliate disagreements over profit-sharing frequently spawn new, competing operations. Rather than remaining a minor player, the group rapidly built out its own infrastructure, tooling, and affiliate program, positioning itself as a serious rival to established RaaS brands.

Custom EDR/AV Killer Infrastructure

What distinguishes The Gentlemen from typical ransomware crews is not just its growth rate but its investment in operator-maintained evasion tooling. The group markets an in-house framework called GentleKiller directly to affiliates, folding together at least three previously separate evasion utilities — reportedly including components known as ThrottleBlood and HavocKiller — into a single, standardized suite built to blind or disable endpoint detection and response (EDR) and antivirus products before encryption begins.

This modular evasion suite is paired with a Go-based, self-propagating worm encryptor that uses hybrid Curve25519/XChaCha20 cryptography, a combination that gives the group both strong encryption guarantees and the ability to spread automatically across a compromised network with minimal manual operator intervention.

A Tier-1 Threat to Critical Sectors

Security researchers now classify The Gentlemen as a Tier-1 threat to manufacturing, healthcare, financial services, and operational technology (OT) environments worldwide — sectors where downtime carries outsized real-world consequences and where victims are historically more likely to pay to restore operations quickly.

The “Rocket” Leak

A significant intelligence breakthrough came in May 2026, when an internal backend database used by the group, referred to as “Rocket,” was leaked. The exposure included:

  • Over 3,300 internal chat messages between operators and affiliates
  • Operator identities and role assignments within the group
  • More than 1,570 confirmed victim records
  • Ransom negotiation transcripts
  • Details of the group’s full technical toolchain

This leak has given defenders and threat intelligence teams — including ESET Research, Microsoft Threat Intelligence, Check Point Research, Trend Micro, and Huntress — an unusually detailed window into the group’s operations, organizational structure, and technical methods, which in turn is informing faster detection and response guidance across the industry.

Why This Group Is Scaling So Quickly

Several factors are converging to fuel The Gentlemen’s rapid growth: a mature, easy-to-use affiliate toolkit that lowers the technical bar for less-skilled affiliates, purpose-built evasion tooling that increases the odds of successful encryption before defenders can respond, and self-propagating worm capabilities that let a single initial foothold cascade into a network-wide incident without constant operator hands-on-keyboard activity.

Defensive Recommendations

Given the group’s focus on disabling EDR/AV before encryption, organizations in high-risk sectors should prioritize:

  • Tamper-protection features on EDR/AV agents that prevent unauthorized service termination or uninstallation.
  • Network segmentation to limit the blast radius of a self-propagating worm encryptor.
  • Offline, immutable backups tested for rapid restoration, given the group’s affiliate-driven speed of encryption.
  • Monitoring for known GentleKiller/ThrottleBlood/HavocKiller indicators of compromise as they are published by threat intelligence vendors.
  • Reviewing remote access and initial-access vectors, a common entry point for human-operated RaaS affiliates.

With the group already responsible for a tenth of global ransomware activity just a year after splitting from Qilin, defenders should expect The Gentlemen’s affiliate base and its victim count to keep climbing through the rest of 2026.

Leave a Reply

💬 [[ unisciti alla discussione! ]]


Se vuoi commentare su The Gentlemen Ransomware: Custom EDR/AV Killers Fuel Rapid Global Expansion, utilizza la discussione sul Forum.
Condividi esempi, IOCs o tecniche di detection efficaci nel nostro 👉 forum community