New ransomware crew The Gentlemen claims 20 victims in one week

A ransomware crew that nobody had heard of a year ago is now keeping pace with the most established extortion brands on the planet. The Gentlemen posted 20 new victims to its dark web leak site in the past seven days, according to IntelFusions incident tracking data, placing it just behind long-running operations like LockBit and Qilin for the week.

The claims arrived in three distinct batches (June 4, June 8, and June 11), a rhythm that suggests scheduled publication rather than a steady drip, and they span 13 countries across the Americas, Europe, Asia, and the Middle East. The full list is browsable on the IntelFusions incident tracker. As with all leak site data, these are criminal claims rather than independently confirmed breaches.

Healthcare in the crosshairs

Five of the 20 alleged victims are healthcare providers: a pediatrics practice in Arkansas, a surgical hospital and a Michigan surgical center in the United States, a clinic in the United Kingdom, and a Polish medical company. Manufacturers, schools, logistics firms, and technology companies make up most of the rest. That sector mix matches what researchers have documented from the group's confirmed intrusions, where manufacturing, construction, and healthcare dominate.

Who are The Gentlemen

Trend Micro first profiled The Gentlemen in September 2025 as a previously undocumented operation that arrived unusually well equipped. Rather than relying on generic antivirus evasion, the crew studies each target's specific defenses and tailors its tooling accordingly, abusing legitimate signed drivers to shut down security software and hijacking Windows Group Policy to push its encryptor across entire domains. Trend Micro's initial count of 27 victims across 17 countries, concentrated in Thailand and the United States, led its researchers to assess that the group is either a rebrand of experienced operators or a well-funded new entrant, as laid out in the original report.

The trajectory has continued since. Check Point's first-quarter 2026 ransomware data counted The Gentlemen among the four groups, alongside Qilin, Akira, and a resurgent LockBit, that together claimed 41 percent of all leak site victims, a sign of the ransomware economy reconsolidating around a few high-volume brands.

What you should do

The group's documented playbook gives defenders concrete things to watch. Enable Microsoft's vulnerable driver blocklist and alert on new kernel driver installations, monitor for unexpected Group Policy Object changes (a favorite distribution mechanism), tightly limit domain administrator accounts, and segment backup infrastructure from the production domain. Healthcare and manufacturing organizations in particular should treat leak site listings naming peers in their sector as a prompt to hunt for the group's tradecraft rather than as someone else's problem.
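As an added illustration (not part of the original briefing or any vendor's tooling), the sketch below triages exported Windows event records for two of the signals named above: new kernel driver installations (System event 7045) and Group Policy Object changes by accounts outside an approved set (Security events 5136/5137). The sample records, host and account names, the approved-editor list, and the expected driver directories are all constructed assumptions.

```python
# Constructed sample records (not real telemetry). Field names follow Windows
# System event 7045 (service installed) and Security events 5136/5137
# (directory object modified/created); hosts and accounts are made up.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "ws-014", "ServiceName": "PrintHelper",
     "ServiceType": "user mode service",
     "ImagePath": r"C:\Program Files\PrintHelper\ph.exe"},
    {"EventID": 7045, "Computer": "ws-022", "ServiceName": "exampledrv",
     "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\Public\exampledrv.sys"},
    {"EventID": 5136, "Computer": "dc-01", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "Computer": "dc-01", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "Computer": "dc-01", "SubjectUserName": "svc-backup",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description"},
]

# Assumption: accounts permitted to edit GPOs under your change control.
APPROVED_GPO_EDITORS = {"gpo-admin"}
# Assumption: locations where legitimately installed drivers normally live.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers",
                        r"\systemroot\system32\drivers", r"system32\drivers")

def normalize_path(path):
    """Lowercase, drop quotes and the NT '\\??\\' prefix seen in ImagePath."""
    path = path.strip('"').lower()
    return path[4:] if path.startswith("\\??\\") else path

def triage(events, approved=APPROVED_GPO_EDITORS):
    """Return (severity, rule, host, detail) tuples for events worth a look."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045 and "kernel" in ev.get("ServiceType", "").lower():
            # Every new kernel driver alerts; an unusual path raises severity.
            path = normalize_path(ev.get("ImagePath", ""))
            sev = "medium" if path.startswith(EXPECTED_DRIVER_DIRS) else "high"
            alerts.append((sev, "driver-install", ev["Computer"], ev["ServiceName"]))
        elif eid in (5136, 5137) and ev.get("ObjectClass") == "groupPolicyContainer":
            user = ev.get("SubjectUserName", "").lower()
            if user not in approved:  # GPO touched outside the approved set
                alerts.append(("high", "gpo-change", ev["Computer"], user))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Events 5136 and 5137 are only logged when directory service change auditing is enabled on domain controllers, so confirm that audit policy before relying on the GPO rule.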

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
