The ransomware crew known as The Gentlemen has vaulted into the top tier of extortion gangs by dangling an almost unheard of incentive in front of criminal partners: a 90 percent cut of every ransom they help collect. In a new profile of the group, Palo Alto Networks' Unit 42 says the operation has become the second most active ransomware as a service program of 2026, trailing only the established heavyweights.
According to Unit 42 researcher Matt Brady, The Gentlemen (also tracked as Storm-2697) has been running as a service since at least July 2025, and its operators were likely active even earlier as an affiliate crew called ArmCorp working under the Qilin ransomware operation. Around September 2025 the roughly 20 person team spun up its own service, and it has been climbing ever since.
An affiliate model built to recruit
Most ransomware as a service programs hand affiliates a 70 to 80 percent share of paid ransoms. The Gentlemen's 90 percent offer is designed to poach talent from rivals, and it appears to be working. In May 2026 the group announced a partnership with a well known cybercrime forum to recruit affiliates, penetration testers and initial access brokers. Unit 42 notes that an alleged insider leaked the group's internal database that same month, exposing details of how the operation is run.
Growth by the numbers
The scale of the surge is stark. Through July 7, one tracker had counted 580 victims claimed by The Gentlemen across 77 countries since the group emerged, with manufacturing the single most targeted sector at 103 victims. Comparing the last six months of 2025 with the first half of 2026, claimed victims jumped by more than six times, and June 2026 was the group's busiest month yet with 117 claims. These figures are self reported extortion claims posted to the gang's leak site, not independently confirmed breaches, so they should be read as an indicator of activity rather than a verified victim count.
How they break in
The Gentlemen lean on the same initial access playbook as other big game hunters: exploiting vulnerabilities in internet facing firewalls and VPNs, brute forcing logins, buying stolen credentials and working with access brokers. Unit 42 flags several flaws the crew is known to abuse, including bugs in Fortinet's FortiOS (CVE-2024-55591), the Erlang/OTP SSH server (CVE-2025-32433) and the Windows SMB client (CVE-2025-33073), plus a vulnerable ThrottleStop driver (CVE-2025-7771) used to escalate privileges. Their encryptors are written in both C and Go so they can hit Windows, Linux and virtual infrastructure, and the group fields a custom Go backdoor and an EDR killing tool dubbed GentleKiller to blind security software before deploying ransomware.
What defenders should do
Unit 42 urges organizations to patch the exploited edge device flaws above as a priority, enforce phishing resistant multi factor authentication, treat virtualization platforms such as VMware ESXi as tier zero infrastructure, and maintain validated offline backups. Watch for suspicious scheduled tasks and for tools like Advanced IP Scanner being used to map internal networks. IntelFusions has previously detailed the crew's custom backdoor and network spying and its GentleKiller EDR killer suite, and profiles the group alongside its Qilin parent on our threat actor pages.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.