Gentlemen ransomware operation using compromised credentials and exposed services
Malware Activity
Summary
Gentlemen ransomware is actively extorting victims, gaining entry to networks through compromised credentials and Internet-exposed services. Once inside it encrypts files, appends the .7mtzhh extension, and drops README-GENTLEMEN.txt ransom notes. Its Tor data leak site now lists nearly four dozen victims, indicating a sustained, active operation.
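The two file-system indicators named above (the appended .7mtzhh extension and the README-GENTLEMEN.txt note) are what an incident responder uses to scope an infection on a host or file share. The script below is an added example, not code from the page's sources or from any of the cited reporting: it walks a tree, separates encrypted files from ransom notes, recovers the original filenames for matching against backup catalogues, estimates the encryption window from modification times, and flags directories that hold a note but no encrypted files (where the encryptor may have been interrupted). The sample tree it scans is constructed inside the script so it runs offline.

```python
"""Scope a suspected Gentlemen ransomware infection from its file-system indicators.

Added example, not code from the page or its sources. Indicator values come from
the summary above; the directory layout scanned here is constructed sample data.
"""
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

ENCRYPTED_EXT = ".7mtzhh"            # extension appended to encrypted files
RANSOM_NOTE = "README-GENTLEMEN.txt"  # ransom note dropped per directory


@dataclass
class ScanResult:
    encrypted: List[str] = field(default_factory=list)  # paths of encrypted files
    notes: List[str] = field(default_factory=list)      # paths of ransom notes
    first_mtime: Optional[float] = None                 # earliest encrypted-file mtime
    last_mtime: Optional[float] = None                  # latest encrypted-file mtime

    @property
    def dirs_with_note_only(self) -> List[str]:
        """Directories with a ransom note but no encrypted file."""
        enc_dirs = {os.path.dirname(p) for p in self.encrypted}
        return sorted({os.path.dirname(n) for n in self.notes} - enc_dirs)

    @property
    def original_names(self) -> List[str]:
        """Original filenames, recovered by stripping the appended extension."""
        return sorted(os.path.basename(p)[: -len(ENCRYPTED_EXT)] for p in self.encrypted)


def scan_tree(root: str) -> ScanResult:
    """Walk `root` once and classify every file against the two indicators."""
    res = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                res.notes.append(path)
            elif name.endswith(ENCRYPTED_EXT):
                res.encrypted.append(path)
                mt = os.stat(path).st_mtime
                res.first_mtime = mt if res.first_mtime is None else min(res.first_mtime, mt)
                res.last_mtime = mt if res.last_mtime is None else max(res.last_mtime, mt)
    return res


def build_sample_tree(base: str) -> str:
    """Create a small victim-like tree (constructed sample data, not real evidence)."""
    layout = {
        "finance/Q3-report.xlsx.7mtzhh": b"\x00" * 16,
        "finance/contracts.docx.7mtzhh": b"\x00" * 16,
        "finance/README-GENTLEMEN.txt": b"ransom note text",
        "hr/payroll.csv.7mtzhh": b"\x00" * 16,
        "hr/README-GENTLEMEN.txt": b"ransom note text",
        "public/README-GENTLEMEN.txt": b"ransom note text",  # note dropped, nothing encrypted
        "public/index.html": b"<html></html>",                # untouched file
    }
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo() -> dict:
    """Scan the constructed tree and return plain-value findings."""
    with tempfile.TemporaryDirectory() as tmp:
        res = scan_tree(build_sample_tree(tmp))
        window = None
        if res.first_mtime is not None:
            window = (datetime.fromtimestamp(res.first_mtime, timezone.utc).isoformat(),
                      datetime.fromtimestamp(res.last_mtime, timezone.utc).isoformat())
        return {
            "encrypted": len(res.encrypted),
            "notes": len(res.notes),
            "note_only_dirs": [os.path.basename(d) for d in res.dirs_with_note_only],
            "original_names": res.original_names,
            "window": window,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real host, point `scan_tree` at each mounted volume and compare the recovered original names against the backup catalogue before touching anything; the note-only directories are worth a second look, since a note without encrypted files may mean the encryptor was killed mid-run or that the note was copied by a user.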
Related Happenings
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
How related:
The Gentlemen ransomware operation surfaced in August and is known for using compromised credentials and targeting Internet-exposed services to gain initial access to victims' networks.
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Sicarii ransomware per-execution RSA key generation breaks decryption
Malware Activity
First: 28.01.2026 00:15
Last: 28.01.2026 00:15
Sources 1
About this happening:
The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...
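The Sicarii key-handling flaw described above is easiest to see in a model. The code below is an added example, not Sicarii's code, and it assumes the common hybrid design in which a random per-victim symmetric key is wrapped under an RSA public key; the page says nothing about the malware's internals beyond the key handling. Textbook RSA (no padding) and a SHA-256 counter keystream stand in for real primitives only so the example runs with the standard library; neither is fit for production use. The broken flow generates a fresh key pair per execution and discards the private half, so the stored wrapped key can never be unwrapped by anyone; the contrasting flow embeds a key pair generated once and shows why keeping the private key offline is what makes decryption possible at all.

```python
"""Model of per-execution RSA key generation with the private key discarded.

Added example, not Sicarii's code. Toy primitives (textbook RSA, hash-based
keystream) are used purely to keep the example self-contained.
"""
import hashlib
import secrets
from typing import Tuple

PLAINTEXT = b"constructed sample document contents, 64 bytes long for the demo"  # constructed


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 512) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d). Toy key size, large enough to wrap a 256-bit key."""
    e = 65537
    half = bits // 2
    while True:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:
            continue
        return (p * q, e), pow(e, -1, phi)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_victim(plaintext: bytes, pub: Tuple[int, int]) -> Tuple[bytes, int]:
    """Hybrid encryption: fresh file key, wrapped under the given RSA public key."""
    n, e = pub
    file_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return keystream_xor(file_key, plaintext), wrapped


def decrypt_victim(ciphertext: bytes, wrapped: int, pub: Tuple[int, int], d: int) -> bytes:
    """Unwrap the file key with private exponent d and decrypt. A mismatched
    key pair silently yields a wrong file key and therefore garbage output."""
    n, _e = pub
    nbytes = (n.bit_length() + 7) // 8
    file_key = pow(wrapped, d, n).to_bytes(nbytes, "big")[-32:]
    return keystream_xor(file_key, ciphertext)


def broken_flow() -> bool:
    """Per-execution key pair, private half discarded. The only thing a later
    'decryptor' run can do is generate another pair, which cannot unwrap the
    stored key. Returns whether decryption recovered the plaintext."""
    pub_enc, _discarded_private = rsa_keygen()
    ct, wrapped = encrypt_victim(PLAINTEXT, pub_enc)
    pub_dec, d_dec = rsa_keygen()  # a different, unrelated key pair
    return decrypt_victim(ct, wrapped, pub_dec, d_dec) == PLAINTEXT


def embedded_key_flow() -> bool:
    """Key pair generated once; public half embedded, private half kept by the
    operator. Decryption succeeds because the private key still exists."""
    operator_pub, operator_priv = rsa_keygen()
    ct, wrapped = encrypt_victim(PLAINTEXT, operator_pub)
    return decrypt_victim(ct, wrapped, operator_pub, operator_priv) == PLAINTEXT


if __name__ == "__main__":
    print("per-execution key pair, private key discarded:", broken_flow())
    print("embedded key pair, private key retained:     ", embedded_key_flow())
```

The practical consequence for responders is that paying for a Sicarii decryptor cannot help: the information needed to unwrap the file key was never written anywhere, so recovery depends entirely on backups or on whatever the encryptor left intact.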
XWorm backdoor with expanded ransomware plugins
Malware Activity
First: 06.10.2025 14:42
Last: 06.10.2025 14:42
Sources 1
About this happening:
The **XWorm** **Windows backdoor** is being redistributed in **phishing campaigns**, and newer builds **6.0, 6.4, and 6.5** expand its reach from theft to **remote control**, **fi...
Timeline
29.12.2025 16:26 · 2 articles
Gentlemen ransomware operation using compromised credentials and exposed services
Initial Disclosure: At emergence in **August**, the operation focused on breaking into networks through **compromised credentials** and **Internet-exposed services**. Early activity centered on encrypting documents and using **README-GENTLEMEN.txt** ransom notes.
Sources:
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26