Gentlemen ransomware operation using compromised credentials and exposed services
Malware Activity
Summary
Hide ▲
Show ▼
Gentlemen ransomware is actively extorting victims by using compromised credentials and Internet-exposed services to enter networks. It encrypts files, drops README-GENTLEMEN.txt notes, and appends the .7mtzhh extension. Its Tor data leak site has expanded to nearly four dozen victims, showing ongoing criminal reach.
Related Happenings
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
How related:
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims.
About this happening:
**The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaHow related: A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims.
About this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
H score53
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
How related:
The Gentlemen ransomware operation surfaced in August and is known for using compromised credentials and targeting Internet-exposed services to gain initial access to victims' networks.
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
CampaignHow related: The Gentlemen ransomware operation surfaced in August and is known for using compromised credentials and targeting Internet-exposed services to gain initial access to victims' networks.
About this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
H score11
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Aleksey Olegovich Volkov sentenced in Yanluowang ransomware case
Law Enforcement
H score35
First: 24.03.2026 15:06
Last: 24.03.2026 15:06
Sources 1
About this happening:
The **Justice Department** said **Aleksey Olegovich Volkov** was **sentenced to 81 months** in prison for serving as an **initial access broker** in **Yanluowang ransomware** atta...
Aleksey Olegovich Volkov sentenced in Yanluowang ransomware case
Law EnforcementAbout this happening: The **Justice Department** said **Aleksey Olegovich Volkov** was **sentenced to 81 months** in prison for serving as an **initial access broker** in **Yanluowang ransomware** atta...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score25
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Timeline
-
29.12.2025 16:26 3 articles · 6mo ago
Gentlemen ransomware operation using compromised credentials and exposed services
Initial DisclosureAt emergence in **August**, the operation focused on breaking into networks through **compromised credentials** and **Internet-exposed services**. Early activity centered on encrypting documents and using **README-GENTLEMEN.txt** ransom notes.
Show sources
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- Romanian energy provider hit by Gentlemen ransomware attack — www.bleepingcomputer.com — 29.12.2025 16:26
- Who Runs the Ransomware Group ‘The Gentlemen?’ — krebsonsecurity.com — 10.06.2026 17:03