Cybersecurity · June 15, 2026 · via Security Affairs

How infostealers and AI are powering the rise of the Gentlemen ransomware


A ransomware group that surfaced in September 2025 has become one of the most active operations in less than a year, listing 483 victims across 66 countries by mid-2026. The Gentlemen relied heavily on stolen credentials harvested by commodity infostealers, AI-assisted tools for data analysis, and an aggressive affiliate program that hands external operators 90% of ransom payments. Internal chat logs leaked in May 2026 offer an unusually detailed look inside the group’s operations—revealing a small core team managing the ransomware and negotiation panel, while external affiliates carry out intrusions and reap most of the profits.

A different approach to targeting

Unlike many ransomware groups, The Gentlemen did not focus on U.S. organizations. Only about 15% of listed victims were in the United States, with the majority spread across Thailand, Brazil, the United Kingdom, France, India, Germany, Italy, Japan, Taiwan, and Spain. According to the report, operators prioritized what they called Tier 1 to 3 countries and Latin America, favoring targets where operational disruption would halt business quickly—even if potential payouts were smaller. Manufacturing emerged as the top targeted sector, followed by technology, business services, and healthcare.

The role of infostealers and AI

Initial access was the group’s main focus. Operators scanned for internet-facing vulnerabilities, including the FortiOS authentication-bypass flaw CVE-2024-55591, as well as older Active Directory weaknesses like ZeroLogon and PetitPotam. When exploits weren’t available, they turned to valid credentials stolen from compromised Outlook Web Access mailboxes—often using them to find VPN logins or send phishing emails from trusted internal accounts. The infostealer connection was central: researchers cross-referenced victim lists with stealer logs and found live corporate logins and active session tokens already exposed before the victims appeared on the group’s leak site. One example cited was a Philippine logistics firm that had six employee logins, seven customer logins, and 38 active session tokens exposed in stealer data.

Lessons for defense

The leaked chats reveal how closely The Gentlemen studied past ransomware operations, copying phishing and mailbox-abuse workflows from the February 2025 Black Basta leaks. The group’s tactics underscore a broader trend: stolen session cookies now pose as significant a risk as unpatched vulnerabilities. Monitoring dark-web activity and infostealer data should be treated with the same urgency as patch management, according to researchers.
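The cross-referencing the researchers describe (matching a victim's domains against stealer-log entries to count exposed employee logins, customer logins and still-valid session tokens) can be reproduced defensively against your own organisation's domains. The following is an added example, not code from the report or the group; the record layout, the `example-logistics.test` domain and the stealer lines are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class StealerRecord:
    """One line of a (constructed) infostealer log: a saved login or a cookie."""
    kind: str       # "credential" or "cookie"
    url: str        # login URL for credentials, cookie domain for cookies
    account: str    # e-mail or username; empty for cookies
    expires: int    # cookie expiry as Unix time; 0 for credentials

def host_matches(host, domains):
    """True if host equals one of the corporate domains or is a subdomain of one."""
    host = host.strip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def exposure_report(records, corp_domains, now):
    """Count unique employee logins, customer logins and still-valid session
    cookies found in stealer records for the given corporate domains."""
    corp = {d.lower() for d in corp_domains}
    employees, customers, live_cookies = set(), set(), 0
    for r in records:
        host = urlparse(r.url).hostname or r.url   # cookie domains carry no scheme
        if not host_matches(host, corp):
            continue                                # not one of this organisation's services
        if r.kind == "credential":
            acct = r.account.lower()
            mail_domain = acct.rsplit("@", 1)[-1] if "@" in acct else ""
            (employees if mail_domain in corp else customers).add(acct)
        elif r.kind == "cookie" and r.expires > now:
            live_cookies += 1                       # unexpired token: reusable without a password
    return {"employee_logins": len(employees),
            "customer_logins": len(customers),
            "active_session_tokens": live_cookies}

# Constructed sample: one hypothetical victim domain and a handful of stealer lines.
CORP_DOMAINS = {"example-logistics.test"}
NOW = 1_750_000_000
SAMPLE_RECORDS = [
    StealerRecord("credential", "https://owa.example-logistics.test/owa", "alice@example-logistics.test", 0),
    StealerRecord("credential", "https://vpn.example-logistics.test/", "bob@example-logistics.test", 0),
    StealerRecord("credential", "https://portal.example-logistics.test/login", "Alice@example-logistics.test", 0),  # duplicate of alice
    StealerRecord("credential", "https://portal.example-logistics.test/login", "shipper@customer.test", 0),
    StealerRecord("cookie", ".example-logistics.test", "", NOW + 3600),   # still valid
    StealerRecord("cookie", "owa.example-logistics.test", "", NOW - 10),  # expired
    StealerRecord("credential", "https://unrelated.test/login", "bob@example-logistics.test", 0),  # not a corporate host
]
```

Calling `exposure_report(SAMPLE_RECORDS, CORP_DOMAINS, NOW)` on the sample yields two employee logins, one customer login and one active session token; any non-zero count is a signal to reset the credential and revoke the sessions rather than wait for a patch cycle.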


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
