
The Gentlemen Ransomware

Investigations into The Gentlemen operation reveal that the financially motivated threat group originally functioned as an affiliate conducting double-extortion attacks while leveraging infrastructure and resources provided by multiple Ransomware-as-a-Service (RaaS) ecosystems, including LockBit, Qilin, and Medusa.

The operation is tracked by several researchers under the name Phantom Mantis and is led by a Russian-speaking cybercriminal identified as LARVA-368. This individual has been associated with multiple online aliases, including hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. Active since March 2025, the group has publicly claimed responsibility for 478 victims.

Emergence of the Threat Group

A major transformation occurred in July 2025 when Phantom Mantis evolved into The Gentlemen, an independent partnership program no longer reliant on external RaaS operators. The transition was accompanied by extensive use of artificial intelligence to support ransomware development, tool maintenance, and post-exploitation activities.

Threat intelligence assessments indicate that LARVA-368 previously operated within the Embargo ransomware group before launching a separate operation under the ArmCorp brand. Four months after the ArmCorp brand appeared, the operation was rebranded as The Gentlemen.

The timing of this transition was closely aligned with a public dispute between LARVA-368 and the Qilin ransomware operation. The threat actor accused Qilin of conducting an exit scam and withholding approximately $48,000 in earnings.

To strengthen market presence within underground communities, Phantom Mantis has invested in premium memberships on cybercriminal forums. Communications and technical support functions are largely managed by a separate Russian-speaking persona known as The Gentlemen Data.

A Mature and Rapidly Growing Ransomware Ecosystem

Security researchers characterize The Gentlemen as a highly adaptive and fast-evolving ransomware operation that combines traditional ransomware techniques with modern RaaS capabilities. Its operational model incorporates double extortion, cross-platform ransomware variants, flexible propagation mechanisms, and extensive affiliate support.

The group has rapidly emerged as one of the most active ransomware actors in the threat landscape, accounting for approximately 10% of all observed ransomware activity during April 2026. Attack campaigns typically follow an enterprise-focused intrusion chain that begins through vulnerable internet-facing services or compromised credentials.

Analysis further suggests that operators can dynamically modify tactics during intrusions. Activities have included manipulating Group Policy Objects (GPOs), compromising privileged accounts, and deploying customized techniques designed to evade endpoint security controls.

Victim distribution indicates a predominantly international focus. Only around 13% of known victims are located in the United States, while the highest concentrations of victims have been observed in Thailand, the United Kingdom, Brazil, Germany, and India.

Affiliate Support and Criminal Business Operations

The Gentlemen maintains a structured affiliate ecosystem supported directly by LARVA-368. Dedicated accounts on The Gentlemen IM platform provide assistance for encryption processes and intrusion-related challenges, including access to EDR bypass tools that leverage Bring Your Own Vulnerable Driver (BYOVD) techniques.

Support services for both The Gentlemen and The Gentlemen Data are available through Tox, SimpleX Chat, and Ricochet Refresh messaging platforms. Prospective affiliates must submit at least 1 GB of stolen victim data before obtaining access to the affiliate portal. This requirement appears intended to prevent researchers and law enforcement agencies from infiltrating the platform by posing as affiliates.

The affiliate management portal enables user administration, target configuration, and ransomware deployment management. To attract participants, the operation promotes an aggressive revenue-sharing structure that allocates 90% of profits to affiliates and 10% to the operators.

Technical Infrastructure and Attack Methodology

The group provides five ransomware variants: builds for Windows, Linux, and VMware ESXi, a legacy build that runs on Windows XP and later, and a build for systems that use Logical Volume Manager (LVM). Initial access operations commonly focus on internet-facing infrastructure such as VPN appliances, firewalls, and edge devices.

The intrusion lifecycle incorporates a broad arsenal of offensive tools and techniques:

  • Red-team utilities such as NetExec, RelayKing, TaskHound, PrivHound, and CertiHound are used for Active Directory reconnaissance, certificate abuse, privilege escalation, and network-share discovery. Additional tools including EDRStartupHinder, gfreeze, glinker, and DumpBrowserSecrets support defense evasion and credential theft, while Velociraptor, a legitimate open-source DFIR agent, is abused for command and control.
  • Post-compromise actions frequently include clearing Windows System, Application, and Security Event Logs, disabling Microsoft Defender, and creating antivirus exclusions to reduce detection opportunities.
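The log-clearing and Defender-tampering sequence described above leaves a predictable trail in the Windows event logs: Security event 1102 (audit log cleared), System event 104 (System or Application log cleared), and Defender Operational events 5001 (real-time protection disabled) and 5007 (configuration changed, including new exclusion paths). The following added example, written for this page and not part of the original article or of any vendor tooling, runs simple triage logic over a handful of constructed event records in a simplified exported-event shape; the records, the hostnames, the user names, and the two-category escalation threshold are all assumptions, while the channel names and event IDs are the real Windows ones.

```python
import json

# Constructed sample records (not captured from a real incident) in a simplified
# exported-event shape: channel, provider, event_id, computer, user, message.
SAMPLE_EVENTS = [
    {"channel": "Security", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102,
     "computer": "FS01", "user": "CORP\\svc_backup", "message": "The audit log was cleared."},
    {"channel": "System", "provider": "Microsoft-Windows-Eventlog", "event_id": 104,
     "computer": "FS01", "user": "CORP\\svc_backup", "message": "The System log file was cleared."},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 5001, "computer": "FS01", "user": "SYSTEM", "message": "Real-time protection is disabled."},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 5007, "computer": "FS01", "user": "SYSTEM",
     "message": "Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"},
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 5007, "computer": "WS17", "user": "SYSTEM",
     "message": "Configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2"},
    {"channel": "Application", "provider": "MsiInstaller", "event_id": 1033, "computer": "WS17",
     "user": "CORP\\jdoe", "message": "Windows Installer installed the product."},
]

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# (channel, event_id) -> (category, human-readable detail) for exact-match rules.
RULES = {
    ("Security", 1102): ("log_cleared", "Security audit log cleared"),
    ("System", 104): ("log_cleared", "event log cleared (System or Application)"),
    (DEFENDER_CHANNEL, 5001): ("defender_disabled", "Defender real-time protection disabled"),
}


def classify(event):
    """Map one event to a (category, detail) pair, or None if it is benign for this rule set."""
    key = (event["channel"], event["event_id"])
    if key in RULES:
        return RULES[key]
    # 5007 is noisy (any configuration change); only exclusion changes matter here.
    if key == (DEFENDER_CHANNEL, 5007) and "\\Exclusions\\" in event["message"]:
        return ("defender_exclusion", "Defender exclusion path added")
    return None


def triage(events, min_distinct_categories=2):
    """Group hits per host. A host showing two or more distinct evasion categories is
    flagged for escalation as likely pre-encryption staging (threshold is an assumption)."""
    per_host = {}
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        per_host.setdefault(event["computer"], []).append(
            {"category": hit[0], "detail": hit[1], "user": event["user"], "event_id": event["event_id"]}
        )
    return {
        host: {
            "findings": findings,
            "escalate": len({f["category"] for f in findings}) >= min_distinct_categories,
        }
        for host, findings in per_host.items()
    }


def load_jsonl(text):
    """Parse one JSON object per line, the shape many log exporters emit (assumed here)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if result["escalate"] else "review"
        print(f"{host}: {flag}")
        for f in result["findings"]:
            print(f"  [{f['event_id']}] {f['detail']} (by {f['user']})")
```

The value of grouping by host is that 1102 on its own is routine on some estates (backup agents and administrators clear logs), but 1102 plus an exclusion path plus real-time protection going off on the same machine within a short window is the staging pattern the article describes and warrants immediate isolation. The same logic transfers directly to a SIEM rule keyed on the same channel and event ID pairs.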

The ransomware employs a hybrid encryption model combining X25519 key exchange with XChaCha20 symmetric encryption. Researchers tracking the activity cluster as Storm-2697 determined that the malware is written in Go and obfuscated using Garble.

A particularly dangerous capability is enabled through the '--spread' parameter, which converts the ransomware from a single-host encryptor into a self-propagating worm capable of distributing itself across reachable network systems. When executed with the '--wipe' argument, the malware performs additional actions intended to eliminate recoverable artifacts after encryption.

Extortion Tactics and Operational Agility

Evidence suggests that The Gentlemen operates a multi-channel extortion strategy that extends beyond ransomware deployment. Victims may also face direct email communications and telephone-based pressure campaigns designed to increase the likelihood of payment.

The group's development cycle demonstrates an unusually high level of responsiveness. One notable example occurred in April 2026, when operators shipped a patched build on the same day that a decryptor became publicly available.

Intrusions typically remain undetected for periods ranging from two to six weeks before encryption is executed. Organizations operating VMware infrastructure appear to be a particular focus of targeting efforts.

Internal Leaks Reveal Organizational Structure

A significant intelligence breakthrough occurred in May 2026 following the exposure of an internal Rocket.Chat database used by the group. The leak contained 3,366 messages exchanged between November 2025 and late April 2026, providing valuable insight into the operation's internal structure and workflows.

The communications revealed a clear division of responsibilities among members and documented the use of vulnerabilities affecting VMware Aria Operations, Fortinet, Cisco, and Microsoft technologies. The records portrayed a well-organized criminal enterprise with specialized roles supporting different phases of attack operations.

The leaked information also showed active monitoring and evaluation of emerging vulnerabilities, including CVE-2024-55591 (an authentication bypass in Fortinet FortiOS and FortiProxy), CVE-2025-32433 (an unauthenticated remote code execution flaw in the Erlang/OTP SSH server), and CVE-2025-33073 (a Windows SMB client elevation-of-privilege flaw rooted in NTLM reflection). Exploitation of these flaws was combined with additional attack pathways involving backup-system abuse, management-controller compromise, and NTLM relay techniques, creating a highly flexible exploitation framework.

Exposure of a Complete Operator Toolkit

In March 2026, cybersecurity researchers identified an exposed directory hosted on the Proton66 bulletproof hosting service. The directory contained 126 files attributed to a The Gentlemen RaaS affiliate and effectively exposed a complete ransomware operator toolkit.

The leaked toolkit covered nearly every stage of the attack lifecycle:

  • Reconnaissance and victim profiling
  • Privilege escalation
  • Defense evasion
  • Credential theft
  • Lateral movement
  • Persistence mechanisms
  • Pre-encryption preparation activities

The breadth of the toolkit highlighted the operational maturity of the ecosystem and provided a rare glimpse into the resources available to affiliates.

The Threat Behind the Brand

LARVA-368 has been involved in extortion-focused cybercriminal activity since at least 2020. Experience gained through collaborations with multiple ransomware operations appears to have provided the technical expertise, operational knowledge, and criminal network necessary to establish and scale The Gentlemen into a significant independent RaaS enterprise.

The operation's combination of technical sophistication, affiliate-focused business practices, rapid development cycles, and aggressive extortion tactics has positioned The Gentlemen among the most prominent ransomware threats currently facing organizations worldwide.
