Security researchers have identified a new ransomware group known as Gentlemen that has carried out extortion attacks against organisations in multiple regions. Investigators reported activity linked to the group in at least 17 countries across North America, South America, the Asia Pacific region, and the Middle East. The scope of the campaign suggests the group is operating at scale and is capable of sustaining coordinated attacks against a wide range of targets.

The Gentlemen group first appeared in mid-2025 and quickly began claiming victims across several industries. Reported targets include organisations in manufacturing, construction, healthcare, and insurance. Analysts said these sectors often rely on continuous system availability and manage sensitive data, making them attractive to ransomware operators seeking to maximise pressure during extortion attempts.

The group uses a double extortion model that combines file encryption with data theft. After gaining access to a network, attackers encrypt critical systems and exfiltrate sensitive information. Victims are then threatened with public disclosure of the stolen data if payment demands are not met. Researchers said this approach increases leverage by creating both operational disruption and potential legal or reputational consequences.

Investigations into the group’s methods indicate a high level of technical capability. Analysts observed the use of legitimate system drivers to bypass security controls and customised tools designed to disable protective software. The attackers also conduct detailed reconnaissance of target networks before deploying ransomware, allowing them to adapt their techniques to the environment they encounter. This flexibility has made detection and containment more difficult for affected organisations.

The Gentlemen operation is believed to use a ransomware-as-a-service model. Under this structure, core operators develop and maintain the malware while affiliates provide access to victim networks or assist with deployment. In exchange, affiliates receive a share of ransom payments. Researchers said this model enables rapid expansion by allowing multiple actors to participate without having to build their own infrastructure from scratch.

Victims reported significant disruption following attacks attributed to the group. Encrypted systems have halted business operations and forced organisations to suspend services while recovery efforts were underway. In cases involving data theft, organisations faced additional risks related to data exposure, regulatory compliance, and loss of trust. Analysts said that even when systems are restored, the threat of leaked data can persist.

Cybersecurity specialists said the emergence of Gentlemen highlights ongoing changes in ransomware activity. Groups are increasingly combining technical sophistication with refined extortion tactics to improve success rates. Experts advised organisations to focus on preventative measures such as regular offline backups, strict access controls, and continuous monitoring for unusual activity. They also stressed the importance of incident response planning to limit damage if an intrusion occurs.
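The abuse of legitimate system drivers described earlier, and the "continuous monitoring for unusual activity" recommended here, meet in the driver-load telemetry most endpoint sensors already emit. The script below is an added example, not code from the article or from any vendor it cites: it takes constructed, simplified key=value records modelled on Sysmon's DriverLoad fields (EventID 6) and flags loads that are unsigned, signed by a publisher outside an allow-list, loaded from outside the normal driver directories, or whose hash appears on a locally maintained blocklist. The publisher allow-list, the directory list and the blocklist hashes are all assumptions chosen for illustration; a real deployment would populate them from the organisation's own baseline and threat intelligence.

```python
"""
Detection sketch: flag suspicious kernel driver loads from simplified,
Sysmon-style DriverLoad (EventID 6) records.

Added example. Every log line, hash, path and publisher name below is
constructed for illustration and is not taken from the article.
"""
from dataclasses import dataclass, field

# Assumption: publishers whose signed drivers are expected in this environment.
TRUSTED_PUBLISHERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Assumption: placeholder SHA-256 values standing in for a locally maintained
# blocklist of drivers known to be abusable (real lists come from your own intel).
BLOCKLISTED_SHA256 = {
    "0" * 64,   # placeholder entry
    "ab" * 32,  # placeholder entry, matched by one of the sample events below
}

# Assumption: directories from which kernel drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample telemetry: "key=value" pairs separated by "; ".
SAMPLE_EVENTS = [
    "EventID=6; ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; "
    "Signed=true; Signature=Microsoft Windows; SHA256=" + "11" * 32,
    "EventID=6; ImageLoaded=C:\\Users\\Public\\vendor_io.sys; "
    "Signed=true; Signature=Example Vendor Ltd; SHA256=" + "ab" * 32,
    "EventID=6; ImageLoaded=C:\\Windows\\Temp\\helper.sys; "
    "Signed=false; Signature=; SHA256=" + "cd" * 32,
    "EventID=1; Image=C:\\Windows\\System32\\cmd.exe",  # not a driver load; ignored
]


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split a 'key=value; key=value' record into a dict (values keep their case)."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess_driver_load(fields: dict):
    """Return a Finding for an EventID 6 record, or None for other event types."""
    if fields.get("EventID") != "6":
        return None
    image = fields.get("ImageLoaded", "")
    finding = Finding(image=image)

    # A kernel driver without a valid signature should never load on a
    # production host; a signature from an unexpected publisher deserves review.
    if fields.get("Signed", "").lower() != "true":
        finding.reasons.append("unsigned driver")
    elif fields.get("Signature") not in TRUSTED_PUBLISHERS:
        finding.reasons.append(
            f"signed by publisher outside allow-list: {fields.get('Signature')!r}"
        )

    # Legitimate-but-abusable drivers are signed, so a hash blocklist is the
    # control that catches them regardless of signature status.
    if fields.get("SHA256", "").lower() in BLOCKLISTED_SHA256:
        finding.reasons.append("hash matches local blocklist of abusable drivers")

    # Drivers dropped into user-writable locations are a strong anomaly.
    if not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        finding.reasons.append("loaded from outside the expected driver directories")

    return finding


def suspicious_loads(lines) -> list:
    """Return only the driver-load findings that triggered at least one rule."""
    findings = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding is not None and finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in suspicious_loads(SAMPLE_EVENTS):
        print(f.image)
        for reason in f.reasons:
            print("  -", reason)
```

Run against the constructed sample, the Microsoft-signed driver in its normal directory produces no finding, the vendor driver in a user-writable path trips three rules, and the unsigned driver in a temp directory trips two. The rules are deliberately independent so that a blocklist hit on a properly signed driver in the right directory still surfaces on its own, which is the case that matters when attackers bring a legitimate driver with them.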

Researchers said the campaign demonstrates that ransomware remains a persistent and evolving threat. The spread of new groups like Gentlemen reflects a broader trend in which cybercriminal operations quickly adapt and expand, requiring sustained attention from organisations across all sectors.
