InfoSecBulletin Cybersecurity for mankind
The Gentlemen ransomware group has quickly become one of the most active and growing cybercrime threats since it was first seen in late 2025. The Gentlemen is unique because it has the capability to attack with many types of systems, such as Windows, Linux, NAS, BSD, and VMware ESXi.
Attack chains seen in incidents include using open remote services, stealing credentials, and misusing VPN or firewall access.
OpenAI unveils its first custom chip, Named Jalapeño
Bajaj Auto System Hit by a Ransomware Attack
Cisco Unified CM flaw CVE-2026-20230 exploited in attacks
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
Security researchers at Levelblue believe the group is not completely new. It seems to be a continuation of past ransomware activity, linked to the Qilin group and a Russian-speaking person called “hastalamuerte.”
Attackers go into the system, look around the network, gain higher access, disable security tools, and spread ransomware. They also steal data, which is an important part of their double extortion plan.
Ransomware-as-a-Service Model
The Gentlemen runs a planned ransomware-as-a-service (RaaS) system with a special partner panel. This system is said to help create malware, customize ransom notes, track victims, and manage negotiations.
Affiliates may also use external communication tools like Tox or Session, complicating incident tracking.
The group’s ransom note is called “README-GENTLEMEN.txt.” It comes with encrypted files that have endings like “.7mtzhh” or other random types.
The malware is said to be made in Go and needs a password to run. This helps users manage its use and avoid automatic checks. Encryption uses a mixed approach. Small files are completely encrypted, while big files are partly encrypted in pieces to speed up the process.
Before encryption, the malware stops services related to backups, databases, and business apps to make recovery harder. Activity covers more than 70 countries. The biggest portions are in APAC (28.7%), Europe (28.4%), and the Americas.
The United States is at the top, then comes Thailand, France, and Brazil. Russia and CIS countries are missing, which fits usual ransomware patterns.
Recently, hidden online groups have made claims about data that they say is connected to the group, sold for about $10,000 in Bitcoin.
Organizations should focus on securing remote access services, using multi-factor authentication, watching privileged accounts, and making sure to have strong, separate backups.
Early detection strategies should look for strange actions by attackers. This includes unusual admin work, moving sideways in the network, and getting data ready before ransomware strikes.
