The Gentlemen emerging as key ransomware player

An emerging ransomware crew known as The Gentlemen is becoming a force to be reckoned with, according to NCC’s latest monthly threat data

An emerging ransomware gang known as The Gentlemen is beginning to attract more attention as it becomes one of the more active extortion groups in the cyber criminal underground, according to the latest monthly threat data from NCC Group.

First identified in the summer of 2025, The Gentlemen is an adept group that can easily and systematically bypass enterprise defences using tooling that includes generic anti-AV utilities, according to Trend Micro, which was one of the first to track the gang last year.

NCC said the gang is quickly evolving into a highly operational ransomware-as-a-service (RaaS) operation with advanced tooling and proxy infrastructure to accelerate its attacks.

The double extortion gang supports a broad set of target platforms, including Windows, Linux, NAS, BSD and VMware ESXi. Its ransomware uses XChaCha20 and Curve25519 encryption, which allows it to lock its victims’ files faster and at scale, with secure key generation through modern elliptic curve cryptography, which suggests the work of a sophisticated and established actor with “impeccable” ransomware nous.

Analysts are now also observing the use of proxy and backdoor malware known as SystemBC by The Gentlemen’s affiliates to enhance the efficacy of their attacks.

SystemBC infected systems serve as SOCKS6 proxies that enable cyber criminals to tunnel traffic through compromised hosts, which makes command and control (C2) activity much harder to trace, and improves its users’ ability to move laterally, or pivot in their victims’ environments.

Additionally, modular download-and-execute functionality enables rapid, effective delivery of follow-on payloads.


In this way, The Gentlemen’s affiliates navigate around IT systems without relying on potentially exposed external infrastructure, and can conduct repeatable, industrialised intrusions more easily, quickly, resiliently and stealthily. This fundamentally changes incident dynamics.
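The defender's counterpart to the proxy behaviour described above is spotting an internal host that has quietly started accepting SOCKS connections from its peers. The following is an added example, not code from NCC, Trend Micro or the SystemBC analysis: it parses the SOCKS5 client greeting and request (the wire format in RFC 1928; the article gives the version as SOCKS6, and using the SOCKS5 layout here is an assumption) and flags any listener that two or more distinct internal clients have greeted in SOCKS terms. The flow records, their field names and all addresses are constructed for illustration.

```python
"""Flag internal hosts that appear to be serving SOCKS5 proxy sessions to peers.

Added example (not the article's or any vendor's code). Input is a list of
constructed flow records as a capture tool might export them: source, destination,
destination port, and the client-to-server messages in order. Field names are
hypothetical.
"""
from collections import defaultdict
import ipaddress

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_greeting(data: bytes):
    """Return the offered auth methods if data is a well-formed SOCKS5 greeting, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:   # truncated or empty method list
        return None
    return list(data[2:2 + nmethods])


def parse_socks5_request(data: bytes):
    """Return (command, destination, port) if data is a SOCKS5 request, else None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01:                                  # IPv4
        addr_end = 8
        if len(data) < addr_end:
            return None
        dest = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == 0x03:                                # domain name, length-prefixed
        if len(data) < 5:
            return None
        addr_end = 5 + data[4]
        if len(data) < addr_end:
            return None
        dest = data[5:addr_end].decode("ascii", errors="replace")
    elif atyp == 0x04:                                # IPv6
        addr_end = 20
        if len(data) < addr_end:
            return None
        dest = str(ipaddress.IPv6Address(data[4:20]))
    else:
        return None
    if len(data) < addr_end + 2:
        return None
    port = int.from_bytes(data[addr_end:addr_end + 2], "big")
    return CMD_NAMES[cmd], dest, port


def find_proxy_hosts(flows, min_clients=2):
    """Group SOCKS5 greetings by listener; report listeners used by >= min_clients distinct sources."""
    seen = defaultdict(lambda: {"clients": set(), "targets": []})
    for flow in flows:
        msgs = flow["client_msgs"]
        if not msgs or parse_socks5_greeting(msgs[0]) is None:
            continue                                  # first client message is not a SOCKS greeting
        key = (flow["dst"], flow["dport"])
        seen[key]["clients"].add(flow["src"])
        if len(msgs) > 1:
            req = parse_socks5_request(msgs[1])       # second message carries the onward target
            if req is not None:
                seen[key]["targets"].append(req)
    return {key: {"clients": sorted(v["clients"]), "targets": v["targets"]}
            for key, v in seen.items() if len(v["clients"]) >= min_clients}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Two workstations greet the same internal host on 4145 and ask it to CONNECT onward.
    {"src": "10.0.5.23", "dst": "10.0.5.40", "dport": 4145,
     "client_msgs": [bytes.fromhex("050100"), bytes.fromhex("05010001c0a8010a01bb")]},
    {"src": "10.0.5.31", "dst": "10.0.5.40", "dport": 4145,
     "client_msgs": [bytes.fromhex("05020002"),
                     bytes.fromhex("0501000310") + b"example.internal" + bytes.fromhex("01bd")]},
    # Ordinary HTTP and TLS traffic to the same host: not SOCKS.
    {"src": "10.0.5.23", "dst": "10.0.5.40", "dport": 80, "client_msgs": [b"GET / HTTP/1.1\r\n"]},
    {"src": "10.0.5.77", "dst": "10.0.5.40", "dport": 443, "client_msgs": [bytes.fromhex("160301")]},
    # Truncated greeting (claims three methods, sends none): ignored as malformed.
    {"src": "10.0.5.77", "dst": "10.0.5.40", "dport": 4145, "client_msgs": [bytes.fromhex("0503")]},
    # A single client using another host as a proxy: below the default threshold.
    {"src": "10.0.9.2", "dst": "10.0.9.9", "dport": 1080, "client_msgs": [bytes.fromhex("050100")]},
]

if __name__ == "__main__":
    for (host, port), info in find_proxy_hosts(SAMPLE_FLOWS).items():
        print(f"{host}:{port} serving SOCKS5 to {info['clients']}; onward targets {info['targets']}")
```

The threshold is the interesting knob: a single SOCKS greeting can be a legitimate developer tool, but a workstation that several peers are steering onward connections through is behaving like the pivot point the article describes, and the decoded CONNECT targets show where those sessions were headed.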

“The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure and repeatable intrusion methods to accelerate attacks at scale,” said NCC vice-president of cyber intelligence and response, Matt Hull.

“Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs.”

Indeed, according to NCC’s latest monthly data, The Gentlemen are known to have been behind 73 cyber attacks in April 2026 alone, 10% of the total seen, and have now hit over 230 organisations this year.

In a month that saw overall ransomware attack volumes up slightly year-on-year, but down slightly compared with the previous month, Qilin remained the dominant actor, accounting for 107 attacks, or 14% of the total observed. With The Gentlemen placing second on the chart, the top five most active gangs also included DragonForce, with 63 attacks, Akira with 52, and Coinbase Cartel with 42.

Also appearing in the top 10 were familiar names such as LockBit5, with 36 attacks, INC Ransom with 27, and ShinyHunters with 20.

Humans and robots

The April data demonstrates how human-operated ransomware attacks such as those orchestrated by The Gentlemen’s affiliates are shrinking cyber attack timelines by giving cyber pros a briefer window in which to identify and respond to them, but this is not the only factor ratcheting up the tempo; automation and artificial intelligence (AI) are also in play.

In its latest report, NCC’s analysts also explored the growing industry debate around AI-assisted cyber capabilities, which reached deafening levels in the past few weeks following the debut of Anthropic’s frontier model, Claude Mythos.

While access to Claude Mythos remains restricted and its full implications on the cyber profession are unclear, NCC’s team said its true impact will almost certainly fall at the midway point between the claims of sceptics who dismiss it as marketing hype and those who say it will “mark the end of cyber security as we know it”.

“Developments around AI models such as Claude Mythos suggest AI-assisted vulnerability discovery and exploitation could further compress attacker timelines in the future,” said Hull. “However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments.”

NCC said that when mainstream access to Mythos is opened up, or an equivalent model emerges, there will be more pressure on defenders to rethink their working practices. Surging volumes of vulnerabilities will push security teams towards continuous vulnerability and attack surface management, and remediation and patching will become more bespoke, dynamic practices depending on the specific risk profile of each environment. Context-aware remediation strategies, said NCC, will be key.

Broadly, and in a similar way to what is happening with sophisticated ransomware gangs such as The Gentlemen, AI highlights the need for structural change in cyber – moving from reactivity to proactivity, incorporating security-by-design best practice.

NCC acknowledged this approach would drive up costs and may slow innovation, but boards should weigh these trade-offs against the long-term benefits of improving resiliency. Security leaders can make these conversations easier by showing AI can also be used defensively in areas such as code security testing, alert triage and automated response mechanisms.

“Organisations can no longer rely on reactive security measures alone,” said Hull. “Continuous attack surface management, strong identity controls and rapid detection of suspicious behaviour are becoming essential to reducing cyber risk.”
