The Gentlemen ransomware-as-a-service group has emerged as a major threat actor in 2026, deploying custom malware tools and sophisticated techniques against large corporations and critical infrastructure globally. Kaspersky researchers tracking the group since February 2026 have uncovered previously undocumented tactics, including custom-developed backdoors and network reconnaissance methods. Public reports indicate The Gentlemen ranked among the top 10 ransomware actors by victim announcements in the first half of 2026.
The group typically gains initial access through internet-facing devices such as hardware VPNs and firewalls, either by exploiting vulnerabilities in them or by logging in with stolen or default credentials. Evidence suggests The Gentlemen also buys access from initial access brokers: in some intrusions the foothold was established long before the ransomware was deployed, using tactics that do not match the group's usual playbook. Once inside a network, the attackers conduct thorough reconnaissance with tools such as SharpADWS for Active Directory enumeration, NetScan and Advanced IP Scanner for network mapping, and the built-in netsh utility (its trace capture mode) to record network traffic that can contain credentials and other sensitive data.
The group deploys two custom Go-based tools: a backdoor implant and the ransomware itself. The backdoor, installed roughly a day before the ransomware, maintains persistent communication with command-and-control servers, executes remote commands, and opens SOCKS proxy connections for pivoting through the network. The ransomware binary is protected by a previously unknown Go obfuscator and refuses to run unless launched with the correct password (at the time of the report, "CbdU8EgF"), which defeats automated sandbox detonation that does not supply it. It exposes multiple operational parameters controlling encryption speed, target selection, and deployment method.
To disable security products, The Gentlemen uses Bring Your Own Vulnerable Driver (BYOVD) techniques, abusing seven different vulnerable drivers, including ones from Safetica, WatchDog, and Paragon software. The group also uses open-source kernel tools such as Windows Kernel Explorer and OpenArk64 to intercept system calls and remove security drivers. Additional methods include registry modifications that disable Windows Defender and PowerShell Defender-management commands that add exclusions and turn off real-time monitoring.
Organizations should prioritize patching internet-facing devices, enforce strong authentication (including MFA) on VPN and firewall systems, and monitor for unusual Active Directory queries and network scanning activity. Security teams should block known vulnerable drivers (for example with Microsoft's recommended driver block rules), restrict and log PowerShell execution, and monitor for unauthorized Group Policy modifications and PsExec usage. Network segmentation and behavioral monitoring can help detect lateral movement before the ransomware is deployed.
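The reconnaissance, defense-evasion and lateral-movement behaviours described above (netsh packet capture, Defender tampering via registry and PowerShell, PsExec service installation, and driver loads that may be BYOVD) all leave traces in process-creation and driver-load telemetry. The following Python script is an added example of a minimal triage rule set over such telemetry; it is not code from the Securelist report or from the group's tooling. The sample events are constructed to resemble Sysmon Event ID 1 (ProcessCreate) and Event ID 6 (DriverLoad) records, the SHA256 values in them are placeholders, and the rule names are the author's own. A real deployment would feed it parsed events from your SIEM and a driver hash blocklist (e.g. the Microsoft recommended driver block list) instead of the inline constants.

```python
import re

# Constructed sample telemetry, loosely shaped like Sysmon Event ID 1
# (ProcessCreate) and Event ID 6 (DriverLoad). Made up for this example;
# the hash values are placeholders, not real driver hashes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh trace start capture=yes tracefile=C:\Temp\net.etl"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\drv.sys", "Hashes": "SHA256=AAAA,MD5=1111"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Hashes": "SHA256=BBBB,MD5=2222"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]

# Process-creation rules: (hypothetical rule name, regex over the command line).
PROCESS_RULES = [
    # netsh trace with capture=yes writes an ETL packet capture to disk.
    ("netsh_packet_capture",
     re.compile(r"\bnetsh\b.*\btrace\b.*\bstart\b.*capture\s*=\s*yes", re.I)),
    # Defender real-time protection switched off via the Defender cmdlets.
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s*\$?true", re.I)),
    # Exclusions added so the payload directory/process is never scanned.
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    # Defender disabled through the policy registry key with reg.exe.
    ("defender_policy_registry",
     re.compile(r"reg(\.exe)?\s+add\b.*\\Windows Defender\b.*DisableAntiSpyware", re.I)),
    # PsExec client binary or the PSEXESVC service it drops on the target.
    ("psexec_service", re.compile(r"\bpsexe(c|c64|svc)\.exe\b", re.I)),
]

# Legitimate drivers live here; a .sys loaded from anywhere else deserves a look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_hashes(field):
    """Turn a Sysmon-style 'SHA256=..,MD5=..' field into {algo: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def driver_findings(event, blocklist):
    """Rules for a DriverLoad event; blocklist is a set of lowercase SHA256."""
    path = event.get("ImageLoaded", "")
    hits = []
    if not path.lower().startswith(DRIVER_DIR):
        hits.append("driver_loaded_outside_drivers_dir")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in blocklist:
        hits.append("driver_on_blocklist")
    return hits


def triage(events, driver_blocklist=frozenset()):
    """Return one finding dict per (event, rule) match."""
    blocklist = {h.lower() for h in driver_blocklist}
    findings = []
    for idx, ev in enumerate(events):
        hits = []
        if ev.get("EventID") == 1:
            line = ev.get("CommandLine") or ev.get("Image", "")
            hits = [name for name, pat in PROCESS_RULES if pat.search(line)]
        elif ev.get("EventID") == 6:
            hits = driver_findings(ev, blocklist)
        for name in hits:
            findings.append({"index": idx, "rule": name, "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, driver_blocklist={"AAAA"}):
        ev = f["event"]
        print(f'[{f["rule"]}] {ev.get("CommandLine") or ev.get("ImageLoaded")}')
```

The command-line regexes are deliberately loose (case-insensitive, tolerant of extra arguments) because the same tampering can be typed many ways; pair them with PowerShell script block logging (Event ID 4104) so that encoded or obfuscated invocations are caught after decoding rather than only at process creation. The driver rule fires on path alone, which will also flag some legitimate vendor installers, so treat it as a lead to enrich with the hash blocklist and code-signing data rather than an alert on its own.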
Source: https://securelist.com/the-gentlemen-raas/120447/