Gentlemen
Gentlemen is a ransomware group first identified around August 2025 and described as one of the fastest-growing and most active emerging ransomware threats of that year. Reporting disagrees on how it is organized: some sources describe a relatively sophisticated ransomware-as-a-service operation, and high-confidence reporting states it uses an affiliate model, while other reporting describes a tightly controlled team that does not work with affiliates. The group practices double extortion, stealing data before encrypting files, and has been described as Russian-speaking in reporting on attacks affecting Romania. Gentlemen began posting on leak sites in September 2025 and accumulated 408 victims in 246 days. It has maintained a presence on the Rehub forum since September 2025.

Gentlemen targets medium and large enterprises globally, across at least 17 countries and sectors including healthcare, manufacturing, insurance, construction, and critical infrastructure. Reported victims and claimed targets include Mackay Sugar in Australia and Romania's Oltenia Energy Complex, alongside attacks affecting Romanian critical infrastructure more broadly.

Initial access attributed to Gentlemen relies on compromised credentials, credentials stolen by infostealers, and targeting of Internet-exposed services. Reported post-compromise tradecraft includes modifying Group Policy to push changes across the domain, terminating security and backup services, disabling Windows Defender, stopping services including Veeam, MSSQL, and MongoDB so that backup and database files are released from locks and can be encrypted, using WinSCP to exfiltrate data over an encrypted channel, and bring-your-own-vulnerable-driver (BYOVD) techniques to disable defenses. ESET telemetry confirmed that Gentlemen affiliates used the commercial EDR killer DemoKiller.

The ransomware itself is written in Go and includes anti-analysis and execution controls, among them a required password argument, so a sample does not run without the operator-supplied value and resists casual sandbox detonation. It encrypts local drives and network shares, drops README-GENTLEMEN.txt ransom notes, and has been reported to append the .7mtzhh file extension.
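The service stops, Defender tampering, Group Policy changes and on-disk artifacts above are the most concrete things a responder can hunt for. What follows is an added example, not tooling from Mallory or from the actor: a small Python triage script that scores constructed Windows event records against those indicators and sweeps a constructed directory tree for README-GENTLEMEN.txt notes and .7mtzhh files. The event IDs it keys on (7036, 5001, 5136, 4688) are real Windows event IDs; the record fields, the sample messages and the weights are assumptions made for the example.

```python
"""Triage helpers for the Gentlemen tradecraft described above.

Added example, not tooling from Mallory or from the actor. The event records
and the directory tree are constructed inline; the record fields (EventID,
Provider, Message) are a simplified, hypothetical view of Windows event data.
"""
import re
import tempfile
from pathlib import Path

# Services the reporting says the ransomware stops before encrypting.
TARGET_SERVICES = ("veeam", "mssql", "mongodb")
RANSOM_NOTE = "README-GENTLEMEN.txt"
ENCRYPTED_EXT = ".7mtzhh"

def _mentions_target(text):
    return any(s in text.lower() for s in TARGET_SERVICES)

# Event IDs: 7036 = Service Control Manager state change; 5001 = Defender
# real-time protection disabled; 5136 = directory service object modified
# (GPO edits land here); 4688 = process creation (needs command-line auditing).
def _service_stopped(ev):
    return (ev["EventID"] == 7036 and "stopped" in ev["Message"].lower()
            and _mentions_target(ev["Message"]))

def _defender_off(ev):
    return (ev["EventID"] == 5001
            and ev["Provider"] == "Microsoft-Windows-Windows Defender")

def _gpo_modified(ev):
    return ev["EventID"] == 5136 and "CN=Policies,CN=System" in ev["Message"]

def _stop_command(ev):
    return (ev["EventID"] == 4688
            and re.search(r"\b(?:sc|net)(?:\.exe)?\s+stop\b", ev["Message"], re.I)
            and _mentions_target(ev["Message"]))

def _winscp(ev):
    return ev["EventID"] == 4688 and "winscp" in ev["Message"].lower()

# (label, predicate, weight); the weights are an arbitrary triage heuristic.
RULES = [
    ("backup/db service stopped", _service_stopped, 2),
    ("Defender real-time protection disabled", _defender_off, 3),
    ("Group Policy object modified", _gpo_modified, 2),
    ("sc/net stop against backup/db service", _stop_command, 2),
    ("WinSCP executed (possible exfiltration staging)", _winscp, 1),
]

def score_events(events):
    """Return {rule label: accumulated weight} over all matching events."""
    hits = {}
    for ev in events:
        for label, pred, weight in RULES:
            if pred(ev):
                hits[label] = hits.get(label, 0) + weight
    return hits

def scan_for_artifacts(root):
    """Return (ransom notes, encrypted files) found under root, sorted."""
    notes, encrypted = [], []
    for p in Path(root).rglob("*"):
        if p.name == RANSOM_NOTE:
            notes.append(p)
        elif p.suffix == ENCRYPTED_EXT:
            encrypted.append(p)
    return sorted(notes), sorted(encrypted)

# Constructed events: the first seven mirror the reported chain, the last is
# benign noise that must not match anything.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Provider": "Microsoft-Windows-Security-Auditing",
     "Message": "Process Command Line: net stop VeeamBackupSvc"},
    {"EventID": 7036, "Provider": "Service Control Manager",
     "Message": "The Veeam Backup Service service entered the stopped state."},
    {"EventID": 7036, "Provider": "Service Control Manager",
     "Message": "The SQL Server (MSSQLSERVER) service entered the stopped state."},
    {"EventID": 7036, "Provider": "Service Control Manager",
     "Message": "The MongoDB Server service entered the stopped state."},
    {"EventID": 5001, "Provider": "Microsoft-Windows-Windows Defender",
     "Message": "Real-time Protection is disabled."},
    {"EventID": 5136, "Provider": "Microsoft-Windows-Security-Auditing",
     "Message": "A directory service object was modified. DN: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 4688, "Provider": "Microsoft-Windows-Security-Auditing",
     "Message": "New Process Name: C:\\Users\\svc\\Downloads\\WinSCP.exe"},
    {"EventID": 7036, "Provider": "Service Control Manager",
     "Message": "The Print Spooler service entered the running state."},
]

def build_sample_tree():
    """Constructed directory: one ransom note and two encrypted files."""
    root = Path(tempfile.mkdtemp(prefix="gentlemen-triage-"))
    (root / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (root / "finance").mkdir()
    (root / "finance" / ("q3.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (root / "finance" / ("ledger.db" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    return root

if __name__ == "__main__":
    hits = score_events(SAMPLE_EVENTS)
    notes, encrypted = scan_for_artifacts(build_sample_tree())
    print(hits, "score:", sum(hits.values()), "notes:", len(notes), "encrypted:", len(encrypted))
```

Two caveats when running this against real telemetry: 4688 only carries the command line when "Include command line in process creation events" is enabled, and 5136 for Group Policy edits requires directory service change auditing plus a SACL on the Policies container, so absence of either event is not evidence of absence. The single service stop is noise in most estates; the combination of all three backup and database services stopping within minutes of a Defender 5001 is what should page someone.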
Encryption behavior described in reporting combines X25519 for key exchange with XChaCha20 for file encryption, and encrypts only part of each large file to speed up the run. Because only a portion of a large file is rewritten, forensic review may still recover the unencrypted regions of such files, though not the encrypted prefix. Known alias: Gentlemen.
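To make the key handling concrete, the following is an added model of the scheme described above; it is not the actor's code, which is not available, and the footer layout, the 1 MiB prefix limit and the HKDF label are assumptions. It uses X25519 and HKDF from Python's `cryptography` package; that package has no XChaCha20, so IETF ChaCha20-Poly1305 with a 12-byte nonce stands in for it. The two properties a responder cares about survive the substitution: without the operator's private key no per-file key can be recomputed, and everything past the encrypted prefix of a large file is still plaintext.

```python
"""Model of a per-file X25519 + stream-cipher scheme with partial encryption.

Added example, not the actor's code. Layout, threshold and labels are
assumptions; ChaCha20-Poly1305 stands in for XChaCha20.
"""
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

PARTIAL_LIMIT = 1 << 20                 # assumed: encrypt at most the first 1 MiB
MAGIC = b"GNTL"                         # assumed footer marker
TAG_LEN = 16                            # Poly1305 tag appended by the AEAD
FOOTER_LEN = len(MAGIC) + 32 + 12 + 8   # magic | ephemeral pub | nonce | prefix len

def _file_key(shared_secret):
    return HKDF(hashes.SHA256(), 32, None, b"per-file key").derive(shared_secret)

def _raw(pub):
    return pub.public_bytes(serialization.Encoding.Raw,
                            serialization.PublicFormat.Raw)

def encrypt_file(plaintext, operator_pub):
    """Encrypt the prefix of plaintext; the remainder is left in clear.

    The operator's private key never touches the victim host: each file gets
    a fresh ephemeral key pair, and its public half is stored in the footer so
    the operator can recompute the shared secret later.
    """
    eph = X25519PrivateKey.generate()
    key = _file_key(eph.exchange(operator_pub))
    nonce = os.urandom(12)
    n = min(len(plaintext), PARTIAL_LIMIT)
    head = ChaCha20Poly1305(key).encrypt(nonce, plaintext[:n], MAGIC)
    footer = MAGIC + _raw(eph.public_key()) + nonce + struct.pack("<Q", n)
    return head + plaintext[n:] + footer

def decrypt_file(blob, operator_priv):
    """Inverse of encrypt_file; only the operator's private key can do this."""
    footer = blob[-FOOTER_LEN:]
    if footer[:len(MAGIC)] != MAGIC:
        raise ValueError("not an encrypted blob")
    eph_pub = X25519PublicKey.from_public_bytes(footer[4:36])
    nonce = footer[36:48]
    (n,) = struct.unpack("<Q", footer[48:])
    key = _file_key(operator_priv.exchange(eph_pub))
    head = ChaCha20Poly1305(key).decrypt(nonce, blob[:n + TAG_LEN], MAGIC)
    return head + blob[n + TAG_LEN:-FOOTER_LEN]

def can_decrypt(blob, priv):
    """True if priv recovers the file; a wrong key fails the AEAD tag check."""
    try:
        decrypt_file(blob, priv)
        return True
    except InvalidTag:
        return False

def cleartext_tail(blob):
    """Bytes of the original file that partial encryption never touched."""
    (n,) = struct.unpack("<Q", blob[-8:])
    return blob[n + TAG_LEN:-FOOTER_LEN]

def demo():
    operator = X25519PrivateKey.generate()      # generated off-host in practice
    # Constructed sample: a recognisable header, 1 MiB of filler, a trailer.
    sample = b"%PDF-1.7 header" + os.urandom(PARTIAL_LIMIT) + b"%%EOF trailer"
    blob = encrypt_file(sample, operator.public_key())
    return {
        "roundtrip": decrypt_file(blob, operator) == sample,
        "wrong_key": can_decrypt(blob, X25519PrivateKey.generate()),
        "tail_in_clear": cleartext_tail(blob) == sample[PARTIAL_LIMIT:],
    }

if __name__ == "__main__":
    print(demo())
```

The practical consequences: a memory dump of a running sample can yield at most the ephemeral key for the file being processed, never the operator's key, so key recovery from the host is not a realistic path; and the clear tail is why content carving and keyword triage still partly work on large encrypted files even though their first megabyte, including any magic bytes, is gone.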
Tradecraft
13 distinct techniques observed across reporting, grouped by tactic.
Recent activity
17 sources tracked across advisories, community write-ups, and news.
Claimed responsibility for the cyberattack on Mackay Sugar, added the victim to its data leak site, and is described as a prolific ransomware group operating with an affiliate model and using AI-assisted tooling plus credentials stolen by infostealers.
A newer ransomware operation that emerged after RansomHub went dark and rapidly accumulated victims.
Russian-speaking ransomware group linked to attacks affecting Romanian critical sectors, including water and energy providers.
Ransomware group whose affiliates were observed using the commercial DemoKiller EDR killer.