New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacks

NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments

A new threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacks and second only to the notorious Qilin.

Despite having emerged only in July last year, The Gentlemen has quickly evolved into a highly operational RaaS group, according to NTT, using advanced tooling and proxy infrastructure to accelerate attacks and improve stealth.

With a level of technical maturity that would normally be associated with more established ransomware groups, the researchers believe that the group consists of experienced actors with potential ties to other ransomware ecosystems.

The group's targeting remains focused on industrial organizations, the information technology sector, and some consumer spaces, with notable victims including Synergy France, UK Electronics, and Equity Life.

In terms of target geography, meanwhile, The Gentlemen largely extorts organizations in Europe, with the UK and Germany among the most heavily targeted countries.

Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.

The group's rapid growth so far this year, combined with its sophisticated proxy infrastructure and obfuscation techniques, means organizations should expect faster intrusion cycles and reduced dwell times before encryption deployment, NTT said.

"The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure, and repeatable intrusion methods to accelerate attacks at scale," said Matt Hull, VP of cyber intelligence and response at NCC Group.

"Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs."

According to NTT, there were 748 ransomware listings worldwide during April, representing a 7% fall from the figure for March. However, ransomware activity in 2026 has been operating at a higher baseline than much of 2025, as the ransomware-as-a-service (RaaS) ecosystem expands and matures.

Claude Mythos – the large language model reportedly capable of autonomously identifying vulnerabilities and developing exploit chains – has yet to make its mark, thanks to restricted access, controlled testing environments, and questions around operational effectiveness at scale.

"Developments around AI models such as Claude Mythos suggest AI-assisted vulnerability discovery and exploitation could further compress attacker timelines in the future," said Hull. "However, the industry should remain cautious about overstating current capabilities, particularly where testing has been limited to controlled environments."

The report also highlighted several geopolitical developments likely to influence cyber activity in the coming months, including China's expanded supply chain security regulations, which consolidate and extend existing controls on import and export activities.

Meanwhile, the strategic significance of NASA's Artemis program is motivating China and other nations to carry out espionage, IP theft activities, and potentially even destructive attacks.

"Numerous other well-resourced countries (and private companies) are pursuing high-stakes interests dependent on the domain of space; including but not exclusive to India, Japan, Israel, South Korea, UAE, Russia, Iran, and North Korea," the researchers warned. "Defenders should avoid being too narrow in their assessments of potential threats."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.