A rapidly growing ransomware operation known as "The Gentlemen" has compromised at least 483 organizations across 66 countries since surfacing in the threat landscape last year. According to data published on the group's dark-web leak site, the vast majority of these incidents—380 victims—occurred in 2026 alone. This unprecedented velocity marks a significant escalation in the ransomware ecosystem, driven by a combination of aggressive economic incentives and automated infrastructure.

Reporting from Security Affairs details how the group, which emerged in September 2025, has bypassed traditional network perimeter defenses by focusing exclusively on credential theft. Unlike operations that rely on zero-day exploits or complex vulnerability chaining, The Gentlemen primarily gains initial access through infostealer malware. This reliance on stolen login information underscores a shifting paradigm in cybersecurity where digital identities have effectively replaced the network edge as the primary line of defense.

To fuel this rapid expansion, the syndicate utilizes a disruptive revenue-sharing model. Affiliates working with the group receive up to 90 percent of the ransom profits, a stark inversion of standard Ransomware-as-a-Service (RaaS) structures where developers typically retain the larger share. Industry analysts suggest this high commission rate is designed to recruit experienced attackers capable of executing intrusions quickly. By prioritizing volume over individual payout size, the group creates a powerful financial engine that incentivizes speed and scalability.

Operational timelines are further compressed through the integration of artificial intelligence. The gang reportedly deploys AI-driven automation across the entire attack lifecycle, including victim targeting, intrusion execution, and negotiation tactics. This technological force multiplier allows The Gentlemen to process victims far faster than human-only teams could manage. Consequently, the window for traditional incident response is shrinking, with exfiltration and encryption potentially occurring within hours of initial compromise rather than days.

Given this emerging threat model, security leadership is being urged to pivot their defensive strategies toward identity-centric controls. Experts recommend the universal deployment of phishing-resistant multi-factor authentication (MFA), particularly for administrative and privileged accounts, as the most critical step to mitigate credential-based attacks. Continuous monitoring of authentication logs is also essential; automated analytics can identify anomalous patterns, such as impossible travel or off-hours access, indicating the use of compromised credentials in real time.
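As an added illustration of the authentication-log analytics mentioned above (example code written for this page, not from Security Affairs or any vendor tool), the script below applies two of the named rules, impossible travel and off-hours access, to a handful of constructed login events. The speed threshold, business-hours window, minimum distance and the event records themselves are all assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not from any real environment):
# user, UTC timestamp, and the geolocation of the source IP.
EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:05:00Z", "lat": 51.51, "lon": -0.13},   # London, business hours
    {"user": "alice", "ts": "2026-03-02T10:20:00Z", "lat": 40.71, "lon": -74.01},  # New York, 75 min later
    {"user": "bob",   "ts": "2026-03-02T02:45:00Z", "lat": 48.86, "lon": 2.35},    # Paris, off-hours
    {"user": "bob",   "ts": "2026-03-02T11:00:00Z", "lat": 48.86, "lon": 2.35},    # Paris, normal
]

MAX_SPEED_KMH = 900.0       # assumption: faster than an airliner is treated as impossible
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter within the same metro area
WORK_HOURS = range(7, 19)   # assumption: 07:00-18:59 UTC counts as business hours

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_anomalies(events):
    """Return (user, rule, detail) tuples for off-hours and impossible-travel sign-ins."""
    alerts = []
    last_seen = {}  # user -> (datetime, lat, lon) of the previous sign-in
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        if ts.hour not in WORK_HOURS:
            alerts.append((ev["user"], "off_hours", ts.isoformat()))
        prev = last_seen.get(ev["user"])
        if prev:
            pts, plat, plon = prev
            hours = (ts - pts).total_seconds() / 3600
            dist = haversine_km(plat, plon, ev["lat"], ev["lon"])
            # Two sign-ins at the same instant from distant places are also impossible.
            if dist > MIN_DISTANCE_KM and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append((ev["user"], "impossible_travel", f"{dist:.0f} km in {hours:.2f} h"))
        last_seen[ev["user"]] = (ts, ev["lat"], ev["lon"])
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS):
        print(alert)
```

In production the same logic would run continuously against the identity provider's sign-in feed, with thresholds tuned per organisation and alerts routed to the IR playbook's pre-authorised actions (token revocation, session kill) rather than printed.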

Furthermore, incident response (IR) protocols require immediate revision to address AI-accelerated threats. Organizations must stress-test their playbooks against scenarios where data loss happens almost instantaneously, ensuring that pre-authorized actions can be executed without bureaucratic delay. As automated systems blur the line between human-operated hacking and machine-speed attacks, defenders must achieve comparable levels of automation to protect organizational assets effectively.

While specific indicators of compromise remain under analysis, the rise of The Gentlemen signals a broader maturation of cybercrime business models. Success in this new environment depends less on hiding sophisticated exploits and more on optimizing recruitment economies and automation. For IT and security teams, the lesson is clear: protecting passwords and tokens is now as critical as patching firewalls.
