The Gentlemen Targets VMware, Cisco, and Fortinet Environments Worldwide

A new investigation by cybersecurity firm PRODAFT has shed light on the evolution of The Gentlemen, one of the fastest-growing ransomware groups currently operating in the cybercrime ecosystem.

According to the report, the group initially functioned as a ransomware affiliate conducting double-extortion attacks while leveraging infrastructure and resources from established ransomware-as-a-service (RaaS) operations, including LockBit, Qilin, and Medusa. However, by mid-2025, the group had transformed into an independent ransomware enterprise with its own affiliate program and infrastructure.

From Affiliate to Independent Ransomware Empire

PRODAFT tracks the operation under the name Phantom Mantis and attributes its leadership to a Russian-speaking cybercriminal known as LARVA-368.

The threat actor reportedly operates under multiple online aliases, including:

  • hastalamuerte
  • ArmCorp
  • zeta88
  • nobody0
  • santamuerte

Researchers believe LARVA-368 was previously associated with the Embargo ransomware group before launching an independent operation known as ArmCorp. In July 2025, the operation was rebranded as The Gentlemen, marking its transition from a ransomware affiliate to a standalone RaaS platform.

Since its launch, The Gentlemen has claimed responsibility for approximately 478 victims worldwide, making it one of the most active ransomware groups currently in operation.

AI Plays a Significant Role in Operations

One of the most notable findings from PRODAFT’s research is the group’s extensive use of artificial intelligence.

According to researchers, LARVA-368 utilizes AI technologies to assist with:

  • Ransomware development
  • Tool maintenance
  • Post-exploitation activities
  • Operational efficiency improvements

The increasing use of AI within ransomware operations highlights how cybercriminal groups are adopting advanced technologies to accelerate attacks and improve effectiveness.

Leadership Identity Linked to Russian National

The alleged identity behind LARVA-368 has reportedly been linked to Alexander Andreevich Yapaev, a 36-year-old individual from Izhevsk, Russia.

Cybersecurity journalist Brian Krebs previously identified the individual, and PRODAFT stated that its own intelligence aligns with that assessment with a high degree of confidence.

Dispute With Qilin May Have Triggered the Split

The transition from Phantom Mantis affiliate operations to The Gentlemen’s independent ransomware program appears to have been influenced by internal disputes within the ransomware ecosystem.

Researchers noted that LARVA-368 publicly accused the Qilin ransomware operation of withholding approximately $48,000 in payments and allegedly scamming affiliates.

While these allegations remain unverified, PRODAFT suggests the accusations may have also served as a recruitment strategy aimed at attracting dissatisfied affiliates from competing ransomware programs.

One of the Most Active Ransomware Groups in 2026

Security researchers have observed a rapid rise in The Gentlemen’s activity.

Recent intelligence suggests the group accounted for nearly 10% of all ransomware activity during April 2026, making it one of the most dominant cybercriminal operations globally.

Analysts describe The Gentlemen as a highly adaptive ransomware organization that combines:

  • Double extortion tactics
  • Cross-platform ransomware
  • Affiliate support programs
  • Enterprise-focused targeting
  • Rapid malware development cycles

The group frequently adapts its techniques during attacks, allowing operators to bypass security controls and maximize the impact of intrusions.

How The Gentlemen Targets Organizations

The ransomware operation primarily targets enterprise environments by exploiting internet-facing infrastructure and compromised credentials.

Common targets include:

  • VPN appliances
  • Firewalls
  • Remote access services
  • Edge networking devices

Researchers observed a particular focus on technologies from:

  • Cisco
  • Fortinet FortiGate
  • VMware environments

Once access is established, attackers deploy a variety of offensive security tools to perform:

  • Active Directory discovery
  • Privilege escalation
  • Credential theft
  • Network reconnaissance
  • Lateral movement

The group also uses specialized utilities designed to disable security software and evade endpoint detection systems.

Advanced Ransomware Capabilities

The Gentlemen provides affiliates with multiple ransomware variants tailored for different operating environments, including:

  • Windows
  • Linux
  • VMware ESXi
  • Windows XP+
  • Logical Volume Manager (LVM) systems

The ransomware uses a modern encryption approach that combines:

  • X25519 key exchange
  • XChaCha20 encryption

Microsoft researchers have noted that the malware is written in the Go programming language and can function as a self-propagating worm when specific options are enabled.

Additional features include:

  • Automatic network spreading
  • Data encryption
  • Event log deletion
  • Microsoft Defender tampering
  • Antivirus exclusion creation
  • Secure artifact wiping

These capabilities significantly increase the difficulty of recovery following an attack.
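The log deletion, Defender tampering and exclusion creation listed above are noisy on a host that keeps its event logs, which makes them a hunting opportunity. The following is an added example (not code from PRODAFT, Microsoft or the article) of a small triage routine that scans Windows event records for those behaviours and escalates any host showing several of them in one batch. The event IDs are the documented Windows ones (Security 1102 and System 104 for log clearing, Defender Operational 5001, 5007 and 5010 for protection changes); the event records themselves, the host names and the `Event` class are constructed for illustration.

```python
"""Triage Windows event records for the pre-encryption tampering pattern:
log clearing, Defender protection disabled, antivirus exclusions added.
Added example with constructed sample data; not the article's or the report's code."""
from dataclasses import dataclass

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"


@dataclass(frozen=True)
class Event:
    """Minimal view of a Windows event record (constructed for this example)."""
    channel: str
    event_id: int
    host: str
    message: str


# (channel, event id) pairs that are suspicious on their own.
SUSPICIOUS = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
    (DEFENDER_CHANNEL, 5001): "real-time protection disabled",
    (DEFENDER_CHANNEL, 5010): "antivirus scanning disabled",
}

# Defender 5007 is a generic "configuration changed" event; only the
# exclusion registry path marks an exclusion being created.
EXCLUSION_MARKER = r"Windows Defender\Exclusions"


def classify(event):
    """Return a finding label for a suspicious event, or None when benign."""
    key = (event.channel, event.event_id)
    if key in SUSPICIOUS:
        return SUSPICIOUS[key]
    if key == (DEFENDER_CHANNEL, 5007) and EXCLUSION_MARKER in event.message:
        return "antivirus exclusion created"
    return None


def triage(events):
    """Group distinct findings per host, sorted for stable output."""
    findings = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev.host, set()).add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


def escalate(findings, threshold=2):
    """Hosts with at least `threshold` distinct behaviours in the batch:
    log clearing combined with Defender tampering is the pattern worth paging on."""
    return sorted(h for h, labels in findings.items() if len(labels) >= threshold)


# Constructed sample records (host names and messages are illustrative).
SAMPLE_EVENTS = [
    Event(DEFENDER_CHANNEL, 5007, "FS01",
          r"Windows Defender Configuration has changed. New value: "
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0"),
    Event(DEFENDER_CHANNEL, 5001, "FS01", "Real-time protection is disabled."),
    Event("Security", 1102, "FS01", "The audit log was cleared."),
    Event("System", 104, "WS07", "The Application log file was cleared."),
    # A 5007 that changes an unrelated setting should not be flagged.
    Event(DEFENDER_CHANNEL, 5007, "DC01",
          r"Windows Defender Configuration has changed. New value: "
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\..."),
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, labels in result.items():
        print(host, labels)
    print("escalate:", escalate(result))
```

In production the records would come from a SIEM or from a Sysmon/WEF pipeline rather than an inline list; the point of the batch rule is that a single 5007 is routine administrative noise, while 5007 plus 5001 plus 1102 on the same host within one window is the sequence the article attributes to the encryptor.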

Affiliate Program Offers Aggressive Revenue Sharing

To attract affiliates, The Gentlemen offers one of the most favorable revenue-sharing models in the ransomware market.

Under the program:

  • Affiliates retain 90% of ransom payments
  • Operators receive 10%

Prospective affiliates must also provide at least 1 GB of stolen victim data before being granted access to the affiliate portal, a requirement designed to prevent researchers and law enforcement agencies from infiltrating the platform.

The affiliate infrastructure includes tools for:

  • Victim management
  • Payload generation
  • Target configuration
  • Campaign monitoring

Victims Spread Across Multiple Countries

Unlike many ransomware groups, which heavily target North American organizations, The Gentlemen has only around 13% of its victims located in the United States.

Researchers report higher concentrations of victims in:

  • Thailand
  • United Kingdom
  • Brazil
  • Germany
  • India

The group’s focus on global targets demonstrates a broad operational reach across multiple industries and regions.

Internal Leak Exposes Group Operations

In May 2026, a leaked internal Rocket.Chat database provided rare insight into the group’s internal communications.

The leaked data reportedly contained more than 3,300 messages exchanged between members over several months.

The conversations revealed:

  • Clear division of responsibilities among operators
  • Active tracking of newly disclosed vulnerabilities
  • Discussions around attack planning
  • Exploitation strategies targeting enterprise software

Researchers found evidence that the group monitored and weaponized vulnerabilities affecting VMware, Cisco, Fortinet, and Microsoft technologies.

Open Directory Leak Revealed Full Attack Toolkit

Earlier this year, researchers uncovered an exposed server that contained a complete ransomware toolkit linked to an affiliate of The Gentlemen.

The archive reportedly included tools covering nearly every stage of the attack lifecycle, including:

  • Reconnaissance
  • Privilege escalation
  • Credential theft
  • Defense evasion
  • Lateral movement
  • Persistence mechanisms
  • Pre-encryption preparation

The discovery provided security teams with valuable insight into the techniques and tools used by affiliates operating within the ransomware program.

The Growing Threat of The Gentlemen

PRODAFT concludes that LARVA-368 has been involved in extortion-focused cybercrime activities since at least 2020 and has leveraged years of experience gained through partnerships with established ransomware groups.

Today, The Gentlemen represents a mature and rapidly evolving ransomware operation that combines technical sophistication, aggressive affiliate recruitment, AI-assisted development, and enterprise-focused targeting.

As ransomware groups continue to evolve into highly organized criminal enterprises, The Gentlemen serves as another example of how modern cybercriminal organizations are adapting their tactics to remain effective and profitable in an increasingly competitive underground economy.