Black Basta: Inside The Gentlemen Data Breach

The Gentlemen Ransomware Group Rises to Global Threat #2, Accounting for 10% of Attacks in 2024

A new report from cybersecurity firm KELA reveals that The Gentlemen has rapidly ascended to become the world’s second-most prolific ransomware group, responsible for 10% of all global ransomware victims this year. The findings highlight the group’s aggressive expansion, fueled by sophisticated tactics including upselling, discount schemes, and psychological manipulation during ransom negotiations.

The group’s rise coincides with growing concerns over industrial cybersecurity, particularly in manufacturing, where legacy infrastructure and AI-driven automation create new vulnerabilities. Recent leaks, including the 2025 Black Basta breach, have been weaponized by threat actors as training exercises, further refining their attack strategies. Notably, The Gentlemen has exploited unpatched systems, remote access tools, and even AI-powered data theft to compromise targets including corporate mailboxes and plant-floor robotics.

The report also underscores the broader risks facing operational technology (OT) environments, where outdated Ethernet systems and delayed patch management leave critical infrastructure exposed. While adoption of autonomous patching is accelerating, it remains insufficient to keep pace with emerging threats. The group's tactics reflect a shift in ransomware operations, in which financial pressure, such as prioritizing utilities for $20 million payouts, is used to maximize leverage.

As industrial sectors grapple with these challenges, the incident serves as a stark reminder of the evolving threat landscape, where ransomware groups increasingly target high-value, interconnected systems with far-reaching consequences.

Source: https://www.mbtmag.com/cybersecurity/news/22967991/inside-the-gentlemen-data-breach

KELA - Cyber Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/kela-cyber

{
  "id": "KEL1780440089",
  "linkid": "kela-cyber",
  "type": "Ransomware",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Manufacturing', 'Utilities'],
                        'type': 'Manufacturing, Utilities'}],
 'attack_vector': ['Unpatched systems',
                   'Remote access tools',
                   'AI-powered data theft'],
 'data_breach': {'type_of_data_compromised': ['Corporate mailboxes',
                                              'Plant-floor robotics data']},
 'date_publicly_disclosed': '2024',
 'description': 'A new report from cybersecurity firm KELA reveals that *The '
                'Gentlemen* has rapidly ascended to become the world’s '
                'second-most prolific ransomware group, responsible for 10% of '
                'all global ransomware victims this year. The group’s '
                'aggressive expansion is fueled by sophisticated tactics '
                'including upselling, discount schemes, and psychological '
                'manipulation during ransom negotiations. The rise coincides '
                'with growing concerns over industrial cybersecurity, '
                'particularly in manufacturing, where legacy infrastructure '
                'and AI-driven automation create new vulnerabilities. Recent '
                'leaks, including the 2025 *Black Basta* breach, have been '
                'weaponized by threat actors as training exercises. *The '
                'Gentlemen* has exploited unpatched systems, remote access '
                'tools, and AI-powered data theft to compromise targets '
                'including corporate mailboxes and plant-floor robotics. The '
                'report underscores broader risks facing operational '
                'technology (OT) environments, where outdated Ethernet systems '
                'and delayed patch management leave critical infrastructure '
                'exposed. The group’s tactics reflect a shift in ransomware '
                'operations, prioritizing high-value targets like utilities '
                'for $20 million payouts.',
 'impact': {'data_compromised': 'Corporate mailboxes, plant-floor robotics '
                                'data',
            'operational_impact': 'Exposure of critical infrastructure',
            'systems_affected': ['Manufacturing systems',
                                 'Operational technology (OT) environments']},
 'initial_access_broker': {'high_value_targets': 'Utilities, Manufacturing'},
 'lessons_learned': 'The evolving threat landscape requires accelerated '
                    'adoption of autonomous patching and enhanced security '
                    'measures for legacy and OT systems to counter '
                    'sophisticated ransomware groups like *The Gentlemen*.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': ['Unpatched systems',
                                            'Legacy infrastructure '
                                            'vulnerabilities',
                                            'Delayed patch management']},
 'ransomware': {'data_exfiltration': 'AI-powered data theft',
                'ransom_demanded': '$20 million (prioritized from utilities)',
                'ransomware_strain': 'The Gentlemen'},
 'recommendations': ['Accelerate autonomous patching adoption',
                     'Enhance monitoring of OT environments',
                     'Improve security for legacy infrastructure',
                     'Implement network segmentation',
                     'Strengthen remote access security'],
 'references': [{'date_accessed': '2024',
                 'source': 'KELA Cybersecurity Report'}],
 'threat_actor': 'The Gentlemen',
 'title': 'The Gentlemen Ransomware Group Rises to Global Threat #2, '
          'Accounting for 10% of Attacks in 2024',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Legacy infrastructure',
                             'Outdated Ethernet systems',
                             'Delayed patch management']}