The Gentlemen Ransomware Operation: A Rising Threat with AI and RaaS Roots
A new analysis by PRODAFT has uncovered the evolution of The Gentlemen, a financially motivated ransomware group that began as an affiliate for established ransomware-as-a-service (RaaS) operations like LockBit, Qilin, and Medusa before launching its own independent program in July 2025. Tracked as Phantom Mantis, the group is led by a Russian-speaking cybercriminal known as LARVA-368 a 36-year-old identified as Alexander Andreevich Yapaev from Izhevsk, Russia, with aliases including hastalamuerte, ArmCorp, and santamuerte.
Since its inception, The Gentlemen has claimed 478 victims, with a surge in activity making it one of the most prolific ransomware actors, responsible for 10% of global ransomware incidents in April 2026. The group’s transition to independence followed a payment dispute with Qilin, where LARVA-368 accused the RaaS operator of an exit scam, allegedly defrauding affiliates of $48,000. PRODAFT noted that Phantom Mantis may have spread disinformation to recruit Qilin affiliates by discrediting the group.
The Gentlemen operates with a sophisticated infrastructure, leveraging AI for ransomware development, tool maintenance, and post-exploitation procedures. Its affiliate program offers a 90/10 profit split, attracting partners with aggressive incentives. Affiliates must provide at least 1GB of stolen victim data to access the panel, a tactic designed to block researchers and law enforcement. The group supports multiple ransomware variants, including Windows, Linux, ESXi, and LVM-targeting strains, and uses open-source messaging platforms like Tox and SimpleX Chat for communication.
Initial access is typically gained through vulnerable edge devices particularly Cisco and Fortinet FortiGate systems followed by Active Directory exploitation using tools like NetExec, RelayKing, and PrivHound. The ransomware employs a hybrid encryption scheme (X25519 key exchange with XChaCha20) and can self-propagate as a worm when executed with the --spread argument. Microsoft, tracking the group as Storm-2697, noted that the Go-based malware is obfuscated with Garble and can wipe recoverable artifacts when run with the --wipe flag.
The Gentlemen’s attacks exhibit a high degree of adaptability, with dwell times ranging from two to six weeks. The group targets VMware infrastructure and employs multi-channel extortion, combining ransomware with email and phone-based pressure tactics. A recent leak of the group’s internal Rocket.Chat database spanning November 2025 to April 2026 revealed a structured criminal enterprise with clear role divisions, exploiting vulnerabilities like CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. In March 2026, an exposed toolkit on a Russian bulletproof host further exposed the group’s full intrusion lifecycle, from reconnaissance to encryption.
Victim distribution is global, with only 13% in the U.S., while the majority are concentrated in Thailand, the U.K., Brazil, Germany, and India. The group’s rapid development cycle was demonstrated in April 2026 when it released a same-day patch after a decryptor was made public. With roots dating back to at least 2020 including prior affiliations with the Embargo ransomware group LARVA-368’s expertise has positioned The Gentlemen as a formidable and evolving threat in the cybercrime landscape.
Source: https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html
Medusa Group cybersecurity rating report: https://www.rankiteo.com/company/medusagroup
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
Operation Gentlemen® cybersecurity rating report: https://www.rankiteo.com/company/operationgentlemen
"id": "MEDCISOPE1781209579",
"linkid": "medusagroup, cisco, operationgentlemen",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '478 victims claimed',
'location': ['Thailand',
'U.K.',
'Brazil',
'Germany',
'India',
'U.S. (13%)'],
'type': 'Global organizations'}],
'attack_vector': ['Vulnerable edge devices (Cisco, Fortinet FortiGate)',
'Active Directory exploitation'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'sensitivity_of_data': 'High (used for extortion)',
'type_of_data_compromised': 'Stolen victim data (including '
'sensitive corporate '
'information)'},
'description': 'A new analysis by PRODAFT has uncovered the evolution of *The '
'Gentlemen*, a financially motivated ransomware group that '
'began as an affiliate for established ransomware-as-a-service '
'(RaaS) operations like LockBit, Qilin, and Medusa before '
'launching its own independent program in July 2025. The '
'group, tracked as *Phantom Mantis*, is led by a '
'Russian-speaking cybercriminal known as *LARVA-368* '
'(Alexander Andreevich Yapaev) and has claimed 478 victims, '
'responsible for 10% of global ransomware incidents in April '
'2026. The group leverages AI for ransomware development, tool '
'maintenance, and post-exploitation procedures, and operates '
'with a sophisticated infrastructure including multiple '
'ransomware variants and hybrid encryption schemes.',
'impact': {'data_compromised': '1GB+ of stolen victim data (minimum '
'requirement for affiliates)',
'operational_impact': 'Multi-channel extortion (ransomware, email, '
'phone-based pressure tactics)',
'systems_affected': ['Windows', 'Linux', 'ESXi', 'LVM']},
'initial_access_broker': {'entry_point': 'Vulnerable edge devices (Cisco, '
'Fortinet FortiGate)',
'high_value_targets': 'VMware infrastructure'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain',
'post_incident_analysis': {'root_causes': ['Payment dispute with Qilin RaaS',
'Exploitation of unpatched '
'vulnerabilities',
'AI-driven ransomware '
'development']},
'ransomware': {'data_encryption': 'Hybrid encryption (X25519 key exchange '
'with XChaCha20)',
'data_exfiltration': True,
'ransomware_strain': ['Windows',
'Linux',
'ESXi',
'LVM-targeting strains']},
'references': [{'source': 'PRODAFT'},
{'source': 'Microsoft (Storm-2697 tracking)'}],
'threat_actor': 'The Gentlemen (Phantom Mantis)',
'title': 'The Gentlemen Ransomware Operation: A Rising Threat with AI and '
'RaaS Roots',
'type': 'Ransomware',
'vulnerability_exploited': ['CVE-2024-55591',
'CVE-2025-32433',
'CVE-2025-33073']}