- The Gentlemen ransomware group has become the most active cybercriminal group in the world, known for targeting hundreds of victims across many countries.
- Investigators found that the group relies on stolen credentials, artificial intelligence tools, infostealer malware, and a highly attractive affiliate program that helps affiliates collect ransom payments untracked.
- Cybersecurity experts warn that The Gentlemen's business model and intrusion methods are reshaping the ransomware ecosystem, making cyberattacks more lucrative and more accessible to criminal affiliates worldwide.

The Gentlemen ransomware group has become the most active cybercrime syndicate in the world, with about 483 victims reported across 66 countries in less than a year since it emerged.
A report from KELA and RansomNews research found that the group claims over 380 victims in 2026 alone.
A leak of the group's internal chat logs in May 2026 gave researchers a rare glimpse into its operations, revealing a nine-member core team, a defined business model, and widespread access acquired through infostealer malware.
The KELA and RansomNews findings also show how contemporary ransomware groups increasingly depend on automation, stolen credentials, and affiliate networks to carry out their operations.
Leaked Chats Reveal Streamlined Ransomware Business Model
The leaked conversations, which cover November 2025 to April 2026, show that The Gentlemen's operations are run largely by a small core team that develops the ransomware tooling and maintains the group's negotiation infrastructure.
The actual network intrusions are carried out by affiliates, who receive 90% of any ransom payment, while the core team keeps the remaining 10%.
Cybersecurity researchers describe this revenue split as one of the most generous affiliate models in the contemporary ransomware community.
The leaked chats also reveal a well-organized ransomware operation that prioritizes efficiency over sophistication.
Similar "as-a-service" models are used in other cybercrime sectors: Google's lawsuit against an AI-powered phishing operation that supplied ready-made toolkits to criminals highlights the professionalization of cybercrime.
Members of the group focus on infrastructure management and AI-assisted acquisition of data and access, in a way that resembles a technology operation more than a traditional cybercriminal gang.
Stolen Credentials and Session Cookies Drive Initial Access
Unlike other ransomware groups that depend heavily on malware development, The Gentlemen concentrate their effort on acquiring network access.
Security researchers found clear evidence that affiliates exploit vulnerabilities such as the FortiOS authentication bypass flaw CVE-2024-55591, as well as older Active Directory weaknesses including ZeroLogon and PetitPotam.
Credential theft through infostealer malware plays a role just as important as vulnerability exploitation.
RansomNews reports that, for several organizations listed on The Gentlemen's leak site, corporate login details and active session cookies were already circulating in infostealer datasets before the ransomware incident took place.
The research showed, for instance, that multiple customer logins, employee accounts, and active session tokens belonging to the Philippine logistics company 2GO had already been exposed before the company appeared on The Gentlemen's leak site.
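The defensive point in this section is that stolen session cookies and credentials are usable long before a ransomware deployment, so a session that is being replayed from a new client, or an account that shows up in an exposure feed, should be revoked rather than waited on. The following Python script is an added illustration and is not code from the article or from KELA or RansomNews; the access-log format, field names, sample log lines, and the "exposure feed" of account names are all constructed here for the example. It parses the log, tracks which client fingerprints (IP plus user-agent) each session ID has been seen from, and produces a revocation plan for sessions whose cookie is being replayed from a different client or whose owner appears in the exposure feed.

```python
"""Added example (not from the article): build a session-revocation plan from
web access logs plus an infostealer exposure feed. Log format, field names and
all sample data below are constructed assumptions for the demonstration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed log line layout: "<iso-time> <client-ip> user=<name> sid=<session-id> ua=\"<user-agent>\""
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log: session s1 is first used by a browser, then replayed by a
# scripted client from a different IP; s2 and s3 are single-client sessions.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z 203.0.113.10 user=alice sid=s1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120"
2026-03-01T08:05:12Z 203.0.113.10 user=alice sid=s1 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120"
2026-03-01T09:41:33Z 198.51.100.7 user=alice sid=s1 ua="python-requests/2.31"
2026-03-01T08:10:00Z 203.0.113.22 user=bob sid=s2 ua="Mozilla/5.0 (Macintosh) Safari/17"
2026-03-01T08:12:45Z 203.0.113.30 user=carol sid=s3 ua="Mozilla/5.0 (X11; Linux) Firefox/121"
"""

# Constructed exposure feed: accounts whose credentials or cookies were found in infostealer logs.
EXPOSED_ACCOUNTS: Set[str] = {"carol"}


@dataclass
class Session:
    user: str
    first_seen: str
    fingerprints: Set[Tuple[str, str]] = field(default_factory=set)  # (ip, user-agent) pairs


def parse_log(text: str) -> Dict[str, Session]:
    """Group log lines by session ID and record every client fingerprint seen."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        d = m.groupdict()
        s = sessions.setdefault(d["sid"], Session(user=d["user"], first_seen=d["ts"]))
        s.fingerprints.add((d["ip"], d["ua"]))
    return sessions


def flag_sessions(sessions: Dict[str, Session], exposed_accounts: Set[str]) -> Dict[str, List[str]]:
    """Return session IDs that should be revoked, each with the reasons."""
    flags: Dict[str, List[str]] = {}
    for sid, s in sessions.items():
        reasons: List[str] = []
        ips = {ip for ip, _ in s.fingerprints}
        uas = {ua for _, ua in s.fingerprints}
        if len(uas) > 1:
            # A cookie presented by a different user-agent is the strongest replay signal.
            reasons.append("session cookie replayed from a different client (user-agent changed)")
        elif len(ips) > 1:
            # IP changes alone are noisy (mobile networks, VPNs); treat as lower confidence.
            reasons.append("session seen from multiple IPs (lower confidence; may be a network change)")
        if s.user in exposed_accounts:
            reasons.append("account appears in infostealer exposure feed")
        if reasons:
            flags[sid] = reasons
    return flags


def revocation_plan(log_text: str, exposed_accounts: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse the log and return (session_id, user, reasons) tuples sorted by session ID."""
    sessions = parse_log(log_text)
    flags = flag_sessions(sessions, exposed_accounts)
    return sorted((sid, sessions[sid].user, reasons) for sid, reasons in flags.items())


if __name__ == "__main__":
    for sid, user, reasons in revocation_plan(SAMPLE_LOG, EXPOSED_ACCOUNTS):
        print(f"revoke {sid} ({user}): " + "; ".join(reasons))
```

Run as-is, the script flags s1 (alice's cookie replayed by a scripted client from a second IP) and s3 (carol appears in the exposure feed) while leaving bob's single-client session alone. In a real deployment the revocation step would call the identity provider or application session store, and the exposure feed would come from a stealer-log monitoring source rather than a hard-coded set.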
AI Tools and Leaked Criminal Playbooks Accelerate Operations
There are several examples of The Gentlemen integrating artificial intelligence into their daily operations.
Internal messages between members show them discussing the use of uncensored large language models and modified AI systems for software development and for analyzing large volumes of stolen data.
One of the group's administrators claimed to have "vibe-coded" the group's negotiation platform in just three days.
The chats also show that the group studied the February 2025 Black Basta chat leak and used it as a practical guide for phishing campaigns, operational procedures, and mailbox abuse techniques.
KELA researchers say this is one of the clearest cases of a cybercriminal crew actively incorporating AI tools into routine activity rather than merely experimenting with the technology.
By combining access obtained through infostealer malware with a generous affiliate program, a small team of cybercriminals built a ransomware operation that hit a massive number of victims worldwide in less than a year.