A new ransomware group known as The Gentlemen has become the second most-active group worldwide and is actively targeting enterprises across key sectors, according to new threat intelligence.

NCC Group analysis found The Gentlemen – the name of both the ransomware strain and the group that deploys it – accounted for ten per cent of all worldwide ransomware activity in April 2026.

The Gentlemen has adapted its ransomware for Windows and Linux operating systems, as well as Berkeley Software Distribution (BSD), Network Attached Storage (NAS), and VMware ESXi environments, all of which are widely used by enterprises.

NCC Group warned that the group uses a sophisticated attack methodology, breaching victims via internet-facing services or stolen credentials, and often adapts its tactics mid-attack to bypass endpoint protection services or take over privileged accounts.

As The Gentlemen ransomware encrypts a victim’s system, the group simultaneously steals sensitive business data. This enables ‘double extortion’, a common ransomware tactic in which victims are told that unless they pay, they will not receive decryption keys for their data and the stolen data will also be leaked on the dark web.

Affiliated hacking groups can obtain The Gentlemen ransomware via a Ransomware-as-a-Service (RaaS) offering.

In total, NCC Group researchers recorded 748 ransomware attacks over the period, down seven per cent month-on-month, with industrial organisations accounting for 28 per cent of all attacks. Qilin, the group that claimed responsibility for a disruptive ransomware attack against Asahi Group in November 2025, remains the most-active group worldwide, accounting for 14 per cent of attacks.

Matt Hull, vice president of cyber intelligence and response at NCC Group, said: “The rise of groups like The Gentlemen demonstrates how affiliates are now combining shared tooling, stealth infrastructure and repeatable intrusion methods to accelerate attacks at scale.

“Techniques such as covert tunnelling and rapid domain-wide deployment are shrinking the window that defenders have to detect and respond before encryption occurs.”

Microsoft researchers separately published analysis of The Gentlemen ransomware this week, noting that the group began as a closed ransomware operation in mid-2025 but now offers affiliates RaaS and has established itself on the dark web leaks site BreachForums.

The researchers added that they have observed The Gentlemen attacking organisations in the financial, healthcare, transportation, and education sectors.

