No Manners Here: The Ruthless Rise of The Gentlemen Ransomware


The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure.

Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

Read more…
Source:  Palo Alto Unit 42


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • ManageEngine zero-day vulnerabilities impact three out of five Fortune 500’s

    March 21, 2018

    Severe zero-day vulnerabilities have been discovered in ManageEngine products used by a substantial number of Fortune 500 companies. On Wednesday, researchers from Digital Defense disclosed the bugs, discovered by the firm’s Vulnerability Research Team (VRT). In a security advisory, the team said that six previously unknown vulnerabilities impact three ManageEngine products, Logs360, EventLog Analyzer and Applications Manager. Read more… Source: ZDNet  

  • Expedia’s Orbitz Says 880,000 Payment Cards Compromised in Security Breach

    March 20, 2018

    Chicago-based online travel booking company Orbitz, a subsidiary of Expedia, reveals that one of its old websites has been hacked, exposing nearly 880,000 payment card numbers of the people who made purchases online. The data breach incident, which was detected earlier this month, likely took place somewhere between October 2016 and December 2017, potentially exposing customers’ ...

  • Phishing still number one method for cyber-attacks

    March 16, 2018

    Microsoft has just released its annual cybersecurity report and it says that phishing is still the most popular way for cyber-criminals to attack, giving security experts everywhere headaches. To create the report, Microsoft scanned more than 400 billion emails, 450 billion authentications and 1.2 billion devices. More than half (53 per cent) of all email threats are phishing ...

  • Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says

    March 15, 2018

    The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will. United States officials and private security firms saw the attacks as a signal by Moscow that it could disrupt ...

  • Hacking operation uses malicious Word documents to target aid organisations

    March 5, 2018

    A newly uncovered ‘nation-state level’ cyber espionage operation has targeted humanitarian aid organisations around the globe via the use of backdoors hidden within malicious Word documents. Dubbed Operation Honeybee based on the name of lure documents used during the attacks, the campaign has been discovered by security researchers at security company McAfee Labs after a new variant of ...

  • Equifax hack just got worse for a lot more Americans

    March 2, 2018

    Equifax has confirmed more Americans are impacted by the cyberattack that targeted the credit rating giant last year than was first revealed. The company said in a statement Thursday that an ongoing analysis showed 2.4 million more Americans had their names and partial drivers’ license information stolen, but they were not previously thought to have been affected. The company ...