No Manners Here: The Ruthless Rise of The Gentlemen Ransomware


The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure.

Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

Read more…
Source:  Palo Alto Unit 42


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Ursnif Trojan Adopts New Code Injection Technique

    December 4, 2017

    Hackers are testing a new variation of the Ursnif Trojan aimed at Australian bank customers that utilizes novel code injection techniques. Since the summer of 2017, IBM X-Force researchers report that Ursnif (or Gozi) samples have been tested in wild by a new malware developer. The samples are a noteworthy upgrade from previous versions. “This finding is ...

  • PayPal Subsidiary Data Breach Hits Up to 1.6 Million Customers

    December 3, 2017

    Global e-commerce business PayPal has disclosed a data breach that may have compromised personally identifiable information for roughly 1.6 million customers at a payment processing company PayPal acquired earlier this year. PayPal Holdings Inc. said Friday that a review of its recently acquired company TIO Networks showed evidence of unauthorized access to the company’s network, including some confidential ...

  • RAT Distributed Via Google Drive Targets East Asia

    November 30, 2017

    Researchers said that they are tracking a new remote access Trojan dubbed UBoatRAT that is targeting individuals or organizations linked to South Korea or the video game industry. While targets aren’t 100 percent clear, researchers at Palo Alto Networks Unit 42 said UBoatRAT threats are evolving and new variants are increasingly growing more sophisticated. They said ...

  • Hackers Now Have Incredibly Sophisticated Ways to Breach Banks’ Defenses

    November 29, 2017

    Global banks need to do more to protect themselves from cyberattacks after a “significant evolution” in the threat level in the last 18 months, according to the SWIFTglobal payments network. Hackers are deploying increasingly sophisticated ways of breaching banks’ cyber defenses to launch finely orchestrated attacks, SWIFT said in a report co-written with defense contractor BAE Systems. ...

  • Hackers are scanning computers worldwide for open Bitcoin and Ethereum wallets…

    November 27, 2017

    Security researcher Didier Stevens setup a trap, or in digital security terms – a “honeypot”.  Think of it as digital sting operation, where someone puts a server online open to attack – but nothing of value is really there, it’s only there to record the attacks as they happen. The logs of these honeypots revealed hackers ...

  • Physical Theft Meets Cybercrime: The Illicit Business of Selling Stolen Apple Devices

    November 15, 2017

    Online scams and physical crimes are known to intersect. In an incident last May, we uncovered a modus operandi and the tools they can use to break open iCloud accounts to unlock stolen iPhones. Further research into their crossover revealed how deep it runs. There’s actually a sizeable global market for stolen mobile phones—and by extension, ...