No Manners Here: The Ruthless Rise of The Gentlemen Ransomware


The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure.

Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

Read more…
Source:  Palo Alto Unit 42


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Naked photos and personal info from thousands of plastic surgery patients including dozens of celebrities and 1,500 Britons are published on the dark web

    May 30, 2017

    Hackers have published naked photos of thousands of plastic surgery patients who had work done at a Lithuanian clinic, it has been reported. Local authorities said more than 25,000 private photos and pieces of personal information from the Kaunas-based Grozio Chirurgija clinics were published on the internet. The leak includes intimate photos and data of more than ...

  • Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China

    May 29, 2017

    It’s been almost four weeks since the outcry of WannaCry ransomware, but the hackers behind the self-spread ransomware threat have not been identified yet. However, two weeks ago researchers at Google, Kaspersky Lab, Intezer and Symantec linked WannaCry to ‘Lazarus Group,’ a state-sponsored hacking group believed to work for the North Korean government. Now, new research from ...

  • Fancy Bear Hackers Tainted Dumped Emails with False Data

    May 27, 2017

    Hackers from Fancy Bear, the espionage hacker group with Russian ties, reportedly snuck false information in the data trove they leaked from the Democratic National Committee during the American elections. According to a report from Citizen Lab, an organization with ties to the University of Toronto, the hackers planted information inside emails belonging to a journalist ...

  • EternalRocks spreads seven Windows SMB exploits

    May 23, 2017

    Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a worm that has been spreading through networks since at least the first week of May. Researcher Miroslav Stampar, a member of the Croatian government’s CERT, captured a sample of the worm last Wednesday in a Windows 7 honeypot he runs, ...

  • Russian Cron Malware Operators Arrested Before Banking Malware Taken Abroad

    May 23, 2017

    With the help of an Android malware, Russian cyber criminals were able to steal from local bank customers and were planning to move their operation to the rest of Europe. Twenty people were arrested as law enforcement tried to kill off the “Cron” malware campaign. Russian security firm Group IB writes that the raids also thwarted ...

  • Zomato Breach Exposes 17M User Records, Makes Deal with Hacker to Destroy Data

    May 19, 2017

    Restaurant guide Zomato has announced that it has been the victim of a data breach which saw the records of 17 million users being stolen from its database. The bad news is that 6.6 million of those are already on sale on a dark web marketplace. The good news is that the company has more ...