No Manners Here: The Ruthless Rise of The Gentlemen Ransomware


The Gentlemen (aka Storm-2697) is a Ransomware-as-a-Service (RaaS) program active since at least July 2025. Public reporting indicates that the operators were likely active months earlier as an affiliate (known as ArmCorp) of Qilin RaaS, which Unit 42 tracks as Spikey Scorpius. Their ransomware variants are written in both C and Go programming languages, enabling the threat actors to spread their encryptors across different operating systems and virtual infrastructure.

Additional public reporting revealed that the operators (roughly 20 of them) likely morphed from a private entity into a RaaS model on or about September 2025. While traditional RaaS models typically offer affiliates a 70% to 80% cut of paid ransoms, The Gentlemen offer an unprecedented 90% payout.

Read more…
Source:  Palo Alto Unit 42


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Fighting cyber crimes in offshore oil and gas industry

    March 1, 2017

    Cyber crime costs offshore oil and gas companies millions each year in lost business and damaged equipment, a cyber attack on critical infrastructure, such as an oil rig, can result in more than just lost revenue but it can be catastrophic for the environment and have far reaching impacts. However, cyber security on actual installations is ...

  • New Global Cybersecurity Report Reveals Misaligned Incentives, Executive Overconfidence Create Advantages for Attacker

    March 1, 2017

    Intel Security, in partnership with the Center for Strategic and International Studies (CSIS), today released “Tilting the Playing Field: How Misaligned Incentives Work Against Cybersecurity,” a global report and survey revealing three categories of misaligned incentives: corporate structures versus the free flow of criminal enterprises; strategy versus implementation; and senior executives versus those in implementation ...

  • Even bakeries get hit by hackers, top insurer warns ‘ill-equipped’ small businesses

    February 27, 2017

    Bakers are not immune from the hacking epidemic spreading across Europe, a top insurer has warned. Hiscox boss Bronek Masojada said small businesses faced just as much risk as large ones from cyber crime – but many did not have the resources to combat it. He said that in one case, a German bakery was targeted by ...

  • Treason charges against Russian cyber experts linked to seven-year-old accusation

    February 26, 2017

    Treason charges brought in December against two Russian state security officers and a cyber-security expert in Moscow relate to allegations made by a Russian businessman seven years ago, according to the businessman and a source connected with the investigation. They said the arrests concern allegations that the suspects passed secrets to U.S. firm Verisign and other ...

  • A guided tour of the cybercrime underground

    February 23, 2017

    One of the strange features of cybercrime is how much of it is public. A quick search will turn up forums and sites where stolen goods, credit cards and data are openly traded. But a glance into those places may not give you much idea about what is going on. “Everyone can join as long as you speak ...

  • New TeamSpy Malware Campaign Turns TeamViewer into Spy Tool

    February 20, 2017

    TeamSpy is back and it’s turning TeamViewer into the spying tool that no one wants. According to security firm Heimdal, a new spam campaign emerged over the weekend, carrying the TeamSpy malware which can give hackers full access to a compromised computer. This isn’t a new type of malware whatsoever. In fact, back in 2013, it was ...