The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat

Written by

There has been a shift in the ransomware ecosystem as a new group has emerged as the most prolific threat actor behind cyber extortion campaigns in recent months.

According to analysis of ransomware events between March and May 2026, The Gentlemen ransomware gang was responsible for the most attacks during the three-month period, accounting for 300 incidents.

The Gentlemen usurped the Qilin ransomware affiliate operation, which was the most prolific group during each quarter during the previous year. The number of Qilin incidents between May and March is reported at 289, dropping the group to the second most prolific.

The analysis of ransomware trends during the period by cybersecurity researchers at ReliaQuest was published on July 16.

In total, 1368 claims of victims by 11 ransomware groups were tracked via posts about them on data leak sites. The victims were spread across 99 countries.

There was a significant gap between ransomware incidents by The Gentlemen and Qilin compared with other notable ransomware operators, with DragonForce, Akira and LockBit accounting for between 150 and 100 observed incidents each during the period.

Read More: Why Ransomware Remains One of Cybersecurity’s Most Persistent and Costly Threats

Those three ransomware crews have been responsible for some of the most significant incidents in recent years, but, like Qilin, they appear to have been surpassed by a relative newcomer to the scene.

“The Gentlemen became the most-active group, powered by aggressive affiliate recruitment and a well-packaged intrusion kit that lowers the bar for new operators,” wrote Tristano Di Liberto, security analyst at ReliaQuest.

“The pressure The Gentlemen applies is likely to persist into Q3,” he added.

Analysis of The Gentlemen by ReliaQuest has suggested that the pre-packaged, easy-to-use tools that affiliates of the ransomware-as-a-service operation are provided with has played a significant role in the rise of the group.

Such tools include a playbook which affiliates can consult as a resource which gives them a guide to the attack chain and the workflow, advice on what edge devices to target for exploitation, how to use lightweight tunneling tools for command servers, and how to deploy Single-host Server Message Block (SMB) encryption.

Leaked chat logs have suggested that The Gentlemen, like some other cybercriminal operations, harness the power of AI tools to speed up development and new versions of their offering – and doing it faster than rival ransomware groups which have not attempted to exploit AI.

According to ReliaQuest, this could lead to affiliates abandoning their current provider in favor of The Gentlemen.

“It runs proven affiliate throughput, ships tools faster than most rivals through its AI-accelerated build pipeline and offers a pre-packaged intrusion kit that shortens ramp-up,” said Di Liberto.

To help protect against ransomware attacks, ReliaQuest recommended the following actions to cybersecurity leaders to strengthen networks and users against common intrusion methods:

  • Restrict RDP and remote access
  • Enforce Microsoft's vulnerable-driver block list
  • Monitor blockchain RPC and session messenger egress
  • Harden identity against vishing and Adversary-in-the-Middle (AiTM) attacks

What’s Hot on Infosecurity Magazine?