Gentlemen Ransomware Hits Windows, Linux, NAS, Attacks ESXi
The Gentlemen, a ransomware group, has discreetly established one of the most aggressive cybercriminal operations seen in recent years. This sophisticated threat is notably versatile, capable of targeting a wide array of systems including Windows, Linux, NAS, BSD, and ESXi. A comprehensive analysis of their attack capabilities is detailed in a recent
The group has demonstrated capability against a wide range of enterprise environments, including Windows, Linux, NAS, BSD, and VMware ESXi systems.
Its attacks follow a well-organized workflow, from gaining initial access through stolen credentials or exposed remote services, to deploying ransomware across entire networks.
The group also steals data before locking systems, using that stolen information as additional leverage to pressure victims into paying.
Analysts at LevelBlue said in a report shared with Cyber Security News (CSN) that The Gentlemen is not an entirely new operation.

It appears to be a continuation of prior ransomware affiliate activity tied to the Qilin ecosystem, reportedly managed by a Russian-speaking actor known as “hastalamuerte.”
This background gives the group a head start, with existing knowledge, affiliate networks, and operational experience already in place.
The Gentlemen Ransomware
By May 10, 2026, with the first half of the year not yet over, the group had already publicly claimed 352 attacks in that half-year alone.
Leak site data shows victim disclosures spanning more than 70 countries, with APAC, Europe, Latin America, and North America all heavily represented.
Professional services, manufacturing, technology, and healthcare account for the largest share of known victims.
Dark web monitoring also uncovered an unverified intelligence lead involving someone offering data allegedly taken from The Gentlemen’s own internal systems for $10,000 in Bitcoin.
The offered material included what appeared to be actor handles, victim negotiation content, and file mapping data. While this cannot yet be confirmed as authentic, it adds an important layer to an already complex operation.
The Gentlemen ransomware is engineered to attack multiple operating systems in a single campaign.
The Windows version is built using the Go programming language and requires a password at execution, helping the group avoid early detection and sandbox analysis.
Encrypted files receive random six-character extensions, and affected systems are left with a ransom note named READMEGENTLEMEN.txt.

The encryption approach is designed to maximize damage as quickly as possible. Smaller files are fully encrypted, while larger files are only partially encrypted in chunks, allowing the ransomware to move through large environments faster while still making recovery extremely difficult without a decryptor.
Before locking files, the malware first stops services related to databases, backups, virtualization platforms, and remote access tools to prevent easy restoration.
Attacking ESXi and virtualization infrastructure is particularly damaging, as it can bring down entire server estates within minutes.
The group’s affiliate panel supports this model by allowing operators to generate custom payloads, manage victim negotiations, estimate ransom revenue, and handle stolen data uploads from a single structured backend.
Extortion Strategy and Defense Guidance
The Gentlemen’s attack model does not stop at file encryption. The group uses stolen data as a central part of its pressure strategy, threatening to publish sensitive files on its leak site if victims refuse to pay.
Even organizations that restore systems from backups can still face data exposure, regulatory consequences, and lasting reputational harm.
Security teams should start by reviewing all internet-facing infrastructure, particularly VPNs, firewalls, and remote access portals, and enforce multi-factor authentication on all privileged accounts.
Credentials exposed through prior breaches or stolen by information-stealing malware should be rotated immediately, and stale accounts should be disabled.
LevelBlue researchers recommend hunting for early-stage attack behaviors rather than waiting for ransomware to appear.
Key signals include unusual administrative logins, scanning tools like Nmap or Advanced IP Scanner, unexpected use of AnyDesk or WinSCP, and any signs of Group Policy modification or mass service shutdowns.
Backup systems and ESXi environments should be isolated from the main domain and tested regularly for restoration capability.
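The hunting guidance above and the IoC table below can be turned into a single triage pass over endpoint telemetry. The script that follows is an added example written for this article, not LevelBlue's or any vendor's tooling: it assumes a simplified pipe-delimited log format (timestamp | host | event kind | key=value details) that an analyst would map onto Sysmon, Windows Security or EDR exports, and it assumes process image names for the tools the article names (Nmap, Advanced IP Scanner, AnyDesk, WinSCP). The hashes, IPs and file names it matches are taken from the article's IoC table; the sample log lines are constructed for the demonstration. It flags the early-stage signals the article lists (scanner and remote-access tool execution, Group Policy modification, a burst of service stops on one host), plus direct IoC hits, so that a host can be triaged before the encryptor runs.

```python
"""Hunt for early-stage signals of The Gentlemen ransomware over log lines.

Added example for this article, not LevelBlue's or anyone's tooling.
Assumed log format: ISO timestamp | host | event kind | key=value fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# IoCs copied from the article's table. The IPs are written fanged here
# only so they match the dst= field of a network-connection log line.
IOC_IPS = {"91.107.247.163", "45.86.230.112"}
IOC_SHA256 = {
    "992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5",  # Windows locker
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68",  # Linux locker
    "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca",  # KillAV tool
}
IOC_FILENAMES = {"gentlemen.bmp", "readmegentlemen.txt"}

# Tools the article names as early-stage signals; process image names are assumed.
SUSPICIOUS_TOOLS = {
    "nmap.exe": "network scanning",
    "advanced_ip_scanner.exe": "network scanning",
    "anydesk.exe": "remote access tool",
    "winscp.exe": "file transfer tool",
}

MASS_STOP_THRESHOLD = 5                    # this many service stops on one host ...
MASS_STOP_WINDOW = timedelta(seconds=60)   # ... inside this window is a mass shutdown

# Constructed sample telemetry (not real data). WS07 is benign background noise.
SAMPLE_LOG = """\
2026-05-01T02:10:05|WS01|process|user=jdoe image=advanced_ip_scanner.exe sha256=aaaa
2026-05-01T02:12:40|WS01|process|user=jdoe image=anydesk.exe sha256=bbbb
2026-05-01T02:15:00|WS01|netconn|dst=45.86.230.112 dport=443 image=svchost.exe
2026-05-01T02:20:11|DC01|gpo|object=DefaultDomainPolicy action=modified user=admin
2026-05-01T02:30:00|SRV02|service|name=MSSQLSERVER state=stopped
2026-05-01T02:30:02|SRV02|service|name=VeeamBackupSvc state=stopped
2026-05-01T02:30:03|SRV02|service|name=vmware-usbarbitrator state=stopped
2026-05-01T02:30:05|SRV02|service|name=TeamViewer state=stopped
2026-05-01T02:30:07|SRV02|service|name=SQLWriter state=stopped
2026-05-01T02:31:00|SRV02|process|user=SYSTEM image=locker.exe sha256=992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5
2026-05-01T02:35:00|SRV02|file|path=C:\\Share\\READMEGENTLEMEN.txt action=created
2026-05-01T09:00:00|WS07|service|name=Spooler state=stopped
2026-05-01T09:00:01|WS07|process|user=alice image=winword.exe sha256=cccc
"""


def parse_line(line):
    """Split one log line into a dict of timestamp, host, kind and key=value fields."""
    ts, host, kind, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}


def hunt(log_text):
    """Return (host, finding_kind, detail) tuples for every signal found."""
    events = [parse_line(ln) for ln in log_text.strip().splitlines()]
    findings = []
    stop_times = defaultdict(list)   # host -> timestamps of service stops

    for ev in events:
        image = ev.get("image", "").lower()
        if ev["kind"] == "process" and image in SUSPICIOUS_TOOLS:
            findings.append((ev["host"], "tool", f"{image}: {SUSPICIOUS_TOOLS[image]}"))
        if ev.get("sha256", "").lower() in IOC_SHA256:
            findings.append((ev["host"], "ioc_hash", ev["sha256"]))
        if ev["kind"] == "netconn" and ev.get("dst") in IOC_IPS:
            findings.append((ev["host"], "ioc_ip", ev["dst"]))
        if ev["kind"] == "gpo" and ev.get("action") == "modified":
            findings.append((ev["host"], "gpo_modified", ev.get("object", "")))
        if ev["kind"] == "file":
            name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in IOC_FILENAMES:
                findings.append((ev["host"], "ioc_file", name))
        if ev["kind"] == "service" and ev.get("state") == "stopped":
            stop_times[ev["host"]].append(ev["ts"])

    # Sliding window per host: a burst of stops inside MASS_STOP_WINDOW is one finding.
    for host, times in stop_times.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= MASS_STOP_WINDOW:
                j += 1
            if j - i + 1 >= MASS_STOP_THRESHOLD:
                findings.append((host, "mass_service_stop",
                                 f"{j - i + 1} stops within {MASS_STOP_WINDOW.seconds}s"))
                break
    return findings


def hosts_with_findings(findings):
    """Group finding kinds by host so a responder sees which machines to isolate first."""
    by_host = defaultdict(set)
    for host, kind, _ in findings:
        by_host[host].add(kind)
    return {h: sorted(k) for h, k in by_host.items()}


if __name__ == "__main__":
    for host, kinds in hosts_with_findings(hunt(SAMPLE_LOG)).items():
        print(f"{host}: {', '.join(kinds)}")
```

The burst detector deliberately keys on a count of stops per host within a short window rather than on specific service names, because the article describes the locker stopping whole categories (database, backup, virtualization, remote access) and the exact names vary per estate; tune the threshold against a baseline of normal maintenance windows before alerting on it.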
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 91[.]107[.]247[.]163 | SystemBC C2 Server |
| IP Address | 45[.]86[.]230[.]112 | SystemBC C2 Server |
| SHA256 | 992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5 | The Gentlemen Windows ransomware |
| SHA256 | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | The Gentlemen Windows ransomware |
| SHA256 | 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | The Gentlemen Windows ransomware |
| SHA256 | 2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d | The Gentlemen Windows ransomware |
| SHA256 | 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 | The Gentlemen Windows ransomware |
| SHA256 | 48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd | The Gentlemen Windows ransomware |
| SHA256 | 62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8 | The Gentlemen Windows ransomware |
| SHA256 | 860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923 | The Gentlemen Windows ransomware |
| SHA256 | 87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c | The Gentlemen Windows ransomware |
| SHA256 | 8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db | The Gentlemen Windows ransomware |
| SHA256 | 91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1 | The Gentlemen Windows ransomware |
| SHA256 | 994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3 | The Gentlemen Windows ransomware |
| SHA256 | 9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454 | The Gentlemen Windows ransomware |
| SHA256 | a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad | The Gentlemen Windows ransomware |
| SHA256 | b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6 | The Gentlemen Windows ransomware |
| SHA256 | c46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8 | The Gentlemen Windows ransomware |
| SHA256 | c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73 | The Gentlemen Windows ransomware |
| SHA256 | ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2 | The Gentlemen Windows ransomware |
| SHA256 | efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f | The Gentlemen Windows ransomware |
| SHA256 | f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12 | The Gentlemen Windows ransomware |
| SHA256 | fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958 | The Gentlemen Windows ransomware |
| File Name | gentlemen.bmp | Ransomware wallpaper/artifact |
| SHA256 | fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 | The Gentlemen Linux ransomware |
| SHA256 | 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca | Initial KillAV tool |
| SHA256 | 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09 | PowerRun utility |
| SHA256 | 4c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71 | Additional tool |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.