Gentlemen RaaS Leak Exposes 10% of 2026's Ransomware Victims

Gentlemen RaaS Leak Exposes 10% of 2026's Ransomware Victims

First seen 14 May 2026, 21:56 UTC Kelacyber 74% similarity 63.1

Article Content

Browse articles
ThreatCluster

On May 4, 2026, a leak of internal communications from The Gentlemen Ransomware-as-a-Service (RaaS) operation surfaced on underground forums. The leak, which included chats and backend data from November 2025 to April 2026, revealed the group's operational structure and targeting methods. The Gentlemen, active since September 2025, has claimed 328 victims in 2026, accounting for 10% of global ransomware claims. This leak mirrors a previous incident involving Black Basta and highlights the group's use of AI and affiliate models. KELA's data shows a 14.5% increase in ransomware claims compared to 2025, with The Gentlemen rapidly rising in prominence. The leak was initially posted by a user on Exploit.in and later shared on other forums, leading to a ban of the original account. The incident underscores the growing threat posed by emerging ransomware groups.

Key Points: • The Gentlemen RaaS operation leaked internal communications revealing its structure and tactics. • The group has claimed 328 victims in 2026, representing 10% of global ransomware incidents. • The leak was first posted on Exploit.in and later shared on multiple forums, leading to account bans.

ThreatCluster AI

Timeline

2020-03-28
Public exploit for CVE-2025-33073 released
A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
GitHub
2023-08-29
CVE-2023-34039 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-01-14
CVE-2024-55591 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-04-16
CVE-2025-32433 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-11-07
Gentlemen RaaS operations began
The Gentlemen RaaS operation started its activities, leading to a rapid rise in ransomware claims.
Kelacyber
2026-05-04
Gentlemen RaaS leak surfaces
Internal chats and backend data from The Gentlemen were leaked on underground forums, revealing operational details.
Kelacyber
2026-05-06
Samples of the leak begin circulating
Samples of the leaked data were shared on forums, increasing interest in the full dataset offered for sale.
Kelacyber
2026-05-14
KELA reports on ransomware trends
KELA's data indicates a 14.5% increase in ransomware claims in 2026, with The Gentlemen as a significant player.
Kelacyber

Community

Browse all →