The Gentlemen ransomware group now behind 10% of global attacks

The Gentlemen, a ransomware group that emerged in July last year, now represents roughly 10% of global ransomware listings and concentrates its operations on European organizations, with the United Kingdom and Germany among the most targeted countries, according to a report from NTT.

NTT researchers found the group has developed into an operational ransomware-as-a-service (RaaS) operation that relies on advanced proxy infrastructure and obfuscation techniques. Affiliates increasingly deploy SystemBC, a proxy and backdoor tool, to create covert tunnels, evade detection and move laterally across enterprise networks, the report states.

The analysis describes The Gentlemen as showing technical maturity more common to longer-established ransomware operations and notes the group may include experienced actors with potential links to other ransomware ecosystems. Named victims include Synergy France, UK Electronics and Equity Life.

NTT placed The Gentlemen second only to the Qilin group in activity. The firm recorded 748 ransomware listings worldwide in April, a 7% decline from March, while overall activity in 2026 remains at a higher baseline than much of 2025.

The report flagged geopolitical developments that could affect cyber activity. It noted China’s expanded supply-chain security regulations broadening controls on imports and exports, and it identified growing espionage and intellectual-property theft interest around NASA’s Artemis program among several states and private actors.

NTT also examined potential effects of artificial intelligence on offensive operations. Large language models that can identify vulnerabilities and generate exploit chains have not yet produced a clear operational impact, the report says, citing restricted access and testing in controlled environments. The researchers warned that future advances could shorten attacker timelines if models prove effective at automating vulnerability discovery and exploit development.

NTT recommended that organizations prepare for faster compromise-to-encryption cycles and increase monitoring for proxy-based tunnel activity, atypical lateral movement and rapid domain-wide changes that may signal imminent encryption.

“Affiliates are combining shared tooling, stealth infrastructure, and repeatable intrusion methods to accelerate attacks at scale,” warned Matt Hull, vice president of cyber intelligence and response at NCC Group. He noted techniques such as covert tunneling and rapid domain-wide deployment are reducing the time defenders have to detect and respond to intrusions.