CISOOnline

The Gentlemen are coming for your files, and then your network

“Modern ransomware is no longer just about encrypting files,” said Paul Reid, vice president of Adversary Research at AttackIQ. “The bigger risk is how quickly a single compromised machine can become a broader business disruption.”

In a technical breakdown of its operations, Microsoft said the Gentlemen Ransomware was first observed in mid-2025 and remains highly active through 2026, impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

Gentlemen began as a “closed ransomware,” turned into a ransomware-as-a-service (RaaS) offering in September 2025, and eventually partnered up with BreachForums to pick up affiliates, including pen-testers and initial access brokers, from the popular cybercriminal marketplace.

Built to move before it encrypts

Microsoft’s analysis specifically focused on the ransomware’s ability to propagate through a network without relying entirely on manual operator intervention.


