The Gentlemen are a dangerous ransomware group that attacks healthcare and technology companies all over the world.
Ransomware is a very dangerous type of cyberattack that is becoming more common. In fact, this kind of attack has had the biggest effects on Arab countries around the world. These attacks use malware to lock or encrypt files on a computer and then ask for money to unlock them.
This issue hurts both people and businesses, and it can lead to lost money, lost data, and wasted time. Also, this model has changed over the years into what is now called "ransomware as a service" (RaaS). In this model, a group makes the tool and other criminals use it in exchange for a cut of the profits.
Check Point's research division specifically addresses this issue, warning of the rapid growth and expansion of a ransomware group known as "The Gentlemen." This group emerged in mid-2025, with over 320 victims reported on its leak site.
So far in 2026, they have already recorded around 240 attacks, making them among the most active groups at the moment, and approaching the numbers previously achieved by large operations such as LockBit 3.
They explain that one of the keys to their success lies in their business model, which gives affiliates 90% of the profits, leaving only 10% for the group. This is clearly a much larger incentive than is typical for this type of operation, attracting experienced attackers from other programs who contribute their technical expertise and access to corporate networks.
The analysis also indicates that the group's actual scope may be much larger: infrastructure has been uncovered that includes more than 1,570 potentially affected companies, suggesting that many victims do not report attacks publicly, which is common practice so as not to damage the company's image.
Work methods and victims
Their methods are characterized by speed and automation, exploiting vulnerabilities in internet-connected devices, such as virtual private networks (VPNs) and firewalls, to gain access to systems. Once inside, they use tools like group policies to widely distribute ransomware across the network, encrypting numerous computers almost simultaneously within a few hours.
They combine this with the release of stolen information, a technique known as double ransom. That is, they not only encrypt systems, but also threaten to release the data if the ransom is not paid.
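One way a defender could spot the group-policy distribution step described above, as an added example that is not from the article or from Check Point's report: it flags a Group Policy Object that is edited and then linked to a domain or OU within an hour when the account involved is not an approved GPO administrator. The record layout, account names, allowlist and one-hour window are assumptions; the fields are simplified from Windows Security event 5136.

```python
import re
from datetime import datetime, timedelta

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
CONTENT_ATTRS = {"versionNumber", "gPCMachineExtensionNames"}  # change when a GPO is edited
APPROVED_GPO_ADMINS = {"gpo-admin"}  # assumption: site-specific allowlist
WINDOW = timedelta(hours=1)          # assumption: edit-to-link correlation window

def find_suspicious_gpo_rollouts(events):
    """Return (gpo_guid, linking_user, target_dn) for each GPO edited and then linked
    to a domain or OU within WINDOW where the editor or linker is not approved."""
    last_edit, findings = {}, []   # last_edit: GPO GUID -> (time, user)
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["class"] == "groupPolicyContainer" and ev["attr"] in CONTENT_ATTRS:
            for guid in GUID_RE.findall(ev["dn"]):
                last_edit[guid.upper()] = (ts, ev["user"])
        elif ev["attr"] == "gPLink" and ev["class"] in ("domainDNS", "organizationalUnit"):
            for guid in GUID_RE.findall(ev["value"]):
                edit_ts, editor = last_edit.get(guid.upper(), (None, None))
                recent = edit_ts is not None and ts - edit_ts <= WINDOW
                if recent and not {editor, ev["user"]} <= APPROVED_GPO_ADMINS:
                    findings.append((guid.upper(), ev["user"], ev["dn"]))
    return findings

# Constructed sample records (not real logs), simplified from Windows Security
# event 5136 "A directory service object was modified". All names are made up.
DOM = "DC=example,DC=test"
A, B, C = ("{%s-0000-0000-0000-%012d}" % (c * 8, n) for n, c in enumerate("ABC", 1))

def gpo(t, user, guid, attr):
    return {"time": t, "user": user, "class": "groupPolicyContainer",
            "dn": f"CN={guid},CN=Policies,CN=System,{DOM}", "attr": attr, "value": ""}

def link(t, user, cls, dn, guid):
    return {"time": t, "user": user, "class": cls, "dn": dn, "attr": "gPLink",
            "value": f"[LDAP://cn={guid},cn=policies,cn=system,{DOM};0]"}

SAMPLE = [
    gpo("2026-01-10T09:00:00", "gpo-admin", A, "versionNumber"),
    link("2026-01-10T09:10:00", "gpo-admin", "organizationalUnit", f"OU=Workstations,{DOM}", A),
    gpo("2026-01-10T02:14:00", "svc-backup", B, "gPCMachineExtensionNames"),
    link("2026-01-10T02:20:00", "svc-backup", "domainDNS", DOM, B),
    gpo("2026-01-10T03:00:00", "helpdesk1", C, "versionNumber"),
    link("2026-01-10T11:00:00", "helpdesk1", "organizationalUnit", f"OU=Servers,{DOM}", C),
]

if __name__ == "__main__":
    print(find_suspicious_gpo_rollouts(SAMPLE))
```

Editing a GPO that is already linked produces no gPLink change, so GPO edits by unexpected accounts need their own alert.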
It is worth noting that they do not seem to have limits to their objectives. Although they primarily target technology and manufacturing companies, the healthcare sector is a major target for them, and it is a very sensitive sector due to the nature of the information it deals with.
The group operates globally, but the United States accounts for the majority of victims, followed by Germany and the United Kingdom, demonstrating its international reach.

