Imagine a group of bullies who used to steal your lunch money one kid at a time. Now, imagine they created a franchise where anyone can pay them to be a bully for them. They provide the masks, the threats, and even collect the money, taking a cut of the profits. This is exactly what Ransomware-as-a-Service (RaaS) is, and in 2026, a new group called "The Gentlemen" has taken this business model to terrifying new heights. According to a May 2026 report by CYFIRMA, The Gentlemen ransomware is confirmed active and ranked as the second most prolific ransomware operation globally, with 332 confirmed victims. As reported by the New York Times, this new wave of RaaS is making ransomware accessible to anyone with a few hundred dollars and a grudge. The Wall Street Journal notes that the professionalization of these criminal gangs is turning cybercrime into a multi-billion dollar industry.
How Ransomware-as-a-Service Works
To understand The Gentlemen, you first need to understand RaaS. In the old days, a hacker had to be a genius to write a virus that could lock up a computer network. Today, the master developers create the ransomware software and lease it to "affiliates." These affiliates are the ones who actually break into the hospitals, schools, and companies. When a victim pays the ransom, the developers and the affiliates split the money. The Washington Post explains that this franchise model has led to an explosion in attacks because you no longer need technical skills to be a cybercriminal; you just need to be good at phishing emails. USA Today reports that small and medium-sized businesses are the primary targets for these affiliates because they rarely have the advanced security needed to stop them.
Who are "The Gentlemen"?
The Gentlemen are a relatively new player in the RaaS space, but they have grown with shocking speed. According to The Guardian, they are known for their highly sophisticated encryption methods and their ruthless double-extortion tactics. Double extortion means they don't just lock your files; they steal them first. If you refuse to pay to get your files unlocked, they threaten to publish your sensitive data on the dark web. The Financial Times notes that The Gentlemen specifically target organizations that cannot afford downtime, such as healthcare providers and logistics companies. The Independent adds that their name is ironic, as their negotiation tactics are anything but polite. They use automated chatbots to negotiate ransoms, demanding payment in cryptocurrency within strict deadlines.
The FortiGate Connection: Exploiting Enterprise VPNs
One of the most alarming aspects of The Gentlemen's campaign is how they get inside. The CYFIRMA report reveals that many of the 332 victims were compromised through vulnerabilities in FortiGate virtual private network (VPN) infrastructure. A VPN is like a secure tunnel that allows employees to work from home. But if the VPN has a flaw, hackers can use it as a secret backdoor into the entire corporate network. The Telegraph reports that enterprise VPNs have become the number one target for ransomware gangs in 2026. The Times explains that because so many companies rushed to set up remote work infrastructure in previous years, many of these VPNs were misconfigured or left unpatched. The Gentlemen's affiliates use automated scanners to find these misconfigured FortiGate devices and waltz right in.
The Economics of Ransomware in 2026
Why is this happening? Simply put, it pays. The Dawn newspaper highlights that the average ransom payment in 2026 has skyrocketed, often reaching into the millions of dollars. Even if a company has backups, the cost of downtime—the days or weeks it takes to rebuild the network—often makes paying the ransom seem like the cheaper option. The News International notes that this creates a vicious cycle. The more companies pay, the more money the gangs make, and the more they invest in better tools to hack more companies. The Tribune adds that insurance companies are increasingly refusing to pay out ransomware claims, forcing companies to either pay out of pocket or face bankruptcy.
Fighting Back: Threat Intelligence and Immutable Backups
How do we stop The Gentlemen and other RaaS gangs? The first line of defense is threat intelligence. By monitoring the dark web and hacker forums, security teams can find out if their VPN credentials have been leaked before an attack happens. Business Recorder reports that companies are now hiring 24/7 threat hunting teams to actively look for these hidden backdoors. The second defense is immutable backups. Immutable means "unchangeable." If a company has backups that even the system administrator cannot delete or encrypt, the hackers lose their leverage. The Daily Times explains that with immutable backups, a company can simply say "no" to the ransom, delete the infected network, and restore from the backups.
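To make the leaked-credential check above concrete, here is an added example (not from any of the cited reports) that matches threat-intelligence leak sightings against a VPN account inventory and ranks which accounts need a password reset first. The field names, the sample records and the severity labels are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: leak sightings from an intel feed and a VPN account inventory.
LEAK_SIGHTINGS = [
    {"identity": "JDoe@corp.example", "seen": date(2026, 4, 20)},
    {"identity": "CORP\\asmith", "seen": date(2026, 3, 1)},
    {"identity": "asmith@corp.example", "seen": date(2026, 2, 1)},
    {"identity": "bwong@corp.example", "seen": date(2026, 5, 2)},
    {"identity": "old.user@corp.example", "seen": date(2026, 1, 5)},  # no longer has an account
]
VPN_ACCOUNTS = [
    {"user": "jdoe", "password_changed": date(2026, 1, 10), "mfa": False},
    {"user": "asmith", "password_changed": date(2026, 3, 15), "mfa": True},
    {"user": "bwong", "password_changed": date(2025, 11, 1), "mfa": True},
    {"user": "cnguyen", "password_changed": date(2026, 2, 2), "mfa": False},
]

def normalize(identity):
    """Reduce 'CORP\\user' or 'user@corp.example' to a lowercase bare username."""
    name = identity.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name.split("@", 1)[0]

def triage(sightings, accounts):
    """Return [(user, severity)] for VPN accounts named in a leak, worst first."""
    latest = {}
    for s in sightings:  # keep only the most recent sighting per user
        user = normalize(s["identity"])
        if user not in latest or s["seen"] > latest[user]:
            latest[user] = s["seen"]
    findings = []
    for acct in accounts:
        seen = latest.get(normalize(acct["user"]))
        if seen is None:
            continue  # never seen in a leak
        if acct["password_changed"] > seen:
            severity = "rotated"   # password replaced after the latest sighting
        elif acct["mfa"]:
            severity = "high"      # leaked password may still work; MFA is the only barrier
        else:
            severity = "critical"  # leaked password may still work and nothing else stops it
        findings.append((acct["user"], severity))
    order = {"critical": 0, "high": 1, "rotated": 2}
    return sorted(findings, key=lambda f: order[f[1]])

if __name__ == "__main__":
    for user, severity in triage(LEAK_SIGHTINGS, VPN_ACCOUNTS):
        print(f"{severity:9} {user}")
```

A sighting date only records when the leak was observed, so any password not changed since then is treated as still exposed.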
The Legal and Ethical Dilemma
Paying the ransom is not just a technical problem; it is a legal and ethical nightmare. In many countries, paying a ransom to a sanctioned nation-state gang is a federal crime. Pakistan Today notes that governments are cracking down on ransom payments to starve the gangs of funding. However, when a hospital is locked down and patients' lives are at risk, administrators are faced with an impossible choice. Arab News highlights the global debate over whether ransomware should be classified as terrorism. Until the global community can coordinate a massive law enforcement crackdown on the RaaS developers, groups like The Gentlemen will continue to thrive, turning cybercrime into a lucrative, franchise-based business model.