The Gentelman Ransomware Activity: 9 New Victims
Statistical Overview
Victim Totals
- This month: 85
- This quarter: 1631
- Year to date: 4256
- Last 24h: 35
Quarterly Breakdown
Q1: 2631 | Q2: 1631 | Q3: 0 | Q4: 0
Ransomware activity shows 35 new victims. The Gentelman, LockBit, and Qilin accounted for the largest shares of the victim count this period.
Introduction
Recent ransomware activity shows 35 new victims, with The Gentelman as the most active operator. Other groups include LockBit, Qilin, Akira, and INC Ransom. Affected sectors include Healthcare and Professional Services, with targeting primarily in the United States, India, and Germany.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentelman | 9 | 3e accounting, Downriver medical associates, Edgewood surgical hospital (+6) | Germany, Guatemala | Healthcare, Professional Services |
| 2 | LockBit | 4 | dobarro.com.uy, elumax.com, helios.com.bo (+1) | Uruguay, Taiwan | Retail & Ecommerce, Technology / Software |
| 3 | Qilin | 4 | Eat salad, Jnp eng, Marketjoy (+1) | United States, South Korea | Professional Services, Hospitality & Travel |
| 4 | Akira | 3 | Cherokee distributing co, Factors western, Hal otey financial | United States, Canada | Retail & Ecommerce, Financial Services |
| 5 | INC Ransom | 3 | Colina Financial Advisors, Oztugotomotiv, trrac.net | Turkey, United States | Automotive, Insurance |
| 6 | 3AM | 2 | Agroexportavocados.com, Hoplongtech.com | Mexico, Vietnam | Technology / Software, Agriculture & Food |
| 7 | Kill Security | 2 | Acehospital.in, Csinsurance.mx | Mexico, India | Healthcare, Insurance |
| 8 | APT73 | 1 | Smarty.arpinet.am | Armenia | Telecommunications |
| 9 | Krybit | 1 | Www.elumax.com | Taiwan | Technology / Software |
| 10 | Medusa Locker | 1 | Dolrad demo | United Arab Emirates | Professional Services |
| 11 | Nitrogen | 1 | Pyramid | United States | Real Estate |
| 12 | SafePay | 1 | Iql-nog.com | Spain | Manufacturing |
The Gentelman led activity with 9 reported victims, impacting healthcare and professional services across Germany and Guatemala. LockBit and Qilin were also active, each claiming 4 victims in sectors like retail, technology, and hospitality in Uruguay, Taiwan, and the United States. The varied sectors and geographies show how widely current ransomware campaigns operate.
Victim Distribution
By Country
- United States: 7
- India: 3
- Taiwan: 2
- Germany: 2
- Mexico: 2
- Portugal: 2
- South Korea: 1
- Spain: 1
- Thailand: 1
- The Bahamas: 1
By Industry
- Financial Services: 3
- Healthcare: 2
- Advertising & Marketing: 1
- Industrial Machinery & Equipment: 1
- Chemical Manufacturing: 1
- Industrial Distribution: 1
- Process Control and Electronics/Telecommunication: 1
- Conglomerates: 1
- Automotive and Industrial Manufacturing: 1
- None: 1
The United States is the most frequently targeted country, followed by India, which shows a continued focus on economically significant regions. Financial Services and Healthcare lead the industry breakdown, consistent with these sectors being high-value targets.
Ransomware News
Topline
Recent intelligence shows an increase in ransomware activity, including new AI-driven tools and an active global campaign from The Gentelman operator.
Campaigns & Operations
Microsoft Threat Intelligence has documented The Gentelman ransomware-as-a-service operation, attributed to the Storm-2697 syndicate. This operation infiltrates corporate assets, exfiltrates data, and expands via a self-spreading worm and a 21-vector remote-execution playbook. It occurs alongside broader ransomware trends: the global cost is projected to reach approximately $275 billion annually by 2031, and 29% of organizations pay the initial ransom demand. Municipalities like the City of Thorold have also confirmed cybersecurity incidents, showing the continued operational and financial impact on public services. The threat economy is consolidating, driven by four main groups. Identity is becoming a key perimeter, and living-off-the-land techniques are increasing, with APAC financial services accounting for about 22% of incidents. These events show how the understanding of ransomware attacks continues to evolve.
Vulnerabilities & TTPs
Sophos researchers have identified an AI-built ransomware toolkit that automates Active Directory discovery and EDR evasion, using multiple AI agents, including Claude Opus, to develop and harden payloads. The Gentelman campaign uses advanced evasion tactics, including PowerShell-driven disablement of Defender real-time monitoring, a Defender exclusion for its local binary, and exclusion of the C:\ volume from scanning. It also performs aggressive post-encryption cleanup of Volume Shadow Copies and event logs, and encrypts files with a custom hybrid crypto stack (Curve25519 with XChaCha20).
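Each of the tampering and cleanup behaviours named above leaves a trace in PowerShell script block logging, which makes them a practical detection point. The following sketch is an added example written for this page, not code from the original report, Microsoft or Sophos; it runs a small rule set over constructed script block log records and then correlates the stages per host. The record format (`timestamp host user | script`), the rule names, the severity scheme and the sample records are all assumptions made for the example; a real deployment would read Event ID 4104 records from the Windows event log and tune the patterns.

```python
"""Detection sketch for Defender-tampering and cleanup behaviours in script block logs.

Added example, not from the original report. Input format is assumed: one
PowerShell script block record per line, 'timestamp host user | script'.
The SAMPLE_LOG records below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Each rule: (tag, severity, compiled regex). Patterns are case-insensitive and
# whitespace-tolerant because PowerShell accepts varied quoting and spacing.
RULES = [
    ("defender_realtime_disabled", "high",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b", re.I)),
    # Exclusion of a whole volume root ("C:\") is far more suspicious than a path.
    ("defender_volume_root_excluded", "high",
     re.compile(r"(add|set)-mppreference\b.*-exclusionpath\s+['\"]?[a-z]:\\{1,2}['\"]?(\s|$)", re.I)),
    ("defender_exclusion_added", "medium",
     re.compile(r"(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)),
    ("shadow_copies_deleted", "high",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*remove-(wmiobject|ciminstance))", re.I)),
    ("event_logs_cleared", "medium",
     re.compile(r"(wevtutil(\.exe)?\s+cl\b|clear-eventlog\b)", re.I)),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    tags: Tuple[str, ...]
    severity: str


def classify(script: str) -> List[Tuple[str, str]]:
    """Return (tag, severity) for every rule the script block matches, in rule order."""
    return [(tag, sev) for tag, sev, rx in RULES if rx.search(script)]


def parse_record(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split 'timestamp host user | script'. Only the FIRST ' | ' is the separator,
    so PowerShell pipelines inside the script text are preserved. Returns None
    for malformed lines instead of raising, so one bad record does not stop a scan."""
    head, sep, script = line.partition(" | ")
    if not sep:
        return None
    parts = head.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2], script


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every record; one Finding per matching record."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, host, user, script = rec
        hits = classify(script)
        if not hits:
            continue
        tags = tuple(tag for tag, _ in hits)
        severity = max((sev for _, sev in hits), key=SEVERITY_RANK.__getitem__)
        findings.append(Finding(ts, host, user, tags, severity))
    return findings


def hosts_with_chain(findings: Iterable[Finding]) -> List[str]:
    """Hosts where Defender tampering AND shadow copy deletion both appear: the
    combination is the ransomware pre-encryption pattern, not a lone admin action."""
    tampered, wiped = set(), set()
    for f in findings:
        if any(t.startswith("defender_") for t in f.tags):
            tampered.add(f.host)
        if "shadow_copies_deleted" in f.tags:
            wiped.add(f.host)
    return sorted(tampered & wiped)


# Constructed sample records (hostnames, users and timestamps are invented).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z WS01 CORP\\alice | Get-ChildItem C:\\Reports | Measure-Object",
    "2024-01-01T10:02:13Z WS01 CORP\\svc_backup | Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-01-01T10:02:14Z WS01 CORP\\svc_backup | Add-MpPreference -ExclusionPath 'C:\\'",
    "2024-01-01T10:02:15Z WS01 CORP\\svc_backup | Add-MpPreference -ExclusionProcess 'C:\\Windows\\Temp\\upd.exe'",
    "2024-01-01T10:09:40Z WS01 CORP\\svc_backup | vssadmin.exe delete shadows /all /quiet",
    "2024-01-01T10:09:41Z WS01 CORP\\svc_backup | wevtutil.exe cl Security",
    "2024-01-01T11:15:00Z WS02 CORP\\bob | Add-MpPreference -ExclusionPath 'C:\\Dev\\build'",
    "malformed record without a separator",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:6} {f.host} {f.user} {', '.join(f.tags)}")
    print("hosts showing the full tamper-then-wipe chain:", hosts_with_chain(results))
```

The per-host correlation is the part worth keeping: a single `Add-MpPreference -ExclusionPath` for a build directory (WS02 above) is routine, whereas real-time monitoring disabled, a volume-root exclusion and shadow copy deletion on one host within minutes (WS01) is the sequence the report describes and should page someone. Tamper Protection, where enabled, blocks the `Set-MpPreference` change itself, so the log line then records an attempt rather than a success.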
Analyst Note
These developments show the increased sophistication of ransomware threats, combining advanced TTPs with AI to improve evasion and operational scale. Timely threat intelligence is therefore important for defenders.
Technical Takeaways
- The Gentelman, operated by the Storm-2697 syndicate, uses an advanced 21-vector remote execution playbook, a self-spreading worm, and a custom hybrid crypto stack for encryption.
- Active ransomware groups use advanced evasion techniques, including PowerShell-driven Defender disablement and aggressive post-encryption cleanup of logs and Volume Shadow Copies.
- AI is used in ransomware toolkit development to automate Active Directory discovery and EDR evasion, though human oversight is important for payload refinement and deployment.
- Ransomware operations are evolving towards double extortion and data exfiltration. Identity is recognized as a primary defense perimeter.
- Healthcare and Professional Services are highly targeted sectors, with a wide geographical distribution of victims. This indicates both opportunistic and strategic targeting across regions.