The Gentlemen Ransomware Claims 20 Victims in 24h
Statistical Overview
Victim Totals
- This month: 126
- This quarter: 126
- Year to date: 5132
- Last 24h: 34
Quarterly Breakdown
Q1: 2631 | Q2: 2386 | Q3: 126 | Q4: 0
Ransomware activity shows a decline this quarter compared to prior periods, yet recent operations by The_Gentlemen and Qilin indicate persistent threats. The cumulative victim count for the past 24 hours reflects ongoing malicious campaigns.
Introduction
The past 24 hours saw 34 new ransomware victims reported. The_Gentlemen was the most active group, responsible for 20 incidents. Other active operators included Qilin (7 victims) and APT73 (4 victims). Affected sectors spanned Real Estate, Technology, Professional Services, and Manufacturing, targeting organizations predominantly in the United States, Oman, and China. For more on the activities of the leading group, refer to our analysis of The_Gentlemen ransomware victims.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentlemen | 20 | Arabia falcon insurance company saog, Automovil supply s.a, Ce ratp comite d entreprise ratp (+17) | Oman, China | Real Estate, Technology / Software |
| 2 | Qilin | 7 | Answer precision tool, Grupo inteca, Keystone homes (+4) | Costa Rica, United States | Professional Services, Manufacturing |
| 3 | APT73 | 4 | Azarestan.com, Dgcement.com, Vicentetrapani.com (+1) | Pakistan, Iran | Professional Services, Agriculture & Food |
| 4 | Booba | 1 | Upstaging | United States | Media & Entertainment |
| 5 | Morpheus | 1 | Hansa Research Group Pvt. Ltd | India | Professional Services |
| 6 | Space Bears | 1 | Blenheim | United Kingdom | Real Estate |
The table above shows The_Gentlemen's major activity, accounting for the majority of new victims, including financial sector target Arabia falcon insurance company saog. Qilin continued to impact Professional Services and Manufacturing in the United States, as detailed in our recent Qilin ransomware activity report. APT73, while less prolific, demonstrated targeting across Professional Services and Agriculture & Food.
Victim Distribution
By Country
- United States: 8
- Germany: 3
- India: 3
- United Kingdom: 2
- Argentina: 2
- France: 2
- Oman: 1
- Pakistan: 1
- Paraguay: 1
- Philippines: 1
By Industry
- Construction: 2
- Accounting Services: 1
- Insurance: 1
- Building Materials: 1
- Automotive Retail: 1
- Information Technology: 1
- Semiconductor and Electronic Component Manufacturing: 1
- Conglomerate: 1
- Luxury Property Development: 1
- Freight & Logistics Services: 1
The geographic distribution of attacks remains broad, with the United States experiencing the highest concentration of incidents. Industrially, the targeting is diversified, with Construction and Professional Services seeing recurring incidents, suggesting a non-specific opportunistic approach by many operators.
Ransomware News
Topline
Recent intelligence shows two threats: ongoing traditional ransomware campaigns and the emergence of agentic, AI-driven extortion operations.
Campaigns & Operations
The_Gentlemen ransomware group impacted Indra Group's subsidiary; River Financial Corp, Nidec Chaun Choung Tech, and Aflac Japan also reported compromises. An operational technology (OT) ransomware incident at Mackay Sugar exposed systemic risks to industrial infrastructure. Separately, Google and partners successfully dismantled the NetNut residential proxy botnet, which had used pre-installed malware across millions of devices. Researchers flagged fake Proof-of-Concept campaigns like ChocoPoC delivering trojans for credential harvesting.
Vulnerabilities & TTPs
Sysdig documented the first agentic ransomware case, attributed to JadePuffer. It executed an end-to-end operation by exploiting Langflow CVE-2025-3248 and using multiple AI models. Concurrent reports detail browser-native ransomware techniques using Chromium's File System Access API. This indicates AI can reason about legitimate platform features. Actively exploitable vulnerabilities, including CVE-2026-46817 (Oracle E-Business Suite RCE), CVE-2026-46242 (Linux kernel), CVE-2026-8451 (Citrix NetScaler), and CVE-2026-8037 (Kemp LoadMaster), remain prominent threats.
Analyst Note
These developments show changing threats. Both established ransomware groups and innovative AI-powered attack vectors require ongoing vigilance.
Technical Takeaways
- The_Gentlemen ransomware group continues to be highly active, accounting for a major portion of reported victims across diverse sectors.
- The first documented instance of agentic ransomware, JadePuffer, demonstrates the emerging capability of AI agents to conduct end-to-end extortion operations by exploiting Langflow CVE-2025-3248.
- New attack vectors, such as browser-native ransomware abusing Chromium's File System Access API, indicate a shift towards using legitimate platform features for malicious purposes.
- Critical infrastructure and operational technology (OT) environments remain vulnerable targets, as evidenced by the Mackay Sugar incident.
- Actively exploited vulnerabilities, including CVE-2026-46817, CVE-2026-46242, CVE-2026-8451, and CVE-2026-8037, require immediate patching efforts.