The Gentlemen Ransomware Claims 20 Victims in 24h

Statistical Overview

Victim Totals

  • This month: 126
  • This quarter: 126
  • Year to date: 5132
  • Last 24h: 34

Quarterly Breakdown

Q1: 2631 | Q2: 2386 | Q3: 126 | Q4: 0

Ransomware activity shows a decline this quarter compared to prior periods, yet recent operations by The_Gentlemen and Qilin indicate persistent threats. The cumulative victim count for the past 24 hours reflects ongoing malicious campaigns.

Introduction

The past 24 hours saw 34 new ransomware victims reported. The_Gentlemen was the most active group, responsible for 20 incidents. Other active operators included Qilin (7 victims) and APT73 (4 victims). Affected sectors spanned Real Estate, Technology, Professional Services, and Manufacturing, targeting organizations predominantly in the United States, Oman, and China. For more on the activities of the leading group, refer to our analysis of The_Gentlemen ransomware victims.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1The Gentlemen20Arabia falcon insurance company saog, Automovil supply s.a, Ce ratp comite d entreprise ratp (+17)Oman, ChinaReal Estate, Technology / Software
2Qilin7Answer precision tool, Grupo inteca, Keystone homes (+4)Costa Rica, United StatesProfessional Services, Manufacturing
3APT734Azarestan.com, Dgcement.com, Vicentetrapani.com (+1)Pakistan, IranProfessional Services, Agriculture & Food
4Booba1UpstagingUnited StatesMedia & Entertainment
5Morpheus1Hansa Research Group Pvt. LtdIndiaProfessional Services
6Space Bears1BlenheimUnited KingdomReal Estate

The table above shows The_Gentlemen's major activity, accounting for the majority of new victims, including financial sector target Arabia falcon insurance company saog. Qilin continued to impact Professional Services and Manufacturing in the United States, as detailed in our recent Qilin ransomware activity report. APT73, while less prolific, demonstrated targeting across Professional Services and Agriculture & Food.

Victim Distribution

By Country

  • United States: 8
  • Germany: 3
  • India: 3
  • United Kingdom: 2
  • Argentina: 2
  • France: 2
  • Oman: 1
  • Pakistan: 1
  • Paraguay: 1
  • Philippines: 1

By Industry

  • Construction: 2
  • Accounting Services: 1
  • Insurance: 1
  • Building Materials: 1
  • Automotive Retail: 1
  • Information Technology: 1
  • Semiconductor and Electronic Component Manufacturing: 1
  • Conglomerate: 1
  • Luxury Property Development: 1
  • Freight & Logistics Services: 1

The geographic distribution of attacks remains broad, with the United States experiencing the highest concentration of incidents. Industrially, the targeting is diversified, with Construction and Professional Services seeing recurring incidents, suggesting a non-specific opportunistic approach by many operators.

Ransomware News

Topline

Recent intelligence shows two threats: ongoing traditional ransomware campaigns and the emergence of agentic, AI-driven extortion operations.

Campaigns & Operations

The_Gentlemen ransomware group impacted Indra Group's subsidiary; River Financial Corp, Nidec Chaun Choung Tech, and Aflac Japan also reported compromises. An operational technology (OT) ransomware incident at Mackay Sugar exposed systemic risks to industrial infrastructure. Separately, Google and partners successfully dismantled the NetNut residential proxy botnet, which had used pre-installed malware across millions of devices. Researchers flagged fake Proof-of-Concept campaigns like ChocoPoC delivering trojans for credential harvesting.

Vulnerabilities & TTPs

Sysdig documented the first agentic ransomware case, attributed to JadePuffer. It executed an end-to-end operation by exploiting Langflow CVE-2025-3248 and using multiple AI models. Concurrent reports detail browser-native ransomware techniques using Chromium's File System Access API. This indicates AI can reason about legitimate platform features. Actively exploitable vulnerabilities, including CVE-2026-46817 (Oracle E-Business Suite RCE), CVE-2026-46242 (Linux kernel), CVE-2026-8451 (Citrix NetScaler), and CVE-2026-8037 (Kemp LoadMaster), remain prominent threats.

Analyst Note

These developments show changing threats. Both established ransomware groups and innovative AI-powered attack vectors require ongoing vigilance.

Technical Takeaways

  • The_Gentlemen ransomware group continues to be highly active, accounting for a major portion of reported victims across diverse sectors.
  • The first documented instance of agentic ransomware, JadePuffer, demonstrates the emerging capability of AI agents to conduct end-to-end extortion operations by exploiting Langflow CVE-2025-3248.
  • New attack vectors, such as browser-native ransomware abusing Chromium's File System Access API, indicate a shift towards using legitimate platform features for malicious purposes.
  • Critical infrastructure and operational technology (OT) environments remain vulnerable targets, as evidenced by the Mackay Sugar incident.
  • Actively exploited vulnerabilities, including CVE-2026-46817, CVE-2026-46242, CVE-2026-8451, and CVE-2026-8037, require immediate patching efforts.