The Gentlemen Ransomware Activity Hits 11 Victims
Statistical Overview
Victim Totals
- This month: 649
- This quarter: 2192
- Year to date: 4813
- Last 24h: 25
Quarterly Breakdown
Q1: 2631 | Q2: 2192 | Q3: 0 | Q4: 0
Ransomware activity remained steady this quarter. New victim disclosures increased in this period, driven mainly by The_Gentlemen and Nova (RALord) operations.
Introduction
In the past 24 hours, 25 new ransomware victims were publicly identified. The_Gentlemen was the most active group with 11 victims, followed by Nova (RALord) with 6. Main affected sectors included Technology/Software, Real Estate, Professional Services, and Transportation & Logistics. Geographically, the United States, Kuwait, and France were most impacted.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | The Gentlemen | 11 | Al dhow group, Au vieux campeur, Bds cz (+8) | Kuwait, France | Technology / Software, Real Estate |
| 2 | Nova (RALord) | 6 | Alejandria, Alejandria.biz, Lpgroup (+3) | None, Venezuela | Professional Services, Transportation & Logistics |
| 3 | Akira | 2 | Jit ex, Miami machine | United States | Transportation & Logistics, Manufacturing |
| 4 | Qilin | 2 | Cash canada, Lee international | South Korea, Canada | Financial Services, Legal |
| 5 | Bravox | 1 | Meta | Brazil | Professional Services |
| 6 | CMD | 1 | Coldstat Refrigeration | United States | Professional Services |
| 7 | INC Ransom | 1 | horizoneye.com | United States | Healthcare |
| 8 | Lapsus | 1 | Aya bank | Myanmar | Financial Services |
The_Gentlemen led recent ransomware activity, accounting for nearly half of all new victims, and primarily targeted Technology/Software and Real Estate entities in Kuwait and France. Nova (RALord) was also active, in Professional Services and Transportation & Logistics, as detailed in our analysis of Nova (RALord) ransomware activity. Qilin and Lapsus targeted Financial Services, and Akira focused on Manufacturing; Akira has also been linked to SonicWall zero-day exploitation. One victim was a US-based healthcare provider impacted by INC Ransom, adding to the varied victim profile this period, as shown in previous ransomware victims reports.
Victim Distribution
By Country
- United States: 8
- Portugal: 2
- Peru: 2
- Venezuela: 1
- South Korea: 1
- Austria: 1
- None: 1
- Myanmar: 1
- Laos: 1
- Kuwait: 1
By Industry
- Construction: 2
- Engineering and Construction: 2
- Transportation and Logistics: 1
- Information Technology and Services: 1
- Trucking: 1
- Probiotic Supplements: 1
- Medical Practices: 1
- Machining, Fabrication, and Engineering Services: 1
- Commercial Refrigeration Services: 1
- Commercial Doors and Hardware Supply: 1
The United States remains the most targeted country. Industry distribution shows broad targeting, with Professional Services, various industrial sectors, and logistics frequently appearing. Financial Services also saw consistent interest, with one incident in Healthcare.
Ransomware News
Topline
Recent ransomware developments included social engineering, stealthy backdoor deployment by access brokers, significant data breaches by established and emerging ransomware groups, and legal actions against known threat actors.
Campaigns & Operations
Indian auto giant Bajaj Auto disclosed a ransomware attack that disrupted its manufacturing and technology operations. The Interlock ransomware group claimed responsibility for the Reynella East College breach, exfiltrating over 600 GB of sensitive student and staff data after gaining access through social engineering and a ClickFix-style fake CAPTCHA lure. Aur0ra, a new ransomware group, claimed responsibility for a May 2026 incident at Australian testing firm ALS Global and published a leak exposing employee home directories and client laboratory results. Separately, Owen Flowers and Thalha Jubair of the Scattered Spider group pleaded guilty to hacking Transport for London and US healthcare providers, detailing SIM-swapping operations.
Vulnerabilities & TTPs
Symantec identified a stealthy backdoor named Mistic (also known as MTLBackdoor). It is linked to the KongTuke/Woodgnat initial-access broker and has been observed in financially motivated attacks across several sectors since April. The backdoor is delivered by side-loading a malicious version.dll and runs in memory, giving ransomware operators such as Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta long-term, low-visibility access. Service desks remain an easy entry point for social engineering: a fraudulent credential reset can give an attacker rapid privilege escalation and a bypass of multi-factor authentication.
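A defender-side check for the version.dll side-loading technique described above, added here as an example (it is not code from the report, from Symantec, or from any detection product). It runs over constructed image-load records whose field names mirror Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus); the paths, the trusted-directory list, and the Mistic-specific DLL name set are assumptions for a default Windows install. A load of version.dll from anywhere other than the Windows system directories is flagged, and an unsigned copy is rated higher than a signed one.

```python
"""Hunt for DLL side-loading of version.dll in image-load telemetry.

Added example, not taken from the report. Records below are constructed to
resemble Sysmon Event ID 7 (ImageLoad) fields; every path and value is made up.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Where the legitimate version.dll lives on a default Windows install
# (assumption; adjust for non-standard system roots). Lower-case for matching.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# DLL names to watch. version.dll is the one named in the report; the set can be
# extended with other commonly side-loaded system DLL names from your own telemetry.
WATCHED_DLLS = {"version.dll"}


@dataclass(frozen=True)
class Finding:
    process: str
    dll_path: str
    severity: str  # "high" for unsigned/invalid signature, "medium" otherwise
    reason: str


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, backslashes)."""
    return path.lower().replace("/", "\\")


def is_trusted_location(dll_path: str) -> bool:
    """True if the DLL sits under one of the Windows system directories."""
    p = _norm(dll_path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_image_load(record: dict) -> Finding | None:
    """Return a Finding if this image-load record looks like a side-load, else None."""
    dll = _norm(record["ImageLoaded"])
    if ntpath.basename(dll) not in WATCHED_DLLS or is_trusted_location(dll):
        return None

    # Classic side-loading: the rogue DLL is dropped next to the host executable so
    # the loader's search order finds it before the real one in System32.
    proc_dir = ntpath.dirname(_norm(record["Image"]))
    if ntpath.dirname(dll) == proc_dir:
        reason = "watched DLL loaded from the host process directory"
    else:
        reason = "watched DLL loaded from outside the Windows system directories"

    signed_ok = (record.get("Signed", "").lower() == "true"
                 and record.get("SignatureStatus", "").lower() == "valid")
    severity = "medium" if signed_ok else "high"
    if not signed_ok:
        reason += "; unsigned or invalid signature"
    return Finding(record["Image"], record["ImageLoaded"], severity, reason)


def hunt(records: list[dict]) -> list[Finding]:
    """Run the check over a batch of image-load records and collect findings."""
    return [f for r in records if (f := check_image_load(r)) is not None]


# Constructed sample telemetry: one benign system load, one unsigned side-load from
# a temp directory, one unrelated DLL, and one signed copy beside a vendor binary.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\setup\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\other.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\VERSION.DLL",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(f"[{finding.severity}] {finding.process} -> {finding.dll_path}: {finding.reason}")
```

The medium-severity case (a signed version.dll beside a vendor application) is deliberately kept as a finding rather than suppressed: some installers do ship private copies of system DLLs, so that case is a triage queue, while an unsigned copy loaded from a user-writable directory is the pattern to alert on. Because the backdoor then runs in memory, the image-load event may be the only on-disk trace, which is why the check keys on the load rather than on file writes.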
Analyst Note
These incidents show the persistent reliance on human-centric initial access tactics. They also demonstrate the continued evolution of sophisticated backdoors and access brokers that facilitate ransomware operations.
Technical Takeaways
- The_Gentlemen group accounted for 11 new ransomware victims, making them the most active operator this period.
- The Mistic backdoor, deployed by the KongTuke/Woodgnat initial-access broker, provides stealthy, memory-resident long-term access for several ransomware groups, including Qilin, Interlock, and Akira.
- Social engineering, targeting service desks for credential resets and SIM-swapping, is an effective initial access vector for ransomware campaigns.
- Ransomware groups like Interlock and Aur0ra continue to employ double extortion tactics, which involve data exfiltration and subsequent publication on dark web leak sites.
- Geographical targeting shows a high concentration in the United States, with a broad international distribution of victims.