One of 2026's most active ransomware groups has been documented attacking every major enterprise platform simultaneously, while a leak of its own backend systems has given researchers an unprecedented look inside its operations.
What happened
The Gentlemen ransomware-as-a-service operation has emerged as one of the most active groups in 2026, claiming more than 328 victims in the first five months of the year and accounting for approximately 10% of all global ransomware claims during that period. According to CyberSecurityNews, the group deploys separate ransomware lockers targeting Windows, Linux, NAS, BSD, and ESXi environments, enabling it to encrypt the full range of infrastructure in a single attack. Researchers documented that the group gains initial access primarily through exposed edge devices, unpatched VPNs, and remote management interfaces, or credentials purchased from initial access brokers. Once inside, affiliates turn off security tools, conduct Active Directory reconnaissance, harvest credentials to escalate privileges, exfiltrate data, and deploy ransomware across the entire domain via Group Policy. Healthcare is among the confirmed targeted sectors, with documented attacks on Hospital Caribbean Medical Center in Puerto Rico, IntraCare in New Zealand, and Unimed Anápolis in Brazil.
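The final step in the chain described above, pushing the locker to every machine through Group Policy, leaves a distinctive trace in domain controller audit logs: a new Group Policy object is created and, minutes later, linked at the domain root. The following detection logic is an added example, not code from the article or from any of the researchers it cites. It runs over a handful of constructed records shaped like the fields of Windows Security events 5137 (directory object created) and 5136 (directory object modified); the account names, GUIDs, domain name and simplified field names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped like fields from
# Windows Security events 5137 and 5136. Names and GUIDs are made up.
SAMPLE_EVENTS = [
    # Benign: a helpdesk admin creates a GPO in the morning and links it to
    # a single OU several hours later.
    {"time": "2026-05-03T09:02:15", "event_id": 5137, "subject": "CORP\\jsmith",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2026-05-03T13:40:02", "event_id": 5136, "subject": "CORP\\jsmith",
     "object_class": "organizationalUnit", "object_dn": "OU=Workstations,DC=corp,DC=example",
     "attribute": "gPLink", "operation": "Value Added",
     "value": "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=corp,DC=example;0]"},
    # Suspicious: a service account creates a GPO at 02:11 and links it at the
    # domain root two and a half minutes later, which is the mass-deployment pattern.
    {"time": "2026-05-03T02:11:07", "event_id": 5137, "subject": "CORP\\svc-backup",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2026-05-03T02:13:40", "event_id": 5136, "subject": "CORP\\svc-backup",
     "object_class": "domainDNS", "object_dn": "DC=corp,DC=example",
     "attribute": "gPLink", "operation": "Value Added",
     "value": "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,DC=corp,DC=example;0]"},
]

# A GPO GUID as it appears in an AD distinguished name or gPLink value.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def gpo_guids(text):
    """Return every GPO GUID found in a DN or gPLink value, normalised to upper case."""
    return {m.group(0).upper() for m in GUID_RE.finditer(text)}


def is_domain_root(dn):
    """True when the DN's first component is DC=, i.e. the domain naming context itself."""
    return dn.strip().upper().startswith("DC=")


def find_rapid_domain_gpo_links(events, window_minutes=30):
    """Alert on gPLink additions at the domain root that reference a GPO created
    within window_minutes beforehand. Events are processed in time order so a
    creation is only known once it has been seen."""
    created = {}  # GPO GUID -> (creation time, creating account)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["event_id"] == 5137 and e.get("object_class") == "groupPolicyContainer":
            for guid in gpo_guids(e["object_dn"]):
                created[guid] = (when, e["subject"])
            continue
        if (e["event_id"] != 5136 or e.get("attribute") != "gPLink"
                or e.get("operation") != "Value Added"
                or not is_domain_root(e["object_dn"])):
            continue
        for guid in gpo_guids(e.get("value", "")):
            if guid not in created:
                continue
            ctime, creator = created[guid]
            delta = when - ctime
            if timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                alerts.append({
                    "gpo_guid": guid,
                    "created_by": creator,
                    "subject": e["subject"],
                    "linked_at": e["object_dn"],
                    "seconds_after_creation": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_domain_gpo_links(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on two things the mass-deployment step cannot avoid: the link must sit high enough to reach the whole domain, and it follows the GPO's creation closely because the affiliate wants the locker running before defenders react. Legitimate change windows normally separate creation, testing and linking by hours, and link new policies to an OU rather than the root, so the benign record above produces no alert. Both 5136 and 5137 require directory service change auditing and a SACL on the domain and Policies containers to be logged at all, which is worth verifying before relying on this signal.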
Going deeper
The ransomware group has developed separate versions of its malware for different environments. The Windows version is written in the Rust programming language and includes an experimental capability aimed at systems running virtual machines through Microsoft Hyper-V, while another version is specifically designed for VMware servers. The VMware-focused version can lock access to virtual machine data, shut down virtual machines, and modify administrative management screens. Researchers found that the group does not depend on sophisticated or previously unknown hacking techniques. Instead, it succeeds through disciplined execution of well-known methods, typically gaining access through existing security weaknesses, quickly taking control of critical systems across an organization, and deploying ransomware throughout the network before defenders can respond. The group also offers affiliates, independent attackers who use its ransomware platform, a 90% share of ransom payments, higher than the 70–80% commonly offered by established ransomware operations. Researchers believe this attractive revenue-sharing model has helped the group recruit experienced cybercriminals and rapidly increase its number of victims since emerging in mid-2025.
In the know
In early May 2026, The Gentlemen suffered a breach of its own backend infrastructure, giving researchers a rare window into how the operation actually functions. According to Hackread, the compromise traces to an attack on hosting provider 4VPS, which disclosed on May 2 that its systems had been breached. The group's administrator acknowledged on May 4 that part of its internal database had been leaked. The exposed material included internal Rocket.Chat logs from November 2025 through April 2026, affiliate rosters, ransom negotiation transcripts, and operational tooling discussions. Researchers found that the operation is run by approximately nine named operators around a single administrator, a former Qilin affiliate; that the administrator built the entire RaaS admin panel in three days using AI coding assistants; and that data stolen from victims was used in follow-on attacks against those victims' own clients.
The big picture
The Gentlemen's documented targeting of healthcare providers across three continents, combined with the internal leak confirming a tightly coordinated operation with experienced affiliates and AI-assisted development, makes it one of the more consequential active threats to the sector heading into the second half of 2026. The attack chain the group consistently uses, exposed edge devices and purchased credentials, maps directly to weaknesses documented across healthcare environments. According to the FBI's 2025 Internet Crime Report, healthcare recorded 460 ransomware attacks in 2025, the most of any critical infrastructure sector. The Gentlemen's Q1 2026 activity placed it third globally in the number of claimed victims, according to Comparitech's Q1 2026 healthcare ransomware roundup, behind only Qilin and Akira in confirmed healthcare incidents.
FAQs
Why does targeting multiple platforms in a single attack matter?
Most ransomware encrypts Windows systems and leaves other infrastructure intact. A group with separate lockers for Linux, NAS, ESXi, and BSD can simultaneously encrypt an organization's entire environment, including backup servers, file storage, and virtual machine infrastructure, eliminating the recovery paths that organizations with Windows-only ransomware exposure can fall back on.
What does the internal breach reveal about how the group selects targets?
The leaked chats show affiliates discussing credentials purchased from access brokers and exposed remote services as the primary entry points, confirming the group is access-driven rather than industry-specific. Organizations with internet-facing management interfaces, unpatched VPNs, or credentials circulating in criminal markets are in the target pool regardless of sector.
How does a 90% affiliate revenue share affect the group's growth?
A higher revenue share attracts more experienced affiliates who have access to better tooling, established victim networks, and prior ransomware experience. The Gentlemen's rapid growth from its mid-2025 emergence to third place globally in Q1 2026 is consistent with having attracted technically capable operators through the favorable financial terms.
What is chain-victimization, and why is it particularly dangerous in healthcare?
Chain-victimization means data stolen from one organization is used to attack that organization's own clients or partners. In healthcare, where providers share patient data with billing companies, care coordinators, and specialist referral networks, a single breach can generate multiple downstream attacks affecting patients whose information was never held by the originally targeted organization.
Does the internal breach weaken The Gentlemen as an active threat?
The group confirmed its core ransomware infrastructure, control panel, and lockers were not affected by the breach. With more than 328 claimed victims in 2026 already and active affiliates still operating, the breach raises law enforcement's visibility but does not neutralize the group's attack capability.