惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs
博客园 - 叶小钗
P
Privacy International News Feed
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
T
Threatpost
IT之家
IT之家
博客园 - 聂微东
Know Your Adversary
Know Your Adversary
Help Net Security
Help Net Security
罗磊的独立博客
I
Intezer
S
Schneier on Security
博客园_首页
C
CERT Recently Published Vulnerability Notes
雷峰网
雷峰网
Cisco Talos Blog
Cisco Talos Blog
宝玉的分享
宝玉的分享
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
TaoSecurity Blog
TaoSecurity Blog
MyScale Blog
MyScale Blog
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
H
Heimdal Security Blog
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Y
Y Combinator Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
SecWiki News
SecWiki News
The GitHub Blog
The GitHub Blog
A
Arctic Wolf
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
Engineering at Meta
Engineering at Meta
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC

Check Point Blog

AI Appreciation Day: Let's Be Honest About What We're Appreciating - Check Point Blog AI Security Is Never Finished: Building the Continuous Red Teaming Loop  - Check Point Blog AI Security Threats in 2026: Annual Insights from Check Point Research - Check Point Blog AI Agents are Only As Effective as Their Harness - Check Point Blog Email Agent Hijacking: The Hidden Threat That Breaks Post-Delivery Security - Check Point Blog How Check Point Email Security Stopped a Student Job Scam Before It Reached the Inbox - Check Point Blog Redefining the CISO Contract: From Securing the Business to Securely Doing Business - Check Point Blog A New Ransomware Leader Emerges as June 2026 Attack Volumes Climb Worldwide How Unified Policies Close Security Gaps - Check Point Blog Under Pressure: Insights from the 2026 Exposure Gap Report - Check Point Blog When AI Invents the Attack: Browser-Native Ransomware - Check Point Blog Check Point and the AWS European Sovereign Cloud: Securing Europe’s Digital Future - Check Point Blog Shadow AI Is Not a Tool Problem. It's a Timing Problem. - Check Point Blog AI Is Changing Cyber Careers. NICE 2026 Showed What Students Need Next - Check Point Blog 90% of the World's Businesses are SMEs and MSMEs and AI Is Reshaping Both Their Future and Their Risk - Check Point Blog Prevention Before the Inbox: Reading the Microsoft Defender Benchmark Report in Context - Check Point Blog ClickFix: The Attack That Turns Users Into Their Own Attackers - Check Point Blog From Prompt Testing to AI Red Teaming at Enterprise Scale - Check Point Blog AI Has Moved From Assistance to Action. Is Your Security Model Ready? AI Security Governance: How to Secure AI Agents, Copilots, and Autonomous AI in 2026 - Check Point Blog OpenAI Frontier AI Models Powering Check Point's Leading Cyber Security Solutions The Operational Reality of Zero Trust- And How You Can Change It - Check Point Blog Amazon Prime Day 2026: Bargains Begin June 23 — and So Do the Scams - Check Point Blog Securing AI Agent Behavior with Amazon Bedrock AgentCore and CheckPoint AI Security - Check Point Blog What Successful Exposure Management Deployments Had in Common in 2026 - Check Point Blog From Stars to Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers - Check Point Blog AI Red Teaming Makes the Unknowns Known - Check Point Blog Check Point and Illumio Expand Partnership to Secure Hybrid Environments - Check Point Blog The NCSC Patch Wave Is Coming. Do You Know Where Your Risk Lives? - Check Point Blog NCSC Warns of AI-Driven Patch Wave: Is Your Attack Surface Ready? Energy, Healthcare, and Finance: Why Midwest Industries Are Facing Surging Cyber Attacks - Check Point Blog Midwest Cyber Attacks Surge in 2026: Energy, Healthcare, and Finance Under Growing Threat Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years. Here's What Cyber Criminals Are Actually Doing - Check Point Blog Travel Phishing Scams Surge 122%: How Cybercriminals Are Targeting Travelers in 2026 The AI Your Security Team Can’t See Is the One You Should Worry About Check Point Engage Public Sector 2026: AI Is the New Battlefield Check Point Joins OpenAI’s Trusted Access for Cyber Program and Daybreak Initiative When Your AI Agent’s Memory Becomes a Security Liability AI Agents Are Becoming Enterprise Workers. Who Secures Them? Global Cyber Attacks Ease in May 2026, But Ransomware Surges 48% As Threats Reorganize Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751) Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026 The AI Defense Plane: Securing the New Enterprise Execution Layer The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem Check Point Lays the Groundwork for the Future of AI Factory Security with NVIDIA - Check Point Blog Check ... The 2026 U.S. Midterms Have a Cyber Problem, But it’s Not at the Ballot Box The Server Seizure That Affects Also Iran’s Cyber Operations The Autonomous Security Platform Built for Attacker Speed Check Point Frontier AI Models Readiness Program – Security Update 2026 Cloud Security Report: Why Traditional Network, Cloud, and Security Architecture Are Lagging Behind t ... AI Attacks Are No Longer Experimental: Key Findings from the March-April 2026 AI Threat Landscape - Check ... Protect GenAI Chatbots with Check Point WAF The Network Security Problem No One Could Solve – Until Now. Hacktivists, Ransomware, and a 124% Surge Across DACH The Case for a Vulnerability Operations Center Before the First Whistle: How Cyber Criminals Are Targeting World Cup 2026 - Check Point Blog World Cup 20 ... When the Ransomware Gang Gets Hacked: What the Gentlemen Leak Reveals About Modern Ransomware Risk - Check ... Cyber Threats Spike in April 2026 as Ransomware Expands and Attack Volumes Climb After Short-Lived Moderation Q1 2026 Ransomware Report: Fewer Groups, Higher Impact - Check Point Blog World Password Day 2026: Why "Strong Passwords" Can’t Save You from AI, Infostealers, and the Telegram Underground - Check Point Blog Resilient by Design: When the Network Itself Becomes the Target AI Threat Readiness: Defending Against Attacks Powered by Frontier AI Models Check Point Cyber Security Now Available Across All Levels of U.S. Government - Check Point Blog Check Poi ... VECT Ransomware: Why Paying Won’t Get Your Files Back Check Point WAF Leads Application Security-Validated by Frost & Sullivan Check Point WAF Leads Application ... From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud Experience AI-Powered Check Point Firewall at Google Cloud Next AI Finds Every Gap: How Many Can Your Network Survive? The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point of Choice World Quantum Day 2026: The Harvest Has Already Begun, Are You Prepared? Why Manufacturing Cyber Security is Becoming More Complex as Cyber Attacks Accelerate March 2026 Cyber Threat Report: Ransomware & GenAI Risk PS Private Training: Turning Cyber Complexity into Operational Control Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months in Advance Claude Mythos Wake-Up Call: What AI Vulnerability Discovery Means for Cyber Defense Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East ROI of Hybrid Mesh Network Security (IDC Study 2026) Operation TrueChaos: TrueConf Zero‑Day Supply‑Chain Attack ChatGPT Data Leak (Fixed Feb 2026): Key Takeaways Spring Cleaning Has Arrived: Meet the New Check Point Portal Experience North America’s Cyber Security Threat Reality in 2026
The Gentlemen RaaS Is Surging in 2026
rohann@check · 2026-04-20 · via Check Point Blog
Key Findings 
  • The Gentlemen ransomware-as-a-service (RaaS) operation has claimed over 320 victims since mid-2025, with 240 attacks occurring in 2026 alone, making it the #2 most active ransomware group by victim count so far this year 
  • Check Point Research gained rare access to a live command-and-control server linked to a Gentlemen affiliate, revealing a botnet of over 1,570 likely corporate victims, surpassing the group’s own publicly claimed numbers. 
  • The group deliberately targets internet-facing devices (VPNs, firewalls) as their entry point, and once inside, moves quickly to encrypt entire networks within hours 
  • Manufacturing and technology are the most frequently targeted sectors, with healthcare a growing third target — a sign the group is not observing the informal limits that some ransomware operators apply to critical services 
  • A 90/10 affiliate revenue split — compared to the industry standard of 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs 
A New Group That Isn’t Acting Like One 

Most ransomware groups that emerge with fanfare are gone within months. The Gentlemen are not following that script. 

Since surfacing in mid-2025, the group has grown at a pace that rivals the early years of LockBit 3, a program widely considered the gold standard of ransomware operations. By April 2026, The Gentlemen have publicly listed over 320 victims on their data leak site, with 240 of those occurring in the first months of 2026 alone. That figure only reflects organizations that refused to pay; the actual number of victims is almost certainly higher. 

Check Point Research (CPR) has been tracking this group since its emergence, and their latest analysis, including findings from an active incident response engagement and access to a live attacker-controlled server, reveals why this operation is scaling so quickly, and what it means for enterprise security teams. 

For the full technical breakdown, read the CPR deep-dive report. 

Why They’re Growing: Better Economics for Criminals 

Understanding why The Gentlemen are attracting affiliates so quickly requires understanding how the RaaS business model works. Ransomware operators build the tools and infrastructure; affiliates carry out the attacks and share the ransom proceeds with the operator. 

The Gentlemen are offering affiliates a 90% share of every ransom paid, versus the 80% that most competing programs offer. In a criminal ecosystem driven by financial incentive, that 10% difference matters. It is pulling experienced operators away from established brands and into The Gentlemen’s program, bringing their skills, their access to corporate networks, and their track record with them. 

The result is rapid scaling. The group is not growing because they invented a fundamentally new attack. Most of their techniques are actually well-established. They are growing because their business model is more attractive, and because they have built a program capable of supporting a large and expanding affiliate base across Windows, Linux, and ESXi environments. 

Who Is Getting Hit 

The Gentlemen’s attacks are largely opportunistic rather than targeted. They look for organizations with exposed, vulnerable internet-facing infrastructure (think: VPNs, remote access gateways, firewall management portals) and use those as their entry points. 

Manufacturing and technology companies make up the largest share of victims, which is consistent with the broader ransomware landscape. More notable is the presence of healthcare as the third most frequently targeted sector. Some ransomware groups, as a matter of informal policy or self-preservation, avoid attacking hospitals. The Gentlemen show no indication of observing that limit. 

Geographically, the USA accounts for the largest number of victims, with the UK and Germany also heavily represented. CPR confirmed this pattern from the group’s public leak site and from independent telemetry obtained from an affiliated attacker’s server. 

What CPR Found Inside an Attacker’s Server 

During an incident response engagement, Check Point Research investigators discovered that a Gentlemen affiliate had deployed infrastructure connected to a much larger operation than a single incident would suggest. By gaining access to the command-and-control server in question, the researcher was able to observe a botnet of over 1,570 likely corporate victims. These were organizations whose systems had been quietly compromised and were awaiting further action. 

That number is significant for two reasons. First, it exceeds the group’s own publicly claimed victim count, suggesting the true scale of their activity is larger than what appears on their leak site. Second, the profile of the victims (enterprise systems, domain-joined machines, corporate credentials) confirms this is not opportunistic consumer targeting. These are organizations, and their data was likely already staged for exfiltration. 

Speed Is the Defining Characteristic 

In the incident CPR responded to, the attacker arrived with domain-level administrative access already established. From that point, the intrusion escalated rapidly: credential validation across the environment, lateral movement to dozens of hosts, disabled security tools, and ultimately a domain-wide ransomware deployment triggered through Group Policy, hitting every connected machine simultaneously. 

The speed and coordination of this attack reflects a group that has refined its playbook. Affiliates are not improvising; they are executing a documented, tested process designed to maximize impact before defenders can respond. 

What Security Leaders Should Do 

The Gentlemen are not exploiting novel zero-days or bypassing security through exotic means. Their initial access relies overwhelmingly on unpatched or misconfigured internet-facing devices. These are the same vulnerabilities that defenders have been advised to prioritize for years. 

The fundamentals remain the most important defensive investments: 

  • Patch internet-facing infrastructure first: VPNs, firewalls, and remote access gateways are the primary entry point. These devices must be treated with the same urgency as public-facing web applications 
  • Assume credential compromise: The Gentlemen affiliates move quickly from initial access to domain-level control. Multi-factor authentication and privileged access controls are non-negotiable 
  • Test your backup and recovery capability: A functioning, isolated backup is the single most effective tool for limiting ransomware impact. Many organizations discover their backup strategy is inadequate during an incident, not before 
  • Monitor for lateral movement, not just perimeter breach: By the time ransomware detonates, the attacker has typically been present for some time. Detection at the lateral movement stage provides the best opportunity to interrupt an attack in progress 
  • Segment your network: Domain-wide encryption via Group Policy is only possible when an attacker has domain controller access and can reach every endpoint. Network segmentation limits both the attacker’s reach and the blast radius of a successful intrusion 
The Bigger Picture 

The Gentlemen’s rise illustrates a structural challenge in the ransomware landscape: the barrier to standing up a professional RaaS operation has fallen considerably. A compelling revenue split, a capable locker, and a leak site are enough to attract affiliates who bring their own access and expertise. The operation does not need to be technically groundbreaking to be damaging at scale. 

CPR will continue monitoring this group as it evolves. For the complete technical analysis, including the full attack timeline from our incident response engagement, detailed malware behavior, and indicators of compromise, read the full report. 

Check Point customers are protected from this threat via Threat Emulation and Harmony Endpoint.