The Gentlemen Ransomware Claims 478 Victims and Learns to Spread Like a Worm

A PRODAFT investigation traces a Russian-led crew that graduated from ransomware affiliate to independent operator, built a worm-capable encryptor in Go, and now lives on the edge devices most enterprises forget to patch.

Published June 11, 2026

From Affiliate to Independent Operator

A detailed investigation published by the threat intelligence firm PRODAFT on June 11 lays bare the rise of The Gentlemen, a ransomware operation the firm tracks under the name Phantom Mantis. The group has claimed 478 victims since it surfaced in March 2025 and, according to the report, accounted for roughly ten percent of all ransomware activity in April 2026. That trajectory, from new entrant to one of the most active crews on the landscape in barely a year, is the kind of velocity that should worry any security leader who assumes the named gangs are a stable, known quantity.

What makes the story instructive is the group's evolution. It began as an affiliate, renting infrastructure and tooling from established ransomware-as-a-service brands including LockBit, Qilin and Medusa, before breaking away in July 2025 to run its own partnership program, no longer dependent on any single platform. PRODAFT attributes the operation to a Russian-speaking actor it calls LARVA-368, who has cycled through a long list of aliases. The maturation from affiliate to self-sufficient operator mirrors a broader market shift, in which the most capable affiliates are graduating into brands of their own.

A Worm in Ransomware Clothing

The technical core of the threat is an encryptor written in Go and obfuscated with the Garble toolkit. Go gives the malware easy cross-compilation for multiple operating systems, and Garble strips and randomizes identifiers in the compiled binary, which slows static analysis and signature matching. The detail that elevates it from dangerous to alarming is a single command-line flag. As Microsoft researchers noted, enabling the spread argument turns the malware from a single-host encryptor into a self-propagating worm that attempts to deploy its encryptor to every reachable system on the network. Documented incidents show entire networks encrypted within minutes.

We want to be precise about why this matters operationally. Most ransomware still relies on an operator manually moving laterally, escalating privileges and seeding the payload host by host, a process that buys defenders hours and sometimes days to detect and respond. A worm-capable encryptor compresses that window to minutes and removes the human pacing entirely. For incident response teams, the implication is stark: the assumption that there is time to contain an intrusion before mass encryption no longer holds against tooling like this, and segmentation that was only ever theoretical becomes the difference between one ruined server and a ruined estate.
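The same property that makes a worm-capable encryptor fast also makes it visible: instead of an operator quietly touching hosts one at a time, a single machine starts talking to many peers on administrative ports within seconds. The following is an added example of that fan-out check run over flow-style log lines; it is not code from the PRODAFT report, from Microsoft, or from the malware itself. The port list, the 60-second window, the threshold of ten peers and the sample flows are all constructed assumptions to be tuned for a real estate.

```python
"""Flag worm-like fan-out: one source host reaching many distinct peers on
lateral-movement ports inside a short sliding window.

Added example, not the report's or the malware's code.  LATERAL_PORTS, the
window, the threshold and the sample flows are assumptions, not findings."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports a self-spreading encryptor would use to push itself to peers
# (SMB, RPC, NetBIOS, WinRM, RDP, SSH).  Assumption: adjust to your estate.
LATERAL_PORTS = {445, 135, 139, 5985, 5986, 3389, 22}


def parse_flows(text):
    """Parse 'ISO8601 src dst dport' lines into sorted (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return sorted(flows)


def peak_fanout(flows, window=timedelta(seconds=60)):
    """For each source, the largest number of distinct destinations it contacted
    on LATERAL_PORTS within any interval of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in LATERAL_PORTS:
            by_src[src].append((ts, dst))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        live = Counter()   # destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            live[dst] += 1
            # Slide the left edge forward until every event fits in the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        peaks[src] = peak
    return peaks


def worm_suspects(flows, threshold=10, window=timedelta(seconds=60)):
    """Sources whose peak fan-out reaches the threshold, worst first."""
    peaks = peak_fanout(flows, window)
    return sorted(((s, n) for s, n in peaks.items() if n >= threshold),
                  key=lambda item: -item[1])


def _constructed_sample():
    """Constructed flow log (not real telemetry): one worm-like host, one slow
    admin host and one ordinary web client that must not be flagged."""
    base = datetime(2026, 4, 2, 3, 14, 0)
    lines = []
    # Worm-like: 10.0.5.21 hits 12 peers over SMB within 36 seconds.
    for i in range(12):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.5.21 10.0.5.{30 + i} 445")
    # Admin: 10.0.1.10 reaches 5 hosts over SSH, spread across an hour.
    for i in range(5):
        ts = base + timedelta(minutes=12 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.1.10 10.0.2.{40 + i} 22")
    # Browser: 10.0.7.5 contacts 20 web servers in a minute on 443 (not lateral).
    for i in range(20):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.7.5 203.0.113.{i + 1} 443")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in worm_suspects(parse_flows(_constructed_sample())):
        print(f"ALERT {src}: {n} distinct lateral targets inside 60s")
```

On the constructed sample only the SMB fan-out host is reported; the admin host peaks at one live destination per window and the web client is excluded by port. In production, feed NetFlow, firewall or EDR network events, and keep the threshold low enough that a dozen new SMB peers in a minute from a workstation is already an alert, because by the time a worm has reached a hundred hosts the encryption is underway.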

The Edge Is the Front Door

Initial access, in PRODAFT's telling, comes overwhelmingly through internet-facing edge devices: VPN appliances, firewalls and other gateway systems, with Cisco and Fortinet FortiGate platforms singled out as favored targets. The group exploits a set of known vulnerabilities rather than relying on novel zero-days, which is precisely the uncomfortable part. These are flaws with patches available, sitting on the devices that form the perimeter of nearly every enterprise network and that, too often, fall outside the normal patch cadence applied to servers and endpoints.

This pattern is now the dominant story in ransomware, and it deserves to reshape how organizations prioritize. The edge device is attractive because it is exposed by design, frequently runs outdated firmware, and sits at a position of trust that lets an attacker who compromises it pivot straight into the internal network. We would argue that the FortiGate or the VPN concentrator now deserves the same patching urgency and monitoring intensity historically reserved for domain controllers. The crews exploiting them have already made that calculation, and the victim geography proves they are working globally, not just against the United States.

What the Leaked Messages Reveal

PRODAFT's visibility was sharpened by an unusual source: an internal Rocket.Chat database leak spanning November 2025 to April 2026 that surfaced more than three thousand operational messages from inside the group. That kind of intelligence is gold for defenders, because it exposes not just indicators of compromise but the human workflow behind the campaign: how targets are chosen, how negotiations are run, and how the operation manages its own people and tooling. It is a rare look behind a curtain these groups work hard to keep drawn.

The victim distribution that emerges is itself a lesson. With only about thirteen percent of targets in the United States and the bulk concentrated in Thailand, the United Kingdom, Brazil, Germany and India, The Gentlemen is a reminder that ransomware is a global industry that follows opportunity, not headlines. Organizations outside the usual high profile geographies sometimes assume they are lower priority targets. The data says the opposite: where edge devices are exposed and unpatched, the crews will come, regardless of which flag flies over the data center.

The Economics Behind the Brand

The Gentlemen's journey from affiliate to independent operator is not just a biographical detail; it is a window into the economics reshaping the ransomware market. Affiliates who once paid a platform for tooling and infrastructure are discovering that, once they have built reputation, victim relationships and a working toolset, they can capture far more of the proceeds by going independent. The result is a fragmenting market in which capable crews spin off into their own brands, each with its own malware, its own negotiation playbook and its own internal operation to manage.

For defenders, this fragmentation has a practical consequence: the roster of serious threats is larger and more fluid than any static list of well-known gangs suggests. A group can go from unknown to ten percent of monthly ransomware activity within a year, as this one did, without ever appearing in the headlines that shape executive risk perception. We would urge security leaders to anchor their posture in attacker behavior (edge exploitation, rapid lateral movement, worm-like spread) rather than in the named brands of the moment, because the brands change faster than the techniques do.

The Defensive Mandate

For security leaders, this report converts neatly into a short, unsentimental checklist. Treat internet-facing edge devices as crown jewels: inventory every VPN, firewall and gateway, confirm none are running firmware with known exploited vulnerabilities, and put them under the same monitoring discipline as core infrastructure. Assume that an intrusion can become full-network encryption in minutes, and design segmentation, privileged access controls and offline backups on that assumption rather than on the comfortable fiction that responders will have time to react.
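One concrete way to run the first item on that checklist, comparing an edge-device inventory against the minimum fixed firmware version for each release branch, as an added example that is not from PRODAFT or from any vendor tool. The advisory rows, inventory, version numbers and ADV-EXAMPLE references below are constructed placeholders, not real advisories or CVEs; the version parser is a deliberate simplification that treats every dotted or parenthesised number as one component.

```python
"""Audit internet-facing edge devices against advisories that carry a
'fixed in' firmware version per release branch.

Added example, not the report's code.  All rows below are constructed:
the ADV-EXAMPLE references and version numbers are placeholders, not real
advisories, and the product names are only used as normalized labels."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    ref: str        # placeholder reference, e.g. ADV-EXAMPLE-1 (not a real CVE)
    product: str    # normalized product label
    branch: str     # release train the fix applies to, e.g. "7.0"
    fixed_in: str   # first version on that branch that carries the fix


@dataclass(frozen=True)
class Device:
    hostname: str
    role: str             # vpn, firewall, gateway
    product: str
    version: str
    internet_facing: bool


def version_key(v):
    """'7.0.12' -> (7, 0, 12); '9.16(4)' -> (9, 16, 4).  Assumption: every run
    of digits is one component; build suffixes are not modelled."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def branch_of(v, depth=2):
    """Release train of a version, e.g. '7.0.12' -> '7.0'."""
    return ".".join(str(x) for x in version_key(v)[:depth])


def is_vulnerable(device, adv):
    """True when the device is on the advisory's branch and below the fix."""
    return (device.product == adv.product
            and branch_of(device.version) == adv.branch
            and version_key(device.version) < version_key(adv.fixed_in))


def audit(devices, advisories):
    """[(device, [advisories it is still below])], exposed devices first."""
    findings = []
    for d in devices:
        hits = [a for a in advisories if is_vulnerable(d, a)]
        if hits:
            findings.append((d, hits))
    findings.sort(key=lambda f: (not f[0].internet_facing, -len(f[1])))
    return findings


def uncovered(devices, advisories):
    """Exposed devices whose product/branch has no advisory row at all.  These
    are 'not assessed', which must not be reported as 'clean'."""
    known = {(a.product, a.branch) for a in advisories}
    return [d.hostname for d in devices
            if d.internet_facing and (d.product, branch_of(d.version)) not in known]


# Constructed placeholder rows: none of these reflect a real advisory.
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "fortios", "7.0", "7.0.14"),
    Advisory("ADV-EXAMPLE-2", "fortios", "7.2", "7.2.8"),
    Advisory("ADV-EXAMPLE-3", "cisco-asa", "9.16", "9.16(4)"),
]

# Constructed inventory, as a network team might export it.
SAMPLE_INVENTORY = [
    Device("vpn-dc1", "vpn", "fortios", "7.0.12", True),
    Device("fw-branch-3", "firewall", "fortios", "7.2.9", True),
    Device("asa-edge-2", "vpn", "cisco-asa", "9.16(2)", True),
    Device("fw-lab", "firewall", "fortios", "7.0.11", False),
    Device("gw-dmz", "gateway", "fortios", "7.4.5", True),
]


if __name__ == "__main__":
    for dev, hits in audit(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        exposure = "EXPOSED" if dev.internet_facing else "internal"
        print(f"{exposure:8} {dev.hostname:12} {dev.product} {dev.version} -> "
              + ", ".join(f"{a.ref} (fixed in {a.fixed_in})" for a in hits))
    for host in uncovered(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"UNASSESSED {host}: no advisory row for its product/branch")
```

Replace the placeholder rows with the real feeds (CISA's Known Exploited Vulnerabilities catalog plus the vendor PSIRT pages) and the export from the device inventory, and run it on the same cadence as server patch reviews. The `uncovered` list is the part most audits skip: a gateway on a branch nobody has mapped is an open question, not a pass.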

We would add a strategic note for the board. The shift toward worm-capable, edge-initiated ransomware is not a passing tactic; it reflects a maturing criminal market where capable operators graduate into brands and weaponize the gap between patch availability and patch deployment. The defensive advantage no longer lies in detecting a slow, manual intruder but in shrinking the attack surface and the patch window before the intruder ever arrives. The Gentlemen did nothing exotic to reach 478 victims. They simply exploited what too many enterprises left exposed, and they automated the rest.
