A new industrialized ransomware group has a nasty habit of putting security software to sleep before striking. And unlike its competitors focused on the United States, it has set its sights on Western Europe.
Ransomware has long operated on a simple principle, encrypting a victim’s files before demanding a ransom to release them. The most organized groups have added a step, which consists of first neutralizing the defenses supposed to detect them. Many today operate as a crime franchise, where independent hackers, affiliates, rent the gang’s equipment to carry out their own attacks in exchange for a commission. A group called Gentlemen has taken the model further, providing these affiliates with ready-made tools to disable professional antiviruses.
How does a gang manage to disarm antiviruses?
Most groups leave their affiliates to fend for themselves when it comes to circumventing protections. Gentlemen made the opposite choice, centralizing this function and delivering it turnkey. Its main tool, dubbed GentleKiller, already comes in eight variants, each masquerading as legitimate software in order to exploit a vulnerable driver and cut down defenses from the inside. By itself, it targets more than 400 security processes spread across 48 products, from CrowdStrike suites to those of SentinelOne or Microsoft.
The technique abuses drivers that are signed and recognized as legitimate, a known loophole that vendors are struggling to close because they cannot revoke every affected component. The economic model comes down to one figure: the gang pays 90% of ransoms to its affiliates, who in exchange rent its encryption arsenal. By lowering the entry barrier so far, Gentlemen attracts less seasoned hackers, who are now spared from developing their own tools. Double extortion completes the mechanism, with the group threatening to disclose the stolen data if the victim refuses to pay.
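A defender-side view of the sequence described above, as an added example that is not from the article or from any vendor: a small correlation check over constructed Sysmon-style log lines that flags an unexpected driver load followed shortly by the termination of security-product processes. The process names, the expected-signer list and the sample records are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style records (Event ID 6 = driver loaded, Event ID 5 = process
# terminated), flattened to one key=value line each for this example.
SAMPLE_LOG = r'''
2026-03-01T10:00:00 EventID=6 ImageLoaded="C:\Windows\System32\drivers\ndis.sys" Signature="Microsoft Windows" SignatureStatus=Valid
2026-03-01T10:02:10 EventID=6 ImageLoaded="C:\ProgramData\upd\drv.sys" Signature="Example Hardware Vendor" SignatureStatus=Valid
2026-03-01T10:02:15 EventID=5 Image="C:\Program Files\CrowdStrike\CSFalconService.exe"
2026-03-01T10:02:16 EventID=5 Image="C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"
2026-03-01T10:02:20 EventID=5 Image="C:\Windows\notepad.exe"
2026-03-01T11:30:00 EventID=5 Image="C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"
'''

# Signers whose drivers load routinely; assumption: curated per environment.
EXPECTED_SIGNERS = {"Microsoft Windows"}
# Illustrative subset of security-product process names (the article counts 400+ across 48 products).
SECURITY_PROCESSES = {"csfalconservice.exe", "sentinelagent.exe", "msmpeng.exe", "mssense.exe"}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_events(text):
    """Turn the flat key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        fields = {k: q or u for k, q, u in KV.findall(rest)}
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def find_edr_kill_sequences(events, window=timedelta(minutes=5)):
    """Alert when a driver from an unexpected signer loads and, within `window`,
    one or more security-product processes are terminated."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "6" or ev.get("Signature") in EXPECTED_SIGNERS:
            continue
        killed = [
            e.get("Image", "").rsplit("\\", 1)[-1]
            for e in events
            if e.get("EventID") == "5"
            and ev["ts"] <= e["ts"] <= ev["ts"] + window
            and e.get("Image", "").rsplit("\\", 1)[-1].lower() in SECURITY_PROCESSES
        ]
        if killed:
            alerts.append({"driver": ev["ImageLoaded"], "signer": ev["Signature"], "killed": killed})
    return alerts

if __name__ == "__main__":
    for a in find_edr_kill_sequences(parse_events(SAMPLE_LOG)):
        print(f"ALERT driver={a['driver']} signer={a['signer']} killed={a['killed']}")
```

The Defender termination at 11:30 falls outside the window and is deliberately not flagged, which is the kind of tuning decision a real deployment has to make per environment.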
Why is Europe being targeted?
Where large gangs usually focus their attacks on the United States, Gentlemen follows an opposite trajectory. Its affiliates mainly strike in Western Europe, Southeast Asia and South America. This geography places France and its neighbors in the crosshairs, even if no French victim has yet been publicly named. The rise of the group is cause for concern among security officials.
Having appeared at the end of 2025, Gentlemen was born from the defection of a former affiliate of the Qilin gang, who left after a financial dispute. A team of defectors from LockBit, Medusa and Embargo gathered around him and reconstituted formidable expertise. The group has already claimed more than 200 victims in the first quarter of 2026 alone, making it the second most active actor on the planet, just behind Qilin. A leak within its own ranks in the spring confirmed how it operates, and a specialist journalist claimed at the beginning of June to have identified its alleged leader.
For European companies, the lesson is harsh: a high-end antivirus no longer guarantees much when it is precisely the component these hackers learn to turn off first. The real defense now takes place upstream, well before the ransomware touches any file.
Source: Bleeping Computer
