Gentlemen ransomware targets VMware ESXi
- A Gentlemen ransomware-as-a-service operation advertised affiliate recruitment and claimed the capability to target VMware ESXi, Windows, Linux and NAS environments, researchers posted today.
- The group's post lists ESXi among its targets and invites affiliates to use its RaaS infrastructure for attacks against cloud and virtualized hosts.
- The activity was highlighted on May 16 by CyberAlertsHQ in a social post amplifying the recruitment notices (x.com).
1/ The Gentlemen ransomware-as-a-service (RaaS) group posted a recruitment notice on May 16, 2026, seeking affiliates for attacks on VMware ESXi hypervisors alongside Windows, Linux, and NAS systems.
2/ The post, shared on a cybercrime forum, lists ESXi explicitly as a supported target and promotes the group's infrastructure for hitting virtualized and cloud environments. CyberAlertsHQ amplified it publicly the same day.
3/ RaaS models like Gentlemen let affiliates deploy pre-built ransomware in exchange for a cut of the ransoms—typically 70-80% to the operator, 20-30% to the attacker. This lowers the technical bar for entry-level cybercriminals.
4/ VMware ESXi is a type-1 hypervisor used to run multiple virtual machines on a physical server, and it powers much of enterprise data centers and cloud infrastructure. A single ESXi infection can encrypt dozens of VMs at once, amplifying the damage.
5/ Why ESXi? It's a high-value target—disabling it halts entire server farms. Groups like Black Basta and LockBit have hit ESXi before; Gentlemen now joins them, signaling broader adoption of hypervisor exploits.
6/ The recruitment pitch invites affiliates to "monetize" their skills against "cloud and virtualized hosts," per the post. No attacks have been confirmed yet, but the post advertises ready tooling for ESXi encryption.
7/ Timeline: the forum post appeared May 16. CyberAlertsHQ flagged it hours later. As of May 17, there are no victim claims on Gentlemen leak sites, but recruitment like this often precedes campaigns by days or weeks.
8/ Past ESXi ransomware waves: in 2023, ESXiArgs exploited a flaw affecting 100k+ servers, demanding 1 BTC (~$25k then) per victim. Recovery? Often impossible without backups.
9/ Defenses for orgs: patch ESXi regularly (v8.0 U2 fixes recent vulns). Enable SSH only when needed. Segment networks. Use EDR on vCenter. Keep backups offline. VMware has urged these measures since the 2023 outbreaks.
10/ Gentlemen joins a crowded field—RansomHub, Qilin, etc.—but ESXi focus differentiates it for affiliates chasing big payloads from fewer hits. Watch for victim posts on XSS.is or similar forums.