Gentlemen Ransomware claims multiple victims

- DarkWebInformer said on May 21 that The Gentlemen ransomware operation had added YMCA of Columbia, MBM Corp and Grupo Pasquel to its victim list.
- Check Point said on May 13 that The Gentlemen had 400-plus public victims, offered affiliates a 90/10 split and relied heavily on edge-device access.
- Ransomware.live listed May 21 as the group’s latest discovered victim date and counted 427 victims as of May 22.

DarkWebInformer posted on May 21 that The Gentlemen ransomware operation had claimed three more victims: YMCA of Columbia, MBM Corp and Grupo Pasquel. The post circulated across security-monitoring feeds alongside a separate discussion of legacy virtual private network weaknesses, including broad access after login and limited visibility into threats.

The claims appeared as researchers were already tracking The Gentlemen as one of the most active ransomware-as-a-service groups of 2026. Check Point Research said on May 13 that The Gentlemen had more than 400 public victims in 2026 and ranked as the world’s second most active ransomware group this year. Ransomware.live, which tracks leak-site postings, listed 427 victims for the group and showed May 21 as the latest discovered victim date. Neither of those databases, by itself, confirms that an intrusion occurred at any named organization; they show that the group publicly claimed them. (blog.checkpoint.com)

### Who is The Gentlemen, and why are researchers watching it closely?

Check Point said The Gentlemen emerged around mid-2025 as a ransomware-as-a-service operation that recruits affiliates to carry out attacks. The firm said leaked internal material showed about nine named operators, centered on an administrator known as zeta88 or hastalamuerte, who built the ransomware and managed payouts. (blog.checkpoint.com)

Ransomware.live said the group uses a Go-based locker against Windows, Linux, NAS and BSD systems and offers affiliates a 90% revenue share. Check Point said that unusually generous split helped it attract experienced operators, including some with ties to the Qilin ecosystem.

### What exactly was claimed on May 21?

DarkWebInformer’s May 21 post named YMCA of Columbia, MBM Corp and Grupo Pasquel as newly listed victims of The Gentlemen. (research.checkpoint.com) The available sourcing tied to the post points to leak-site monitoring and ransomware tracking rather than public breach notices from the organizations themselves. (ransomware.live)

May 22 reporting and tracking pages did not provide public confirmation from those three organizations that matched the ransomware claim. In ransomware cases, groups often post names on leak sites before victims comment publicly, and sometimes before the underlying claim can be independently verified. That means the current reporting standard is narrower: The Gentlemen claimed the organizations, and researchers amplified the claim on May 21. (undercodenews.com)

### Why did the VPN debate show up next to this ransomware post?

A separate May 21 social post highlighted three familiar criticisms of legacy VPNs: broad access after authentication, weak visibility and low confidence against newer AI-assisted threats. Those points line up with mainstream vendor and security guidance that says older VPN designs can give users — and intruders with stolen credentials — wider network access than they need. (ransomware.live)

Fortinet said legacy VPNs can increase lateral-movement risk because they provide wide network access after authentication and depend on fragmented tools that reduce visibility and control. Check Point’s research on The Gentlemen said the group’s initial access was “almost exclusively” through unpatched edge devices or purchased credentials, which helps explain why access architecture keeps surfacing in ransomware discussions around the group. (fortinet.com)

### What do the leaked records say about how the group gets in?

Check Point said leaked internal discussions tied The Gentlemen’s access methods to Fortinet and Cisco edge appliances, NTLM relay, and Outlook Web Access or Microsoft 365 credential logs. The firm also said the group tracked newer vulnerabilities and used stolen data from one victim in a later attack against that victim’s client. (fortinet.com)

One negotiation example in the leaked material ended with a $190,000 payment after an initial $250,000 demand, Check Point said. That detail did not relate to the three May 21 named organizations, but it showed the scale and operating model researchers say they found inside the group’s records. (research.checkpoint.com)

### What should readers treat as confirmed right now?

As of May 22, the confirmed facts are narrower than the social posts: DarkWebInformer said on May 21 that The Gentlemen had claimed YMCA of Columbia, MBM Corp and Grupo Pasquel, and public tracking pages show The Gentlemen remained active through May 21. The next hard points to watch are whether any of the named organizations issue statements, whether regulators publish notices, and whether researchers add technical indicators tied to those claims. (research.checkpoint.com) (ransomware.live)
