The Gentlemen Ransomware Tied to 478 Victims, Uses AI and Worm Spreading
A new deep-dive into The Gentlemen ransomware operation reveals that the financially motivated threat group has claimed 478 victims since emerging in March 2025, and now operates an independent partnership program with worm-like propagation capabilities. According to PRODAFT, which tracks the group as Phantom Mantis, the operation is led by a Russian-speaking threat actor known as LARVA-368, who leveraged resources from multiple ransomware-as-a-service (RaaS) schemes — including LockBit (Tenacious Mantis), Qilin (Pestilent Mantis), and Medusa (Venomous Mantis) — before breaking away in July 2025.
LARVA-368, identified by journalist Brian Krebs as 36-year-old Alexander Andreevich Yapaev from Izhevsk, Russia, previously worked with the Embargo (Primeval Mantis) group before launching his own operation under the alias ArmCorp, which later rebranded to The Gentlemen. The shift followed a payment dispute with Qilin, in which LARVA-368 accused the RaaS operation of running an exit scam and defrauding affiliates of $48,000. PRODAFT notes that the group's heavy reliance on artificial intelligence for ransomware development, tooling maintenance, and post-exploitation procedures marks a notable evolution in operational tradecraft, enabling faster iteration and broader affiliate scaling.
Technical analysis from LevelBlue's Cybereason team has previously described The Gentlemen as capable of self-propagation across networked systems, raising the stakes for organizations with exposed services and weak segmentation. Affiliates have been observed paying for premium accounts on underground forums to boost visibility and absorb rival operators — a recruitment approach that mirrors those seen in other RaaS turf wars. For defenders, the worm-style lateral movement makes perimeter hygiene and internal network monitoring critical, and tools like a port scanner or DNS leak test can help identify exposed attack surfaces and misconfigured network paths before ransomware spreads laterally.
With affiliate panels registering more than 20 targets in under 30 days and a dedicated support persona ("The Gentlemen Data") handling communications, the operation has matured into a full-service extortion business. The 478-victim tally from Ransomware.Live underscores the scale of the threat, and security teams should prioritize credential hardening — verifying account safety with a password checker — alongside monitoring for the group's IOCs as PRODAFT and other researchers continue to publish indicators.