The Gentlemen Ransomware: Unmasking an AI-Driven, Evolving Threat Group
A new deep dive into the 'The Gentlemen' ransomware operation, also tracked as Phantom Mantis, reveals its evolution from a multi-RaaS affiliate to an independent, AI-powered threat. Led by the Russian-speaking cybercriminal **LARVA-368**, the group has claimed hundreds of victims and exhibits a sophisticated, adaptive attack methodology.
A comprehensive analysis of **The Gentlemen** ransomware operation has shed light on its intricate evolution, revealing a financially motivated threat group that has transitioned from an affiliate model to an independent partnership program.
Initially operating under the moniker **Phantom Mantis**, the group leveraged resources from prominent Ransomware-as-a-Service (**RaaS**) schemes such as **LockBit** (aka Tenacious Mantis), **Qilin** (aka Pestilent Mantis), and **Medusa** (aka Venomous Mantis) to conduct double extortion attacks.

### The Rise of LARVA-368
According to a detailed report by **PRODAFT**, the operation is spearheaded by a Russian-speaking cybercriminal identified as **LARVA-368**, who uses various online aliases including hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. **The Gentlemen** has been active since March 2025, accumulating a total of 478 victims to date, according to data from Ransomware.Live.
In July 2025, **Phantom Mantis** transitioned to **The Gentlemen**, establishing itself as an independent program. This shift coincided with a payment dispute between **LARVA-368** and **Qilin**, where the former accused the **RaaS** operation of an exit scam and defrauding them of $48,000.
Notably, **LARVA-368** heavily relies on artificial intelligence for the development and maintenance of ransomware and tools, as well as for assistance with post-exploitation procedures.
Cybersecurity journalist Brian Krebs has identified **LARVA-368** as 36-year-old Alexander Andreevich Yapaev from Izhevsk, Russia, a finding corroborated with high confidence by **PRODAFT**.

### Sophisticated Tactics and Affiliate Program
**The Gentlemen** is characterized by its sophisticated and adaptive operational model:
* **Aggressive Affiliate Model**: The group offers an attractive 90% profit share to affiliates, with 10% for the operator.
* **Vetting Affiliates**: Prospective affiliates must provide at least 1GB of exfiltrated data to gain access to the affiliate panel, a tactic designed to deter researchers and law enforcement.
* **Multi-Platform Ransomware**: **Phantom Mantis** provides five versions of ransomware tailored for Windows, Linux, ESXi, Windows XP+, and Logical Volume Manager (**LVM**).
* **AI-Powered Support**: **LARVA-368** uses **The Gentlemen**'s IM app accounts to support affiliates, offering assistance with encryption and intrusion-related issues, including providing EDR killers that bypass security solutions via the Bring Your Own Vulnerable Driver (**BYOVD**) technique.
* **Communication Channels**: Support is available through the open-source messaging platforms Tox, SimpleX Chat, and Ricochet Refresh.

### Attack Vectors and Defense Evasion
**The Gentlemen** prioritizes enterprise targets, gaining initial access through vulnerable internet-facing services or stolen credentials, with a particular focus on edge devices like **Cisco** and **Fortinet FortiGate** VPN appliances and firewalls.
The group employs a range of red team utilities such as **NetExec**, **RelayKing**, **TaskHound**, **PrivHound**, and **CertiHound** for Active Directory discovery, certificate abuse, privilege escalation, and file share discovery.
For defense evasion, tools like **EDRStartupHinder**, gfreeze, glinker, and DumpBrowserSecrets are utilized, while **Velociraptor** serves as a command-and-control (**C2**) framework.
Attacks also involve clearing System, Application, and Security Windows Event Logs, disabling **Microsoft Defender**, and adding antivirus exclusions.
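As an added defender-side illustration (not code from the PRODAFT or Microsoft reporting), the Python below scans constructed Windows event records for the log-clearing and Defender-tampering behaviours described above and flags hosts where both appear together. Event IDs 1102, 104, 5001 and 5007 are the standard Windows and Defender identifiers; the record layout and host names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\", re.IGNORECASE)

# Constructed sample records; field names are an assumption, adapt to your SIEM.
SAMPLE_EVENTS = [
    {"host": "srv-01", "channel": "Security", "event_id": 1102, "message": "The audit log was cleared."},
    {"host": "srv-01", "channel": "System", "event_id": 104, "message": "The System log file was cleared."},
    {"host": "srv-01", "channel": DEFENDER, "event_id": 5001, "message": "Real-time protection is disabled."},
    {"host": "srv-01", "channel": DEFENDER, "event_id": 5007,
     "message": "Configuration changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Paths\\C:\\Temp = 0x0"},
    # A 5007 that changes a scan setting, not an exclusion: must not be flagged.
    {"host": "srv-02", "channel": DEFENDER, "event_id": 5007,
     "message": "Configuration changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Scan\\ScanParameters = 0x1"},
]

def tag_event(ev: Dict) -> Optional[str]:
    """Map one record to a tampering tag, or None if it is not of interest."""
    eid, chan, msg = ev["event_id"], ev["channel"], ev["message"]
    if chan == "Security" and eid == 1102:
        return "security_log_cleared"
    if chan in ("System", "Application") and eid == 104:
        return f"{chan.lower()}_log_cleared"
    if chan == DEFENDER and eid == 5001:
        return "defender_realtime_disabled"
    if chan == DEFENDER and eid == 5007 and EXCLUSION_RE.search(msg):
        return "defender_exclusion_added"
    return None

def tampering_by_host(events: Iterable[Dict]) -> Dict[str, List[str]]:
    """Distinct tampering tags per host, in the order first seen."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        tag = tag_event(ev)
        if tag and tag not in seen[ev["host"]]:
            seen[ev["host"]].append(tag)
    return dict(seen)

def hosts_to_escalate(events: Iterable[Dict]) -> List[str]:
    """Log clearing plus Defender tampering on one host is the pairing worth paging on."""
    by_host = tampering_by_host(events)
    return sorted(h for h, tags in by_host.items()
                  if any(t.endswith("_log_cleared") for t in tags)
                  and any(t.startswith("defender_") for t in tags))
```

Either behaviour alone is frequently routine administration; the combination on a single host within a short window is what merits immediate triage.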

### Technical Deep Dive
**Microsoft**, tracking the cluster as **Storm-2697**, notes that **The Gentlemen** ransomware is written in Go and obfuscated with **Garble**. When executed with the `--spread` argument, it transforms into a self-propagating worm, deploying its encryptor to every reachable system on the network. The `--wipe` argument triggers an additional post-encryption routine to eliminate recoverable artifacts from disk.
The ransomware employs a hybrid cryptographic scheme, combining **X25519** key exchange with **XChaCha20** symmetric encryption.
**The Gentlemen** also exhibits a multi-channel extortion approach, integrating ransomware attacks with email outreach and phone-based pressure tactics against victims. Their highly responsive development cycle was demonstrated by the rapid release of a same-day patch after a decryptor for their ransomware was made public in April 2026.
While only 13% of their victims are based in the U.S., the majority are concentrated in Thailand, the U.K., Brazil, Germany, and India, highlighting a global reach. The group's average dwell time within compromised networks stands at approximately 15 days.