SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
The Gentlemen tops ransomware rankings in Q2 review

The Gentlemen tops ransomware rankings in Q2 review

Fri, 17th Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

ReliaQuest has published its second-quarter review of ransomware and cyber extortion trends, recording 2,252 named victims during the quarter.

That total was down 15% from the first quarter but still 51% higher than a year earlier, showing activity remained elevated even as the leading groups changed. The data covered 90 ransomware groups operating across 99 countries.

The biggest shift at the top of the market was the rise of The Gentlemen, which ranked first by named victim count for the first time. The group posted 300 victims in the quarter, narrowly ahead of Qilin on 289.

The change came as three of the most prominent groups from the previous quarter lost momentum. Qilin, which had led the rankings for four straight quarters, fell from 111 posts in April to 79 in June. DragonForce dropped from 65 to 27 over the same period, while Coinbase Cartel fell from 45 to four, the steepest decline among the tracked groups.

ReliaQuest said the shift in rankings did not amount to a change in attackers' core methods. Affiliates, tools and access often move between brands even when the names at the top change quickly, it argued.

New leader

According to the report, The Gentlemen's rise over the past three quarters has been driven by strong affiliate recruitment and a packaged intrusion kit that makes entry easier for operators. Its monthly victim counts climbed from 101 in April to 122 in June, giving it its strongest month at the end of the quarter.

The report said publicly leaked chat logs indicate the group's leader, known as hastalamuerte, previously ran the ArmCorp affiliate group under Qilin. The logs also suggest affiliates are given pre-compromised victim lists, tools to disable endpoint detection and response products, Group Policy Object-based deployment methods, and WinSCP for data theft.

ReliaQuest linked this model to a broader trend in ransomware-as-a-service operations, where standardised toolkits and rapid updates can shorten the time needed for new affiliates to become active. The techniques used by The Gentlemen were mostly conventional, including exploiting edge devices, using tunnelling tools for command and control, and encrypting over Server Message Block from a single host.

Deadlock focus

The report placed particular emphasis on Deadlock, a group that had been largely absent from public data-leak sites for 11 months before naming 75 victims in June. Although smaller by quarterly victim volume, ReliaQuest described it as especially important because of how it manages command and control and disables security tools.

Deadlock's malware retrieves connection instructions from a public blockchain rather than relying on hard-coded domains or internet addresses. That allows operators to rotate addresses without leaving fixed infrastructure for defenders to block or remove.

Before encryption, the group is also said to exploit a vulnerable driver to terminate endpoint security products at kernel level. The technique, known as Bring Your Own Vulnerable Driver, uses a legitimate signed driver that Windows trusts by default, allowing attackers to disable protected processes, including endpoint detection and response systems.

The report said this combination weakens two common defensive measures. Blocking network indicators becomes less useful when command infrastructure can change on demand, while endpoint tools lose visibility once they are shut down before encryption begins.

Deadlock's wider intrusion chain still relies on more familiar methods. ReliaQuest said the group uses AnyDesk for persistence, Remote Desktop Protocol for lateral movement, and PowerShell scripts to bypass User Account Control, disable Windows Defender, and delete volume shadow copies. Encrypted files take the .dlock extension, and the malware pauses for about 50 seconds before encryption, a delay designed to evade short sandbox analysis windows.

Sector exposure

By industry, professional, scientific and technical services remained the most targeted sector for the fifth consecutive quarter. It accounted for 437 victim posts across the top 11 groups, or 32% of tracked activity.

Manufacturing and construction followed close behind. ReliaQuest said the continued focus on professional, scientific and technical services reflected the value of client data held across multiple downstream businesses, which can increase pressure on victims during extortion attempts.

The report also pointed to signs of sector concentration among individual groups. Qilin was identified as a leading threat to construction, health care and social assistance, finance and insurance, and public administration. The Gentlemen focused more heavily on professional, scientific and technical services, manufacturing, retail trade, and accommodation and food services. Akira, while smaller overall, concentrated much of its activity on manufacturing and construction.

Geographic spread

The United States remained by far the most targeted country, accounting for 1,094 victim posts, or roughly 49% of all observed activity. That was about nine times the volume of the next-ranked country.

India and Thailand also maintained the elevated levels seen in the first quarter. ReliaQuest said this mattered for enterprises with subsidiaries, outsourced IT operations, or manufacturing partners in those countries, because privileged access through shared systems and service platforms can turn a supplier breach into a wider corporate problem.

The report concluded that churn in ransomware branding has done little to alter the underlying pattern of attacks. "Q2's leaderboard turned over, but the tactics converged: hide the infrastructure, stall attribution, and kill the endpoint before encryption starts."