The Gentlemen Ransomware Spree Hits 19 Firms in a Day
Summary
The day split into two very different threats sharing one feed: a patient, financially motivated wave of ransomware and data theft against mid-market firms, and a loud, political surge of defacements and denial-of-service tied to the widening war in the Middle East. The noisiest incidents did the least lasting harm. The exposure that matters sat with the quiet operators -- and with the identity-based social engineering quietly handing them access.
Today's developments
The most active operator of the day was the ransomware group calling itself The Gentlemen, which claimed roughly nineteen victims in a single spree spanning at least eight countries and almost every sector a mid-market extortion crew favours. Its alleged victims included law and consulting firms in the United States (lopes law, triquesta), construction companies across the United States and Canada (dash door & glass, aveiro constructors), IT providers in Germany and the United Kingdom (internet ag, fortray global services), healthcare billers (crossroads medical management, pharma wholesale corp), the Italian confectioner Vicenzi and the Greek arm of the accountancy network BDO. The pattern -- outsourced IT, legal and finance shops rather than marquee brands -- is the tell of a group harvesting whatever managed-service access it can reach rather than chasing headlines.
Other extortion crews worked the edges. Money Message claimed the US non-profit Envision Unlimited; CMD Organization named the UK's Finance Yorkshire; Gunra listed the Spanish builder New Tiles; Nova claimed Argentina's Hynet; and an actor going by doommageddon claimed a Brazilian hospital, the kind of target that turns an IT outage into a clinical-safety problem.
The breach and leak column -- thirty-three of the day's incidents -- reached deeper into government and health records. An actor known as sqx claimed a breach of the Supreme Court of Argentina; one calling itself yaserbakhtiary0111 claimed data from France's national health-insurance body l'assurance maladie, while Saturne named the French handisport federation and NXBB.SEC claimed Thailand's Ministry of Interior. In the United States, Nemoris_Hacking claimed a breach of a correctional-services provider and HitekTech claimed to have taken data from 7-Eleven; in Switzerland, an actor claimed data from the crypto-analytics firm Glassnode. A serial leaker operating as RoisData posted alleged datasets across at least six countries in a single day -- Finland, India, Japan, Poland, Turkey and the United States -- while another, 0cx00iq, concentrated on Iraq, Lebanon and Palestine, a reminder that the region's war is reshaping who gets hit.
That conflict dominated the hacktivist noise floor. Israel was the day's most-targeted country by a wide margin, ahead of the United States and Iran, as crews such as Sarbedaran, Dark Storm Team and the pro-Russian denial-of-service group NoName057(16) claimed defacements and short-lived outages; defacement alone accounted for fifty-six of the day's incidents. Little of it caused durable damage, but the volume is the point -- it buries the incidents that do.
External reporting converged on two themes, crypto and identity. Security reporters covered the sentencing of Angelo Martino, a former ransomware negotiator given seventy months in a US prison for feeding confidential client information to the BlackCat/AlphV gang in schemes that extorted a combined $75.3 million -- the third insider from the incident-response industry convicted this way, alongside a separate Ryuk operator who pleaded guilty the same week. Researchers at Coinspect disclosed a wallet flaw they call Ill Bloom that attackers were already using to drain more than $5 million, while Ledger's Donjon team showed a precisely timed laser pulse could reset passwords on unpatchable Tangem hardware wallets, and unknown actors compromised Injective Labs' GitHub project to push wallet-key-stealing packages to the npm registry. On the identity side, Okta warned of voice-phishing campaigns steering Microsoft 365 users to fake Entra ID login pages, and separate research detailed attackers abusing fake Microsoft Entra passkey enrollment to seize M365 accounts. Elsewhere, an exposed server revealed the WP-SHELLSTORM crew backdooring thousands of WordPress sites, a study of 281 free Android VPN apps found widespread traffic leaks and unencrypted data, and a destructive toolkit dubbed GigaWiper was documented combining a standalone wiper, ransomware encryption and multi-pass disk wiping.
Threat landscape signals
Actor concentration was unusually high at the top. The three busiest handles -- a defacement crew, a conflict-linked hacktivist, and The Gentlemen -- together accounted for roughly two of every five tracked incidents, and The Gentlemen alone drove the large majority of the day's twenty-five ransomware claims. That skew flatters the raw count: strip out the fifty-six defacements and twenty-one denial-of-service bursts, most of them political, and the day's real exposure narrows to the thirty-three breaches and leaks and the ransomware spree.
The geography tells the same two-track story. The war pulled targeting toward Israel, Iran and their neighbours, but the monetised intrusions landed on ordinary commercial and government victims in the United States, France, Spain, Germany and Argentina. The through-line across the financially motivated activity was access rather than exploits: voice-phishing against Microsoft 365, fake passkey enrollment, a poisoned code repository, and ransomware crews feeding on outsourced IT providers all point the same way. For defenders, the signal is to treat identity and supplier access as the primary battleground -- the defacements filling the feed are a distraction from the intrusions that quietly monetise, and the crypto sector in particular absorbed four separate serious hits in a single day.