Based on reporting by The Hacker News →
Introduction
The ransomware ecosystem is undergoing a dangerous evolution: seasoned affiliates are breaking away from established RaaS brands to launch their own operations, armed with professional tools and the ability to self-propagate. A recently published analysis of The Gentlemen group reveals exactly how that transition happens and why it makes the average WordPress site a more likely target.
The problem
According to a detailed report published by The Hacker News, researchers have dissected the operations of a financially motivated threat group known as The Gentlemen. The analysis reveals that this group initially functioned as an affiliate (a hired gun) responsible for conducting double extortion attacks. Crucially, The Gentlemen leveraged resources and probably code from multiple ransomware-as-a-service (RaaS) schemes to build their own operation, specifically citing LockBit (tracked as Tenacious Mantis), Qilin (Pestilent Mantis), and Medusa (Venomous Mantis) as sources of inspiration or tooling. The most alarming finding is that The Gentlemen has claimed 478 victims and possesses the capability to spread like a worm—meaning it can move from an initial compromised host to other connected systems without requiring manual interaction by the attacker.
Consequences
The 478 claimed victims represent a significant, mature operation that is actively causing data breaches and operational disruption on multiple continents. The worm-like propagation capability accelerates the blast radius: an initial intrusion into a single vulnerable web application, such as an unpatched WordPress plugin, could rapidly escalate into a full network compromise, with encryption and data exfiltration occurring in hours rather than days. For organizations relying on WooCommerce or similarly exposed platforms, the risk is that a single overlooked vulnerability becomes a wormhole for lateral movement into corporate networks, CRM systems, and financial databases.