KCTI A.I CyberSecurity Scoring
KCTI
Company Information
Website: http://www.kelacyber.com
Employees number: 139
Number of followers: 13,401
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: kelacyber.com
KCTI Risk Score (AI oriented): Between 550 and 599
Updated: 02/06/2026
582/1000, Very Poor (Ca)
Current Score: 582 Ca (VERY POOR), scale 0 to 1000
2 incidents, 0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 582
MAY 2026: 578
APRIL 2026: 576
MARCH 2026: 572
FEBRUARY 2026: 567
JANUARY 2026: 563
DECEMBER 2025: 558
NOVEMBER 2025: 553
OCTOBER 2025: 547
SEPTEMBER 2025: 542
AUGUST 2025: 536
JULY 2025: 530
JANUARY 2025: 650
Ransomware
01 Jan 2025 • KCTI
Black Basta: Inside The Gentlemen Data Breach
The Gentlemen Ransomware Group Rises to Global Threat #2, Accounting for 10% of Attacks in 2024
485
CRITICAL-165
KEL1780440089
A new report from cybersecurity firm KELA reveals that The Gentlemen has rapidly ascended to become the world’s second-most prolific ransomware group, responsible for 10% of all global ransomware victims this year. The findings highlight the group’s aggressive expansion, fueled by sophisticated tactics including upselling, discount schemes, and psychological manipulation during ransom negotiations.
The group’s rise coincides with growing concerns over industrial cybersecurity, particularly in manufacturing, where legacy infrastructure and AI-driven automation create new vulnerabilities. Recent leaks, including the 2025 Black Basta breach, have been weaponized by threat actors as training exercises, further refining their attack strategies. Notably, The Gentlemen has exploited unpatched systems, remote access tools, and even AI-powered data theft to compromise targets, including corporate mailboxes and plant-floor robotics.
The report also underscores the broader risks facing operational technology (OT) environments, where outdated Ethernet systems and delayed patch management leave critical infrastructure exposed. While autonomous patching adoption is accelerating, it remains insufficient to counter the pace of emerging threats. The group’s tactics reflect a shift in ransomware operations, where financial pressure, such as prioritizing $20 million payouts from utilities, is used to maximize leverage.
As industrial sectors grapple with these challenges, the incident serves as a stark reminder of the evolving threat landscape, where ransomware groups increasingly target high-value, interconnected systems with far-reaching consequences.
AUGUST 2024: 751
Ransomware
01 Aug 2024 • KCTI
ALPHV/BlackCat and Pay2Key: Iranian hackers target US critical infrastructure through ransomware proxies, KELA warns
Iranian State-Backed Threat Actors Blur Lines Between Cybercrime and Espionage
640
CRITICAL-111
RECKEL1774988711
Recent intelligence from KELA reveals a troubling evolution in Iranian state-sponsored cyber operations, where nation-state actors increasingly collaborate with criminal ransomware groups to conduct financially motivated attacks under the guise of extortion. Rather than operating standalone ransomware cartels, these groups now embed themselves within the cybercriminal ecosystem, acting as initial access brokers, partnering with ransomware affiliates, and deploying pseudo-ransomware to mask destructive campaigns as profit-driven attacks.
A prime example is Pay2Key, an Iran-linked ransomware operation that has resurfaced as a professionalized Ransomware-as-a-Service (RaaS) platform on the anonymous I2P network. The group now actively recruits affiliates from Russian cybercrime forums, offering an 80% profit share, up from the typical 70%, for attacks targeting U.S. and Israeli organizations. This model poses significant compliance risks: victims paying ransoms may unknowingly fund OFAC-sanctioned Iranian entities, exposing themselves to severe legal and financial penalties.
A joint advisory from the FBI, CISA, and DoD Cyber Crime Center in August 2024 highlighted groups like Pioneer Kitten (UNC757/Fox Kitten), which specialize in exploiting vulnerabilities in VPNs and firewalls to gain initial access. Instead of deploying their own ransomware, these actors hand off compromised networks to affiliates such as NoEscape, RansomHouse, and ALPHV/BlackCat, taking a cut of ransom payments. This collaboration enables Iranian hackers to generate revenue while providing ransomware groups with streamlined access to high-value targets, including healthcare, education, and financial institutions in the U.S.
Pay2Key’s evolution underscores Iran’s use of ransomware as a geopolitical tool. Initially launched in 2020 by the Fox Kitten group to target Israeli organizations, the operation combined extortion with information warfare, leveraging data leaks to pressure adversaries. By 2025, it had rebranded as Pay2Key.I2P, adopting a more aggressive, scalable RaaS model that blends political objectives with criminal enterprise.
Beyond financial motives, Iranian actors have repeatedly used ransomware-style encryption as a cover for destruction. The Agrius APT group, for instance, repurposed the Apostle malware, originally a data wiper, into a ransomware variant, disguising sabotage as extortion. A similar tactic was observed in July 2022, when an Iranian state-sponsored actor deployed ROADSWEEP ransomware alongside a destructive wiper against Albanian government networks, framing the attack as a ransom operation despite its true intent being disruption.
Attribution challenges are further complicated by "moonlighting," where Iranian operatives use state-provided tools and access for personal financial gain. In April 2024, the U.S. DOJ and Treasury Department sanctioned individuals linked to Mahak Rayan Afraz, a front company for the IRGC’s Cyber-Electronic Command, after operatives were found running ransomware schemes alongside official state duties.
The convergence of state-sponsored cyber warfare and cybercrime creates serious legal and operational risks for organizations. Paying ransoms to seemingly independent groups may violate OFAC sanctions if those groups have undisclosed ties to Iran, leading to heavy penalties. The shift demands heightened vigilance, as traditional security measures, such as patching and backups, must now account for hybrid threats that blend espionage, sabotage, and financial crime.