The Gentlemen Ransomware: What NZ Businesses Need to Know About This Fast-Rising Threat

A new name has surfaced on the ransomware scene — and it's already making waves. The Gentlemen, a ransomware-as-a-service (RaaS) operation first spotted in mid-2025, has rapidly claimed victims across multiple industries and continents. According to reporting by Dark Reading, the group has demonstrated a level of operational maturity that suggests experienced operators are behind the polished branding.

For New Zealand businesses, the rise of The Gentlemen is another reminder that ransomware isn't slowing down — and that email remains the number one entry point for attackers.

Who Are The Gentlemen?

The Gentlemen emerged publicly in 2025 with a dark-web leak site, a professional-looking brand, and a rapidly growing list of victims spanning manufacturing, construction, healthcare, and professional services sectors. Despite the polite name, their tactics are anything but courteous.

Key characteristics of the group include:

  • Double extortion tactics — encrypting files and exfiltrating sensitive data to pressure victims into paying.
  • Targeting mid-sized businesses — the sweet spot where security budgets are often limited but data is valuable.
  • Rapid victim turnover — dozens of organisations listed on their leak site within months of launch.
  • Sophisticated tooling — suggesting the operators have prior experience with other ransomware families.

Security researchers note that The Gentlemen's rapid rise is consistent with a growing trend: seasoned cybercriminals rebranding or splintering from older ransomware operations to avoid law enforcement attention.

How The Gentlemen Gain Access

Like most modern ransomware crews, The Gentlemen rely on a familiar playbook to breach networks:

1. Phishing Emails

The most common initial access vector. Attackers send targeted emails with malicious attachments or links, often impersonating trusted brands, suppliers, or internal staff. For Kiwi businesses, this often means spoofed invoices from familiar vendors, fake IRD notices, or cloned emails from freight and logistics partners.

2. Exploiting Exposed Services

Unpatched VPNs, RDP endpoints, and edge devices remain a favourite entry point. Once inside, attackers move laterally to escalate privileges.

3. Compromised Credentials

Credentials purchased from initial access brokers or harvested through infostealer malware give The Gentlemen a foothold without needing to send a single phishing email.

Why This Matters for New Zealand Businesses

New Zealand isn't immune. CERT NZ's recent reports show ransomware incidents continue to rise year-on-year, with small and mid-sized Kiwi businesses making up the majority of reported cases. A single successful attack can mean:

  • Days or weeks of downtime
  • NZ$100,000+ in recovery costs
  • Mandatory Privacy Act 2020 breach notifications
  • Permanent loss of customer trust

When you consider that the average small business in Aotearoa runs on a handful of cloud services and a shared email system, it's easy to see why attackers view the region as a target-rich environment.

How to Defend Your Business Against The Gentlemen (and Similar Threats)

There's no silver bullet, but a layered defence dramatically reduces your risk. Here's a practical checklist for New Zealand businesses:

1. Lock Down Your Email Authentication

Since phishing is the #1 entry point, hardening your email domain is non-negotiable. Make sure you have SPF, DKIM, and DMARC properly configured.

Here's what a basic enforcing DMARC record looks like:

_dmarc.yourbusiness.co.nz. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourbusiness.co.nz; ruf=mailto:dmarc@yourbusiness.co.nz; fo=1; adkim=s; aspf=s"

And a typical SPF record for a business using Microsoft 365:

yourbusiness.co.nz. IN TXT "v=spf1 include:spf.protection.outlook.com -all"

With -all (hard fail) in SPF and p=reject in DMARC, receiving mail servers that honour DMARC reject spoofed emails pretending to be your brand, protecting both your staff and your customers.
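As an added example (not code from the article, and not xteam's MailCheck), here is a small Python checker that reads SPF and DMARC TXT values like the two above and flags the gaps this section warns about: no -all, a policy short of p=reject, partial pct, no rua reporting address, and relaxed alignment. The sample records are constructed; in practice you would first look up the TXT records for your own domain.

```python
# Constructed sample TXT values (not real DNS data): the enforcing setup the
# article recommends, and a weaker one that a domain check should flag.
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc@good.example.co.nz; "
              "ruf=mailto:dmarc@good.example.co.nz; fo=1; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT value into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(record: str) -> list:
    """Weaknesses in an SPF record; an empty list means it looks enforcing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    # The first 'all' mechanism decides unlisted senders; only '-all' hard-fails them.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms or not all_terms[0].startswith("-"):
        return ["SPF: no -all (hard fail), so spoofed mail only soft-fails or passes"]
    return []

def dmarc_findings(record: str) -> list:
    """Weaknesses in a DMARC record relative to p=reject with strict alignment."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'} does not reject spoofed mail")
    if int(tags.get("pct", "100")) < 100:  # pct defaults to 100 when absent
        findings.append(f"DMARC: pct={tags['pct']} enforces the policy on only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports of who spoofs you")
    for tag in ("adkim", "aspf"):  # alignment defaults to relaxed ('r')
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"DMARC: {tag} is relaxed, so any subdomain of yours can align")
    return findings

def assess(spf: str, dmarc: str) -> list:
    """All findings for one domain's pair of records (empty list = no gaps found)."""
    return spf_findings(spf) + dmarc_findings(dmarc)
```

Move to p=reject only after reviewing the aggregate reports for a while, because a reject policy also blocks legitimate mail from any sending service you forgot to authorise.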

2. Enforce Multi-Factor Authentication (MFA)

Every user. Every account. No exceptions. MFA alone blocks the majority of credential-based attacks.

3. Patch Aggressively

Prioritise internet-facing systems: firewalls, VPN appliances, email gateways, and remote access tools. The Gentlemen, like most ransomware groups, actively exploit known CVEs within days of disclosure.

4. Segment Your Network

Flat networks are ransomware paradise. Segment critical systems, limit lateral movement, and apply least-privilege access controls.

5. Back Up — and Test Your Backups

Follow the 3-2-1 rule: three copies, two different media, one offsite (and ideally immutable). Crucially — test your restores regularly. A backup you can't restore is just expensive storage.

6. Train Your Team

Run phishing simulations and ongoing awareness training. Your staff are your last line of defence when a malicious email slips past technical controls.

7. Have an Incident Response Plan

Know who to call, what to isolate, and how to communicate — before an attack happens. Document it, rehearse it, and keep an offline copy.

Red Flags to Watch For

Early detection saves businesses. Keep an eye out for:

  • Unusual login activity from overseas IP addresses
  • Unexpected RDP or VPN sessions outside business hours
  • Sudden spikes in outbound data transfer
  • New admin accounts appearing in Active Directory or Microsoft 365
  • Antivirus or EDR tools being disabled on endpoints

Any of these warrant immediate investigation.
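As an added example (not from the article), a small Python triage function that walks constructed sign-in and admin events and raises the five red flags listed above. The NZ time zone offset, the business-hours window, the event field names and the 3x egress baseline are all assumptions chosen for the illustration, not values from the article.

```python
from datetime import datetime, timedelta, timezone

# Assumptions for this example: NZ local time as a fixed UTC+12 offset (use
# zoneinfo in real code), business hours of 07:00-18:59 local, and a typical
# daily outbound volume of 5 GB as the egress baseline.
NZ_TZ = timezone(timedelta(hours=12))
BUSINESS_HOURS = range(7, 19)
REMOTE_ACCESS = {"RDP", "VPN"}
EGRESS_BASELINE_GB = 5

# Constructed sample events (not real telemetry): one record per sign-in or admin action.
SAMPLE_EVENTS = [
    {"ts": "2025-09-02T03:15:00Z", "user": "j.smith", "src_country": "NZ", "service": "M365", "action": "login"},
    {"ts": "2025-09-02T14:40:00Z", "user": "j.smith", "src_country": "RU", "service": "M365", "action": "login"},
    {"ts": "2025-09-02T15:05:00Z", "user": "svc-backup", "src_country": "NZ", "service": "VPN", "action": "login"},
    {"ts": "2025-09-02T15:20:00Z", "user": "svc-backup", "src_country": "NZ", "service": "AD", "action": "add_admin", "target": "helpdesk2"},
    {"ts": "2025-09-02T15:30:00Z", "user": "svc-backup", "src_country": "NZ", "service": "EDR", "action": "disable", "target": "FS01"},
    {"ts": "2025-09-02T16:00:00Z", "user": "FS01", "src_country": "NZ", "service": "firewall", "action": "egress", "gb_out": 48},
]

def local_hour(ts: str) -> int:
    """Convert an ISO-8601 UTC timestamp ending in 'Z' to the NZ local hour."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(NZ_TZ).hour

def flag_event(ev: dict) -> list:
    """Red flags raised by a single event, one rule per item on the watch-list."""
    flags = []
    if ev["action"] == "login" and ev["src_country"] != "NZ":
        flags.append(f"{ev['user']}: login from overseas ({ev['src_country']})")
    if (ev["action"] == "login" and ev["service"] in REMOTE_ACCESS
            and local_hour(ev["ts"]) not in BUSINESS_HOURS):
        flags.append(f"{ev['user']}: {ev['service']} session outside business hours")
    if ev["action"] == "add_admin":
        flags.append(f"{ev['user']}: new admin account/role granted to {ev['target']} in {ev['service']}")
    if ev["service"] == "EDR" and ev["action"] == "disable":
        flags.append(f"{ev['user']}: EDR disabled on {ev['target']}")
    if ev["action"] == "egress" and ev["gb_out"] > 3 * EGRESS_BASELINE_GB:
        flags.append(f"{ev['user']}: {ev['gb_out']} GB outbound, over {3 * EGRESS_BASELINE_GB} GB (3x baseline)")
    return flags

def triage(events: list) -> list:
    """All flags in chronological order; each one warrants immediate investigation."""
    return [f for ev in sorted(events, key=lambda e: e["ts"]) for f in flag_event(ev)]
```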

The Bottom Line

The Gentlemen ransomware group is a reminder that threat actors are evolving faster than ever — polished branding, professional operations, and relentless targeting of mid-market businesses. But the fundamentals of defence haven't changed: strong email authentication, MFA everywhere, patched systems, segmented networks, and tested backups.

The businesses that weather these threats aren't necessarily the biggest or best-funded — they're the ones that take the basics seriously.

Check Your Email Security in 30 Seconds

Since phishing is the #1 way ransomware groups like The Gentlemen get in, the smartest first step is making sure your domain can't be easily spoofed.

👉 Try xteam's free MailCheck tool — instantly analyse your SPF, DKIM, and DMARC configuration, spot gaps, and get clear recommendations tailored for New Zealand businesses. It takes less than a minute, and it's free.

Don't wait for a ransomware note to find out your email isn't protected.