New generation of ransomware targets Latin America with tailored attacks that cause severe damage
ESET warns of a new, silent, and far more dangerous data theft model that counts Latin America among its targets. It is characterized by targeted, adaptive campaigns and causes significant economic and reputational damage.
The Gentlemen ransomware attacked more than 250 victims in 17 countries, including Mexico, Colombia, Chile, and Argentina, and represents a new era of customized and ultra-adaptive attacks. Unlike other groups, this Ransomware-as-a-Service (RaaS) operation studies the specific defenses of its victims and adapts its tools during the campaign to overcome existing controls. ESET, a leading company in proactive threat detection, analyzes the new landscape of ransomware groups and warns how this disciplined, meticulous, and highly methodical organization has disrupted traditional approaches to become one of the most active threats since July 2025.
“It is an emerging Ransomware-as-a-Service group that burst onto the cybercrime scene in mid-2025. Unlike other groups with more sloppy or rustic aesthetics, The Gentlemen stands out for its polished brand identity. It even maintains a leak site on the dark web with a professional logo and a slogan that reinforces its image as a disciplined and highly detail-oriented organization. This professionalism is not merely aesthetic; it is reflected in the precision of its attacks and the technical quality of its tools,” says Martina Lopez, cybersecurity researcher at ESET Latin America.
Their operating model is based on double extortion, a tactic in which they not only encrypt the victim’s files to block access, but also exfiltrate confidential data before encryption. Once they possess the information, they threaten to publish it on their leak site if a ransom is not paid. This strategy puts massive pressure on companies, especially those that cannot afford a public data breach.
A ransomware attack by The Gentlemen typically begins by exploiting exposed internet access points (systems with open administration) or using previously stolen credentials. Once inside, they deploy tools to scan the internal network, understand how the company is organized, and identify users with elevated privileges, especially those with full access to the systems.
To move within the network and escalate the attack, they use tools that allow them to remotely execute actions on multiple computers and modify key configurations. In this way, they manage to distribute the ransomware simultaneously across all connected devices, further weakening security mechanisms to facilitate remote access and control.
In the final stage, they combine two critical actions: first, they steal sensitive information and send it to external servers in encrypted form; second, they lock down systems using encryption. Once the attack is complete, they execute processes designed to erase their tracks: they delete activity logs, remote connections, and any evidence that could allow investigators to reconstruct what happened, thus hindering subsequent investigations.
Their first documented victim was registered on June 30, 2025, and since then, their activity has not ceased. They have affected critical sectors such as manufacturing, construction, healthcare, insurance, and financial services.
![[Image: Detail of victims of The Gentlemen ransomware. Source: ransomware.live]](https://bitfinance.news/wp-content/uploads/2026/04/Para-acompanar-texto-imagen-referencial-1.png)
Geographically, their impact is global, but the most affected countries include the United States and Thailand, followed by India, Mexico, Colombia, Spain, and France. This distribution suggests that the group takes advantage of access opportunities wherever they arise, without an apparent geopolitical agenda.
In mid-March 2026, they published on their website an attack on two organizations in Colombia, in the healthcare and media sectors. During February, they attacked a government scientific research institute in Argentina, and in March, they claimed responsibility for an attack on an organization in Chile. According to the ransomware.live website, they also reported victims in Brazil, Peru, Ecuador, Venezuela, Guatemala, the Dominican Republic, Costa Rica, and Panama.

ESET provides the following list of recommendations to protect yourself from The Gentlemen ransomware:
- Reduce internet exposure: Review which systems are accessible from outside and close any unnecessary access, especially administration panels or remote access.
- Protect credentials: Use unique and strong passwords, enable two-factor authentication, and monitor any suspicious logins.
- Keep everything up to date: Apply security patches to operating systems, servers, and applications. Many of their intrusions exploit known vulnerabilities.
- Detect anomalous behavior: Implement solutions that allow you to identify unusual activity within the network, such as after-hours access or unexpected remote executions.
- Limit privileges: Not all users need full access. Reducing permissions minimizes the impact if an account is compromised.
- Segment the network: Separating critical systems prevents an attacker from moving freely and compromising the entire infrastructure.
- Perform backups: Carry out regular backups and store them in isolation, verifying that they can be restored correctly.
- Train the team: Human error remains one of the main entry points. Awareness is key.
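
One way to implement the "detect anomalous behavior" recommendation, as an added example that is not from ESET: it flags after-hours logons and a single account running remote execution on several hosts within a short window. The log format, field names, host names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); the field names are assumptions.
SAMPLE_LOG = """\
2026-03-10T09:12:00 user=alice action=logon src=WS-011 dst=FS-01
2026-03-10T10:05:00 user=alice action=remote_exec src=WS-011 dst=FS-01
2026-03-11T02:41:00 user=svc_admin action=logon src=VPN-GW dst=DC-01
2026-03-11T02:47:10 user=svc_admin action=remote_exec src=DC-01 dst=FS-01
2026-03-11T02:47:40 user=svc_admin action=remote_exec src=DC-01 dst=FS-02
2026-03-11T02:48:05 user=svc_admin action=remote_exec src=DC-01 dst=DB-01
2026-03-11T02:48:30 user=svc_admin action=remote_exec src=DC-01 dst=WS-011
2026-03-11T14:00:00 user=bob action=remote_exec src=WS-020 dst=FS-02
"""

def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events

def after_hours_logons(events, start_hour=7, end_hour=19):
    """Logons outside the business window or on a weekend."""
    return [e for e in events if e["action"] == "logon"
            and (e["ts"].weekday() >= 5 or not start_hour <= e["ts"].hour < end_hour)]

def remote_exec_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts that ran remote execution on >= min_hosts distinct hosts within window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "remote_exec":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("after-hours logons:", [(e["user"], e["dst"]) for e in after_hours_logons(events)])
    print("remote-exec fan-out:", remote_exec_fanout(events))
```

Tune the business-hours window and the host threshold to the environment; legitimate patch or deployment tooling will also fan out and should be allow-listed by account.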
“In a scenario where attacks are no longer massive but personalized, the question is no longer whether an organization can be targeted, but when. Understanding how groups like The Gentlemen operate is the first step to anticipating a threat that no longer gives warning,” concludes Lopez from ESET.
ESET invites you to learn more about cybersecurity by visiting: https://www.welivesecurity.com/es/.
For useful preventative information, visit https://www.eset.com/ve/ and follow them on social media @eset_ve, Instagram (@esetla), and Facebook (ESET.
Information and images provided by ESET and Comstat Rowland
