ReliaQuest: “The Gentlemen” Overtakes Qilin as Most Prolific Ransomware Operation

The ransomware leaderboard shifts — The Gentlemen tops the chart in ReliaQuest’s latest tracking, and defender-team pattern-watching continues this week from the analyst’s chair, not the attacker’s.

Share
Editorial illustration of a top-hat ransomware badge rising above a fading rival crown, marking The Gentlemen overtaking Qilin as the most prolific operation.

Key Takeaways

  • ReliaQuest published research, dated July 16, 2026 and reported by Infosecurity Magazine, finding that the operation tracked as “The Gentlemen” has reportedly overtaken Qilin to become the most prolific ransomware threat — the first change at the top of ReliaQuest’s ranking after Qilin had led every quarter of the prior year.
  • The ranking is built from data-leak-site victim claims over a roughly three-month window (a March-to-May span, per the reporting): ReliaQuest tracked 1,368 claimed victims across 11 tracked groups and 99 countries, with The Gentlemen accounting for 300 claimed incidents and Qilin 289 — a narrow but reportedly decisive shift at the top.
  • For defenders, the useful signal is directional rather than precise: leak-site tallies are self-reported by the operators and undercount unclaimed activity, so the story is a rising base rate of attempts and a control-hardening prompt — ReliaQuest paired the finding with defensive recommendations security teams can act on regardless of which brand leads the chart.

ReliaQuest’s latest ranking puts “The Gentlemen” ahead of Qilin for the first time — a leader change The CyberSignal reads strictly from the defender’s chair, as a base-rate signal rather than an attacker profile.

TAMPA, FLA. — ReliaQuest has published new research finding that the ransomware operation it tracks as “The Gentlemen” has reportedly overtaken Qilin to become the most prolific ransomware threat, according to reporting by Infosecurity Magazine. The finding, dated July 16, 2026, marks the first change at the top of ReliaQuest’s ranking after Qilin had reportedly held the most-prolific position throughout the prior year. The CyberSignal reads the result strictly from the defender’s chair: what the researchers documented, what the leader change does and does not tell a security team, and what remains unresolved.

The headline is a leaderboard swap, not an incident disclosure. ReliaQuest’s ranking is a periodic measurement of ransomware and cyber-extortion activity, and its value for defenders is as a trend indicator — a read on which operations are generating the most claimed activity and, by extension, where the base rate of attempts is rising. The finding continues a running thread on the same operation, building on The CyberSignal’s earlier coverage of Unit 42’s analysis of The Gentlemen and its affiliate model and of the operation’s worm-like spread and victim count.

At a Glance
FieldDetails
PublisherReliaQuest — threat-research team
WhatQuarterly ransomware and cyber-extortion tracking research
DatedJuly 16, 2026 (reported by Infosecurity Magazine, July 17)
Headline finding“The Gentlemen” reportedly overtakes Qilin as most prolific operation
The Gentlemen300 claimed incidents — now most prolific
Qilin289 claimed incidents — now second
Dataset1,368 claimed victims, 11 tracked groups, 99 countries (data-leak-site posts)
Not confirmedWhether the shift reflects new activity or reclassification; named affiliates driving growth
StatusIndustry research; The CyberSignal coverage is defender-framed

What ReliaQuest Documented

In its quarterly threat-spotlight research, ReliaQuest reported that “The Gentlemen” was the most active ransomware operation over the period it measured, displacing Qilin for the first time. As Infosecurity Magazine reported, ReliaQuest tallied 300 claimed incidents attributed to The Gentlemen against 289 for Qilin across the roughly three-month window it examined — a narrow margin, but enough to move Qilin into second place after it had reportedly led every quarter of the previous year.

The broader dataset gives the ranking its context. ReliaQuest tracked 1,368 claimed victims across 11 ransomware groups spread over 99 countries, drawing on the operators’ own posts to data-leak sites. Behind the two leaders, ReliaQuest placed DragonForce, Akira, and LockBit in a second tier, each accounting for somewhere between roughly 100 and 150 observed incidents — a visible gap that puts The Gentlemen and Qilin in a category of their own for the period.

The CyberSignal is deliberately not reconstructing how any of these operations break in. What matters on the defensive side is the shape of the finding: a well-known operation has climbed to the top of a widely watched ranking, and the researcher framing for that climb is a business-model one. ReliaQuest security analyst Tristano Di Liberto attributed the rise to “aggressive affiliate recruitment and a well-packaged intrusion kit that lowers the bar for new operators,” and cautioned that “the pressure The Gentlemen applies is likely to persist into Q3.” That is a statement about recruitment and throughput, not a playbook — and it is the part defenders can plan around.

Continuation Context: Brief #169 (Unit 42 Gentlemen Affiliate-Model Analysis)

This finding does not arrive cold. The CyberSignal has been tracking the same operation, most recently through Unit 42’s profile of The Gentlemen and the affiliate model reportedly behind its growth, and earlier through reporting on Microsoft’s tracking of the same cluster. ReliaQuest’s leaderboard result slots cleanly into that thread: where the Unit 42 work argued that affiliate economics were driving the operation’s growth, ReliaQuest’s ranking is a quantitative read on what that growth looks like at the top of the chart.

Read together, the two pieces of research tell a consistent story from opposite ends. Unit 42 offered the structural explanation — a ransomware-as-a-service model whose affiliate terms attract a growing pool of operators — and ReliaQuest now offers the tally that the explanation predicts. For a defender, that consistency is more useful than either data point alone: it suggests the leader change is not a one-off blip but the visible surface of an operation that multiple independent research teams have flagged as scaling.

The Leader-Change Framing in Industry-Research Context

Leaderboard swaps at the top of ransomware rankings are a recurring feature of the industry-research beat, not a novelty, and they are best read with that history in mind. Rankings like ReliaQuest’s have repeatedly recorded one prolific brand giving way to another as affiliates migrate, infrastructure is disrupted, or a newer operation offers better terms. The specific names change; the pattern — that the top of the chart is contested and mobile — does not. The right reflex when a new operation takes the lead is therefore to ask what the change measures, not to treat the new name as a uniquely urgent threat.

Two caveats keep the finding honest. First, the ranking is built from data-leak-site claims, which are self-reported by the operators themselves: they can be inflated, can double-count, and systematically miss victims who pay quietly or are never named. A leak-site tally is a proxy for activity, not a census. Second, a single quarter’s narrow margin — here, 300 to 289 — is a thin lead that could reverse in the next measurement. The durable signal is that both operations are generating far more claimed activity than the field behind them, echoing the affiliate-economics story seen in other research such as the INC ransomware disclosure and its affiliate-driven victim count.

Defender Posture for Affected Sectors

Because affiliate-driven operations let independent operators pick their own targets, a leader change at the top of the chart does not point defenders toward any one sector. The victims in ReliaQuest’s dataset spanned 99 countries, and the practical reading for a security leader is not “is my industry named” but “does my environment present the conditions affiliates favor.” That keeps the posture sector-agnostic and control-specific — which is exactly where ReliaQuest pointed its own recommendations.

ReliaQuest paired its finding with defensive guidance that maps to common intrusion paths rather than to any single brand. Its recommendations to security leaders were to restrict RDP and remote access, enforce Microsoft’s vulnerable-driver block list, monitor blockchain RPC and session-messenger egress, and harden identity against vishing and adversary-in-the-middle (AiTM) techniques. None of these are exotic, and that is the point: an operation that scales through affiliate volume wins by finding organizations that have not yet closed those gaps. Closing them is the countermeasure that does not depend on which brand happens to lead the ranking, and it complements the ecosystem-level pressure seen in actions like Operation Endgame’s takedown of ransomware supply-chain infrastructure.

Qilin, for its part, remains a live concern rather than a footnote — a close second is still a leading operation, and The CyberSignal’s prior coverage of a Check Point VPN zero-day tied to Qilin ransomware is a reminder that the runner-up on a leaderboard can still be the operation inside a given network. The defender takeaway from a leader change is to broaden coverage, not to shift focus from one brand to another.

Open Questions

Several points behind the ranking remain unresolved at publication and belong in the open-questions column rather than the reported record. It is not established whether the shift at the top reflects a genuine increase in The Gentlemen’s activity or a change in how incidents are attributed and counted — a distinction that matters when a lead is as narrow as eleven claimed incidents. Nor does the research name the specific affiliates driving the growth; the affiliate-recruitment framing is a characterization of the model, not an identification of the operators.

The CyberSignal notes that the incident counts and the leader change are ReliaQuest’s measurements, derived from leak-site claims, and should be weighted as directional trend data rather than an exact census. Those figures may firm up, revise, or reverse in the next quarterly read. What does not depend on the contested numbers is the defensive task the research points to — and that is where a security team’s attention is best spent.


The CyberSignal Analysis

The reported facts above are ReliaQuest’s, by way of Infosecurity Magazine; what follows is The CyberSignal’s editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — Read the Ranking as a Base Rate, Not a Target List

The most durable lesson in a leaderboard change is that it measures volume, not proximity. A brand topping ReliaQuest’s chart tells a defender that attempts under that operation are rising in aggregate — it does not tell any individual organization that it is next. Our reading is that security teams should treat the finding as a base-rate signal: the probability of encountering an affiliate-driven intrusion is up across sectors, which raises the value of the fundamentals rather than pointing to a specific brand to block.

The trap to avoid is re-tuning detections around whichever name currently leads. Because the top of the chart is mobile and the margins are thin, a brand-first posture is always chasing last quarter’s ranking. The more defensible stance is coverage that spans the range of behaviors affiliate models produce, so that a change at the top of a leaderboard requires no change in defensive strategy.

Signal 02 — Weight Leak-Site Tallies as Directional, Not Exact

Leak-site victim counts are the raw material of most ransomware rankings, and they are self-reported by the operators. That makes them useful for spotting trends and useless as a precise census: they can be inflated for reputation, can double-count, and miss every victim who settles quietly. Our assessment is that the responsible way to consume a 300-to-289 result is as evidence of two operations pulling ahead of the field, not as a precise ledger that establishes one as decisively larger than the other.

For leaders briefing boards or prioritizing spend, the framing matters. Presenting a narrow, self-reported lead as settled fact invites overcorrection toward one brand; presenting it as a directional indicator keeps the focus on the base rate and the controls that address it. The number is a headline; the trend is the finding.

Signal 03 — Convert the Recommendations Into a Coverage Review

The most actionable part of the research is the defensive checklist ReliaQuest attached to it — restrict remote access, enforce the vulnerable-driver block list, watch specific egress paths, and harden identity against vishing and AiTM. Our view is that the right response is a structured coverage review against those recommendations rather than a one-time acknowledgment. Each item is a hypothesis a security team can test: would our telemetry surface the behavior, and is the control actually enforced where it matters.

The forward-looking watch item is whether the base rate the ranking implies persists — ReliaQuest expects the pressure to continue into the next quarter. We would grade a program’s response not by whether it noted the leader change but by whether it turned the paired recommendations into validated coverage and a short list of closed gaps. Rankings will shift again; a hardened control set keeps paying out after the names on the chart change.


Sources

TypeSource
PrimaryReliaQuest — Threat Spotlight: Ransomware and Cyber Extortion in Q2 2026
ReportingInfosecurity Magazine — The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat
RelatedThe CyberSignal — Unit 42 Details “The Gentlemen” Ransomware and the Affiliate Model Driving Its Growth
RelatedThe CyberSignal — The Gentlemen Ransomware: 478 Victims and Worm-Like Spread
RelatedThe CyberSignal — The Gentlemen Ransomware, Microsoft Storm-2697, and the Go Ephemeral-Key Finding
RelatedThe CyberSignal — INC Ransomware Research Disclosure: 830 Victims
RelatedThe CyberSignal — Check Point VPN Zero-Day CVE-2026-50751 Tied to Qilin Ransomware
RelatedThe CyberSignal — Operation Endgame 2.0: 300 Servers and 20 Operators of the Ransomware Supply Chain