Threat Analysis: The Gentlemen Ransomware and AI-Powered Phishing, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for 12th June 2026.

Two items today. Neither is a zero-day. Neither requires nation-state resources to deploy against you. That is precisely why I am covering them.

The Gentlemen: A Ransomware Operation Already Running at Pace

A group tracked as The Gentlemen has been making itself known since the second half of 2025, and threat researchers have now published enough to form a clear picture. This is not a new entrant finding its feet. AlienVault OTX’s pulse on The Gentlemen’s recent leak activity documents 68 indicators of compromise and connects the group to SystemBC, a proxy malware that has been a fixture in ransomware deployment chains for years, alongside reported links to the Qilin ransomware ecosystem and a Russian-speaking affiliate actor tracked as ‘hastalamuerte.’

What that tells me: the infrastructure and tradecraft here did not appear from nowhere in late 2025. This is experienced affiliate activity operating under a new name. The rapid escalation to high-volume operations is consistent with a group that already knows how to run the playbook.

The advisory-level assessment is that this is a ransomware and extortion operation. What it does not spell out is what that combination means operationally. Ransomware encrypts. Extortion means data was exfiltrated before encryption. Two leverage points. Two separate threats to manage. Even if you restore from backup, and you should be able to, the exfiltration has already happened. The group still has the data. The demand does not go away because you recovered your systems.

For UK SMBs, the relevant question is not whether The Gentlemen would specifically target you. It is whether your defences are adequate against the volume of opportunistic activity this kind of operation generates. High-volume ransomware groups do not hand-pick every victim. They find exposed services, weak credentials, and unpatched systems. If any of those descriptions apply to your environment, the name of the group is irrelevant.

What the TTP profile suggests you should check:

  • SystemBC is delivered through phishing and via compromised remote access. If you have RDP or VPN endpoints exposed to the internet, they should be behind MFA. No exceptions.
  • Qilin-affiliated campaigns have historically targeted organisations via managed service providers. If you use an MSP, ask them directly what segmentation exists between your environment and other clients.
  • Exfiltration before encryption is now standard. Your detection strategy cannot rely solely on spotting encryption activity. You need to be looking for unusual outbound data movement, ideally before a ransom note appears.
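The third point, looking for unusual outbound data movement before a ransom note appears, as an added example that is not from the article or any vendor tool: a baseline check over constructed flow records that flags a host whose external-bound volume in the current hour is both large and far above its own history. The internal address ranges, the sample hosts and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Assumed internal address space; anything outside it is traffic leaving the organisation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records: (source host, destination, bytes sent, hour index).
# 10.0.0.23 is quiet for hours 0-6, then pushes 3.2 GB to one external host in hour 7.
# 10.0.0.41 is steadily busy and also talks to an internal file server, which must not count.
FLOWS = (
    [("10.0.0.23", "203.0.113.10", 40_000_000, h) for h in range(7)]
    + [("10.0.0.23", "198.51.100.77", 3_200_000_000, 7)]
    + [("10.0.0.41", "203.0.113.10", 55_000_000, h) for h in range(8)]
    + [("10.0.0.41", "10.0.0.5", 900_000_000, 7)]
)

def is_external(addr: str) -> bool:
    """True when the destination lies outside the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def hourly_outbound(flows):
    """Sum external-bound bytes per (host, hour); internal transfers are ignored."""
    totals = defaultdict(int)
    for src, dst, nbytes, hour in flows:
        if is_external(dst):
            totals[(src, hour)] += nbytes
    return totals

def exfil_alerts(flows, current_hour, min_bytes=1_000_000_000, sigmas=3.0):
    """Return (host, bytes_now, threshold) for hosts whose outbound volume in
    current_hour is both large in absolute terms (min_bytes) and far above their
    own history (mean + sigmas * stdev). Requiring both keeps a tiny-baseline
    host from alerting on a routine update and a busy host from alerting for
    merely staying busy."""
    by_host = defaultdict(dict)
    for (src, hour), nbytes in hourly_outbound(flows).items():
        by_host[src][hour] = nbytes
    alerts = []
    for src, hours in by_host.items():
        now = hours.get(current_hour, 0)
        history = [b for h, b in hours.items() if h < current_hour]
        if len(history) < 3 or now < min_bytes:
            continue  # too little baseline, or too little data to matter
        threshold = mean(history) + sigmas * pstdev(history)
        if now > threshold:
            alerts.append((src, now, round(threshold)))
    return sorted(alerts)
```

Calling exfil_alerts(FLOWS, current_hour=7) returns the single alert for 10.0.0.23; the busy host 10.0.0.41 stays silent because its external traffic never leaves its own baseline.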

SniperDz: AI-Powered Phishing at Industrial Scale

Group-IB published an investigation this week into SniperDz, a centralised phishing-as-a-service platform that has been operating across the Middle East and North Africa. I am covering this here because the model is relevant to UK businesses regardless of the geographic focus of current campaigns.

SniperDz combines push-notification abuse with phishing infrastructure, delivered through fraudulent social media accounts impersonating politicians, public figures, and trusted brands. The AI component is not hype or marketing language; it is being used to scale content generation and account management in ways that previously required significant human resource. The platform is described as centralised, meaning the operators maintain the infrastructure and sell access to affiliates. Sound familiar? It is the same model that made ransomware-as-a-service so effective.

This sits alongside separate reporting from Infosecurity Magazine on fake software tutorial videos circulating on TikTok and Instagram Reels, distributing the Vidar infostealer. The delivery mechanism: short-form video content, AI-voiced, convincingly formatted, instructing viewers to run PowerShell commands to unlock premium software. Vidar is a credential stealer. It is after your passwords, session tokens, and browser data. The targets are not just individuals; they are the same employees who access your business systems on personal devices.

The NCSC has published guidance on phishing-as-a-service platforms. The fact we are still treating each new platform as novel tells you something about how the industry responds to this category of threat.

The operational reality for SMBs:

  • Social media impersonation at this scale means your staff will encounter convincing fakes of brands they trust regularly. Training that focuses on ‘spot the bad email’ is no longer sufficient. The vector is now video, push notifications, and social media DMs.
  • The Vidar delivery mechanism via TikTok is worth flagging to any staff who manage social media for your business, or who access business accounts on personal devices. Running PowerShell commands from a tutorial video is not a niche behaviour; it is something non-technical users do routinely when they think they are unlocking software.
  • Browser credential theft means that compromised personal devices can expose business credentials even when separate accounts are nominally in use. Device policy matters.

A note on today’s wider picture. Plymouth City Council disclosed this morning that it exposed the email addresses of hundreds of home-schooling families in a mass mailing error, CC’d instead of BCC’d. The council has self-reported to the ICO. This is relevant context for any organisation sending bulk email to service users. It is not a sophisticated attack. It is a process failure. The ICO’s reprimand register for exactly this type of incident has been growing steadily since 2021. If your organisation sends bulk email to clients or service users and does not have a second-check process before that email leaves the building, you are one mistake away from your own ICO report.


What to Do Before the End of the Day

These are not theoretical risks requiring a six-month project plan. Each of the following takes less than an hour to initiate:

  1. Check your remote access posture. If RDP or any VPN endpoint is accessible from the public internet without MFA, that is today’s highest priority. Ransomware affiliate groups actively scan for these.
  2. Ask your MSP about client segregation. If you use a managed IT provider, ask them specifically what prevents a compromise in one client environment from pivoting to yours. If they cannot answer clearly, that is information you needed.
  3. Brief your staff on social media phishing. Not a formal training session, a short message today explaining that convincing video tutorials, social media DMs, and push notifications are now common delivery mechanisms for credential theft. Specifically mention: do not run commands from tutorial videos.
  4. Audit your bulk email process. If you send newsletters, client updates, or service communications, confirm that your process requires BCC verification before send. The Plymouth incident will not be the last one this month.
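The second-check process the Plymouth note and step 4 call for, as an added example that is not from the article or the council: a pre-send gate that refuses a mailing when more than a handful of recipients are visible in To or Cc, so a CC-instead-of-BCC mistake is caught before the message reaches the mail server. The sender address, the family addresses and the visible-recipient limit are constructed.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: above this many visible recipients the mailing is "bulk" and
# every recipient must be in Bcc. Tune to your own sending patterns.
VISIBLE_RECIPIENT_LIMIT = 5

def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will be able to read: To and Cc, deduplicated."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})

def check_bulk_send(msg: EmailMessage, limit: int = VISIBLE_RECIPIENT_LIMIT) -> tuple[bool, str]:
    """Gate to run before handing a mailing to the MTA. Returns (allowed, reason)."""
    visible = visible_recipients(msg)
    hidden = [addr for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    if not visible and not hidden:
        return False, "no recipients"
    if len(visible) > limit:
        return False, (f"{len(visible)} addresses exposed in To/Cc (limit {limit}); "
                       "move recipients to Bcc")
    return True, f"ok: {len(visible)} visible, {len(hidden)} in Bcc"

def build_mailing(to=(), cc=(), bcc=(), subject="Home education update"):
    """Constructed mailing for the demonstration; not a real message."""
    msg = EmailMessage()
    msg["From"] = "education@council.example"
    msg["Subject"] = subject
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("Term dates attached.")
    return msg

# Constructed recipient list standing in for the families on a mailing list.
FAMILIES = [f"family{i}@example.org" for i in range(300)]

# The failure mode: every family in Cc, so each one sees all the others' addresses.
MISTAKE = build_mailing(to=["education@council.example"], cc=FAMILIES)
# The intended shape: a single sender-owned address in To, everyone else in Bcc.
CORRECT = build_mailing(to=["education@council.example"], bcc=FAMILIES)
```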

Cyber Essentials certification covers several of the controls relevant to today’s threats, including boundary firewalls, access control, and patch management. If your business has not yet assessed against the scheme, the NCSC’s self-assessment tool is a reasonable starting point. It will not protect you against everything discussed above, but it will close the doors that affiliate ransomware groups walk through most often.

If you found this analysis useful, the Small Business Cyber Security Guide publishes daily threat analysis and practical guidance for UK SMBs. Subscribe at [link] to receive it directly. Graham Falkner and the team also cover the practical controls side, for when you need the how-to alongside the what’s-happening.


Sources

  • AlienVault OTX, ‘LBIOC-20260071 - The Gentlemens Leak’, https://otx.alienvault.com
  • Group-IB, ‘Inside SniperDz: Phishing-as-a-Service Ecosystem’, https://www.group-ib.com/blog/inside-sniperdz-phaas-ecosystem/
  • Infosecurity Magazine, ‘Fake Software Videos on TikTok Spread Vidar Stealer’, https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
  • The Register, ‘Plymouth council exposes hundreds in latest local government email gaffe’, https://www.theregister.com/security/2026/06/12/plymouth-council-exposes-hundreds-in-latest-local-government-email-gaffe/5254707
  • BleepingComputer, ‘Pharma giant Novo Nordisk discloses breach of clinical trials data’, https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-nordisk-discloses-security-breach/
  • Trend Micro, ‘Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America’, https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html
