The ransomware-as-a-service (RaaS) group The Gentlemen has claimed a cyberattack against Energon, a prominent energy services holding company based in the Czech Republic. On July 10, 2026, the group added Energon to its dark web data leak site, employing a double extortion tactic by threatening to release sensitive data if a ransom is not paid. The attack on this energy sector firm highlights the indiscriminate nature of financially motivated ransomware gangs and their continued threat to critical infrastructure-adjacent industries. The incident is part of a significant surge in activity from The Gentlemen, who have targeted numerous organizations across various sectors and countries in July 2026.
The Gentlemen is a financially motivated cybercriminal group operating a ransomware-as-a-service model. Their typical modus operandi involves gaining initial access to a target's network, moving laterally to compromise key systems, exfiltrating sensitive data, and finally deploying their ransomware to encrypt files. This is a classic double extortion strategy:
T1486 - Data Encrypted for Impact).T1657 - Financial Cryptojacking).The group's post regarding Energon stated, "The full leak will be published soon, unless a company representative contacts us via the channels provided." This indicates that data exfiltration was successful. The attack does not appear to have impacted operational technology (OT) or the energy supply, suggesting the group focused on the corporate IT environment to maximize financial leverage without provoking a state-level response.
While the specific initial access vector for the Energon attack was not disclosed, ransomware groups like The Gentlemen commonly use methods such as:
T1190 - Exploit Public-Facing Application).T1566 - Phishing).Once inside, they likely used common tools for lateral movement and credential dumping, such as Mimikatz or Cobalt Strike, before exfiltrating data to a cloud storage provider and deploying the final ransomware payload.
The attack on Energon, a company involved in the Czech Republic's energy independence and renewable energy projects, is significant. While operational systems were reportedly unaffected, the exfiltration of corporate data can have severe consequences. This could include the exposure of sensitive financial information, employee PII, strategic business plans, and proprietary project details. The reputational damage from such a leak can be substantial, and the costs associated with incident response, system restoration, and potential regulatory fines can be crippling. The incident serves as a stark reminder that even companies not directly operating critical infrastructure can be targeted due to their role in the broader energy ecosystem.
No specific file hashes, IP addresses, or C2 domains associated with The Gentlemen ransomware were mentioned in the source articles.
To hunt for ransomware activity like that of The Gentlemen, security teams can look for the following general patterns:
powershell.exevssadmin.exe delete shadowsLarge outbound data transfers*.thegentlemenD3-PA - Process Analysis.D3-OTF - Outbound Traffic Filtering.D3-DO - Decoy Object.M1051 - Update Software.M1032 - Multi-factor Authentication.M1030 - Network Segmentation.Using modern EDR/XDR solutions with behavioral detection is crucial for identifying and stopping ransomware execution.
Proper network segmentation can contain a ransomware outbreak and prevent it from spreading to critical assets.
Enforcing MFA on all remote access points is one of the most effective ways to prevent initial access via compromised credentials.
Consistent patch management reduces the attack surface by closing vulnerabilities commonly exploited by ransomware groups.
The Gentlemen ransomware group lists Energon on its data leak site.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.