The Gentlemen: A New Ransomware Threat Climbing the Charts — Fast — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH

The Gentlemen Ransomware Scam in India 2026: A Fast-Rising Digital Threat to Your UPI and Data

The Gentlemen ransomware is quickly becoming one of the most dangerous cybercrime threats in India in 2026, targeting both individuals and businesses through social media and phishing schemes.

What Is The Gentlemen Ransomware?

The Gentlemen ransomware is a recently identified cyber threat that has been spreading rapidly across India, especially since early 2026. Unlike typical malware, this ransomware specifically targets users by encrypting their important files and demanding payment — often in cryptocurrency — for decryption keys. It primarily goes after individuals and small to medium businesses that rely heavily on digital payments via UPI, digital document management, and platforms like WhatsApp and Telegram.

Indian cybersecurity agencies have noted its sharp rise; CERT-In has issued general alerts about the increasing sophistication of ransomware attacks exploiting social media and phishing. While RBI hasn't issued a direct advisory for The Gentlemen, its warnings about UPI-related frauds indirectly apply, given this scam's frequent use of fake UPI promotions as bait. The Indian government’s I4C (Indian Cyber Crime Coordination Centre) has flagged ransomware as a growing menace; The Gentlemen is a prime example of why vigilance is necessary.

The scam is widely spread in urban and semi-urban areas where internet usage and digital transactions are high. It often begins through social media platforms, making common users vulnerable.

How This Scam Works — Step by Step

  1. Initial Contact via WhatsApp or Telegram: The scammers create fake profiles claiming to represent popular brands or financial services. They send messages offering lucrative promotions, fake business contracts, or urgent UPI transaction requests.

  2. Phishing Emails: Victims may receive emails that look like genuine invoices or payment requests linked to these fake offers. The emails include links or attachments which, when clicked or downloaded, initiate the ransomware infection.

  3. Information Collection: By engaging the victim with these fake promotions or contracts, scammers gather personal data such as phone numbers, email IDs, and financial details, sometimes even Aadhaar-related information obtained through social engineering.

  4. Infection and Encryption: Once the victim interacts (by clicking links or downloading files), The Gentlemen ransomware silently encrypts important personal or business files on the device.

  5. Ransom Demand: A ransom note appears on the screen demanding payment in cryptocurrency or UPI transfers to unblock access to the victim’s data. The note often threatens permanent data loss or public release of sensitive information.

  6. Psychological Pressure: The criminals may follow up relentlessly with repeated messages or calls to intimidate victims into paying quickly.

Real Warning Signs to Watch For

What Happens to Victims

Victims face severe financial losses as paying the ransom often involves untraceable cryptocurrency transactions or irreversible UPI payments. Unlike some banking transactions, UPI payments made under fraud are usually final, making recovery difficult.

Beyond monetary loss, victims suffer emotional distress from data loss, threats of privacy exposure, and the disruption of personal or business activities. Theft of Aadhaar details can lead to further identity misuse, such as SIM swap frauds—commonly reported in India—which may escalate the damage by enabling unauthorized loans or fraudulent transactions.

Businesses may lose critical customer and financial data, hampering operations and resulting in potential regulatory penalties under IT rules.

What RBI and CERT-In Say

Though RBI has not issued a specific advisory on The Gentlemen ransomware, it regularly warns about frauds exploiting UPI and digital payments, urging users to verify payment requests carefully. RBI’s helpline number, 1800-112-101, is available for reporting payment-related issues.

CERT-In emphasizes the need for awareness against ransomware and phishing. It advises users to avoid clicking unknown links, not share OTPs or Aadhaar details unnecessarily, and report incidents immediately. The national cybercrime helpline 1930 is available for citizens to report cyber frauds, including ransomware attacks.

The I4C framework encourages businesses to adopt stringent cybersecurity measures and cooperate with law enforcement to prevent ransomware damage.

How to Protect Yourself

  1. Verify all UPI payment requests: Never pay based on unsolicited messages. Confirm legitimacy directly with the company or person involved.
  2. Beware of too-good-to-be-true promotions: Offers promising large cashback or discounts should be approached with skepticism.
  3. Don’t open unexpected email attachments or links: Especially if unsolicited or from unknown senders.
  4. Use official apps and platforms: Download apps only from Google Play Store or Apple App Store and avoid third-party links.
  5. Regularly back up your important files: Keep offline or cloud backups to avoid permanent data loss.
  6. Install updated antivirus and anti-ransomware tools: Ensure real-time protection and scan downloads before opening.
  7. Enable two-factor authentication (2FA): For UPI apps and email accounts to add an extra security layer.

What to Do If You’ve Been Targeted

  1. Do not pay the ransom immediately: Payment does not guarantee data recovery and may encourage further attacks.
  2. Disconnect your device from the internet: To prevent the ransomware from spreading or communicating with attackers.
  3. Report the incident to the cybercrime police: File a complaint on cybercrime.gov.in or visit the nearest cybercrime cell.
  4. Call the national helpline 1930: For guidance on handling ransomware and fraud.
  5. Inform your bank and UPI app provider: Freeze accounts if necessary and report unauthorized transactions.
  6. Seek help from CERT-In or BharatSecure.app: For advice on device cleaning and recovery options.
  7. Keep records of all communications and ransom notes: For investigation and potential legal action.

Frequently Asked Questions

Q1. Can paying the ransom guarantee my files will be restored?
No, paying the ransom to The Gentlemen does not guarantee file recovery. Most of the time, criminals demand payment but delay or refuse to provide decryption keys, further victimizing you.

Q2. How can I identify if an email or message is part of The Gentlemen scam?
Look for urgent payment demands linked to UPI promotions, fake business contracts, or unusual sender details. Suspicious links or attachments must never be opened unless verified directly.

Q3. Is backing up data really effective against ransomware?
Yes. Regular offline or cloud backups allow you to restore files without paying ransom, minimizing loss from file encryption.
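
The warning signs named in the step-by-step section and in Q2 (urgent payment demands, UPI promotions, fake contracts or invoices, unverified links and attachments) can be combined into a simple message triage check. The following Python code is an added example, not BharatSecure's own tooling: the keyword patterns, score weights, thresholds and sample messages are constructed assumptions, and the `pa` (payee address) and `am` (amount) parameters come from the standard `upi://pay` deep-link format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lure themes taken from the article; the keyword patterns are illustrative assumptions.
THEMES = {
    "urgent payment pressure": r"\b(urgent|immediately|right away|account will be blocked)\b",
    "UPI promotion bait": r"\b(cashback|reward|offer|promotion)\b",
    "contract or invoice lure": r"\b(contract|invoice|agreement)\b",
    "asks for OTP/Aadhaar": r"\b(otp|aadhaar)\b",
}
URL_RE = re.compile(r"\b(?:https?|upi)://[^\s<>\"']+", re.I)

def triage(msg):
    """Score one message: {'sender_known': bool, 'text': str, 'attachments': [str]}."""
    score, reasons = 0, []
    for label, pattern in THEMES.items():
        if re.search(pattern, msg["text"], re.I):
            score += 1
            reasons.append(label)
    for url in URL_RE.findall(msg["text"]):
        parts = urlsplit(url)
        if parts.scheme.lower() == "upi":
            # A UPI deep link is a payment request, whoever the sender claims to be.
            q = parse_qs(parts.query)
            payee = q.get("pa", ["?"])[0]
            amount = q.get("am", ["unspecified"])[0]
            score += 2
            reasons.append(f"embedded UPI payment request to {payee} for {amount}")
        elif not msg["sender_known"]:
            score += 2
            reasons.append(f"link from unknown sender: host {parts.hostname}")
    if msg["attachments"] and not msg["sender_known"]:
        score += 2
        reasons.append("attachment from unknown sender: " + ", ".join(msg["attachments"]))
    verdict = ("do not open; verify out of band" if score >= 4
               else "verify before acting" if score >= 2 else "no lure indicators")
    return {"score": score, "verdict": verdict, "reasons": reasons}

# Constructed sample messages (not real campaign data).
SAMPLES = [
    {"sender_known": False, "attachments": [],
     "text": "URGENT: claim your UPI cashback, pay Rs 1 to activate "
             "upi://pay?pa=promo@examplebank&pn=Brand&am=1.00&cu=INR"},
    {"sender_known": False, "attachments": ["Contract_2026.zip"],
     "text": "Please sign the attached business contract: https://contracts.example.invalid/view"},
    {"sender_known": True, "attachments": [],
     "text": "Lunch at 1pm? I will bring the printed agenda."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A high score only means the message matches the lure patterns described here; confirming the request with the sender through a separate channel remains the deciding step.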


Stay vigilant and protect your money and data. To verify suspicious messages or UPI payment requests, always visit BharatSecure.app — India’s trusted platform for digital fraud awareness and prevention.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app.