The Gentlemen: A New Ransomware Threat Climbing the Charts — Fast — How to Identify & Stay Safe

INDIA — By BharatSecure Threat Intelligence Team

Severity: HIGH


The Gentlemen Ransomware: New 2026 UPI & Aadhaar Scam Sweeping India

A new ransomware threat called "The Gentlemen" is rapidly spreading across India, targeting unsuspecting users through social media and messaging apps with devastating consequences.

What Is "The Gentlemen" Ransomware?

"The Gentlemen" is a ransomware campaign run on a Ransomware-as-a-Service (RaaS) model: the core developers build and maintain the malware and the payment infrastructure, and affiliates who have no part in writing it carry out the actual intrusions, usually in exchange for a share of each ransom. Separating development from deployment means that taking down one affiliate does not stop the others, which makes the operation as a whole harder to track and dismantle. In India, "The Gentlemen" has been particularly insidious because it exploits the familiarity of platforms like WhatsApp and Facebook to distribute malicious links and files disguised as legitimate content.

The scammers select targets based on their online behaviour and demographics, and they often prey on people with limited technical knowledge, enticing them with offers of tech support or help with UPI transactions and Aadhaar-linked applications. The links are spread through social media, messaging apps such as WhatsApp, and even SMS. The approach works because the victim installs the malicious file themselves: the device will normally ask for permission to install an app from an unknown source or to run a downloaded program, and the pretext is built to make the victim grant it. Once that happens, no exploit is needed, the ransomware runs, encrypts the files on the device, and demands payment. There are no advisories from Indian authorities that name "The Gentlemen" yet, but CERT-In regularly issues warnings about ransomware aimed at Indian citizens and businesses.

How This Scam Works — Step by Step

Here's how the scammers behind "The Gentlemen" ransomware operate in India:

  1. Initial Contact: The scam begins with a message or call over WhatsApp, Facebook Messenger, or a seemingly harmless SMS. It poses as an urgent notification about your Aadhaar card, your UPI account, or a government scheme.
  2. Luring with Deceptive Content: The message carries a link or an attachment presented as a document, update, or application related to the urgent issue. Examples include fake Aadhaar verification links, UPI cashback offers, or software that claims to fix a supposed security flaw.
  3. Clicking the Malicious Link: The victim, believing the message to be genuine, clicks the link or downloads and opens the attached file.
  4. Ransomware Installation: The link leads to a download (an app on a phone or tablet, a program or document on a computer) that is dressed up as a software update or a harmless tool. Installing it normally requires the victim to accept a prompt, such as allowing an app from an unknown source; once accepted, the ransomware runs in the background with no further sign that anything is wrong.
  5. Data Encryption: The ransomware immediately begins encrypting the victim's files. Documents, photos, and videos become unreadable and are renamed with an extension the victim does not recognise.
  6. Ransom Demand: A ransom note appears, demanding payment (typically in cryptocurrency) in exchange for the decryption key and threatening permanent data loss if the deadline passes. In one recent case reported to us, the encrypted files carried the extension '.locked', the note was dropped in a file named 'readme.txt', and it demanded INR 50,000 worth of Bitcoin to unlock the files.
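The three observable effects in steps 5 and 6 (a mass change of file extensions, file contents that look like random bytes, and a dropped note) can be checked for directly. The script below is an added example written for this page, not BharatSecure's tooling and not anything taken from the ransomware itself: the '.locked' extension and the 'readme.txt' name come from the single case reported above and are a sample rather than a signature, and the entropy and mass-change thresholds are assumptions chosen for illustration. It scans a folder and reports how many of the three indicators it finds.

```python
"""Indicator check for the behaviour described in steps 5 and 6.

Added example for this page, not BharatSecure's code or anything from the
ransomware itself. The '.locked' extension and 'readme.txt' note name come
from the one case reported above and are a sample, not a signature; the
entropy and mass-change thresholds are assumptions chosen for illustration.
"""
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXTENSIONS = {".locked"}      # from the reported case (assumption: others exist)
RANSOM_NOTE_NAMES = {"readme.txt"}    # from the reported case
HIGH_ENTROPY_BITS = 7.5               # assumption: ciphertext is close to 8 bits/byte
MASS_CHANGE_FRACTION = 0.30           # assumption: this share of files changed = mass event
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input, ~7.9+ for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str) -> dict:
    """Walk `root` and count three independent indicators of encryption damage."""
    root_path = Path(root)
    data_files = suspect_ext = high_entropy = 0
    ransom_notes = []
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            ransom_notes.append(str(path.relative_to(root_path)))
            continue                                # the note is not user data
        data_files += 1
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            suspect_ext += 1
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        if shannon_entropy(sample) >= HIGH_ENTROPY_BITS:
            high_entropy += 1
    ext_frac = suspect_ext / data_files if data_files else 0.0
    ent_frac = high_entropy / data_files if data_files else 0.0
    indicators = [
        bool(ransom_notes),
        ext_frac >= MASS_CHANGE_FRACTION,
        ent_frac >= MASS_CHANGE_FRACTION,
    ]
    return {
        "data_files": data_files,
        "suspect_extension": suspect_ext,
        "high_entropy": high_entropy,
        "ransom_notes": ransom_notes,
        "indicators_hit": sum(indicators),
        # Require two of three: a folder of photos alone is high entropy, and a
        # lone readme.txt is common; both together in one folder are not.
        "likely_ransomware": sum(indicators) >= 2,
    }


def build_sample_tree(base: Path, infected: bool) -> None:
    """Write constructed sample files (not real victim data) for a demonstration."""
    base.mkdir(parents=True, exist_ok=True)
    for i in range(8):
        if infected and i >= 3:    # five of eight files "encrypted" and renamed
            (base / f"photo_{i}.jpg.locked").write_bytes(os.urandom(SAMPLE_BYTES))
        else:
            (base / f"notes_{i}.txt").write_text(f"household accounts, row {i}\n" * 40)
    if infected:
        (base / "readme.txt").write_text("Your files are encrypted. Pay to get the key.\n")


def demo() -> dict:
    """Scan one constructed infected folder and one clean folder."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean = Path(tmp) / "infected", Path(tmp) / "clean"
        build_sample_tree(infected, infected=True)
        build_sample_tree(clean, infected=False)
        return {"infected": scan_directory(str(infected)),
                "clean": scan_directory(str(clean))}


if __name__ == "__main__":
    print(scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a folder path to scan that folder, or with no arguments to see the constructed demonstration. The entropy check on its own is a poor detector, because JPEG, MP4 and ZIP files are already close to 8 bits per byte; the reason the script insists on two of the three indicators is to keep a normal photo folder from being reported as encrypted.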


What Happens to Victims

The impact of "The Gentlemen" ransomware can be devastating. Individuals lose access to personal photos, videos, and important documents; businesses face operational disruption, financial loss, and reputational damage. The distress of losing data, and the fear of identity theft that follows, can be significant. With Aadhaar and UPI woven into daily life, the lure itself adds a second risk: if the victim typed Aadhaar or UPI details into the fake page, or the malware collected them from the device, those details can be reused for financial fraud, SIM swapping, or identity theft. Paying the ransom does not guarantee recovery and marks the victim as someone who pays, which invites further attempts.

What RBI and CERT-In Say

RBI and CERT-In regularly issue advisories about cyber threats, including ransomware. Neither has published anything that addresses "The Gentlemen" by name, but both consistently stress digital hygiene: do not click suspicious links, keep software updated, never share sensitive financial information over unsecured channels, and use strong passwords with multi-factor authentication. CERT-In also publishes alerts on specific threats and vulnerabilities and asks individuals and organisations to report incidents to it. Report cybercrime on the national reporting portal, cybercrime.gov.in, and call the 1930 cybercrime helpline if you have fallen victim to a scam.

How to Protect Yourself

  1. Install a Reputable Antivirus: Use reliable antivirus software on every device and keep it updated. Make sure it includes ransomware protection, which watches for the rapid encryption of many files rather than only known malware signatures.
  2. Regularly Back Up Your Data: Back up important files to an external drive, cloud storage, or another secure location, and keep at least one copy that the infected device cannot reach: disconnect the external drive after each backup, and prefer cloud storage that keeps earlier versions of files, because a backup that simply mirrors your folders will faithfully copy the encrypted files over the good ones. Test a restore occasionally; a backup you have never restored from is an assumption, not a safeguard.
  3. Beware of Phishing Emails and Messages: Be extremely cautious of any unsolicited email or message asking you to click a link or open an attachment. On a phone, a message that leads you to enable "install from unknown sources" is itself the warning sign; on a computer, the same goes for a download that asks you to click past a security prompt.
  4. Keep Your Software Updated: Install operating system, browser, and app updates promptly to patch security vulnerabilities that ransomware could exploit.
  5. Enable Multi-Factor Authentication (MFA): Use MFA wherever possible. It does not stop files on a device from being encrypted, but it limits what the attacker can do with any passwords taken from that device.
  6. Educate Yourself and Your Family: Teach family members, especially those less comfortable with technology, how ransomware arrives and how to recognise the scams that deliver it.
  7. Use Strong and Unique Passwords: Create a strong, unique password for each online account, so that one stolen password does not open the rest.
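Item 2 above makes a claim that is easy to state and easy to get wrong in practice: a backup that mirrors the live folder inherits the encrypted files. The script below is an added example written for this page, not BharatSecure's tooling and not any particular product, showing the versioning half of that advice: every backup run creates a new dated-style snapshot with a SHA-256 manifest, an existing snapshot is never overwritten, and the manifest lets you verify a snapshot before you trust it for a restore. The directory names, snapshot labels, and sample files are constructed for the demonstration. What a script cannot do is keep the external drive unplugged or the cloud copy out of reach of the infected account; that part stays a habit.

```python
"""Versioned backup with a checksum manifest.

Added example for this page, not BharatSecure's tooling or any particular
product. It demonstrates the point of item 2 above: a backup that mirrors the
live folder inherits encrypted files, while a snapshot taken earlier does not.
Directory names, snapshot labels and sample files are constructed assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy `source` to backup_root/label/data and write a manifest of hashes.

    Every call creates a new directory; an existing label is refused, so no
    later run can overwrite a good copy with an encrypted one."""
    dest = backup_root / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label!r} already exists; refusing to overwrite")
    data = dest / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_of(p)
                for p in data.rglob("*") if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return dest


def verify(snapshot_dir: Path) -> bool:
    """Re-hash every file in a snapshot and compare with its manifest."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    data = snapshot_dir / "data"
    present = {str(p.relative_to(data)) for p in data.rglob("*") if p.is_file()}
    if present != set(manifest):          # a file was added, removed or renamed
        return False
    return all(sha256_of(data / rel) == digest for rel, digest in manifest.items())


def demo() -> dict:
    """Constructed scenario: snapshot, simulate step 5 on the live folder, snapshot again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "documents"
        backups = Path(tmp) / "backups"
        live.mkdir()
        backups.mkdir()
        (live / "notes.txt").write_text("household accounts\n")
        (live / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed sample, not a real image")
        before = snapshot(live, backups, "snap-1")

        # Simulate the ransomware: contents replaced with ciphertext-like bytes,
        # files renamed with the reported extension, ransom note dropped.
        for f in list(live.iterdir()):
            f.write_bytes(os.urandom(256))
            f.rename(f.with_name(f.name + ".locked"))
        (live / "readme.txt").write_text("Your files are encrypted.\n")
        after = snapshot(live, backups, "snap-2")
        after_intact = verify(after)      # a faithful copy of damaged data still verifies

        # Tamper with the newer snapshot to show that the manifest catches changes.
        (after / "data" / "readme.txt").write_text("edited after the fact\n")

        return {
            "before_intact": verify(before),
            "after_intact": after_intact,
            "before_restores_plaintext":
                (before / "data" / "notes.txt").read_text() == "household accounts\n",
            "after_only_has_locked_files":
                sorted(p.name for p in (after / "data").iterdir())
                == ["notes.txt.locked", "photo.jpg.locked", "readme.txt"],
            "tamper_detected": verify(after) is False,
        }


if __name__ == "__main__":
    print(demo())
```

Note that the second snapshot verifies cleanly: a checksum manifest proves the backup is a faithful copy of what was on the disk at the time, not that what was on the disk was any good. That is why the first snapshot, taken before the infection, is the one worth having, and why a backup scheme that keeps only the latest copy gives no protection at all against this scam.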

What to Do If You've Been Targeted

  1. Isolate the Affected Device: Immediately disconnect the infected device from the internet and your local network (Wi-Fi, mobile data, and any cable) so the ransomware cannot reach shared folders, connected drives, or other devices.
  2. Report the Incident: File a complaint with the National Cyber Crime Reporting Portal (cybercrime.gov.in) and call the cybercrime helpline 1930. Provide as much detail as possible, including the message that started it and the number or account it came from.
  3. Contact Your Bank: If you suspect that your financial information has been compromised, contact your bank immediately to freeze your accounts and report the fraud.
  4. Do Not Pay the Ransom: Paying does not guarantee that you will get your data back, and it marks you as someone who pays.
  5. Seek Professional Help: Contact a reputable cybersecurity firm for help recovering your data and removing the ransomware. Before anyone wipes or reinstalls the device, keep a copy of the ransom note and one or two encrypted files; identifying the ransomware family from those is what determines whether a free decryptor exists.

Frequently Asked Questions

Q: What if I accidentally clicked on a suspicious link but didn't download anything?

A: Even if you didn't download anything, run a full scan of your device with your antivirus software and change the passwords for your important accounts. Simply opening a page can only infect an unpatched browser, which is rare on an up-to-date device but is one more reason to install updates, and the page may have collected anything you typed into it.

Q: Can I recover my data without paying the ransom?

A: Yes, if you have a recent backup that was not connected to the device when it was encrypted. Free decryption tools exist for some ransomware families whose encryption was flawed or whose keys were leaked, but none is known for "The Gentlemen", and a tool built for a different family will not work. Check the No More Ransom project (nomoreransom.org), which is maintained by law enforcement and security vendors, before paying anyone.

Q: How can I be sure a message from a bank or government agency is legitimate?

A: Always verify any message by contacting the organization directly through their official website or phone number. Never use the contact information provided in the suspicious message.

Protect yourself from digital fraud – verify suspicious messages at BharatSecure.app.
