Severity: Critical | Status: Unverified

DermaPharm Ransomware Attack by thegentlemen (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On May 8, 2026, the ransomware group known as “thegentlemen” allegedly claimed responsibility for a cyberattack against DermaPharm A/S, a Danish skincare and personal care manufacturer. The entry on the group’s leak site lists the company’s domain (dermapharm.dk) and asserts that data was exfiltrated from the company. DermaPharm, founded in 1980, is a 100% Danish-owned company specializing in mild, eco-certified, and allergy-friendly products. It operates a 10,000 square meter production facility in Fårup, Denmark, and acts both as a brand owner (Derma) and as a private label manufacturer for third parties. The company is also a market leader in Nordic suncare and a partner of the Danish Cancer Society.

The claim states no data volume and includes no sample files. Leak-site entries are sometimes posted before samples are added, but until samples appear there is nothing that can be independently corroborated. This absence of evidence warrants skepticism: ransomware groups frequently exaggerate or fabricate claims to pressure victims into paying.

Threat Actor Profile

The group “thegentlemen” is a relatively obscure ransomware operation. Its total victim count is not publicly known, and no public research on its operations is available. This lack of track record makes the credibility of its claims difficult to assess.

However, the group reportedly uses a sophisticated toolset, including:

  • DumpBrowserSecrets: For extracting browser-stored credentials.
  • Hydra: A network login cracker.
  • KslDump: For memory dumping.
  • EDRStartupHinder: To disable endpoint detection and response (EDR) solutions.
  • GFreeze: Likely for system freezing or encryption.
  • GLinker: Possibly for lateral movement.
  • ADFind: For Active Directory reconnaissance.
  • BloodHound: For mapping Active Directory attack paths.

These tools suggest a capability for initial access, credential theft, defense evasion, and lateral movement. However, without confirmed attacks, this remains speculative. No YARA rules or detection guidance are publicly available for thegentlemen.
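The tools above are the only concrete detection lead the report offers, so the following is an added example of how a defender could triage process-creation telemetry against them. It is not code from the original report or from any vendor. It scans constructed Sysmon-style process-creation events (JSON lines, with invented hostnames, users and paths) for the publicly known usage patterns of ADFind, BloodHound/SharpHound and Hydra, and for the bare file names of the group’s reported custom tools (the assumption that those tools run under the names listed above is this example’s own), then flags hosts where more than one phase of the attack chain shows up. The phase assigned to each custom tool follows the report’s own description of it.

```python
"""Process-creation log triage for the tooling attributed to thegentlemen.

Added example: scans constructed Sysmon-style process-creation events for
known ADFind / BloodHound / Hydra usage and for the file names of the custom
tools listed in the report, then escalates hosts showing more than one phase.
"""
import json
import re
from collections import defaultdict

# Constructed sample events; hostnames, users and paths are invented.
SAMPLE_EVENTS = r"""
{"host": "WS-0412", "user": "CORP\\j.hansen", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe invoice.txt"}
{"host": "WS-0412", "user": "CORP\\j.hansen", "image": "C:\\Users\\Public\\adfind.exe", "cmdline": "adfind.exe -f \"(objectcategory=person)\" -csv"}
{"host": "WS-0412", "user": "CORP\\j.hansen", "image": "C:\\Users\\Public\\SharpHound.exe", "cmdline": "SharpHound.exe -c All --zipfilename out.zip"}
{"host": "WS-0412", "user": "CORP\\j.hansen", "image": "C:\\Users\\Public\\KslDump.exe", "cmdline": "KslDump.exe 712 lsass.dmp"}
{"host": "SRV-FILE01", "user": "CORP\\svc_backup", "image": "C:\\Temp\\EDRStartupHinder.exe", "cmdline": "EDRStartupHinder.exe"}
{"host": "SRV-FILE01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"host": "JUMP-01", "user": "CORP\\admin", "image": "C:\\Tools\\hydra.exe", "cmdline": "hydra.exe -L users.txt -P pass.txt smb://10.0.0.5"}
"""

# Assumption: the custom tools run under the names the report lists.
# Phases follow the report's own description of each tool.
CUSTOM_TOOLS = {
    "dumpbrowsersecrets.exe": "credential-access",
    "ksldump.exe": "credential-access",
    "edrstartuphinder.exe": "defense-evasion",
    "gfreeze.exe": "impact",
    "glinker.exe": "lateral-movement",
}


def rule_adfind(img, cmd):
    """ADFind binary, or its characteristic LDAP filter on the command line."""
    if img == "adfind.exe" or "objectcategory=" in cmd:
        return "discovery"
    return None


def rule_bloodhound(img, cmd):
    """SharpHound/BloodHound collector binary or its collection-method switches."""
    if img in ("sharphound.exe", "bloodhound.exe") or "invoke-bloodhound" in cmd \
            or re.search(r"(?:\s-c|--collectionmethods?)\s+all\b", cmd):
        return "discovery"
    return None


def rule_hydra(img, cmd):
    """THC-Hydra network login brute-forcer (match on image name only)."""
    if img in ("hydra.exe", "hydra"):
        return "credential-access"
    return None


def rule_custom_tool(img, cmd):
    """File names of the custom tools attributed to the group."""
    return CUSTOM_TOOLS.get(img)


RULES = [
    ("adfind_recon", rule_adfind),
    ("bloodhound_collection", rule_bloodhound),
    ("hydra_bruteforce", rule_hydra),
    ("gentlemen_custom_tool", rule_custom_tool),
]


def parse_events(text):
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return [(rule_name, phase)] for every rule the event triggers."""
    img, cmd = basename(ev["image"]), ev["cmdline"].lower()
    hits = []
    for name, rule in RULES:
        phase = rule(img, cmd)
        if phase:
            hits.append((name, phase))
    return hits


def triage(events):
    """Return (hits, escalated_hosts); a host is escalated when it shows
    tooling from two or more distinct phases of the chain."""
    hits, phases_by_host = [], defaultdict(set)
    for ev in events:
        for name, phase in match_event(ev):
            hits.append({"host": ev["host"], "user": ev["user"],
                         "rule": name, "phase": phase, "cmdline": ev["cmdline"]})
            phases_by_host[ev["host"]].add(phase)
    escalated = sorted(h for h, p in phases_by_host.items() if len(p) >= 2)
    return hits, escalated


if __name__ == "__main__":
    found, escalate = triage(parse_events(SAMPLE_EVENTS))
    for h in found:
        print(f"{h['host']:<10} {h['phase']:<18} {h['rule']:<22} {h['cmdline']}")
    print("escalate:", escalate)  # WS-0412 shows discovery plus credential-access
```

Name-based matches on the custom tools are the weakest part of the logic (a rename defeats them), which is why the escalation step keys on the combination of phases per host rather than on any single rule; ADFind’s LDAP filter and SharpHound’s collection switches survive a binary rename and are the matches worth keeping even after the tool names change.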

Alleged Data Exposure

The group claims to have accessed data from DermaPharm’s network, but no specific file types, volumes, or samples have been released. The leak site entry only lists the company’s public profile information, which is easily obtainable from open sources. This raises questions about the veracity of the claim.

If the breach is real, potential data types could include:

  • Customer personally identifiable information (PII) such as names, addresses, and purchase histories.
  • Employee records, including payroll and HR data.
  • Intellectual property related to product formulations and manufacturing processes.
  • Third-party partner contracts and supply chain information.

Potential Impact

If confirmed, this breach could have significant consequences for DermaPharm:

  • Reputational Damage: As a trusted partner of the Danish Cancer Society and a market leader in Nordic suncare, any data exposure could erode consumer and partner trust.
  • Regulatory Penalties: As a Danish company processing customer and employee personal data, DermaPharm is subject to the GDPR; a confirmed breach would trigger notification obligations to the Danish Data Protection Agency (Datatilsynet) and could result in fines.
  • Operational Disruption: Ransomware attacks often encrypt critical systems, potentially halting production at the company’s 10,000 m² facility in Fårup.
  • Supply Chain Risk: DermaPharm’s role as a private label manufacturer means third-party brands could be indirectly affected if their proprietary data is leaked.

What to Watch For

  • Leak Site Updates: Monitor for any release of data samples or a full dump, which would increase the credibility of the claim.
  • Official Statements: DermaPharm may issue a press release or notify regulators. Check the company’s website (dermapharm.dk) for updates.
  • Dark Web Chatter: Look for discussions about thegentlemen’s tactics, as this group is poorly understood.
  • YARA Rules: If detection guidance becomes available, it will be posted on Yazoul Security’s intel page at /intel/.

Disclaimer

This report is based on unverified claims from a ransomware group’s leak site. Yazoul Security has not independently confirmed the attack, the data exfiltration, or the identity of the threat actor. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into paying ransoms. All information should be treated as preliminary and subject to change upon verification. No PII, download links, or access credentials are included in this report.
