Ransomware - Affiliate Exposes 'The Gentlemen' Operation Details

A ransomware affiliate has leaked critical information about 'The Gentlemen' operation, revealing their tactics and a significant victim count. The group is rapidly expanding its operations and employing sophisticated techniques, including the use of SystemBC for covert attacks.

Category: Malware & Ransomware | Severity: HIGH | 9 sources

Original reporting: Infosecurity Magazine

AI Summary

CyberPings AI · Reviewed by Rohit Rana

A hacker group called 'The Gentlemen' has been stealing information from companies and demanding money to give it back. One of their own members spilled the beans about how they operate, revealing they are getting better at hiding their tracks and using new tricks to attack. Companies need to be extra careful and keep their defenses strong to avoid getting caught by these hackers.

What Happened

A ransomware affiliate known as hastalamuerte has leaked critical operational details about a group called The Gentlemen. This revelation offers a rare glimpse into the inner workings of a ransomware-as-a-service (RaaS) operation. The insights, published by Group-IB and corroborated by Check Point Research, highlight the group's tactics, techniques, and internal disputes. Such leaks are crucial as they shed light on how these cybercriminal networks function and evolve.

The Gentlemen group emerged from a dispute within the existing RaaS ecosystem, specifically involving the group Qilin. The new brand quickly established itself using existing tools and infrastructure. It employs a double-extortion model: the affiliates not only encrypt victim data but also threaten to publish it if the ransom isn't paid, which significantly increases the pressure on organizations to comply.

Victim Count and Targeting

The Gentlemen group has rapidly gained notoriety, publicly claiming over 320 victims, with the majority of attacks (approximately 240) occurring in the first months of 2026. This growth indicates that the RaaS program has attracted numerous affiliates, expanding its operational reach significantly. The group is increasingly targeting enterprise environments, utilizing a mix of modular tooling and cross-platform payloads, which enhances their effectiveness in large-scale intrusions.

The Gentlemen group targets a wide range of platforms, including Windows, Linux, ESXi, and BSD environments. Recently, they have introduced a new locker written in C specifically designed for VMware ESXi hypervisors, enhancing their cross-platform capabilities. Their primary method of gaining initial access involves exploiting vulnerabilities in FortiGate VPN devices or using brute-force attacks. Once they infiltrate a system, they deploy a series of automated processes to maximize their impact, including credential harvesting and domain-wide encryption.

Tactics & Techniques

The operational tactics of The Gentlemen are sophisticated and reflect a trend toward more professionalized cybercrime. They utilize a Bring Your Own Vulnerable Driver (BYOVD) approach, which helps them evade detection by security systems. Additionally, they engage in aggressive log deletion to further complicate forensic investigations.

Recent investigations reveal that The Gentlemen ransomware affiliates are expanding their attack toolkit, notably by incorporating SystemBC, a proxy malware. SystemBC establishes SOCKS5 network tunnels inside the victim's environment, giving the operators a covert channel for communication and payload delivery. Check Point Research observed telemetry from the relevant SystemBC command-and-control servers, revealing a botnet of over 1,570 victims, primarily corporate environments rather than individual consumers. The attackers have demonstrated adaptability, shifting to alternative command-and-control channels when their initial methods are blocked.
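SOCKS5 sessions terminating on an internal host that is not a sanctioned proxy are a useful hunting lead for the kind of tunnelling described above. The following is an added example, not code from the article or from any of the cited research teams: it parses the client side of a SOCKS5 session (greeting plus request, as specified in RFC 1928) from captured bytes and flags flows whose proxy endpoint is not on an allowlist. The byte streams, the host addresses and the `SANCTIONED_PROXIES` set are all constructed for the example; the tuple layout handed to `hunt()` assumes a flow sensor that supplies the client-to-proxy bytes per flow.

```python
import ipaddress
import struct

# Constructed SOCKS5 client streams (greeting followed by request); not real SystemBC traffic.
DOMAIN_NAME = b"example-c2.invalid"
SAMPLE_DOMAIN_STREAM = (
    b"\x05\x01\x00"                       # greeting: version 5, one method offered, NO_AUTH
    + b"\x05\x01\x00\x03"                 # request: version 5, CONNECT, reserved, ATYP=DOMAIN
    + bytes([len(DOMAIN_NAME)]) + DOMAIN_NAME
    + struct.pack("!H", 443)              # destination port, network byte order
)
SAMPLE_IPV4_STREAM = (
    b"\x05\x02\x00\x02"                   # greeting offering NO_AUTH and USERNAME_PASSWORD
    + b"\x05\x01\x00\x01"                 # CONNECT, ATYP=IPV4
    + ipaddress.IPv4Address("10.0.0.5").packed
    + struct.pack("!H", 3389)             # RDP tunnelled through the proxy to an internal host
)
SAMPLE_NOT_SOCKS = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"

AUTH_METHODS = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD"}
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ADDRESS_TYPES = {0x01: "IPV4", 0x03: "DOMAIN", 0x04: "IPV6"}


def parse_greeting(data):
    """Parse the client greeting. Returns (method names, bytes consumed) or None."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    methods = [AUTH_METHODS.get(m, f"UNKNOWN_{m:#04x}") for m in data[2:2 + n]]
    return methods, 2 + n


def parse_request(data):
    """Parse the request that follows method negotiation. Returns a dict or None."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in COMMANDS:
        return None
    atyp, body = data[3], data[4:]
    if atyp == 0x01 and len(body) >= 6:
        dst, port_off = str(ipaddress.IPv4Address(body[:4])), 4
    elif atyp == 0x03 and len(body) >= 1 and len(body) >= 1 + body[0] + 2:
        dst, port_off = body[1:1 + body[0]].decode("ascii", "replace"), 1 + body[0]
    elif atyp == 0x04 and len(body) >= 18:
        dst, port_off = str(ipaddress.IPv6Address(body[:16])), 16
    else:
        return None
    (port,) = struct.unpack("!H", body[port_off:port_off + 2])
    return {"cmd": COMMANDS[data[1]], "atyp": ADDRESS_TYPES[atyp], "dst": dst, "port": port}


def parse_client_stream(stream):
    """Decode greeting + request from the client side of one flow, or None if not SOCKS5."""
    greet = parse_greeting(stream)
    if greet is None:
        return None
    methods, consumed = greet
    req = parse_request(stream[consumed:])
    if req is None:
        return None
    return {"methods": methods, **req}


def hunt(flows, sanctioned_proxies):
    """flows: iterable of (src, proxy_host, proxy_port, client_bytes). Returns flagged flows."""
    findings = []
    for src, proxy_host, proxy_port, client_bytes in flows:
        parsed = parse_client_stream(client_bytes)
        if parsed is None or proxy_host in sanctioned_proxies:
            continue
        # A CONNECT to a private address via an unsanctioned proxy suggests tunnelled lateral movement.
        internal = parsed["atyp"] != "DOMAIN" and ipaddress.ip_address(parsed["dst"]).is_private
        findings.append({"src": src, "proxy": f"{proxy_host}:{proxy_port}",
                         "internal_destination": internal, **parsed})
    return findings


# Constructed flows: a workstation (10.0.3.40) acting as a proxy, and the sanctioned corporate proxy.
SANCTIONED_PROXIES = {"proxy.corp.example"}
FLOWS = [
    ("10.0.3.21", "10.0.3.40", 1080, SAMPLE_DOMAIN_STREAM),
    ("10.0.3.21", "10.0.3.40", 1080, SAMPLE_IPV4_STREAM),
    ("10.0.3.21", "proxy.corp.example", 1080, SAMPLE_DOMAIN_STREAM),
    ("10.0.3.22", "10.0.3.40", 80, SAMPLE_NOT_SOCKS),
]

if __name__ == "__main__":
    for finding in hunt(FLOWS, SANCTIONED_PROXIES):
        print(finding)
```

The parser only reads the client side, so it works on one-directional captures; the `internal_destination` flag is the triage signal, since a SOCKS5 CONNECT from one workstation, through another workstation, to an internal RDP port has no ordinary business explanation.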

Moreover, the group has begun employing advanced evasion techniques, such as using legitimate software tools to mask their activities, complicating detection efforts by security teams. This shift indicates a growing sophistication in their operational methods.

The internal dynamics of the group are also noteworthy. Tensions among affiliates can lead to leaks, as seen with hastalamuerte's revelations. Such friction can expose vulnerabilities within the RaaS model, potentially leading to disruptions in their operations. This internal instability may present opportunities for law enforcement and cybersecurity professionals to intervene.

Insider Threats in Cybersecurity

Adding to the complexity of the ransomware landscape, a recent scandal involving a former ransomware negotiator highlights the risks posed by insider threats. Angelo Martino, a former negotiator at the cybersecurity firm DigitalMint, has pleaded guilty to aiding the ALPHV/BlackCat ransomware gang by leaking sensitive information about victims to maximize ransom payments. Martino admitted to feeding confidential information back to the ransomware operators, including victims' insurance policy limits and negotiation strategies, betraying the trust of the clients he was supposed to protect. The case underscores a vulnerability in the incident response sector: insiders with access to negotiation details can exploit that position for personal gain, further complicating the fight against ransomware.

Infection Chain and Encryption Scheme

While the initial access vector for Gentlemen ransomware attacks remains undetermined, researchers found that the attackers operated from a Domain Controller with Domain Admin privileges. They conducted reconnaissance and deployed Cobalt Strike payloads to remote systems via RPC, using credentials harvested with Mimikatz. The ransomware employs a hybrid encryption scheme based on X25519 and XChaCha20, generating a random ephemeral key pair for each file it encrypts.

Before encryption, the ransomware terminates database, backup, and virtualization processes and deletes shadow copies and logs. The ESXi variant also shuts down VMs so that their disks can be encrypted. Lateral movement is executed through multiple channels, including PsExec and WMI, allowing the ransomware to spread rapidly across domain-joined machines.
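The pre-encryption steps described above (stopping database, backup and virtualization processes, deleting shadow copies, clearing logs) are individually noisy but collectively distinctive, and the few minutes between them are often the last window in which an intrusion can be contained. The following is an added detection example, not code from the article or from any of the cited researchers: it runs three behavioural rules over process-creation events and flags a host on which two or more distinct rules fire within a short window. The `timestamp host=... user=... cmd="..."` log format, the sample events and the keyword list in `SENSITIVE_SERVICE_WORDS` are all constructed for the example; the rules generalize beyond this group to common ransomware inhibit-recovery behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    '2026-01-14T02:10:03Z host=FS01 user=CORP\\admin cmd="net stop VeeamBackupSvc /y"',
    '2026-01-14T02:11:40Z host=FS01 user=CORP\\admin cmd="vssadmin.exe delete shadows /all /quiet"',
    '2026-01-14T02:12:05Z host=FS01 user=CORP\\admin cmd="wevtutil.exe cl Security"',
    '2026-01-14T12:30:11Z host=WS17 user=CORP\\helpdesk cmd="vssadmin list shadows"',   # benign: listing
    '2026-01-14T12:31:00Z host=WS17 user=CORP\\helpdesk cmd="wevtutil qe Security /c:5"',  # benign: query
    '2026-01-14T22:00:00Z host=DB02 user=CORP\\dba cmd="net stop MSSQLSERVER"',         # single rule only
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Rule patterns for the behaviours the article attributes to the locker's pre-encryption stage.
SHADOW_RE = re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)
LOGCLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)
STOP_RE = re.compile(r'\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*?/im)\s+"?([^\s"]+)', re.I)
SENSITIVE_SERVICE_WORDS = ("sql", "veeam", "backup", "vss", "vmware", "vmms", "oracle", "exchange", "acronis")


def parse_event(line):
    """Return {'ts': datetime, 'host': str, 'user': str, 'cmd': str} or None for unparseable lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def match_rules(cmd):
    """Return the names of all rules that a single command line triggers."""
    hits = []
    if SHADOW_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    if LOGCLEAR_RE.search(cmd):
        hits.append("event_log_cleared")
    m = STOP_RE.search(cmd)
    if m and any(word in m.group(1).lower() for word in SENSITIVE_SERVICE_WORDS):
        hits.append("backup_db_vm_service_stopped")
    return hits


def analyze(lines, window_minutes=10, min_distinct_rules=2):
    """Group rule hits per host and flag hosts with >= min_distinct_rules distinct rules in one window."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev["cmd"]):
            per_host[ev["host"]].append((ev["ts"], rule, ev["cmd"]))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        pattern = False
        for i, (t0, _, _) in enumerate(hits):
            rules_in_window = {rule for ts, rule, _ in hits[i:] if ts - t0 <= window}
            if len(rules_in_window) >= min_distinct_rules:
                pattern = True
                break
        findings[host] = {"hits": hits, "pre_encryption_pattern": pattern}
    return findings


if __name__ == "__main__":
    for host, result in analyze(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["pre_encryption_pattern"] else "info"
        print(f"[{flag}] {host}: {[rule for _, rule, _ in result['hits']]}")
```

A single `net stop` on a database server is routine maintenance and stays at informational level; the correlation across distinct rules is what separates FS01 from DB02 in the sample. In production the same logic would run over Sysmon event 1 or Windows 4688 command lines, and the `vssadmin list` and `wevtutil qe` cases show why the rules must match the destructive sub-commands rather than the binary names.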

Defensive Measures

Organizations must be vigilant against the evolving threat posed by groups like The Gentlemen. Implementing robust security measures is essential to mitigate risks. Regularly updating and patching systems, particularly those vulnerable to FortiGate exploits, is crucial.

Additionally, organizations should consider adopting a multi-layered security approach that includes endpoint detection and response solutions. They should enforce multi-factor authentication on all administrative accounts and remote access endpoints. Network segmentation should limit the reach of any attacker gaining domain-level access. Training employees to recognize phishing attempts and suspicious activities can also help prevent initial breaches. By staying informed about the tactics used by ransomware groups, businesses can better prepare themselves against potential attacks.

Pro Insight

The ongoing evolution of ransomware tactics, particularly by groups like The Gentlemen, underscores the need for organizations to stay ahead of emerging threats. The integration of legitimate software in attacks complicates detection and response efforts, highlighting the importance of advanced security measures.

Story Timeline

Story broke by Infosecurity Magazine

Covered by SC Media

Covered by Cyber Security News

Covered by Check Point Research

Covered by BleepingComputer

Covered by The Register Security

Covered by TechCrunch Security

Covered by Infosecurity Magazine

Covered by Dark Reading
