Inside The Gentlemen: The Fastest-Growing Ransomware-as-a-Service Operation of 2026 — 332 Victims, Leaked Playbook Exposed

dark6 16 May 2026
A ransomware operation that was barely known a year ago has rapidly become one of the most active and dangerous criminal enterprises in the current threat landscape. The Gentlemen, a ransomware-as-a-service (RaaS) group that first appeared in mid-2025, has claimed approximately 332 victims in just the first five months of 2026 — a pace that places it among the most prolific ransomware programs ever documented. Now, a rare internal database leak has given security researchers an unprecedented look inside the group’s operations, revealing a highly organized criminal enterprise with a well-defined playbook for targeting, compromising, and extorting victims.

A RaaS Built for Scale

The Gentlemen operates through an affiliate model advertised openly on underground cybercriminal forums. The group’s value proposition to potential affiliates is aggressive: a 90% cut of every ransom payment, with the operator retaining just 10%. This unusually high affiliate share has attracted a steady stream of skilled participants, enabling the group to scale its attack volume far beyond what a centralized team could manage alone.

Analysts from Check Point Research obtained a rare view into the group’s inner workings after its internal backend system — known internally as “Rocket” — was breached and leaked on underground forums in early May 2026. The group’s administrator, who operates under the aliases zeta88 and hastalamuerte, publicly acknowledged the breach on May 4, 2026, confirming that sensitive operational data including internal chat logs, tooling discussions, and affiliate coordination records had been exposed.

The leaked material, spanning channels named INFO, general, TOOLS, and PODBOR, gave researchers an end-to-end view of how The Gentlemen runs campaigns — from initial access and reconnaissance through ransom negotiations and final payouts. In one documented case, the group negotiated a final ransom payment of $190,000 after opening with a demand of $250,000.

Targeting Fortinet and Cisco Edge Devices

The Gentlemen’s preferred attack vector is well-defined: exposed edge network devices, particularly Fortinet FortiGate VPN appliances and Cisco systems that sit at the perimeter of corporate networks. The group combines brute-force attacks against login panels, exploitation of known security flaws, and the purchase of pre-established access from underground initial access brokers.

Three vulnerabilities feature prominently in the group’s toolkit:

  • CVE-2024-55591 — affecting the FortiOS management interface, allowing unauthenticated command execution
  • CVE-2025-32433 — an Erlang SSH flaw used in Cisco environments
  • CVE-2025-33073 — tied to NTLM relay attacks for lateral movement within Windows Active Directory environments

One key operator, identified in the leaked data as qbit, was specifically observed scanning for exposed Fortinet VPN endpoints and running NTLM relay checks using a custom tool called RelayKing. This pattern of systematic perimeter scanning followed by rapid exploitation is consistent across multiple documented intrusions.

Post-Compromise Operations

Once inside a network, The Gentlemen move methodically through a well-rehearsed attack sequence. They perform Active Directory reconnaissance to map the environment, escalate privileges, and disable endpoint security tools using purpose-built evasion kits. Cloud-based tunneling through services like Cloudflare maintains reliable command-and-control access without triggering perimeter monitoring alerts.

Only after achieving firm network-wide control do affiliates deploy the custom ransomware locker and begin encrypting systems. By this point, sensitive data has already been exfiltrated — a key element of the group’s double-extortion strategy.

Double Extortion and a Novel Cross-Victim Pressure Tactic

The Gentlemen’s extortion playbook goes beyond simple ransom demands. The group exfiltrates data before encryption and weaponizes it in multi-layered pressure campaigns. Ransom demand letters drafted by zeta88 emphasize regulatory exposure and reputational damage to accelerate victim decision-making.

Perhaps most alarmingly, the group has demonstrated a willingness to use data from earlier victims to pressure future ones. In a notable operation from April 2026, the group breached a software consultancy in the United Kingdom, stole sensitive client data, and then reused that same data weeks later to assist an attack against a company in Turkey where they had gained access through a vulnerable VPN appliance. The UK consultancy was subsequently listed on The Gentlemen’s data leak site as the supposed “access broker” for the Turkish operation — creating simultaneous extortion pressure on both organizations.

This tactic, where earlier victims are effectively weaponized against future targets, represents a significant evolution in double-extortion methodology and signals that ransomware groups are increasingly treating stolen data as a durable operational asset rather than a one-time leverage point.

Defensive Recommendations

The Gentlemen’s operational patterns highlight clear priorities for enterprise defenders. Organizations with internet-facing Fortinet or Cisco edge devices should treat patching as an immediate priority, particularly for the three CVEs documented in the group’s active toolkit. Monitoring for NTLM relay activity within Active Directory environments is a high-value detection opportunity given the group’s documented use of RelayKing.

Additional recommended steps include:

  • Audit all perimeter VPN and firewall appliances for default credentials and known vulnerabilities
  • Implement tamper protection on endpoint detection and response solutions to resist the group’s security tool disabling techniques
  • Restrict and monitor Cloudflare tunnel usage, which the group uses to maintain persistent command-and-control access
  • Segment Active Directory environments to limit lateral movement after initial perimeter compromise
  • Establish data exfiltration monitoring to detect large outbound transfers that precede ransomware deployment
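One concrete form of the NTLM relay monitoring recommended above, as an added example that is not from the article, Check Point Research or the group's tooling: it flags Windows 4624 network logons whose claimed workstation name does not match the source address, using a hypothetical asset inventory and constructed sample events.

```python
"""Heuristic NTLM relay detection over Windows 4624 logon events.

Added example, not from the article or Check Point Research. It assumes
4624 events exported as CSV with the fields below and a hypothetical
asset inventory mapping each workstation name to its expected IP.
"""
import csv
import io

# Constructed inventory: the address each workstation should log on from.
INVENTORY = {"WS-FIN-07": "10.10.5.23", "WS-HR-02": "10.10.5.41"}

# Constructed sample events. The third row is an NTLM network logon that
# claims WS-FIN-07 but arrives from another address: the trace a relay
# leaves, since the relaying host forwards the victim's NTLM exchange
# (and its workstation name) from the relaying host's own IP.
SAMPLE_LOG = """EventID,LogonType,AuthenticationPackage,WorkstationName,IpAddress,TargetUserName
4624,3,NTLM,WS-FIN-07,10.10.5.23,jdoe
4624,3,Kerberos,WS-HR-02,10.10.5.41,asmith
4624,3,NTLM,WS-FIN-07,10.10.9.99,jdoe
4624,2,NTLM,WS-HR-02,127.0.0.1,asmith
4624,3,NTLM,LAPTOP-X1,10.10.7.5,svc_backup
"""

def find_relay_candidates(log_text, inventory):
    """Return (workstation, expected_ip, observed_ip, user) for each NTLM
    network logon whose claimed workstation does not match its source IP."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EventID"] != "4624" or row["LogonType"] != "3":
            continue  # only network (type 3) logons can be relayed
        if row["AuthenticationPackage"].upper() != "NTLM":
            continue  # Kerberos logons are not subject to NTLM relay
        ws = row["WorkstationName"]
        expected = inventory.get(ws)
        if expected is None:
            continue  # unknown host: worth inventorying, but no mismatch to assert
        if row["IpAddress"] != expected:
            findings.append((ws, expected, row["IpAddress"], row["TargetUserName"]))
    return findings

if __name__ == "__main__":
    for ws, exp, seen, user in find_relay_candidates(SAMPLE_LOG, INVENTORY):
        print(f"possible NTLM relay: {ws} expected from {exp}, seen from {seen} ({user})")
```

Expect benign mismatches from NAT, VPN pools and multi-homed hosts, so tune the inventory per network segment before alerting on every hit.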

The Gentlemen’s rapid growth from a newly observed group to one of the world’s most active RaaS operations in under a year demonstrates the danger posed by well-organized affiliate programs that attract skilled operators. The leaked playbook confirms that the group’s success is not accidental — it is the product of disciplined, coordinated attack operations with clear financial incentives for affiliates. Organizations that have not yet hardened their perimeter against VPN-targeting ransomware groups should treat this as an urgent call to action.
