A Russian-speaking ransomware crew known as The Gentlemen has rapidly become one of the most active and sophisticated threat actors of 2026, ranking second only to Qilin in ransomware activity. Unlike traditional ransomware groups that rely on off-the-shelf tools, The Gentlemen combine Fortinet vulnerability exploitation, AI-assisted operations, and an entirely custom command-and-control framework to breach and extort organizations worldwide.
In May 2026, the Ransom-ISAC research team extracted 3,366 messages from the group’s self-hosted Rocket.Chat server, exposing internal plans, tooling discussions, and victim targeting details in unprecedented detail. Analysts at Vectra AI analyzed the findings and noted that while the group’s tools have evolved considerably, the core weaknesses they exploit in victim networks have remained nearly identical since 2022.
Fortinet: The Front Door of Choice
Fortinet devices remain the primary initial access vector for The Gentlemen. The extracted Rocket.Chat logs mention FortiGate 81 times, with CVE-2024-55591, a FortiOS authentication bypass vulnerability, called out explicitly as their main way into victim networks. Halcyon’s analysis found the group brute-forcing roughly 1,000 Fortinet VPNs, in some cases using reused passwords such as gentlemen25 and gentle26 across multiple victims.
This reliance on a single vendor’s unpatched devices highlights a persistent problem across enterprise environments: edge devices are often deprioritized in patch cycles despite being the most exposed assets on a network perimeter.
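The brute-forcing Halcyon describes leaves a distinctive trail in FortiGate event logs: many SSL-VPN login failures from one source, often spread across several usernames, sometimes followed by a success once a reused password lands. The following detector is an added example written for this article; it is not code from the Ransom-ISAC, Vectra AI or Halcyon reports and has nothing to do with the group's own tooling. The log lines are constructed in FortiGate-style key="value" layout, and the logid/action values (0101039426 with action="ssl-login-fail", 0101039424 with action="ssl-login") are assumed to be what FortiOS emits for SSL-VPN failures and successes; check them against your firmware's log reference before relying on them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, illustrative only (not from any real device or
# from the leaked chats). logid/action values are assumed, see lead-in.
SAMPLE_LOGS = """\
date=2026-05-01 time=02:10:01 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=02:10:04 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=02:10:09 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="vpnuser" remip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=02:10:15 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=02:11:02 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=02:11:40 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="backup" remip="203.0.113.10" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=02:12:05 logid="0101039424" type="event" subtype="vpn" action="ssl-login" user="jsmith" remip="203.0.113.10" reason="login successfully"
date=2026-05-01 time=08:30:12 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="198.51.100.7" reason="sslvpn_login_permission_denied"
date=2026-05-01 time=08:30:40 logid="0101039424" type="event" subtype="vpn" action="ssl-login" user="jsmith" remip="198.51.100.7" reason="login successfully"
"""

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiGate-style record into a dict of its fields."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def find_vpn_bruteforce(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Group SSL-VPN login failures by source IP and flag any source with at
    least `fail_threshold` failures inside a sliding `window`. Each finding
    lists the usernames tried (a spray shows many) and any later success
    from the same source, which is the case that needs immediate action."""
    by_src = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.get("subtype") != "vpn" or "remip" not in e:
            continue
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        by_src[e["remip"]].append((ts, e.get("action", ""), e.get("user", "")))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, a, u in evs if a == "ssl-login-fail"]
        # Two-pointer sliding window: most failures seen inside any `window`.
        burst, left = 0, 0
        for right, (ts, _) in enumerate(fails):
            while fails[left][0] < ts - window:
                left += 1
            burst = max(burst, right - left + 1)
        if burst < fail_threshold:
            continue
        first_fail = fails[0][0]
        findings.append({
            "src": src,
            "failures": len(fails),
            "burst": burst,
            "users_tried": sorted({u for _, u in fails}),
            "success_after": sorted({u for ts, a, u in evs
                                     if a == "ssl-login" and ts > first_fail}),
        })
    return findings


def detect_from_sample():
    return find_vpn_bruteforce(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for finding in detect_from_sample():
        print(finding)
```

Run against the constructed sample, the 203.0.113.10 source is reported with six failures across four accounts and a later success as jsmith, while the single mistyped password from 198.51.100.7 is ignored. Feed it real syslog from your FortiGates (or the equivalent fields from your SIEM) and tune the threshold to your user population; a source that hits the threshold and then succeeds should be treated as a compromised account, not a lockout event.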
G-BOT: A Custom C2 That Defeats Signature Detection
Once inside a victim network, The Gentlemen deploy a custom command-and-control framework called G-BOT. This previously undocumented platform supports per-beacon SOCKS5 tunneling and distributes its builder components through temporary file-sharing sites, replacing commercial frameworks such as Cobalt Strike outright. Because no public signatures exist for G-BOT, endpoint detection and response (EDR) products and network monitoring tools that depend on known indicators do not flag its traffic; what remains observable is the behavior of the implant itself, such as the regular rhythm of its beacons.
The group’s Linux locker is equally sophisticated. It targets hypervisors directly by attacking Hyper-V Volume Manager, encrypting data at the hypervisor level so that endpoint agents running inside virtual machines cannot observe the attack. Encrypted files receive the extension .i8p14s and a ransom note named README-GENTLEMEN.txt is dropped on affected systems.
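A C2 framework with no public signatures still has to call home on a schedule, and that schedule is visible in flow data regardless of the payload. The beacon-timing check below is an added example written for this article, not code from the reports it summarizes and unrelated to G-BOT itself; it works from connection records (epoch time, source, destination, port) of the kind a NetFlow or Zeek conn export gives you. The sample records, hosts and addresses are constructed, and the thresholds (at least eight connections, coefficient of variation of the inter-connection gaps at most 0.2) are assumed starting points to tune.

```python
import statistics
from collections import defaultdict


def _build_sample():
    """Constructed connection records: (epoch_seconds, src, dst, dst_port).
    Illustrative only, not captured traffic."""
    recs = []
    t = 1_777_600_000  # arbitrary start time
    # 10.0.0.5 calls 198.51.100.23:443 about once a minute with a few
    # seconds of jitter, the rhythm a sleeping implant typically shows.
    for gap in [0, 60, 58, 61, 60, 62, 59, 60, 61, 59, 60, 60]:
        t += gap
        recs.append((t, "10.0.0.5", "198.51.100.23", 443))
    # 10.0.0.7 browses 93.184.216.34:443 at human-driven, irregular gaps.
    t = 1_777_600_000
    for gap in [0, 5, 120, 3, 400, 8, 15, 900, 2, 60, 30, 250]:
        t += gap
        recs.append((t, "10.0.0.7", "93.184.216.34", 443))
    return recs


SAMPLE_CONNECTIONS = _build_sample()


def interval_stats(timestamps):
    """Mean gap between consecutive connections and its coefficient of
    variation (stdev / mean). A low CV means a regular, machine-driven
    cadence. Returns None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.stdev(gaps) / mean


def find_beacons(records, min_conns=8, max_cv=0.2):
    """Return flows (src, dst, dport) whose timing is regular enough to look
    like C2 beaconing, with the evidence that triggered the flag."""
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        flows[(src, dst, dport)].append(ts)
    hits = {}
    for key, ts in flows.items():
        if len(ts) < min_conns:
            continue
        stats = interval_stats(ts)
        if stats and stats[1] <= max_cv:
            mean, cv = stats
            hits[key] = {"connections": len(ts),
                         "mean_interval_s": round(mean, 1),
                         "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for flow, evidence in find_beacons(SAMPLE_CONNECTIONS).items():
        print(flow, evidence)
```

On the constructed data only the 10.0.0.5 flow is reported: twelve connections at a mean of 60 seconds with a CV under 0.02, while the browsing flow's gaps vary far too much. Implants that randomize their sleep heavily will push the CV up, so pair this with volume and destination-reputation checks rather than relying on timing alone; the per-beacon SOCKS5 tunnels the article mentions show up differently, as long-lived sessions rather than periodic short ones.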
AI-Assisted Operations and Credential Theft
The Gentlemen have integrated AI into their operational workflow. Leaked chat logs show operators referencing large language models to assist with ransom negotiations, describing them as automatic response writers for victim communications. The group also discusses renting GPUs on vast.ai and running uncensored open-source AI models from Hugging Face to rapidly triage large volumes of stolen data before deciding what to leak or weaponize.
For credential theft, the group deploys a layered toolkit including:
- Phemedrone Stealer V2.3.2 — browser password harvesting
- LummaC2 — credential stealer and payload dropper
- Chrome App-Bound Encryption Decryption — bypasses Chrome’s credential protection
- XenAllPasswordPro and DumpBrowserSecrets — additional credential recovery tools
Stolen data is exfiltrated via rclone to MEGA, following the double-extortion pattern established by earlier groups. Standard authentication logs show nothing unusual during this phase because the tools extract saved passwords without triggering login failures.
Links to Black Basta and a Pattern of Rebranding
The leaked messages also revealed a connection between The Gentlemen and earlier ransomware brands. A negotiator using the handle “Tinker” appeared in both Black Basta chats and The Gentlemen’s logs, performing the same operational role. A shared Matrix homeserver, bestflowers247.online, was present in archives from both groups, providing hard infrastructure evidence of continuity.
This pattern reinforces a critical truth about the ransomware ecosystem: operators do not retire when a group is disrupted. They rebrand. The same individuals carry their knowledge, access, and tooling from one criminal enterprise to the next, making group takedowns far less effective than many defenders hope.
Defensive Recommendations
Organizations can take concrete steps based on what the leaked chats reveal:
- Audit edge devices — FortiGate, Palo Alto, Citrix, F5, Cisco — against the CVE list discussed in The Gentlemen’s operator chats and prioritize patching CVE-2024-55591 immediately.
- Treat NTDS.dit access and Volume Shadow Copy (VSS) deletion as immediate severity-one alerts rather than post-incident forensic discoveries.
- Hunt for tools like rclone, MEGAcmd, WinSCP, and Velociraptor on hosts that have no legitimate reason to run them.
- Segment backup infrastructure from production networks so that a compromised domain controller cannot reach backup repositories.
- Watch for hosts making unexpected outbound connections to self-hosted chat infrastructure such as Rocket.Chat servers or Matrix homeservers; The Gentlemen run their own, so a workstation or server talking to one without a business reason deserves a closer look.
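The second and third recommendations above (treat NTDS.dit access and shadow-copy deletion as severity-one, hunt for exfiltration tooling where it does not belong) translate directly into rules over process-creation telemetry. The triage function below is an added example written for this article, not code from any of the cited reports; it expects events with host, image and cmdline fields, as Sysmon event ID 4688/1 style collectors provide. The sample events, host names and the allowlist are constructed, the exfiltration-tool binary names are an illustrative list (the MEGAcmd binary names in particular are assumed), and you should extend all of them for your environment.

```python
import re

# Illustrative list of binaries the toolkit described in the article drops.
# MEGAcmd binary names are assumed; extend for your environment.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "velociraptor.exe",
               "megacmd.exe", "megacmdserver.exe", "megaclient.exe"}

# Hosts with a legitimate reason to run a given tool (assumed names):
# e.g. a backup server that syncs with rclone on purpose.
ALLOWED_TOOL_HOSTS = {"BKP01": {"rclone.exe"}}

# Shadow-copy destruction: vssadmin, wmic, WMI from PowerShell, diskshadow.
VSS_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b"
    r"|diskshadow(?:\.exe)?.*\bdelete\s+shadows",
    re.IGNORECASE)

# AD database extraction: ntdsutil IFM dump, or any direct ntds.dit reference.
NTDS_RE = re.compile(
    r"ntdsutil(?:\.exe)?.*\bifm\b"
    r"|\bntds\.dit\b",
    re.IGNORECASE)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_event(ev):
    """Classify one process-creation event. Severity 1 is the page-now
    tier; 2 is a high-priority hunt lead. Returns None for no match."""
    cmd = ev.get("cmdline", "")
    image = _basename(ev.get("image", ""))
    host = ev.get("host", "")
    if VSS_DELETE_RE.search(cmd):
        return {"severity": 1, "rule": "vss_deletion", "host": host, "cmdline": cmd}
    if NTDS_RE.search(cmd):
        return {"severity": 1, "rule": "ntds_extract", "host": host, "cmdline": cmd}
    if image in EXFIL_TOOLS and image not in ALLOWED_TOOL_HOSTS.get(host, set()):
        return {"severity": 2, "rule": "exfil_tool", "host": host, "cmdline": cmd}
    return None


def triage(events):
    """Run every event through triage_event and keep the alerts."""
    return [a for a in (triage_event(e) for e in events) if a]


# Constructed events, illustrative only.
SAMPLE_EVENTS = [
    {"host": "DC01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "DC01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\x" q q'},
    {"host": "WS-0423", "image": r"C:\Users\jsmith\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:dump --transfers 16"},
    {"host": "BKP01", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups remote:vault"},
    {"host": "WS-0101", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "FS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the two shadow-copy deletions and the ntdsutil IFM dump come out at severity 1, rclone running from a user's Temp directory is a severity-2 hunt lead, and the same binary on the allowlisted backup server is suppressed. The allowlist is keyed on host and tool rather than on the binary path alone, because the attacker controls the path; keep it short and review it, since every entry is a place these tools can run unnoticed.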
The Gentlemen represent the new face of ransomware: distributed, AI-assisted, hypervisor-aware, and operationally resilient. Their rise makes clear that organizations must move beyond signature-based defenses and invest in behavioral detection, network segmentation, and resilient backup architectures to have any realistic chance of limiting the damage when sophisticated groups like this come knocking.
Source: CyberSecurityNews.com