
Gentlemen RaaS Exploits Fortinet, Cisco Edge Devices for Initial Access

David kimber
May 14, 2026

Key Takeaways

  • The Gentlemen, a prolific ransomware-as-a-service (RaaS) group, has emerged as a significant threat, claiming over 330 victims in early 2026.
  • The group primarily gains initial access by exploiting vulnerabilities in Fortinet FortiGate VPN appliances and various Cisco edge devices.
  • A recent leak of the group’s internal “Rocket” backend system provided Check Point Research with deep insights into their sophisticated operations, including affiliate management, attack methodologies, and negotiation tactics.
  • The Gentlemen employ a double-extortion strategy, exfiltrating data and leveraging it not only against primary victims but also against new targets, showcasing an evolving threat landscape.
  • Organizations must prioritize patching internet-facing devices, strengthening Active Directory security, and implementing robust endpoint detection and response (EDR) solutions to mitigate risks from such advanced RaaS operations.

The Gentlemen RaaS: Inside a Prolific Ransomware Operation

A new ransomware-as-a-service (RaaS) operation, dubbed “The Gentlemen,” has rapidly ascended to prominence since its emergence in mid-2025. This highly active threat group has already claimed approximately 332 victims in the first five months of 2026, establishing itself as one of the most prolific ransomware programs globally. A recent deep dive by Check Point Research has shed light on the group’s sophisticated tactics, particularly its reliance on exploiting Fortinet and Cisco edge devices for initial access.

The Gentlemen operate under an affiliate model, actively recruiting skilled individuals on underground forums. This structure offers a lucrative 90% cut of each ransom payment to affiliates, with the remaining 10% going to the operators. This aggressive profit-sharing scheme has proven highly attractive, fueling the group’s rapid expansion and attack volume.

Check Point Research gained unprecedented visibility into The Gentlemen’s operations following an internal database leak on May 4, 2026. The group’s administrator, known as “zeta88” or “hastalamuerte,” publicly acknowledged the compromise of their backend system, codenamed “Rocket,” which exposed sensitive operational data. The leaked material, including chat logs from channels like INFO, general, TOOLS, and PODBOR, provided researchers with a comprehensive understanding of the group’s end-to-end campaign execution, from initial access to ransom negotiations and payouts.

Targeting Fortinet and Cisco Edge Devices

The Gentlemen prioritize perimeter exploitation for initial network penetration. Their primary targets are internet-facing edge devices, specifically Fortinet FortiGate VPN appliances and various Cisco systems, which serve as critical entry points to corporate networks. By compromising vulnerable or misconfigured devices, they establish a foothold within the victim’s infrastructure.

The group employs a multi-faceted approach to gain this initial access, including brute-forcing login credentials, exploiting known security vulnerabilities, and acquiring pre-existing access from underground brokers. Key vulnerabilities actively exploited by The Gentlemen include CVE-2024-55591 (FortiOS management interface), CVE-2025-32433 (an Erlang SSH flaw relevant in Cisco environments), and CVE-2025-33073, associated with NTLM relay attacks. One prominent operator, “qbit,” was specifically observed utilizing a tool named RelayKing to scan for Fortinet VPNs and perform NTLM relay checks.

Once inside, the group conducts extensive Active Directory reconnaissance, escalates privileges, and disables security tools using custom evasion kits. They leverage cloud-based tunneling services like Cloudflare to maintain persistent, stealthy access. Only after firmly establishing control over the network do they deploy their bespoke ransomware locker and initiate data encryption.

A Sophisticated Double-Extortion Playbook

The Gentlemen’s operations extend beyond mere encryption. They engage in a sophisticated double-extortion strategy, exfiltrating sensitive data prior to deploying their ransomware. This stolen data is then used as leverage during ransom negotiations. A notable incident from April 2026 illustrates this tactic: the group breached a UK-based software consultancy, stole client data, and subsequently used that same data weeks later to facilitate an attack against a Turkish company. In both instances, initial access was gained through vulnerable VPN appliances.

During the Turkish operation, The Gentlemen publicly listed the UK consultancy as the “access broker” on their data leak site. This innovative tactic applies simultaneous pressure on both victims. Such weaponization of prior victims’ data against new targets marks a significant evolution in ransomware group methodologies. Ransom demand letters, often drafted by the administrator zeta88, strategically emphasize regulatory exposure and reputational damage to coerce quicker payments.

For cybersecurity defenders, these documented patterns highlight critical areas requiring immediate attention. Organizations must prioritize the timely patching of all internet-facing systems, especially VPN appliances and firewalls. Proactive monitoring for NTLM relay activity, hardening Active Directory configurations, and ensuring the tamper-resistance of Endpoint Detection and Response (EDR) solutions are essential steps to reduce vulnerability to sophisticated groups like The Gentlemen.

What You Should Do

  • Patch Immediately: Prioritize and apply all security updates for internet-facing devices, particularly Fortinet FortiGate VPN appliances and Cisco network devices.
  • Strengthen Authentication: Implement multi-factor authentication (MFA) on all remote access services, VPNs, and critical internal systems.
  • Harden Active Directory: Review and strengthen Active Directory security configurations, enforce strong password policies, and regularly audit for suspicious activity.
  • Monitor for NTLM Relay Attacks: Implement monitoring solutions to detect and alert on NTLM relay attempts, which The Gentlemen are known to leverage.
  • Enhance EDR Capabilities: Ensure your Endpoint Detection and Response (EDR) solutions are up-to-date, properly configured, and include tamper-prevention features to resist malware disabling security tools.
  • Regular Backups: Maintain isolated, encrypted, and regularly tested backups of all critical data to facilitate recovery without paying a ransom.
  • Network Segmentation: Implement robust network segmentation to limit lateral movement in case of a breach, minimizing the impact of a successful attack.
  • Employee Training: Conduct regular cybersecurity awareness training for employees, focusing on phishing, social engineering, and secure browsing habits.
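The "Monitor for NTLM Relay Attacks" item above gives no concrete detection logic. The following Python script is an added example, not code from the article or from Check Point Research: it applies a well-known relay heuristic to Windows Security log entries (Event ID 4624, network logon, NTLM package), flagging logons where the TCP source address does not match the workstation the client claimed, and source addresses that presented credentials for several different workstations. The inventory, the simplified key=value log format and all hosts, users and addresses are constructed.

```python
"""Flag NTLM network logons whose TCP source does not match the workstation the
client claimed in its NTLM message, a common relay indicator.
All inventory entries and log lines below are constructed for this example."""
from collections import defaultdict

# Constructed asset inventory: hostname -> IP it is expected to authenticate from.
INVENTORY = {"WS-FIN-01": "10.0.1.15", "WS-HR-07": "10.0.1.42", "SRV-FILE-02": "10.0.2.10"}

# Constructed Security log excerpt (Event ID 4624, simplified key=value form).
EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=alice WorkstationName=WS-FIN-01 IpAddress=10.0.1.15",
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=alice WorkstationName=WS-FIN-01 IpAddress=10.0.9.200",
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=bob WorkstationName=WS-HR-07 IpAddress=10.0.9.200",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=carol WorkstationName=SRV-FILE-02 IpAddress=10.0.2.10",
    "EventID=4624 LogonType=2 AuthPackage=NTLM TargetUser=dave WorkstationName=WS-HR-07 IpAddress=10.0.1.42",
]


def parse_event(line):
    """Turn one 'key=value key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def ntlm_network_logons(lines):
    """Yield only successful network logons (type 3) authenticated with NTLM."""
    for ev in map(parse_event, lines):
        if ev["EventID"] == "4624" and ev["LogonType"] == "3" and ev["AuthPackage"] == "NTLM":
            yield ev


def find_relay_suspects(lines, inventory):
    """Return (alerts, hubs).
    alerts: (user, claimed workstation, actual source IP, expected IP) for each
            logon where the claimed workstation and the TCP source disagree
            (an unknown workstation is also flagged, with expected IP None).
    hubs:   source IPs that presented credentials for more than one claimed
            workstation, the pattern a single relay host produces."""
    alerts, claimed_by_ip = [], defaultdict(set)
    for ev in ntlm_network_logons(lines):
        ws, ip = ev["WorkstationName"], ev["IpAddress"]
        claimed_by_ip[ip].add(ws)
        expected = inventory.get(ws)
        if expected != ip:
            alerts.append((ev["TargetUser"], ws, ip, expected))
    hubs = {ip: sorted(ws) for ip, ws in claimed_by_ip.items() if len(ws) > 1}
    return alerts, hubs


if __name__ == "__main__":
    for alert in find_relay_suspects(EVENTS, INVENTORY)[0]:
        print("relay suspect:", alert)
```

The WorkstationName field is supplied by the client and can be altered, so treat a match as weak evidence and a mismatch or a multi-workstation source as a lead to correlate with VPN and firewall logs.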

Indicators of Compromise (IoCs)

