Gentlemen RaaS Exploits Fortinet & Leverages Cisco

The Gentlemen, a ransomware-as-a-service (RaaS) operation that emerged in mid-2025, has rapidly established itself as a highly active threat. In just the first five months of 2026, the group claimed approximately 332 published victims, quickly becoming one of the world’s most prolific ransomware programs. Its methods, including leveraging Fortinet and Cisco edge devices for initial access, are detailed in

Analysts from Check Point Research have been closely tracking The Gentlemen and recently obtained a rare look inside the group’s inner workings after an internal database leak surfaced on underground forums.

On May 4, 2026, the group’s administrator publicly acknowledged that their backend system, known internally as “Rocket,” had been compromised and that sensitive operational data had been exposed.

The leaked material included internal chat logs from channels named INFO, general, TOOLS, and PODBOR. These conversations gave researchers an end-to-end view of how the group runs its campaigns, from initial access and reconnaissance all the way through ransom negotiations and payouts.

Targeting Fortinet and Cisco Edge Devices

In one documented case, the group negotiated a final ransom payment of 190,000 USD after starting with an initial demand of 250,000 USD.

What makes The Gentlemen particularly dangerous is how tightly organized they are despite being affiliate-based. The leak identified nine named accounts working together in a coordinated way, with the administrator, known as zeta88 or hastalamuerte, personally involved in carrying out attacks alongside managing the overall program.

The group’s preferred method for breaking into a target’s network starts at the perimeter. Their main focus is on exposed edge devices such as Fortinet FortiGate VPN appliances and Cisco systems, which are commonly found at the entry points of corporate networks. Once they find a vulnerable or misconfigured device, they use it as a gateway inside.

To gain that initial foothold, the group combines several approaches. They brute-force login panels, exploit known security flaws, and purchase ready-made access from underground brokers.

Three vulnerabilities they actively track include CVE-2024-55591, affecting the FortiOS management interface, CVE-2025-32433, an Erlang SSH flaw relevant in Cisco environments, and CVE-2025-33073, tied to NTLM relay attacks.

One key operator known as qbit was specifically observed scanning for Fortinet VPNs and running NTLM relay checks using a tool called RelayKing.

After getting a foothold, the group pivots deeper into the network. They perform Active Directory reconnaissance, escalate privileges, and disable security tools using purpose-built evasion kits.

They also use cloud-based tunneling through services like Cloudflare to maintain reliable, long-term access without being detected. Only once the network is firmly in their control do they deploy their custom ransomware locker and begin encrypting systems.

A Sophisticated Double-Extortion Playbook

The Gentlemen do not stop at encryption. They exfiltrate data before deploying their locker and use it as leverage in negotiations. In a notable case from April 2026, the group breached a software consultancy in the United Kingdom, stole sensitive client data, and then reused that same data weeks later to assist an attack against a company in Turkey, where they had also gained initial access through a vulnerable VPN appliance.

In the Turkish operation, the group published the UK consultancy as the supposed “access broker” on their data leak site, creating pressure on both victims simultaneously.

This tactic, where earlier victims are weaponized against future ones, signals a notable shift in how ransomware groups think about stolen data. Ransom demand letters drafted by zeta88 also emphasized regulatory exposure and reputational damage to push victims into paying faster.

For defenders, the patterns seen in this campaign highlight clear areas that need attention. Organizations should prioritize patching internet-facing systems, particularly VPN appliances and firewalls.

Monitoring for NTLM relay activity, hardening Active Directory configurations, and ensuring that EDR solutions are tamper-resistant are all meaningful steps that can reduce exposure to groups operating with this level of sophistication.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.