Gentlemen RaaS Exploits Fortinet, Cisco Edge Devices for Initial Access
Key Takeaways
- The Gentlemen, a prolific ransomware-as-a-service (RaaS) group, has emerged as a significant threat, claiming over 330 victims in early 2026.
- The group primarily gains initial access by exploiting vulnerabilities in Fortinet FortiGate VPN appliances and various Cisco edge devices.
- A recent leak of the group’s internal “Rocket” backend system provided Check Point Research with deep insights into their sophisticated operations, including affiliate management, attack methodologies, and negotiation tactics.
- The Gentlemen employ a double-extortion strategy, exfiltrating data and leveraging it not only against primary victims but also against new targets, showcasing an evolving threat landscape.
- Organizations must prioritize patching internet-facing devices, strengthening Active Directory security, and implementing robust endpoint detection and response (EDR) solutions to mitigate risks from such advanced RaaS operations.
The Gentlemen RaaS: Inside a Prolific Ransomware Operation
A new ransomware-as-a-service (RaaS) operation, dubbed “The Gentlemen,” has rapidly ascended to prominence since its emergence in mid-2025. This highly active threat group has already claimed approximately 332 victims in the first five months of 2026, establishing itself as one of the most prolific ransomware programs globally. A recent deep dive by Check Point Research has shed light on the group’s sophisticated tactics, particularly its reliance on exploiting Fortinet and Cisco edge devices for initial access.
The Gentlemen operate under an affiliate model, actively recruiting skilled individuals on underground forums. This structure offers a lucrative 90% cut of each ransom payment to affiliates, with the remaining 10% going to the operators. This aggressive profit-sharing scheme has proven highly attractive, fueling the group’s rapid expansion and attack volume.
Check Point Research gained unprecedented visibility into The Gentlemen’s operations following an internal database leak on May 4, 2026. The group’s administrator, known as “zeta88” or “hastalamuerte,” publicly acknowledged the compromise of their backend system, codenamed “Rocket,” which exposed sensitive operational data. The leaked material, including chat logs from channels like INFO, general, TOOLS, and PODBOR, provided researchers with a comprehensive understanding of the group’s end-to-end campaign execution, from initial access to ransom negotiations and payouts.
Targeting Fortinet and Cisco Edge Devices
The Gentlemen prioritize perimeter exploitation for initial network penetration. Their primary targets are internet-facing edge devices, specifically Fortinet FortiGate VPN appliances and various Cisco systems, which serve as critical entry points to corporate networks. By compromising vulnerable or misconfigured devices, they establish a foothold within the victim’s infrastructure.
The group uses several routes to this initial access: brute-forcing VPN credentials, exploiting known vulnerabilities, and buying pre-existing access from initial access brokers. Vulnerabilities the leaked chats show The Gentlemen actively exploiting include CVE-2024-55591 (an authentication bypass in the FortiOS management interface), CVE-2025-32433 (a pre-authentication flaw in the Erlang/OTP SSH server, which ships in several Cisco products), and CVE-2025-33073 (a Windows SMB client flaw abused in NTLM relay and reflection attacks). One prominent operator, “qbit,” was observed using a tool named RelayKing to scan for exposed Fortinet VPNs and to test targets for NTLM relay.
Once inside, the group performs extensive Active Directory reconnaissance, escalates privileges, and disables security tools with custom evasion kits. It maintains persistent, low-profile access through cloud tunneling services such as Cloudflare Tunnel, so that command-and-control traffic blends in with legitimate outbound HTTPS. Only after it has firm control of the network does it deploy its bespoke ransomware locker and begin encryption.
A Sophisticated Double-Extortion Playbook
The Gentlemen’s operations extend beyond mere encryption. They engage in a sophisticated double-extortion strategy, exfiltrating sensitive data prior to deploying their ransomware. This stolen data is then used as leverage during ransom negotiations. A notable incident from April 2026 illustrates this tactic: the group breached a UK-based software consultancy, stole client data, and subsequently used that same data weeks later to facilitate an attack against a Turkish company. In both instances, initial access was gained through vulnerable VPN appliances.
During the Turkish operation, The Gentlemen publicly listed the UK consultancy as the “access broker” on their data leak site, putting simultaneous pressure on both victims. Weaponizing one victim’s stolen data to breach and extort the next marks a notable evolution in ransomware methodology. Ransom demand letters, often drafted by the administrator zeta88, deliberately stress regulatory exposure and reputational damage to push for faster payment.
For defenders, these documented patterns point to a short list of priorities. Patch internet-facing systems promptly, above all VPN appliances and firewalls; monitor for NTLM relay activity; harden Active Directory; and make sure Endpoint Detection and Response (EDR) agents are tamper-protected, since disabling them is a routine step in this group’s playbook.
What You Should Do
- Patch Immediately: Prioritize and apply all security updates for internet-facing devices, particularly Fortinet FortiGate VPN appliances and Cisco network devices.
- Strengthen Authentication: Implement multi-factor authentication (MFA) on all remote access services, VPNs, and critical internal systems.
- Harden Active Directory: Review and strengthen Active Directory security configurations, enforce strong password policies, and regularly audit for suspicious activity.
- Monitor for NTLM Relay Attacks: Implement monitoring solutions to detect and alert on NTLM relay attempts, which The Gentlemen are known to leverage.
- Enhance EDR Capabilities: Ensure your Endpoint Detection and Response (EDR) solutions are up-to-date, properly configured, and include tamper-prevention features to resist malware disabling security tools.
- Regular Backups: Maintain isolated, encrypted, and regularly tested backups of all critical data to facilitate recovery without paying a ransom.
- Network Segmentation: Implement robust network segmentation to limit lateral movement in case of a breach, minimizing the impact of a successful attack.
- Employee Training: Conduct regular cybersecurity awareness training for employees, focusing on phishing, social engineering, and secure browsing habits.
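The list above and the preceding section both recommend monitoring for NTLM relay attempts without saying what to look for. The script below is an added example, not code from the article or from Check Point Research, showing two relay indicators in Windows Security event 4624 (network logon, LogonType 3, authentication package NTLM): the client-supplied WorkstationName naming a host whose inventory IP differs from the IP the connection actually arrived from, and one account authenticating via NTLM from more than one source IP inside a short window. The events, the hostnames, the IP addresses and the hostname-to-IP inventory are all constructed for the example; a real deployment would pull the events from a SIEM and the inventory from DNS, DHCP or a CMDB.

```python
"""Flag NTLM network logons that carry relay indicators.

Added example; not from the article or Check Point's research. All events,
hosts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory (hostname -> IP), as an IPAM/CMDB export would give it.
INVENTORY = {
    "WS-FIN-07": "10.10.5.23",
    "WS-HR-12": "10.10.5.41",
    "SRV-FILE-01": "10.10.1.10",
}

# Constructed Security-log 4624 events in the JSON shape a SIEM agent exports.
SAMPLE_EVENTS = [
    # Normal: jdoe's own workstation reaches the file server with NTLM.
    {"TimeCreated": "2026-04-14T09:12:01", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "jdoe",
     "WorkstationName": "WS-FIN-07", "IpAddress": "10.10.5.23",
     "Computer": "SRV-FILE-01"},
    # Relay: the NTLM messages still name WS-FIN-07 (the coerced victim),
    # but the TCP connection comes from a different address (the relayer).
    {"TimeCreated": "2026-04-14T09:12:03", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "jdoe",
     "WorkstationName": "WS-FIN-07", "IpAddress": "10.10.9.200",
     "Computer": "SRV-FILE-01"},
    # Kerberos network logon: out of scope for NTLM relay, must be ignored.
    {"TimeCreated": "2026-04-14T09:15:00", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "asmith",
     "WorkstationName": "WS-HR-12", "IpAddress": "10.10.5.41",
     "Computer": "SRV-FILE-01"},
    # Unknown workstation ("-"): no inventory check possible, timing only.
    {"TimeCreated": "2026-04-14T10:00:00", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc-backup",
     "WorkstationName": "-", "IpAddress": "10.10.1.77",
     "Computer": "SRV-FILE-01"},
    {"TimeCreated": "2026-04-14T10:00:20", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc-backup",
     "WorkstationName": "-", "IpAddress": "10.10.9.200",
     "Computer": "SRV-FILE-01"},
]


def is_ntlm_network_logon(ev):
    """4624 + LogonType 3 + NTLM package: the only logons a relay can produce."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and str(ev.get("AuthenticationPackageName", "")).upper() == "NTLM")


def workstation_mismatch(ev, inventory):
    """True when WorkstationName is a known host whose inventory IP differs
    from the IP the connection actually came from. Unknown names ("-" or
    hosts absent from the inventory) cannot be judged and return False."""
    expected = inventory.get(str(ev.get("WorkstationName", "")).upper())
    return expected is not None and expected != ev.get("IpAddress")


def detect_relays(events, inventory, window_seconds=60):
    """Return one alert dict per indicator hit, in event time order.

    reasons: "workstation_ip_mismatch" and "multi_source_ntlm_<n>_ips"
    (the same account seen via NTLM from n distinct IPs within the window).
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    ntlm = sorted((ev for ev in events if is_ntlm_network_logon(ev)),
                  key=lambda ev: ev["TimeCreated"])
    recent_by_user = defaultdict(list)  # user -> [(timestamp, ip), ...]
    for ev in ntlm:
        if workstation_mismatch(ev, inventory):
            alerts.append({"event": ev, "reason": "workstation_ip_mismatch"})
        user = ev["TargetUserName"].lower()
        ts = datetime.fromisoformat(ev["TimeCreated"])
        recent = [(t, ip) for t, ip in recent_by_user[user] if ts - t <= window]
        ips = {ip for _, ip in recent} | {ev["IpAddress"]}
        if len(ips) > 1:
            alerts.append({"event": ev, "reason": "multi_source_ntlm_%d_ips" % len(ips)})
        recent_by_user[user] = recent + [(ts, ev["IpAddress"])]
    return alerts


if __name__ == "__main__":
    for a in detect_relays(SAMPLE_EVENTS, INVENTORY):
        ev = a["event"]
        print("%-28s %-12s ws=%-10s src=%-12s %s" % (
            a["reason"], ev["TargetUserName"], ev["WorkstationName"],
            ev["IpAddress"], ev["TimeCreated"]))
```

Two caveats apply. WorkstationName is set by the client in the NTLM AUTHENTICATE message, so a relay tool can forge it; the mismatch check catches tools that forward the victim's messages verbatim, while the timing check covers the rest and also surfaces coerced-authentication bursts. Neither replaces the actual mitigations, which are to require SMB and LDAP signing, enable Extended Protection for Authentication on IIS and AD CS, and restrict outbound NTLM where possible.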
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | The Gentlemen Windows Ransomware |
| SHA-256 | 1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f | The Gentlemen Windows Ransomware |
| SHA-256 | 1af419b36a5edefef387409e2b3248c9223f7dc49a4f7b15ea095d371c3a70b2 | The Gentlemen Windows Ransomware |
| SHA-256 | 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | The Gentlemen Windows Ransomware |
| SHA-256 | 24ac3588fb8cfbff63b7fdfcbc7dec1f3c60e54e6f949dd69d68e89e0c89d966 | The Gentlemen Windows Ransomware |
| SHA-256 | 2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d | The Gentlemen Windows Ransomware |
| SHA-256 | 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 | The Gentlemen Windows Ransomware |
| SHA-256 | 3c2 | |