The Gentlemen RaaS: New Ransomware Threat Targets Fortinet and Cisco Edge

A sophisticated new ransomware-as-a-service (RaaS) operation known as “The Gentlemen” has exploded onto the scene. Despite only appearing in mid-2025, the group has already claimed 332 victims in the first five months of 2026.

By offering an aggressive 90/10 profit split—where affiliates keep 90% of the ransom—the group has attracted a surge of highly skilled affiliates. However, a recent leak of the internal database behind their backend system, “Rocket,” has given researchers at Check Point a rare look at their playbook.


The Attack Vector: Smashing the Perimeter

The Gentlemen do not rely on simple phishing. Instead, they focus on edge devices that sit at the entry point of corporate networks. Their primary targets are exposed Fortinet FortiGate VPNs and Cisco systems.

The Group’s Top 3 Exploits:

  1. CVE-2024-55591: A flaw in the FortiOS management interface.
  2. CVE-2025-32433: An Erlang SSH vulnerability often found in Cisco environments.
  3. CVE-2025-33073: A vulnerability used for NTLM relay attacks to intercept network credentials.

Once inside, operators like “qbit” use tools like RelayKing to scan for further vulnerabilities and move laterally through the network.


A Sophisticated Double-Extortion Playbook

The Gentlemen have evolved beyond simple file encryption. They use a “double-extortion” model: stealing sensitive data first, then threatening to leak it if the ransom isn’t paid.

In a chilling tactical shift, the group has begun weaponizing victims against each other. In April 2026, after breaching a UK consultancy, they used the stolen client data to launch a follow-up attack on a Turkish company. They then publicly listed the first victim as the “access broker” for the second, doubling the reputational pressure on both parties.


Indicators of Compromise (IoCs)

Security teams should immediately hunt for these hashes and file names within their environments:

Type      | Indicator                                                        | Description
SHA-256   | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | Windows Ransomware Locker
SHA-256   | 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c | Linux Ransomware Locker
File Name | README-GENTLEMEN.txt                                             | Ransomware note
File Name | gentlemen.bmp                                                    | Desktop wallpaper change
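As an added example (not code from the article or from Check Point), the sweep below walks a directory tree and flags any file whose SHA-256 matches the two locker hashes above or whose name matches the ransom note or wallpaper; the `hunt` and `demo` functions and the sample tree they operate on are constructed here for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators listed in the article (Check Point report).
GENTLEMEN_SHA256 = {
    "025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a": "Windows ransomware locker",
    "1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c": "Linux ransomware locker",
}
GENTLEMEN_FILENAMES = {  # compared case-insensitively
    "readme-gentlemen.txt": "Ransom note",
    "gentlemen.bmp": "Desktop wallpaper",
}

def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hunt(root, hashes=GENTLEMEN_SHA256, names=GENTLEMEN_FILENAMES, max_size=200 << 20):
    """Return (path, indicator_type, description) for every IoC hit under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append((p, "filename", names[fn.lower()]))
            try:
                if not os.path.isfile(p) or os.path.getsize(p) > max_size:
                    continue  # skip sockets, broken links and oversized files
                digest = sha256_of(p)
            except OSError:
                continue  # locked or unreadable file: keep sweeping, do not abort
            if digest in hashes:
                hits.append((p, "sha256", hashes[digest]))
    return hits

def demo():
    """Sweep a constructed sample tree (placeholders, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        note = Path(tmp, "Users", "alice", "README-GENTLEMEN.txt")
        note.parent.mkdir(parents=True)
        note.write_text("constructed placeholder, not the real note")
        blob = Path(tmp, "tmp", "sample.bin")
        blob.parent.mkdir(parents=True)
        blob.write_bytes(b"constructed sample bytes")
        # Constructed hash added so the hash path is exercised without a real locker.
        hashes = dict(GENTLEMEN_SHA256)
        hashes[hashlib.sha256(b"constructed sample bytes").hexdigest()] = "constructed test sample"
        return sorted((os.path.relpath(p, tmp).replace(os.sep, "/"), kind, desc)
                      for p, kind, desc in hunt(tmp, hashes=hashes))
```

Point `hunt` at user profile and temp directories first; the lockers and the note are the artifacts most likely to survive on disk after an encryption run.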

How to Defend Your Network

The Gentlemen’s success relies on misconfigured or unpatched edge devices. To block them, defenders must:

  • Patch Edge Devices: Prioritize updates for FortiOS and Cisco firmware immediately.
  • Monitor NTLM Activity: Set up alerts for NTLM relay attempts, especially from internal accounts to external-facing servers.
  • Harden Active Directory: The group performs heavy AD reconnaissance after the initial breach; ensure your AD is configured with the principle of least privilege.
  • Tamper-Proof EDR: The group specifically uses “evasion kits” to disable security tools. Ensure your Endpoint Detection and Response (EDR) has protection against service termination.
