Fortinet: Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation

New Insights into "The Gentlemen" Ransomware Group Revealed Amid Affiliate Leak

A ransomware affiliate known as hastalamuerte has exposed operational details of The Gentlemen, a rapidly emerging ransomware-as-a-service (RaaS) group, following internal disputes. Research published by Group-IB on March 19 provides a rare look into the group’s infrastructure, attack methods, and affiliate dynamics.

The Gentlemen emerged from a split within the Qilin RaaS ecosystem, leveraging existing tools to establish itself as a new threat. The group employs a dual-extortion model, encrypting victim data while threatening public leaks to pressure payments. Targets span Windows, Linux, and ESXi environments, with initial access often gained through vulnerable FortiGate VPN devices via exploitation or brute-force attacks.

Once inside, affiliates automate lateral movement with PowerShell and Windows Management Instrumentation (WMI) to harvest credentials, disrupt backups, and deploy domain-wide encryption. The group also employs anti-forensic measures, such as log deletion and Bring Your Own Vulnerable Driver (BYOVD) attacks, to evade detection and hinder recovery.

The leak underscores growing tensions within RaaS networks, where disputes among affiliates can expose operational details. The Gentlemen’s rise reflects broader trends in cybercrime, including increased specialization and professionalization of ransomware groups. Their use of advanced evasion techniques and flexible infrastructure continues to challenge traditional security defenses, while internal instability may create opportunities for disruption.

Source: https://www.infosecurity-magazine.com/news/ransomware-affiliate-gentlemen/

Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet

"id": "FOR1773937523",
"linkid": "fortinet",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'attack_vector': ['Exploitation of vulnerable FortiGate VPN devices',
                   'Brute-force attacks'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'sensitivity_of_data': 'High (threatened for public leaks)',
                 'type_of_data_compromised': ['Victim data']},
 'date_publicly_disclosed': '2024-03-19',
 'description': 'A ransomware affiliate known as hastalamuerte exposed '
                'operational details of The Gentlemen, a rapidly emerging '
                'ransomware-as-a-service (RaaS) group, following internal '
                'disputes. The group employs a dual-extortion model, targeting '
                'Windows, Linux, and ESXi environments with advanced evasion '
                'techniques.',
 'impact': {'data_compromised': True,
            'operational_impact': 'Disruption of backups, domain-wide '
                                  'encryption',
            'systems_affected': ['Windows', 'Linux', 'ESXi']},
 'initial_access_broker': {'entry_point': ['Vulnerable FortiGate VPN devices']},
 'lessons_learned': 'Internal disputes among affiliates can expose operational '
                    'details of ransomware groups, creating opportunities for '
                    'disruption. The rise of specialized RaaS groups with '
                    'advanced evasion techniques challenges traditional '
                    'security defenses.',
 'motivation': ['Financial gain', 'Data extortion'],
 'post_incident_analysis': {'root_causes': ['Exploitation of FortiGate VPN '
                                            'vulnerabilities',
                                            'Brute-force attacks',
                                            'Internal affiliate disputes']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'The Gentlemen'},
 'references': [{'date_accessed': '2024-03-19', 'source': 'Group-IB'}],
 'threat_actor': 'The Gentlemen (RaaS group)',
 'title': 'The Gentlemen Ransomware Group Affiliate Leak',
 'type': 'Ransomware',
 'vulnerability_exploited': 'FortiGate VPN vulnerabilities'}