The Gentlemen Ransomware: 332 Victims in 5 Months and Your FortiGate Is the Target

The Gentlemen ransomware attack follows a consistent, multi-stage intrusion chain that begins at the network perimeter and ends with domain-wide encryption deployed via Group Policy.

Initial access centers on internet-facing Fortinet FortiGate VPN appliances and Cisco edge devices. Operator qbit, one of the group's nine named affiliates, maintains a live HTML dashboard tracking thousands of internet-facing FortiGate panels, showing reachability, device names, and direct login links in real time. The group exploits CVE-2024-55591 (FortiOS management interface authentication bypass), CVE-2025-32433 (Erlang SSH), and CVE-2025-33073 (NTLM relay) to obtain authenticated access. Where unpatched CVEs are unavailable, affiliates brute-force VPN and web panels using credentials harvested from public breach databases via a custom tool called buildx641, which parses OWA and Microsoft 365 login logs at scale.

Post-exploitation begins with Active Directory enumeration using NetExec and MANSPIDER. The group then performs NTLM relay attacks using RelayKing-Depth and ntlmrelayx, escalating privileges through token impersonation, MSI service abuse, and ADCS misconfigurations spanning ESC1 through ESC17. EDR products are disabled through purpose-built evasion kits including EDRStartupHinder, gfreeze, and glinker, which patch Windows Event Tracing (ETW) logging and registry entries that control security tool startup.

Persistence is established via Cloudflare Zero Trust tunnels, which the operators internally call "cloud gripping," providing long-term covert access that survives reboots and firewall rule changes. The group specifically targets backup infrastructure, including Veeam servers, NAS devices, and iDRAC management controllers, using the "quant" operator's dedicated brute-force hardware to crack credentials at scale.

Encryption deploys as the final step via Group Policy, pushing the Go-based locker to Windows and Linux endpoints simultaneously. ESXi environments receive specialized tooling for hypervisor-level encryption. Victims find ransom notes named README-GENTLEMEN.txt and a desktop wallpaper named gentlemen.bmp.

Manufacturing, technology, healthcare, and financial services face the highest concentration of confirmed attacks. Check Point Research's analysis of one affiliate's C2 infrastructure revealed an active botnet of 1,570 victims, with the infection profile showing deliberate corporate and organizational targeting rather than opportunistic scanning.

Geography skews global: only 13% of The Gentlemen's victims are US-based. The United Kingdom, Brazil, Germany, India, and Thailand each account for significant victim concentrations, meaning this is not a US-centric campaign. Any mid-market or enterprise organization in these geographies with internet-facing edge appliances is a valid target regardless of sector.

The CYFIRMA May 15, 2026 Weekly Intelligence Report documents confirmed The Gentlemen activity against consumer goods, professional services, real estate, and manufacturing organizations, alongside the group's confirmed healthcare targeting. The May 2026 attack on Marutake Co., Ltd., a pharmaceutical and healthcare company in Japan, exemplifies the group's reach into regulated industries.

The group's practice of weaponizing data from prior breaches to compromise related organizations amplifies the true scope of each intrusion. In one documented chain attack reported by Check Point Research, data stolen from a UK software consultancy was reused to compromise a Turkish client company via the same Fortinet VPN credentials. Victims face triple pressure: encrypted systems, threatened publication of stolen data, and the risk of being publicly framed as an access broker responsible for downstream breaches at their own clients.

For context on how stolen credentials fuel these attack chains, the Decryption Digest analysis of credential exposure on the dark web documented 16 billion records available for exactly this type of targeting operation.

The Gentlemen ransomware operates as a tightly managed criminal franchise with nine named core operators and an affiliate program offering substantially above-market compensation.

The administrator, zeta88 (also identified as hastalamuerte), previously operated within the Qilin ransomware program before launching The Gentlemen in September 2025. He builds the custom locker, manages the RaaS admin panel, handles infrastructure, and personally participates in encryption events alongside affiliates. He built the entire GLOCKER administration panel in three days using AI coding assistants, preferring DeepSeek and Qwen for development tasks and testing uncensored Qwen 3.5 for operational support.

The affiliate payout model offers a 90/10 split: affiliates retain 90% of each ransom payment and remit 10% to the administrator. The standard across competing RaaS programs sits at 80/20, making The Gentlemen 10 points more attractive to skilled operators seeking a high-value criminal platform. Documented ransom negotiations from the leaked database show initial demands of $250,000 with confirmed settlements at $190,000 per victim.

The operational team includes specialists for each intrusion phase. Operator qbit handles VPN scanning and FortiGate enumeration. Operator quant runs credential harvesting and brute-force infrastructure on dedicated high-performance hardware. Operators named Protagor, Wick, mAst3r, Bl0ck, JeLLy, Kunder, and Mamba conduct intrusions across the affiliate network. The administrator coordinates cryptocurrency laundering through Bitcoin exchange chains, Tinkoff bank QR conversions, and peer-to-peer cash delivery to avoid financial tracking.

The Cisco edge device exploitation techniques used by The Gentlemen closely parallel the nation-state-grade Cisco edge device exploitation documented in CVE-2026-20182, confirming that criminal groups now operate at nation-state intrusion quality through structured franchise models.

The May 4, 2026 database leak provides verified indicators across multiple layers. Security teams should ingest all of the following into SIEM, EDR, and perimeter security platforms as a priority action.

Ransomware file artifacts to hunt across all endpoints and file shares:

• README-GENTLEMEN.txt — ransom note filename on all Windows and Linux platforms
• gentlemen.bmp — desktop wallpaper artifact deployed post-encryption

Confirmed SHA-256 hashes (30 Windows samples and 3 Linux samples published by Check Point Research):

• 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a (Windows)
• 1334f0189a8e6dbc48456fa4b482c5726ab7609f7fa652fcc4c1a96f2334436f (Windows)
• 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c (Linux)

Behavioral indicators for pre-encryption detection:

• ETW event logging disabled system-wide, characteristic of EDRStartupHinder and gfreeze tooling
• Outbound Cloudflare WARP tunnel connections originating from non-IT endpoints
• Bulk NTLM relay scanning activity from internal hosts using RelayKing tooling signatures
• Group Policy Object creation or modification with an unknown executable as a startup script

YARA detection strings for the locker binary: "Silent mode", "Encrypt only mapped...shares", "README-GENTLEMEN.txt", "gentlemen.bmp", "[+] Encryption started" — any PE file matching four or more of these strings is a confirmed locker sample.

CVEs to confirm patched across all edge infrastructure: CVE-2024-55591 (FortiOS management interface), CVE-2025-32433 (Erlang SSH), CVE-2025-33073 (NTLM relay).

On May 4, 2026, the administrator of The Gentlemen acknowledged on underground forums that an internal backend database named "Rocket" had been exfiltrated. The full leak is estimated at 16.22 GB. An account named n7778 made a 44.4 MB partial dataset publicly available and listed the complete archive for sale at 10,000 USD in Bitcoin the following day.

Check Point Research's analysis of the leaked data provided the security community with an unprecedented view into a live RaaS operation. The leak confirmed nine named operators with distinct roles and TOX communication identifiers. It revealed the administrator's direct participation in encryption events, not just platform management. It exposed a botnet of 1,570 victims connected to a single affiliate's C2 server. Detailed negotiation transcripts document initial demands, counteroffers, and final settlement amounts. Bitcoin laundering chains are fully mapped, including exchange buy-desk flows, Tinkoff bank QR conversions, and physical cash delivery routes.

The leak also exposed the group's active vulnerability monitoring process: a live HTML dashboard tracking thousands of internet-facing FortiGate panels, displaying reachability status, device names, and direct login links updated in real time. This is not a passive threat operation scanning the internet opportunistically. The Gentlemen maintains a curated database of potential targets organized for rapid affiliate consumption.

The irony is operational: the group that built its operation on stealing and weaponizing victims' data suffered the same attack. Internal intelligence is now available to defenders, law enforcement, and competing criminal organizations simultaneously. For security teams, the leak delivers high-fidelity IOCs, TTPs, and operator attribution that would normally require years of DFIR engagement to assemble. The damage to organizations already in the group's active pipeline, however, is unchanged by the leak's existence.

Organizations with Fortinet or Cisco edge appliances that have not been patched within the last 30 days are at highest risk and should treat the following steps as a P0 response today.

The Gentlemen ransomware active campaign represents a structural shift in the threat landscape: criminal groups achieving nation-state intrusion quality at franchise scale. The leaked database confirms this is not a sporadic wave of opportunistic attacks. It is a structured, managed program with dedicated specialists for each intrusion phase, active CVE monitoring, purpose-built EDR evasion tools, and a financial operation complex enough to require layered money laundering across cryptocurrency exchanges, banking systems, and physical cash networks.

Three facts define the immediate risk level. First, 332 published victims in five months means the group is compromising on average more than two organizations every single day. Second, the 1,570 victims on one affiliate's C2 server includes organizations that have not yet received a ransom demand, meaning breach has occurred but monetization is still pending. Third, the May 4 leak has now exposed the group's full toolchain to every security team and law enforcement agency globally, almost certainly accelerating a rebranding or infrastructure pivot in the coming weeks.

The window to act on the intelligence advantage from this leak is narrow. The Gentlemen ransomware operators will rebrand or restructure once the leak's operational damage becomes clear. Organizations running unpatched Fortinet or Cisco edge appliances, exposed NTLM authentication, or internet-reachable backup infrastructure must treat today as their last no-cost opportunity to close these gaps before the group resurfaces under a new name with a refreshed toolchain.

Patch FortiGate for CVE-2024-55591. Disable NTLMv1. Isolate backup systems. The Gentlemen ransomware is not a future threat. Their operators are running active campaigns across manufacturing, healthcare, and financial services today, and your FortiGate login panel may already be visible on their tracking dashboard.