The Rise of The Gentlemen Ransomware-as-a-Service: An In-Depth Analysis
The Gentlemen ransomware-as-a-service (RaaS) operation has recently emerged as a formidable threat, exploiting exposed Fortinet and Cisco edge devices to gain rapid access to enterprise networks. It first gained traction in mid-2025, and by early 2026 it had become one of the most prolific entities in the underground cybercrime landscape, with hundreds of victims and a well-defined methodology: compromising edge appliances, abusing NTLM relay weaknesses, and aggressively evading endpoint detection and response (EDR) systems.
As part of their modus operandi, affiliates of The Gentlemen engage in exhaustive scans for exposed Fortinet VPNs and other edge devices. They employ a variety of tactics to breach these systems, including brute-forcing credentials at web or VPN access points, exploiting known vulnerabilities, or acquiring access through established bot and access brokers. Leaked internal communications have revealed that the operators of The Gentlemen typically achieve initial access through internet-facing VPN appliances, firewalls, and management interfaces, with Fortinet’s FortiGate and Cisco’s platforms identified as particularly lucrative targets.
Reports from Check Point substantiate that, judging by the victims list on the group’s data leak site (DLS), The Gentlemen is one of the most active RaaS programs currently operating. The group meticulously tracks specific vulnerabilities that fit its operational strategy, such as CVE-2024-55591, which affects the FortiOS management interface, and CVE-2025-32433, an Erlang SSH flaw relevant to Cisco and other Erlang-based SSH services.
The communication among the group’s operators shows a rigorous examination of proof-of-concept exploits. They assess the quality and reliability of each exploit before deploying it against the identified edge services, treating vulnerabilities not as isolated findings but as integral components of a robust initial-access pipeline. Once a target device is compromised, whether a Fortinet or Cisco appliance, it serves as a launching pad for deeper intrusion rather than as the ultimate objective.
An investigation into the group’s internal structure reveals a tightly knit core of at least nine named operators and eight distinct affiliate TOX IDs, all under the leadership of an administrator identified as “zeta88,” also referred to as “hastalamuerte.” From the perimeter, the operators move inward: using VPN access or credentials obtained directly from the compromised device, they attempt to reach domain-joined systems, escalate privileges, and begin reconnaissance of Active Directory, file shares, and backup infrastructure.
The leaked data and chat logs from the group’s Rocket backend provide a unique end-to-end overview of their sophisticated RaaS workflow. Following the initial foothold gained at the edge, they proceed through a structured sequence: mapping Active Directory, checking for certificate and NTLM relay vulnerabilities, escalating local privileges, and tampering with EDR and antivirus defenses.
Tools such as NetExec, RelayKing, PrivHound, CertiHound, and TaskHound help them identify relayable paths and take advantage of misconfigurations to gain domain-level access. NTLM relay is central to their operations: the group pays particular attention to CVE-2025-33073, an NTLM reflection/relay issue, and uses the output of RelayKing to select targets for further exploitation with tools such as ntlmrelayx.
The Gentlemen invest heavily in evasion, with a particular focus on EDR bypass. They deploy specialized tool sets labeled “EDR killers,” such as EDRStartupHinder, alongside techniques inspired by public research on abusing event tracing and logging. The aim is to hide their activity from defenders before the ransomware payload is released.
Once defenses are compromised, the priority shifts toward lateral movement and data theft. The operators often establish Cloudflare-based tunnels and custom VPNs to facilitate stable command-and-control (C2) communication. Their targets expand to include Network Attached Storage (NAS) devices, virtualization hosts, and backup systems, as they look to exfiltrate sensitive information on a large scale.
The final phase of the operation is the deployment of custom ransomware designed to spread through existing administrative sessions and Group Policy mechanisms, ensuring maximum disruption. Deployment comes only after the critical data and access have already been secured.
Key individuals in The Gentlemen’s hierarchy have defined roles: “qbit” specializes in scanning for vulnerable Fortinet VPNs and edge devices, while “quant” focuses on log-based credential acquisition, especially high-value brute-force attacks against O365 and Outlook Web Access (OWA). Their infrastructure is tuned for repeat operations, with a suite of tools including ZeroPulse, Velociraptor, and WireGuard and OpenVPN scripts used to secure access and C2 channels.
On the financial front, The Gentlemen operate an aggressive revenue-sharing model, offering a 90/10 split in favor of affiliates. They use non-custodial wallets and over-the-counter cash-out methods to launder the proceeds of their nefarious activities while attempting to evade Anti-Money Laundering (AML) scrutiny.
In summary, the ongoing threat posed by The Gentlemen shows that exposed Fortinet and Cisco edge devices are more than mere perimeter weaknesses; an increasingly sophisticated RaaS operation treats them as preferred entry points into enterprise networks. Defenders must therefore prioritize closing these avenues by patching management interfaces, strengthening VPN authentication, and eliminating NTLM relay pathways if they are to stay one step ahead of the adversaries in this criminal ecosystem.
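Two of the points above, the group’s reliance on NTLM relay (RelayKing output feeding ntlmrelayx) and the closing advice to eliminate relay pathways, translate into concrete defender checks. The following Python is an added example, not code from the article or from any tooling it names. It does two things over constructed data: it flags relay-shaped NTLM network logons in Windows Security event 4624 records (the WorkstationName inside the NTLM exchange names the victim, while the IpAddress is the machine that forwarded the authentication, so the two disagree), and it lists hosts whose signing settings would let a relayed authentication succeed. The event lines, the IP-to-host inventory and the per-host hardening state are all constructed samples.

```python
"""Defender-side NTLM relay heuristics.

Added illustrative example; not code from the article or from the
group's tooling. All inputs below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed event lines, modelled on the key=value fields a SIEM would
# extract from Security event 4624 (LogonType 3 = network logon).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS-FIN-07 IpAddress=10.0.5.44 Computer=FS01",
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS-FIN-07 IpAddress=10.0.9.250 Computer=FS01",
    "EventID=4624 LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=WS-HR-02 IpAddress=10.0.5.51 Computer=DC01",
    "EventID=4624 LogonType=2 AuthenticationPackageName=NTLM WorkstationName=WS-HR-02 IpAddress=10.0.5.51 Computer=WS-HR-02",
    "EventID=4624 LogonType=3 AuthenticationPackageName=NTLM WorkstationName=BACKUP01 IpAddress=10.0.9.250 Computer=DC01",
]

# Constructed inventory: the host expected at each IP address
# (in practice built from DHCP leases, VPN concentrator logs or a CMDB).
INVENTORY = {
    "10.0.5.44": "WS-FIN-07",
    "10.0.5.51": "WS-HR-02",
    "10.0.7.10": "BACKUP01",
    # 10.0.9.250 is deliberately absent: an unknown device on the network.
}

# Constructed hardening state per host, as a configuration audit would collect it.
HOST_CONFIG = {
    "DC01":     {"role": "dc",   "smb_signing_required": True,  "ldap_signing_required": False, "ldap_channel_binding": False},
    "FS01":     {"role": "file", "smb_signing_required": False, "ldap_signing_required": None,  "ldap_channel_binding": None},
    "BACKUP01": {"role": "file", "smb_signing_required": True,  "ldap_signing_required": None,  "ldap_channel_binding": None},
}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    auth_package: str
    workstation: str   # name the client placed in the NTLM AUTHENTICATE message
    source_ip: str     # TCP peer that delivered the authentication
    target: str        # host that accepted the logon


def parse_event(line: str) -> LogonEvent:
    """Parse one key=value event line into a LogonEvent."""
    fields = dict(token.split("=", 1) for token in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthenticationPackageName"],
        workstation=fields["WorkstationName"],
        source_ip=fields["IpAddress"],
        target=fields["Computer"],
    )


def suspicious_ntlm_logons(lines: List[str], inventory: Dict[str, str]) -> List[LogonEvent]:
    """Return NTLM network logons whose WorkstationName does not match the
    host expected at IpAddress, or whose IpAddress is not in the inventory.
    A relayed authentication carries the victim's name but arrives from the
    relay host, so the two fields disagree."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev.event_id != 4624 or ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
            continue
        expected = inventory.get(ev.source_ip)
        if expected is None or expected.upper() != ev.workstation.upper():
            flagged.append(ev)
    return flagged


def relay_exposed_hosts(config: Dict[str, dict]) -> List[str]:
    """List hosts that would accept a relayed NTLM authentication: SMB signing
    not required, or, on a domain controller, LDAP signing or channel binding
    not enforced."""
    exposed = []
    for host, c in config.items():
        if not c["smb_signing_required"]:
            exposed.append(host)
        elif c["role"] == "dc" and not (c["ldap_signing_required"] and c["ldap_channel_binding"]):
            exposed.append(host)
    return sorted(exposed)


if __name__ == "__main__":
    for ev in suspicious_ntlm_logons(SAMPLE_EVENTS, INVENTORY):
        print(f"suspect relay: {ev.workstation} credentials arrived from {ev.source_ip} at {ev.target}")
    print("relay-exposed hosts:", relay_exposed_hosts(HOST_CONFIG))
```

On the sample data the two logons from the unknown address 10.0.9.250 are flagged, and DC01 (LDAP signing and channel binding not enforced) and FS01 (SMB signing not required) are reported as relay-exposed. The mismatch heuristic produces false positives wherever NAT, VPN concentrators or DHCP churn break the IP-to-host mapping, so the inventory should be built from the same time window as the events; the configuration check mirrors the article’s advice to remove relay pathways, which in practice means requiring SMB signing everywhere and enforcing LDAP signing plus channel binding on domain controllers.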