Fraud Management & Cybercrime, Ransomware
Internal Communications Dumped Online, Revealing Fresh Victims, Repeat Tactics

The world of ransomware faced a significant upheaval following a recent incident involving a ransomware group known as “The Gentlemen.” The group’s internal communications were unexpectedly exposed to the public, revealing insights into their operations and victim profiles.
Since its emergence as a ransomware-as-a-service entity in mid-2025, The Gentlemen had established a reputation for their brazen tactics and aggressive cybercriminal strategies. Initial hints of the group’s misfortune appeared on May 4, when a post surfaced on the cybercrime forum Breached. The post, titled “The Gentlemen – hacked data for sale,” sought $10,000 in Bitcoin for access to their internal data. However, the situation took an intriguing turn when, just days later, the same individual provided a link to a file-sharing service named MediaFire, offering the compromised data for free.
Milivoj Rajić, head of threat intelligence at DynaRisk, commented on the significance of the leaked data. According to Rajić, it offers an unprecedented glimpse into the inner workings of a modern ransomware ecosystem, showcasing everything from infrastructure management to target selection and the operational security measures they implement.
The leaked communications consisted of approximately 8,200 lines from an internal chat tool, along with various images of compromised systems. Notably, the timestamps of these messages align with workers operating on Moscow time, highlighting the group’s geographic base. Within these chats, a variety of topics are covered, including strategies to access victims’ VPN connections using tools like OpenConnect, discussions on command-and-control software, and even recommendations for YouTube tutorials aimed at enhancing technical skills.
Perhaps most alarming is the suggestion that The Gentlemen managed to infiltrate high-profile companies like Sony and Barclays, reportedly stealing around a terabyte of data from each. This data haul also included non-disclosure agreements, which the group threatened to release unless their ransom demands were met. The correspondence detailed the group’s typical approach, which involved using compromised credentials for Fortinet networking equipment and frequently leveraging the open-source ZeroPulse GitHub Repository to manage their compromised systems.
Furthermore, Rajić indicated that the leaked communications reveal a methodical approach to executing large-scale ransomware attacks. The Gentlemen seemed to prioritize significant infections, methodically encrypting corporate infrastructure while taking steps to prepare their environment for a full-scale encryption deployment. Rajić’s analysis suggests extensive reconnaissance is conducted prior to deploying ransomware, as the group gathers intelligence on backup systems, virtualization infrastructure, and critical servers to maximize the impact of their attacks.
As they executed their schemes, the group frequently discussed methods to disable endpoint security systems and counteract detection tools. They aimed to escalate privileges within Active Directory, enabling unrestricted access to IT environments and complicating detection efforts. Living-off-the-land tactics became a hallmark of their approach, utilizing legitimate enterprise IT tools to obfuscate their malicious activities.
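The two paragraphs above describe a recognisable sequence on the defender's side of the fence: a security service being stopped, an account being added to a privileged Active Directory group, audit logs being cleared, and ordinary administrative tools being run from accounts that have no business running them. The following Python script is an added example, not code from the article or from any of the parties it describes. It applies four simple rules to constructed Windows event records (event IDs 7036, 4728/4732/4756, 1102 and 4688, which are the standard IDs for service state change, group membership addition, audit log clearing and process creation) and escalates a host when two different rules fire on it within a one-hour window. The service names, group names, tool names and account allowlist are illustrative assumptions; a real deployment would take them from the organisation's own inventory.

```python
"""Rule-based triage of Windows event records for the tactics reported above.

Added example (not from the article). Event records and the allowlists below
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed names: security services, privileged AD groups, admin tools and
# accounts permitted to run those tools. Replace with your own inventory.
SECURITY_SERVICES = {"WinDefend", "Sense", "SepMasterService", "CSFalconService"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "schtasks.exe"}
ADMIN_ACCOUNTS = {"CORP\\svc-deploy", "CORP\\it-admin"}


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    user: str
    data: dict


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    detail: str


def apply_rules(ev: Event):
    """Return (rule_name, detail) if the event matches a rule, else None."""
    d = ev.data
    # 7036: a service changed state. Only stopped security services matter here.
    if ev.event_id == 7036 and d.get("service") in SECURITY_SERVICES and d.get("state") == "stopped":
        return "security_service_stopped", f"{d['service']} stopped"
    # 4728/4732/4756: member added to a global/local/universal security group.
    if ev.event_id in (4728, 4732, 4756) and d.get("group") in PRIVILEGED_GROUPS:
        return "privileged_group_add", f"{d.get('member')} added to {d['group']}"
    # 1102: the Security audit log was cleared.
    if ev.event_id == 1102:
        return "audit_log_cleared", "security log cleared"
    # 4688: process creation. Flag admin tooling run by a non-admin account.
    if ev.event_id == 4688:
        exe = d.get("image", "").rsplit("\\", 1)[-1].lower()
        if exe in ADMIN_TOOLS and ev.user not in ADMIN_ACCOUNTS:
            return "admin_tool_nonadmin", f"{exe} run by {ev.user}"
    return None


def triage(events, window=timedelta(hours=1)):
    """Return (alerts, escalated_hosts).

    A host is escalated when alerts from at least two distinct rules fall
    within `window` of each other, i.e. when single weak signals chain up.
    """
    alerts = []
    for ev in events:
        hit = apply_rules(ev)
        if hit:
            alerts.append(Alert(ev.ts, ev.host, hit[0], hit[1]))

    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)

    escalated = set()
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a.ts)
        for i, first in enumerate(hits):
            rules = {a.rule for a in hits[i:] if a.ts - first.ts <= window}
            if len(rules) >= 2:
                escalated.add(host)
                break
    return alerts, escalated


# Constructed sample events (not real telemetry).
T = datetime(2026, 5, 4, 9, 0)
SAMPLE_EVENTS = [
    Event(T + timedelta(minutes=60), 4688, "WS01", "CORP\\jdoe", {"image": "C:\\Windows\\System32\\wbem\\wmic.exe"}),
    Event(T + timedelta(minutes=65), 7036, "WS01", "SYSTEM", {"service": "WinDefend", "state": "stopped"}),
    Event(T + timedelta(minutes=80), 4728, "DC01", "CORP\\jdoe", {"member": "CORP\\jdoe", "group": "Domain Admins"}),
    Event(T + timedelta(minutes=120), 4688, "FS02", "CORP\\it-admin", {"image": "C:\\Windows\\System32\\schtasks.exe"}),
    Event(T, 7036, "WS07", "SYSTEM", {"service": "Spooler", "state": "stopped"}),
    Event(T + timedelta(minutes=210), 1102, "DC01", "CORP\\jdoe", {}),
]


def run_sample():
    """Run triage over the constructed events; used by the demo and the test."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts, escalated = run_sample()
    for a in alerts:
        print(f"{a.ts:%H:%M} {a.host:5} {a.rule:25} {a.detail}")
    print("escalated hosts:", sorted(escalated))
```

On the sample data WS01 is escalated (admin tool from a user account, then a security service stopping five minutes later), while DC01 produces two alerts that sit more than an hour apart and so stay at single-alert severity; the benign print-spooler stop and the scheduled-task run by an allowlisted admin account generate nothing. The window and rule set are the tuning knobs; the point of the correlation step is that each of these events is routinely benign on its own and only becomes interesting in combination.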
By the end of 2025, The Gentlemen had accumulated a roster of victims across Thailand and the United States, including sectors such as manufacturing, healthcare, and insurance. Their operations included a significant disruption at Romania’s state-owned power producer, Complexul Energetic Oltenia, just before Christmas. As of April 2026, cybersecurity firm S-RM noted that The Gentlemen had identified over 340 victims who had refused to pay ransoms, but details surrounding the actual ransom payments remained elusive.
The Gentlemen’s recruitment strategies were similarly aggressive, leveraging forums on the dark web to attract affiliates excited by the promise of their Go-based malware, which reportedly allows for stealthy encryption across diverse systems, including Windows, Linux, BSD, and ESXi. The group employed initial access brokers and made lucrative offers to share revenue, along with access to markets trading stolen credentials.
In the rapidly changing ransomware landscape, The Gentlemen’s adaptability has been notable. Following the release of a free decryptor for their malware by Canadian cybersecurity firm Bedrock Safeguard, the group quickly issued a patch, indicating an impressive responsiveness to their operational challenges. Furthermore, they adjusted their profit-sharing model, offering affiliates a staggering 90% cut from ransom payments, even raising this figure to 97% for data-only extortion attacks. This pivot signals the group’s efforts to adapt to evolving market conditions and cater to affiliates seeking lower-risk operational models.