A recent leak of internal material from The Gentlemen ransomware group offers an unusually detailed view of how ransomware operations are evolving. It shows significant change in how these groups are organized and in the tools they use, while illustrating a continued reliance on tried-and-true intrusion techniques that have persisted over the last four years.
One of the most striking revelations from the leak is the clear continuity of operators across prominent ransomware brands. An actor using the alias “Tinker” has been linked to several groups, appearing in connection with Conti in 2022, Black Basta in 2025, and now The Gentlemen in 2026. This person has kept a consistent role centered on phishing, ransom negotiation, and credential theft. The leaked material presents these practices as a standard modus operandi, pointing to a stable workforce that moves between groups much as employees move between companies.
The leak further shows that these groups share infrastructure, which gives defenders another pivot for attribution. One shared server, bestflowers247.online, illustrates how the groups rebrand rather than fully break with their earlier operations. The pattern is a troubling one: after a crackdown, operators do not disappear; they simply reappear under new aliases.
Despite the sophistication of their operational methods, initial access techniques are largely unchanged. The Gentlemen lean heavily on Fortinet edge devices: FortiGate systems are referenced 81 times in the chat logs. Operators openly discussed specific vulnerabilities such as CVE-2024-55591, an authentication bypass in FortiOS. The logs also document brute-force attempts against roughly 1,000 Fortinet VPN instances, which succeed when passwords are weak or reused; credentials such as “gentlemen25” and “Gentlemen25” appear in the material. This mirrors earlier Black Basta and Conti intrusions, where access was consistently obtained through vulnerable edge devices and known security flaws.
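A minimal detection for the Fortinet VPN brute-forcing described above, written for this page as an added example (it is not code from the leak, from Vectra AI, or from Fortinet). It parses FortiGate-style key=value event logs and flags a source IP that fails repeatedly or across several accounts, and calls out the worst case, a later successful login from that same source. The log lines are constructed for the example; the thresholds and the IP and user values are assumptions to tune against your own baseline.

```python
"""Flag SSL-VPN brute-force / password spraying in FortiGate event logs.

Added example, not code from the leak, from Vectra AI or from Fortinet. The
field names (type, subtype, action, user, remip) follow the FortiOS key=value
event-log format; the log lines are constructed for this example and the
thresholds are illustrative assumptions."""
import re
from collections import defaultdict

# FortiGate syslog is space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: one source sprays four accounts and finally gets in;
# a second source has a single, probably innocent, failure.
SAMPLE_LOGS = """\
date=2026-03-02 time=09:14:01 devname="fgt-edge-1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-03-02 time=09:14:03 devname="fgt-edge-1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="admin" remip=203.0.113.7 reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2026-03-02 time=09:14:05 devname="fgt-edge-1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="vpnuser" remip=203.0.113.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-03-02 time=09:14:07 devname="fgt-edge-1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="backup" remip=203.0.113.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-03-02 time=09:14:08 devname="fgt-edge-1" type="traffic" subtype="forward" action="accept" srcip=10.0.5.21 dstip=10.0.1.9 dstport=3128
date=2026-03-02 time=09:14:09 devname="fgt-edge-1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="backup" remip=203.0.113.7 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-03-02 time=09:14:12 devname="fgt-edge-1" type="event" subtype="vpn" level="information" action="tunnel-up" tunneltype="ssl-tunnel" user="backup" remip=203.0.113.7 msg="SSL VPN tunnel up"
date=2026-03-02 time=09:20:44 devname="fgt-edge-1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" tunneltype="ssl-web" user="mlee" remip=198.51.100.20 reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
"""


def parse_fortigate_line(line):
    """Return the key=value fields of one log line as a dict, quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def detect_vpn_bruteforce(lines, fail_threshold=5, user_threshold=3):
    """Group SSL-VPN login failures by source IP and flag sources that fail
    often (brute force) or across many accounts (spraying). A tunnel-up from
    a source that already failed is the most actionable signal: a weak or
    reused password was eventually guessed."""
    failures = defaultdict(list)          # remip -> [user, user, ...]
    success_after_fail = defaultdict(set)  # remip -> {user}
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") != "event" or f.get("subtype") != "vpn":
            continue  # traffic, system and other event subtypes are irrelevant
        ip, user, action = f.get("remip"), f.get("user", ""), f.get("action")
        if action == "ssl-login-fail":
            failures[ip].append(user)
        elif action == "tunnel-up" and ip in failures:
            success_after_fail[ip].add(user)
    findings = []
    for ip, users in sorted(failures.items()):
        distinct = set(users)
        if len(users) >= fail_threshold or len(distinct) >= user_threshold:
            findings.append({
                "remip": ip,
                "failures": len(users),
                "distinct_users": len(distinct),
                "success_after_failures": sorted(success_after_fail.get(ip, ())),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_vpn_bruteforce(SAMPLE_LOGS.splitlines()):
        print(finding)
```

On the sample, 203.0.113.7 is reported with five failures across four accounts and a subsequent successful tunnel for "backup", while the single failure from 198.51.100.20 stays below both thresholds. In production you would run this over a sliding time window and add the account-lockout and geolocation context FortiOS logs do not carry.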
Artificial intelligence increasingly appears in these groups' workflows, though not in the way conventional expectations suggest. Rather than being used to write malware, assistants such as ChatGPT and Claude are used for social engineering, scripting, and data processing. Internal communications in the leak show AI drafting phishing messages, automating victim interactions, and translating code between languages for malware variants.
In May 2026, Vectra AI released an analysis of the Gentlemen leak, which comprised 3,366 internal Rocket.Chat messages alongside key infrastructure details, giving significant insight into one of the most active ransomware groups of the year. The group also showed a willingness to use uncensored large language models hosted on platforms like Hugging Face, running them on rented GPU infrastructure to analyze stolen data.
Even so, operators showed varying degrees of confidence in AI output, which indicates that it serves as a supporting tool rather than a central component of operations.
Tooling has changed noticeably. The Gentlemen use a custom command-and-control platform named G-BOT in place of conventional frameworks like Cobalt Strike. G-BOT provides SOCKS5 tunneling and delivers payloads through public file-sharing services such as temp.sh and 0x0.st. The shift fits a broader trend: Black Basta's earlier Breaker C2 framework, with its TCP, DNS, and ICMP channels, likewise marked a move toward proprietary tooling built to evade detection.
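A parser for the SOCKS5 handshake (RFC 1928) over captured client-to-server bytes, added here as an example for hunting proxy tunnels like the one the article says G-BOT provides. It is not G-BOT code, whose wire format the leak does not describe, and it only helps where the SOCKS5 handshake itself crosses a monitored segment (for example a proxy listener on a compromised host used to pivot to other internal machines). The sample flows, host addresses and the sanctioned-proxy address are constructed assumptions.

```python
"""Recognise SOCKS5 client handshakes (RFC 1928) in captured client->server
bytes and flag ones aimed at hosts that are not sanctioned proxies.

Added example implementing the public RFC, not G-BOT's own code. The flows,
addresses and SANCTIONED_PROXIES set below are constructed assumptions."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
SANCTIONED_PROXIES = {"10.0.1.9"}  # assumed corporate proxy address


def parse_socks5_client(data):
    """Parse the greeting (VER NMETHODS METHODS...) and, if it follows in the
    same captured bytes, the request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    Returns None if the bytes are not a SOCKS5 greeting; otherwise a dict whose
    'request' is None when only the greeting was seen (for example when an
    RFC 1929 username/password sub-negotiation sits in between)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = [AUTH_NAMES.get(m, f"0x{m:02x}") for m in data[2:2 + nmethods]]
    result = {"auth_methods": methods, "request": None}
    off = 2 + nmethods
    if len(data) < off + 4 or data[off] != SOCKS_VERSION or data[off + 2] != 0x00:
        return result
    cmd, atyp = data[off + 1], data[off + 3]
    off += 4
    if atyp == 0x01:                       # IPv4 address, 4 bytes
        if len(data) < off + 6:
            return result
        host = str(ipaddress.IPv4Address(data[off:off + 4])); off += 4
    elif atyp == 0x03:                     # domain name, length-prefixed
        n = data[off]; off += 1
        if len(data) < off + n + 2:
            return result
        host = data[off:off + n].decode("ascii", "replace"); off += n
    elif atyp == 0x04:                     # IPv6 address, 16 bytes
        if len(data) < off + 18:
            return result
        host = str(ipaddress.IPv6Address(data[off:off + 16])); off += 16
    else:
        return result
    port = struct.unpack("!H", data[off:off + 2])[0]
    result["request"] = {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}
    return result


def build_socks5_client_bytes(host, port, methods=(0x00,)):
    """Encode greeting + CONNECT request as a client sends them; used here only
    to construct the sample captures below."""
    greeting = bytes([SOCKS_VERSION, len(methods), *methods])
    try:
        addr = bytes([0x01]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:    # not an IPv4 literal: send as a name
        raw = host.encode("ascii")
        addr = bytes([0x03, len(raw)]) + raw
    return greeting + bytes([SOCKS_VERSION, 0x01, 0x00]) + addr + struct.pack("!H", port)


# Constructed client->server payloads of three TCP flows.
SAMPLE_FLOWS = [
    {"src": "10.0.5.21", "dst": "10.0.5.40", "dport": 1080,
     "payload": build_socks5_client_bytes("10.0.10.15", 445)},          # pivot via a workstation
    {"src": "10.0.5.21", "dst": "10.0.1.9", "dport": 1080,
     "payload": build_socks5_client_bytes("dc01.corp.internal", 389, methods=(0x00, 0x02))},
    {"src": "10.0.5.22", "dst": "10.0.5.40", "dport": 8080,
     "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"},           # plain HTTP, not SOCKS
]


def find_socks5_pivots(flows, sanctioned=SANCTIONED_PROXIES):
    """Return the flows that carry a SOCKS5 handshake to a non-sanctioned host."""
    alerts = []
    for fl in flows:
        parsed = parse_socks5_client(fl["payload"])
        if parsed is None or fl["dst"] in sanctioned:
            continue
        alerts.append({"src": fl["src"], "dst": fl["dst"], "dport": fl["dport"],
                       "auth_methods": parsed["auth_methods"], "request": parsed["request"]})
    return alerts


if __name__ == "__main__":
    for alert in find_socks5_pivots(SAMPLE_FLOWS):
        print(alert)
```

On the sample, the flow from 10.0.5.21 to 10.0.5.40 is reported as a SOCKS5 CONNECT toward 10.0.10.15:445 through a host that is not a proxy, the flow to the sanctioned proxy is parsed but ignored, and the HTTP flow is not SOCKS at all. The check keys on the protocol bytes rather than on port 1080, because a custom C2 can put its proxy listener on any port.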
EDR is no longer merely avoided but actively defeated. The leaked documents reference techniques such as NTDLL unhooking and direct syscall execution, evidence of maturing defensive-evasion tradecraft. One insider claimed that tools capable of disabling leading EDR products sell for around $5,000, pointing to a robust underground market for evasion capabilities.
The leak also shows a growing emphasis on hypervisor-level attacks. The Gentlemen specifically target Hyper-V environments and encrypt virtual machine storage at the host level. Because the encryption happens on the host rather than inside the guests, guest-based monitoring never sees it, and endpoint security is left in the dark about the ongoing encryption.
Post-exploitation activity is consistent with historical ransomware practice. Tools such as LummaC2, Phemedrone Stealer, and DumpBrowserSecrets are used to harvest credentials stored on compromised hosts. For domain compromise the group copies NTDS.dit out of a Volume Shadow Copy, which yields the password hashes of every domain account. Data exfiltration also follows the familiar pattern: rclone moves stolen data from a Synology NAS staging server to MEGA cloud storage.
Among the exposed configurations was an active exfiltration endpoint at IP 193.228.128.2 on port 2222, a concrete indicator defenders can check against their own outbound-connection logs.
In conclusion, the Gentlemen leak reinforces a consistent pattern in ransomware operations: innovation goes into evasion, infrastructure, and scale, while the fundamental intrusion methods barely change. Exploiting edge devices, harvesting credentials, and abusing legitimate tools for data exfiltration continue to work, which points to persistent gaps in defenses despite years of public disclosures and threat intelligence reporting.

