LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile The Gentlemen

The Gentlemen: The RaaS Group That Outran Its Origins

Launched by a disgruntled former Qilin affiliate in mid-2025 following an unpaid commission dispute, The Gentlemen has become one of the most active ransomware operations in the world -- reaching second place globally in Q1 2026 with over 1,570 linked victims.

By Ransomware Tracker ·
the-gentlemenransomwareraasqilinfortiosdouble-extortiongo-ransomware
Threat Level
8/10
Sectors Targeted
government
healthcare
manufacturing
education
Ransomware Family
The Gentlemen

The ransomware-as-a-service ecosystem regularly produces successor groups — affiliates who split from established operations to launch their own. Most don’t last. The Gentlemen is an exception. Launched in July–August 2025 following a $48,000 commission dispute with Qilin, the group has grown faster than almost any RaaS operation in recent memory, publishing 332 victims in the first five months of 2026 alone and ranking second globally in Q1 2026 by victim count.

Origins: A Forum Dispute That Became a Rival Operation

The Gentlemen traces to a single public arbitration post on the RAMP cybercrime forum dated 22 July 2025. A Russian-speaking threat actor operating under the aliases hastalamuerte and zeta88 — previously running an affiliate crew called ArmCorp under the Qilin operation — accused Qilin operators of withholding $48,000 in commissions earned from successful intrusions.

The dispute went unresolved. Within weeks, hastalamuerte launched The Gentlemen as an independent RaaS platform, taking experience and, critically, a pre-existing stockpile of compromised access credentials with him.

The 90% Affiliate Model

The Gentlemen’s RaaS structure is deliberately designed to attract capable operators. Affiliates receive a 90% revenue share — among the highest in the industry. Standard RaaS models typically offer 70–80% to affiliates; The Gentlemen’s model inverts this, with operators retaining minimal margin and compensating by running lean infrastructure and relying on affiliate quality rather than volume.

The affiliate count is small — approximately 20 members — and affiliates retain full control over victim negotiations. Coordination uses TOX protocol for operational security. The result is a high-trust, high-capability model that more closely resembles a selective criminal organisation than a conventional RaaS marketplace.

Technical Capabilities

Ransomware Locker

The Gentlemen’s ransomware is a custom Go-based locker, built specifically for the operation rather than adapted from a leaked or licensed existing codebase. It targets Windows, Linux, NAS, and BSD systems. Go is consistent with 2025–2026 trends among capable ransomware groups: compiled binaries are harder to analyse than C/C++ equivalents, run without dependencies as static binaries, and cross-compile easily for multiple platforms.

Primary Initial Access: CVE-2024-55591

The group’s most distinctive capability is its pre-built database of compromised FortiGate access. CVE-2024-55591 is a critical authentication bypass in FortiOS and FortiProxy that allows unauthenticated attackers to gain super-admin access via crafted requests to the Node.js management websocket module. The Gentlemen’s operator database reportedly contains approximately 14,700 already-exploited FortiGate devices globally, supplemented by 969 validated brute-forced VPN credentials.

This stockpile explains the group’s rapid expansion. Rather than spending time on initial access operations, affiliates can be handed working credentials to enterprise networks and proceed directly to internal reconnaissance. The model is efficient and scales without requiring technical sophistication from all affiliates.

Post-Access Tradecraft

Once inside, The Gentlemen affiliates demonstrate above-average technical capability. Documented tactics include custom antivirus-killing tooling, Windows event log manipulation for defence evasion, and double-extortion via a dedicated leak site. Exfiltration typically precedes encryption; the threat of data publication is used as additional leverage in negotiations.

An April 2026 incident documented affiliates using access to a compromised UK software consultancy to pivot into a Turkish client organisation — explicit access-broker labelling in their internal tooling suggests structured secondary access sales alongside direct extortion.

Victim Profile and Victimology

The Gentlemen’s targeting is broad rather than sector-focused. Their internal database — partially leaked in May 2026 — showed over 1,570 linked victims across 17+ countries. The geographical breakdown shows 13% US victims, with significant concentrations in Thailand, the UK, Brazil, Germany, and India. Sector distribution spans government entities, educational institutions, healthcare, and manufacturers.

The broad targeting reflects the affiliate model: different affiliates bring different access sets and different targeting preferences. The operator’s role is infrastructure and proceeds processing, not victim selection.

The Leak That Exposed the Operation

In April–May 2026, The Gentlemen suffered an operational security failure: internal chat logs and operational database records were leaked, revealing affiliate coordination details, operator-affiliate communications, and victim processing workflows. The leak was attributed to a disgruntled affiliate — an irony given the group’s own origin in an affiliate dispute.

The leaked data gave intelligence organisations and incident responders detailed insight into the group’s operations. It is unusual for a RaaS operation of this scale to suffer such a comprehensive internal breach within its first year, and raises questions about the group’s long-term operational security discipline.

Detection and Response

Initial access via FortiOS CVE-2024-55591 should be the primary focus for organisations running affected FortiGate appliances. Check Point, Mandiant, and CISA have all published indicators specific to this exploitation pattern. Organisations should audit FortiGate management interface exposure, apply patches for CVE-2024-55591 immediately if not already done, and review VPN authentication logs for anomalous super-admin activity.

Network detection for The Gentlemen’s Go-based locker is available from multiple vendors. Behavioural indicators — mass file rename events, shadow copy deletion, and unusual outbound data transfers prior to encryption — remain the most reliable detection signals regardless of the specific locker variant in use.

Given the group’s use of pre-compromised credentials, organisations in sectors with significant FortiGate deployment (manufacturing, government, healthcare) should treat any unexamined FortiGate credential set as potentially compromised and rotate accordingly.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting