The Gentlemen RaaS Leverages Fortinet and Cisco Edge Devices for Initial Access

A ransomware group that only surfaced in mid-2025 has already made a significant mark on the threat landscape. The Gentlemen, a ransomware-as-a-service (RaaS) operation, has quickly risen to become one of the most active ransomware programs in the world, with around 332 published victims in just the first five months of 2026 alone.

The group runs its operation through an affiliate model, advertising its platform on underground forums and inviting skilled individuals to join as partners. Affiliates take home 90% of every ransom payment, while the operator keeps just 10%.

That aggressive split has attracted a steady stream of participants, helping the group scale its attacks at a rapid pace.

Analysts from Check Point Research have been closely tracking The Gentlemen and recently obtained a rare look inside the group’s inner workings after an internal database leak surfaced on underground forums.

On May 4, 2026, the group’s administrator publicly acknowledged that their backend system, known internally as “Rocket,” had been compromised and that sensitive operational data had been exposed.

The leaked material included internal chat logs from channels named INFO, general, TOOLS, and PODBOR. These conversations gave researchers an end-to-end view of how the group runs its campaigns, from initial access and reconnaissance all the way through ransom negotiations and payouts.

Targeting Fortinet and Cisco Edge Devices

In one documented case, the group negotiated a final ransom payment of 190,000 USD after starting with an initial demand of 250,000 USD.

What makes The Gentlemen particularly dangerous is how tightly organized they are despite being affiliate-based. The leak identified nine named accounts working together in a coordinated way, with the administrator, known as zeta88 or hastalamuerte, personally involved in carrying out attacks alongside managing the overall program.

The group’s preferred method for breaking into a target’s network starts at the perimeter. Their main focus is on exposed edge devices such as Fortinet FortiGate VPN appliances and Cisco systems, which are commonly found at the entry points of corporate networks. Once they find a vulnerable or misconfigured device, they use it as a gateway inside.

To gain that initial foothold, the group combines several approaches. They brute-force login panels, exploit known security flaws, and purchase ready-made access from underground brokers.

Three vulnerabilities they actively track include CVE-2024-55591, affecting the FortiOS management interface, CVE-2025-32433, an Erlang SSH flaw relevant in Cisco environments, and CVE-2025-33073, tied to NTLM relay attacks.

One key operator known as qbit was specifically observed scanning for Fortinet VPNs and running NTLM relay checks using a tool called RelayKing.

After getting a foothold, the group pivots deeper into the network. They perform Active Directory reconnaissance, escalate privileges, and disable security tools using purpose-built evasion kits.

They also use cloud-based tunneling through services like Cloudflare to maintain reliable, long-term access without being detected. Only once the network is firmly in their control do they deploy their custom ransomware locker and begin encrypting systems.

A Sophisticated Double-Extortion Playbook

The Gentlemen do not stop at encryption. They exfiltrate data before deploying their locker and use it as leverage in negotiations. In a notable case from April 2026, the group breached a software consultancy in the United Kingdom, stole sensitive client data, and then reused that same data weeks later to assist an attack against a company in Turkey, where they had also gained initial access through a vulnerable VPN appliance.

In the Turkish operation, the group published the UK consultancy as the supposed “access broker” on their data leak site, creating pressure on both victims simultaneously.

This tactic, where earlier victims are weaponized against future ones, signals a notable shift in how ransomware groups think about stolen data. Ransom demand letters drafted by zeta88 also emphasized regulatory exposure and reputational damage to push victims into paying faster.

For defenders, the patterns seen in this campaign highlight clear areas that need attention. Organizations should prioritize patching internet-facing systems, particularly VPN appliances and firewalls.

Monitoring for NTLM relay activity, hardening Active Directory configurations, and ensuring that EDR solutions are tamper-resistant are all meaningful steps that can reduce exposure to groups operating with this level of sophistication.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.