Deep Dive | high | Finance, Healthcare, Critical Infrastructure, Transport

The Gentlemen: From Zero to 340 Victims in Nine Months — Inside the RaaS Group Rewriting the Ransomware Playbook

Executive Summary

The Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged in July 2025 and achieved third place globally in Q1 2026, claiming over 340 victims across 17 countries. The group was founded by a threat actor using the alias Hastalamuerte, an experienced former Qilin affiliate who departed that programme following a dispute over an unpaid commission of approximately $48,000. What distinguishes The Gentlemen from the dozens of RaaS operations that emerge and collapse each year is the methodical, deliberate approach its operators bring to every stage of the operation — from access acquisition to affiliate management to victim extortion.

The group entered the ecosystem with a significant structural advantage: a pre-compiled stockpile of compromised FortiGate device access accumulated during Hastalamuerte’s time as a Qilin affiliate, providing immediate, validated entry points into corporate environments across multiple geographies without the need to conduct initial access campaigns from scratch. Combined with a market-leading 90% affiliate revenue share and a deliberate geographic strategy targeting regions underserved by US-centric ransomware groups, The Gentlemen’s ascent from zero victims to the global top three in nine months represents one of the most significant entrants to the ransomware ecosystem in recent years.


Threat Actor Profile

The Gentlemen was founded by Hastalamuerte, a Russian-speaking threat actor with documented prior activity as an affiliate within the Qilin ransomware programme. The founding of The Gentlemen was precipitated by a financial dispute with Qilin operators over an unpaid commission of approximately $48,000 — a common catalyst for the formation of breakaway RaaS operations by experienced affiliates who possess both the technical skills and the network access inventory to immediately build a competing programme.

Hastalamuerte’s transition from affiliate to operator demonstrates the career progression pathway within the ransomware ecosystem that makes it so resilient: experienced affiliates gain the operational knowledge, tooling familiarity, and access inventory to found competing groups, ensuring the ecosystem regenerates even as law enforcement disrupts existing operations.

The group’s name and communication style deliberately project a veneer of professionalised criminality — structured workflows, measured victim communication, and deliberate leak-site activity — in contrast to the chaotic, erratic behaviour of many peer groups. This is not merely aesthetic. Structured operations attract higher-quality affiliates, produce more consistent extortion outcomes, and reduce the operational security errors that lead to law enforcement disruption.

By April 2026, The Gentlemen had claimed over 340 victims on its dark web leak site, with Check Point’s telemetry analysis of the group’s SystemBC command and control infrastructure revealing a botnet of more than 1,570 victims — indicating that the publicly claimed victim count significantly understates actual operational scope.


TTPs and Tradecraft

The Gentlemen’s attack methodology is technically sophisticated and operationally mature for a group of its age. It combines weaponised vulnerability exploitation with commercial offensive tooling and custom evasion techniques.

Initial Access: The FortiGate Stockpile

The primary initial access vector is exploitation of CVE-2024-55591, a critical authentication bypass vulnerability in Fortinet FortiOS and FortiProxy that allows unauthenticated attackers to gain super-administrator privileges on affected devices. This vulnerability became the group’s primary entry point.

Critically, The Gentlemen entered operations with a pre-compiled operational database of approximately 14,700 already-exploited FortiGate devices globally, accumulated during Hastalamuerte’s tenure as a Qilin affiliate. This stockpile provided the group with immediate, validated access to corporate networks that competitors would have needed months of scanning and exploitation to acquire. In addition, the group maintained approximately 969 validated brute-forced FortiGate VPN credentials ready for deployment.

This access inventory is central to understanding The Gentlemen’s rapid victim accumulation: rather than conducting initial access campaigns, affiliates draw from the stockpile, selecting targets based on geography, sector, and estimated revenue.

Post-Compromise: Reconnaissance and Credential Abuse

Following initial access via the FortiGate vector, operators conduct network reconnaissance to understand Active Directory structure, identify high-value systems, and enumerate backup infrastructure. Compromised credentials are validated and used to achieve lateral movement via conventional techniques.

Cobalt Strike and SystemBC serve as the primary command and control frameworks during post-compromise operations. Cobalt Strike provides the interactive beacon framework for hands-on-keyboard operator activity, while SystemBC — a SOCKS5 proxy malware — provides resilient tunnelled C2 communications that blend with legitimate encrypted traffic.

Domain-Wide Detonation via Group Policy

The Gentlemen’s ransomware deployment methodology is optimised for maximum simultaneous impact. Rather than deploying the ransomware payload to individual systems, operators use Active Directory Group Policy Objects (GPOs) to push the ransomware locker simultaneously to every computer in the domain. This approach achieves several objectives: it maximises the number of systems encrypted before any alert is raised; it overwhelms incident responders who cannot remediate dozens or hundreds of simultaneously encrypted systems; and it denies any recovery window in which backups might be identified and protected.

The group drops a PowerShell command prior to detonation to disable Windows Defender and other security tooling across domain-joined systems.

Defense Evasion: BYOVD Kernel Privilege Escalation

One of The Gentlemen’s most technically noteworthy capabilities is its use of a Bring Your Own Vulnerable Driver (BYOVD) technique for security software termination. The group deploys a repurposed legitimate driver — ThrottleBlood.sys, derived from the legitimate ThrottleStop CPU management utility — to exploit CVE-2025-7771, a vulnerability in the driver that grants kernel-level privileges.

Once kernel access is achieved, the attacker can terminate protected security processes — including EDR agents that run as protected processes and cannot be killed by standard user-mode or administrative commands. This renders organisations’ primary endpoint defence capability ineffective at precisely the moment it is most needed.

Data Exfiltration and Dual Extortion

Prior to encryption, The Gentlemen routinely exfiltrate victim data for double-extortion leverage. Data is staged in local directories (commonly C:\ProgramData\data) before exfiltration via WinSCP using SFTP or WebDAV protocols to attacker-controlled infrastructure. The dual-extortion model — threatening both operational encryption and public data exposure — provides leverage even against organisations that can restore from backups.

Victim communication is conducted exclusively via the Tox peer-to-peer encrypted messaging platform, which provides operators with communications security and plausible deniability.

The Go-Based Locker

The Gentlemen’s ransomware payload is written in Go (Golang) — a cross-platform language increasingly favoured by ransomware operators because it compiles to native executables for Windows, Linux, NAS, and BSD systems from a single codebase. This cross-platform capability enables the group to encrypt not only Windows domain members but also Linux-based backup servers, VMware ESXi hosts, and network-attached storage devices that are critical to recovery operations.


Targeting and Victim Sectors

The Gentlemen’s targeting strategy is deliberately non-US-centric — a calculated differentiation from most established RaaS operations that concentrate on the North American market and face higher law enforcement attention as a result.

Geographic Distribution: While the United States and Thailand recorded the highest individual victim counts, Asia overall accounted for approximately 46% of all victims — a striking regional concentration that reflects the group’s geographic strategy and its affiliates’ access inventory. Victims span 17 countries across North America, Europe, Asia, and the Middle East.

Sector Targeting:

  • Manufacturing — the most affected sector, reflecting the group’s targeting of environments with large, interconnected Windows domain infrastructure in which operational disruption creates strong pressure to pay the ransom
  • Technology — IT companies, managed service providers, and technology firms with broad customer reach
  • Healthcare — despite most RaaS groups claiming to avoid healthcare, The Gentlemen has demonstrated willingness to target healthcare organisations
  • Financial Services — banks, insurance companies, and financial services firms
  • Construction — a frequently targeted sector due to high data sensitivity (contracts, bid documentation) and typically weaker cyber defences

The group’s targeting by sector reflects an emphasis on environments that rely heavily on shared infrastructure — large Active Directory domains — where the GPO detonation technique achieves maximum impact.


Historical Incidents and Impact

July-August 2025 — Launch and Initial Campaigns: The Gentlemen’s first victims appeared on its dark web leak site in late July 2025. The group rapidly established operational tempo, claiming victims across multiple geographies in its first weeks of operation — a pace made possible by the pre-stockpiled FortiGate access inventory.

Q4 2025 — Rapid Escalation: Through Q4 2025, The Gentlemen sustained victim accumulation that placed it outside the top ransomware groups but on a clear upward trajectory. The 90% affiliate commission attracted experienced affiliates from other RaaS programmes seeking higher returns.

Q1 2026 — Top Three Globally: Check Point Research’s Q1 2026 ransomware report placed The Gentlemen third globally in victim count, alongside Qilin and Akira. The group, Qilin, Akira, and LockBit collectively accounted for 41% of all ransomware victims in the quarter. Going from zero victims in August 2025 to the global top three by March 2026 represents the fastest documented ascent to top-tier status in the modern RaaS era.

Internal Breach: In a notable development, The Gentlemen’s own operations were partially exposed by an internal breach in early 2026, with operational data including victim lists, affiliate communications, and internal infrastructure details leaked. This event did not materially impede the group’s operations, but provided security researchers with unprecedented visibility into the group’s TTPs and affiliate network structure.


Defensive Implications

The Gentlemen’s attack chain presents specific defensive priorities that organisations should address immediately, particularly those with Fortinet infrastructure.

FortiGate Patching is Critical: CVE-2024-55591 and predecessor Fortinet vulnerabilities remain the group’s primary entry vector. Any organisation running Fortinet FortiOS or FortiProxy should treat patch currency for these products as a board-level priority. The existence of a 14,700-device compromised access stockpile means that many organisations may already be in The Gentlemen’s inventory without knowing it — a compromised FortiGate device should be treated as a potential pre-positioned threat regardless of whether an active attack is underway.

FortiGate Integrity Verification: Organisations should conduct active integrity checks on FortiGate and FortiProxy devices, checking for indicators of compromise including unexpected administrator accounts, unusual configuration changes, and signs of CVE-2024-55591 exploitation. Fortinet has published guidance for post-exploit detection.
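An added example (not the article’s or Fortinet’s code) of the “unexpected administrator accounts” check: it parses the `config system admin` block of a FortiOS configuration backup and flags any account missing from a hypothetical baseline, with `super_admin` profiles called out as the highest concern. The sample backup and the baseline set are constructed.

```python
# Added example (not Fortinet's code): the "unexpected administrator" check above.
# Constructed sample backup; "sysmaint" is the planted account the baseline lacks.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "noc_ro"
        set accprofile "prof_readonly"
    next
    edit "sysmaint"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# Hypothetical baseline of accounts the organisation expects on this device.
BASELINE_ADMINS = {"admin", "noc_ro"}

def parse_admins(config_text):
    """Return {name: {setting: value}} for each entry under `config system admin`."""
    admins, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif in_block and line == "end":
            break  # other config blocks are irrelevant to this check
        elif in_block and line.startswith("edit "):
            current = line[5:].strip('"')
            admins[current] = {}
        elif in_block and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
        elif in_block and line == "next":
            current = None
    return admins

def find_unexpected_admins(config_text, baseline=BASELINE_ADMINS):
    """Return (name, accprofile, is_super_admin) for accounts absent from the baseline."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        if name not in baseline:
            profile = settings.get("accprofile", "unknown")
            findings.append((name, profile, profile == "super_admin"))
    return findings
```

Build the baseline from a backup taken before the suspected exposure window, so the baseline is not itself derived from a device that may already have been modified.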

BYOVD Defence: The ThrottleBlood.sys BYOVD technique requires specific countermeasures: implement Windows Defender Application Control (WDAC) or similar driver allowlisting to prevent loading of vulnerable drivers. Microsoft’s recommended block rules for known vulnerable drivers should be applied. Verify that EDR solutions are configured with tamper protection that is not susceptible to kernel-level attacks.

Group Policy Monitoring: Implement change monitoring and alerting for Active Directory Group Policy Objects. Unexpected GPO creation or modification — particularly GPOs that push scripts or executables — should trigger immediate investigation. Consider deploying Privileged Access Workstations (PAWs) for all Domain Administrator activity to reduce credential exposure.
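As an added example (not from the article or from Microsoft), the following triage logic applies that recommendation to Windows Security log records for Directory Service object creation (Event ID 5137) and modification (Event ID 5136): it keeps only changes to GPO objects under CN=Policies and escalates when the scripts client-side extension is enabled, the actor is not an approved editor, or the change lands outside the change window. The event records, the editor allowlist and the change window are constructed assumptions.

```python
# Added example (not the article's or Microsoft's code): triage rules for the GPO
# change-monitoring recommendation above, applied to constructed Security log records.
from datetime import datetime

GPO_EVENT_IDS = {5136, 5137}  # Directory Service object modified / created
# Attributes that change when a GPO starts delivering scripts or executables.
HIGH_RISK_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCFileSysPath", "versionNumber"}
SCRIPTS_CSE_GUID = "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}"  # startup/shutdown scripts CSE
GPO_EDITORS = {"CORP\\svc-gpo-deploy"}  # hypothetical allowlist of approved GPO editors
GPO_CONTAINER = ",CN=Policies,CN=System,"  # GPO objects live under this container
CHANGE_WINDOW = range(6, 20)  # hypothetical approved hours for policy changes

# Constructed sample records in the shape of parsed Security event fields.
SAMPLE_EVENTS = [
    {"EventID": 5137, "TimeCreated": "2026-03-14T02:11:40", "SubjectUserName": "CORP\\jsmith",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "", "AttributeValue": ""},
    {"EventID": 5136, "TimeCreated": "2026-03-14T02:13:07", "SubjectUserName": "CORP\\jsmith",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "AttributeValue": "[" + SCRIPTS_CSE_GUID + "]"},
    {"EventID": 5136, "TimeCreated": "2026-03-14T11:00:00", "SubjectUserName": "CORP\\svc-gpo-deploy",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "17"},
]

def triage_gpo_event(ev):
    """Return (severity, reason) for a GPO create/modify event, else None."""
    if ev["EventID"] not in GPO_EVENT_IDS or GPO_CONTAINER not in ev["ObjectDN"]:
        return None
    reasons, score = [], 1
    if ev["EventID"] == 5137:
        reasons.append("new GPO created")
    elif ev["AttributeLDAPDisplayName"] in HIGH_RISK_ATTRIBUTES:
        reasons.append(ev["AttributeLDAPDisplayName"] + " changed")
        if SCRIPTS_CSE_GUID in ev["AttributeValue"]:
            reasons.append("scripts CSE enabled")  # policy will now run scripts on clients
            score += 2
    else:
        return None  # other attribute edits are routine noise for this rule
    if ev["SubjectUserName"] not in GPO_EDITORS:
        reasons.append("actor not an approved GPO editor")
        score += 1
    if datetime.fromisoformat(ev["TimeCreated"]).hour not in CHANGE_WINDOW:
        reasons.append("outside change window")  # mass deployment is often staged off-hours
        score += 1
    severity = {1: "low", 2: "medium", 3: "high"}.get(score, "critical")
    return severity, "; ".join(reasons)
```

These events only exist if the domain controllers audit Directory Service Changes and the GPO container carries a SACL for write operations; verify both before relying on the rule.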

Backup Protection: The cross-platform Go locker targets Linux backup servers and ESXi hosts specifically to destroy recovery options. Maintain offline, immutable backups that cannot be reached from domain-joined systems. Test recovery procedures regularly.

Network Monitoring for SystemBC: Implement detection rules for SystemBC C2 traffic patterns. The malware uses encrypted SOCKS5 proxy communications that can be detected through behavioural analysis even when the content is encrypted.

The Gentlemen’s rapid ascent is a warning about the structural resilience of the ransomware ecosystem: experienced affiliates who part ways with established RaaS programmes do not exit the ecosystem — they found new ones, bringing their access inventory and technical skills with them. Disrupting existing groups addresses symptoms; the access stockpile model means that the threat persists regardless of which brand name is on the leak site.