Inside The Gentlemen RaaS Leak: Attack‑Defense Dynamics in Modern Ransomware
The article dissects the May 2026 leak of the ransomware‑as‑a‑service group The Gentlemen, detailing its rapid rise, profit‑sharing model, edge‑device entry points, AI‑assisted tool development, supply‑chain attacks, internal breach, and concrete blue‑team mitigation recommendations.
In May 2026, the ransomware‑as‑a‑service (RaaS) organization The Gentlemen surged to become the world’s second‑largest active ransomware group, accounting for roughly 10% of global attacks. That same month its own infrastructure was compromised, and internal chat logs, member lists, and negotiation records were sold on the dark web for $10,000, offering defenders a rare glimpse into its operations.
1. Organization Overview: From Qilin Affiliate to Industry Newcomer
The Gentlemen was founded in mid‑2025 and, within six months, rose to the second‑largest active ransomware group worldwide, with over 400 disclosed victims by May 2026.
Joint analysis by Check Point Research and KELA identifies a core team of about nine named operators led by the alias zeta88 (also known as hastalamuerte). zeta88 previously served as an affiliate of the older RaaS group Qilin and left after a commission dispute, illustrating accelerating talent mobility within the ransomware ecosystem.
The group uses an attractive 90/10 revenue split—compared with the industry‑standard 80/20—granting a larger share to affiliates and quickly drawing experienced operators from competitors such as Black Basta. This “big reward, bold attacker” model distributes the scale‑up risk across many independent operators.
2. Initial Access: Edge Devices as Preferred Attack Surface
The Gentlemen’s entry stage is highly templated, relying almost exclusively on unpatched internet‑facing devices and stolen credentials.
Specifically, the group exploits two vulnerability classes:
CVE‑2024‑55591: authentication bypass in Fortinet devices.
CVE‑2025‑32433: remote code execution in Cisco devices.
Both target boundary security appliances—VPNs, firewalls, and remote‑access gateways—providing the first foothold inside corporate networks.
In addition to direct exploitation, the group purchases initial‑access credentials from third‑party brokers or from infostealer markets. Leaked chat logs show they order specific VPN login credentials on dark‑web forums as easily as online shopping.
3. Lateral Movement: AD Enumeration and Credential Replay
Once inside the perimeter, the group follows a highly scripted lateral‑movement sequence:
Active Directory enumeration: quickly locate domain controllers and high‑value assets.
NTLM relay attack (CVE‑2025‑33073): exploit misconfigured AD Certificate Services to elevate privileges.
EDR disabling: terminate endpoint detection and response components in memory.
Legitimate admin tools: use Radmin, AnyDesk, and similar remote tools to evade detection.
Browser session hijacking: target Microsoft 365 and Okta web shells to steal sessions.
Data exfiltration: extract large volumes of sensitive data before encryption.
The final step deploys the ransomware via a single Group Policy push, achieving a “one‑click lock” across all networked endpoints, meaning the payload may sit dormant for days or weeks before detonation.
4. AI‑Powered Development: Building a Management Panel in Three Days
Chat logs reveal extensive use of AI coding assistants. Leader zeta88 employed Chinese models such as DeepSeek and Qwen (Tongyi Qianwen) to develop the entire RaaS management panel in just three days.
This demonstrates two implications for blue teams: AI tools are dramatically lowering the technical barrier for cybercrime, and monitoring for misuse of AI‑assisted development environments (e.g., GitHub Copilot, Cursor) should become part of SOC detection strategies.
5. Chain‑Reaction Victims: One Customer Becomes Two
The most alarming real‑world case occurred in April 2026. The Gentlemen first compromised a UK software‑consulting firm, stealing infrastructure documentation, credentials, and client access information. They then leveraged that data to attack the firm’s Turkish client.
The UK firm publicly claimed only “routine business data” was accessed, but internal chats disclose that the group deliberately published both companies’ information on a dark‑web leak site and labeled the UK firm as the “entry broker” for the Turkish attack, aiming to force the Turkish victim into legal action against the UK partner.
This illustrates that a breached supply‑chain partner can become a launchpad for attacks against your own organization.
6. Internal Leak Details: Hunters Turned Prey
On May 4, 2026, administrator zeta88 admitted on an underground forum that the backend database had been breached, likely due to a compromise of the 4VPS hosting provider used for the group’s infrastructure.
Leaked data included six months of internal chat logs (Nov 2025 – Apr 2026), member rosters, ransom negotiation records, and tool‑development documents, sold for $10,000 on the dark web. Check Point Research obtained a portion before the data was removed and reported the incident to law enforcement.
7. Blue‑Team Defense Recommendations
Based on the attack‑chain analysis, defenders should prioritize the following:
1. Patch boundary devices as a board‑level priority
VPNs, firewalls, Fortinet, and Cisco edge devices are the primary entry points. CVE‑2024‑55591 and CVE‑2025‑32433 are actively exploited; patch management must be immediate.
2. Assume credentials are compromised
Multi‑factor authentication is necessary but not sufficient. Monitor Microsoft 365, VPN portals, and identity systems for anomalous login patterns—especially from new geolocations or devices.
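The kind of "anomalous login pattern" check this recommendation calls for, written as an added example (not code from the article, Check Point Research, or KELA): a per‑user baseline of countries and devices is learned from a training window of successful sign‑ins, and later sign‑ins are flagged when they come from a new country, a new device, or a second country within a short time of the previous one. The sign‑in records, the one‑week learning period, the two‑hour rapid‑change threshold and the field names are all constructed assumptions; map them to whatever your identity provider's sign‑in log actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry). The field names are an
# assumption standing in for an identity provider's sign-in log export.
SIGNINS = [
    # Learning period: each user signs in from one country on one managed device.
    {"user": "j.doe", "ts": "2026-03-01T08:02:00", "country": "GB", "device": "LT-0421", "result": "success"},
    {"user": "j.doe", "ts": "2026-03-02T08:10:00", "country": "GB", "device": "LT-0421", "result": "success"},
    {"user": "j.doe", "ts": "2026-03-03T08:05:00", "country": "GB", "device": "LT-0421", "result": "success"},
    {"user": "a.lee", "ts": "2026-03-01T09:00:00", "country": "TR", "device": "LT-0788", "result": "success"},
    {"user": "a.lee", "ts": "2026-03-02T09:05:00", "country": "TR", "device": "LT-0788", "result": "success"},
    # Detection window: j.doe's credentials are then used 45 minutes later from
    # another country on a device the baseline has never seen.
    {"user": "j.doe", "ts": "2026-03-10T08:00:00", "country": "GB", "device": "LT-0421", "result": "success"},
    {"user": "j.doe", "ts": "2026-03-10T08:45:00", "country": "NL", "device": "unknown-9f3a", "result": "success"},
    {"user": "a.lee", "ts": "2026-03-10T09:02:00", "country": "TR", "device": "LT-0788", "result": "success"},
]

BASELINE_END = "2026-03-08T00:00:00"  # assumption: sign-ins before this form the baseline
RAPID_CHANGE = timedelta(hours=2)     # assumption: two countries inside 2 h is suspicious


def parse_ts(value):
    return datetime.fromisoformat(value)


def build_baseline(events, until):
    """Per-user sets of countries and devices seen in successful sign-ins before `until`."""
    cutoff = parse_ts(until)
    countries, devices = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "success" and parse_ts(e["ts"]) < cutoff:
            countries[e["user"]].add(e["country"])
            devices[e["user"]].add(e["device"])
    return countries, devices


def detect_anomalies(events, until):
    """Flag successful sign-ins after `until` that deviate from the learned baseline."""
    countries, devices = build_baseline(events, until)
    cutoff = parse_ts(until)
    recent = sorted(
        (e for e in events if e["result"] == "success" and parse_ts(e["ts"]) >= cutoff),
        key=lambda e: e["ts"],
    )
    last_seen = {}  # user -> (timestamp, country) of the previous sign-in in the window
    alerts = []
    for e in recent:
        user, ts = e["user"], parse_ts(e["ts"])
        if e["country"] not in countries[user]:
            alerts.append({"rule": "new_country", "user": user, "ts": e["ts"], "value": e["country"]})
        if e["device"] not in devices[user]:
            alerts.append({"rule": "new_device", "user": user, "ts": e["ts"], "value": e["device"]})
        prev = last_seen.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] <= RAPID_CHANGE:
            alerts.append({"rule": "rapid_country_change", "user": user, "ts": e["ts"],
                           "value": f"{prev[1]}->{e['country']}"})
        last_seen[user] = (ts, e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SIGNINS, BASELINE_END):
        print(alert)
```

Two design points matter in production: the baseline must never be updated from a sign‑in that was itself flagged (otherwise the attacker's device becomes "known" after one success), and a user with no baseline at all should raise a separate "no baseline" signal rather than a flood of new‑country and new‑device alerts.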
3. Conduct regular Active Directory security audits
NTLM relay attacks and AD Certificate Services misconfigurations are core to lateral movement. Perform quarterly AD security assessments using MITRE ATT&CK techniques T1558, T1557, etc., to validate detection rules.
4. Detect during lateral‑movement phase
The real detection window is before ransomware detonation, during internal traversal. Look for abnormal LSASS process access, off‑hours admin actions, and behavior‑based anomalies rather than relying solely on ransomware signatures.
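An added example of the behaviour‑based rules this recommendation (and the AD audit point above) describe, run over a handful of constructed Windows Security and Sysmon events; it is not code from the article or from the researchers cited. Four rules are shown: a non‑allowlisted process reading LSASS memory (Sysmon Event 10), a privileged account logging on outside business hours (Security 4624), one account requesting RC4 service tickets for many SPNs in a short window (Security 4769, the Kerberoasting pattern behind ATT&CK T1558), and a Group Policy object modified by an account that is not expected to edit GPOs (Security 5136), which is the precursor to the "one‑click lock" described earlier. The sample events, the allowlists, the `adm_` naming convention, the 07:00–19:00 business hours and the thresholds are all assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names mirror the Sysmon
# and Windows Security fields they stand for.
EVENTS = [
    # Sysmon 10 (ProcessAccess): the Defender engine reading LSASS is expected.
    {"id": 10, "ts": "2026-03-02T14:03:11", "host": "WS-17",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Sysmon 10: a binary in a user-writable path reading LSASS memory is not.
    {"id": 10, "ts": "2026-03-02T22:41:05", "host": "WS-17",
     "source_image": r"C:\Users\Public\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Security 4624: two admin logons, one at 10:15 on a weekday and one at 02:17.
    {"id": 4624, "ts": "2026-03-02T10:15:00", "host": "DC01", "user": "adm_jsmith", "logon_type": 10},
    {"id": 4624, "ts": "2026-03-03T02:17:44", "host": "DC01", "user": "adm_jsmith", "logon_type": 10},
    {"id": 4624, "ts": "2026-03-03T02:20:01", "host": "FS02", "user": "j.doe", "logon_type": 3},
    # Security 4769: one account pulls RC4 (0x17) tickets for six SPNs in five minutes.
    *[{"id": 4769, "ts": f"2026-03-03T02:3{i}:10", "host": "DC01", "account": "j.doe",
       "service": f"svc_{name}", "etype": "0x17"}
      for i, name in enumerate(["sql01", "sql02", "web01", "exch01", "sp01", "bak01"])],
    {"id": 4769, "ts": "2026-03-03T09:00:00", "host": "DC01", "account": "a.lee",
     "service": "svc_sql01", "etype": "0x12"},
    # Security 5136: a GPO edited by an account outside the GPO-admin allowlist.
    {"id": 5136, "ts": "2026-03-03T02:40:30", "host": "DC01", "subject": "j.doe",
     "object_class": "groupPolicyContainer", "attribute": "gPCMachineExtensionNames"},
]

# Assumptions to tune per environment.
LSASS_READERS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010          # access-mask bit needed to read process memory
ADMIN_PREFIX = "adm_"             # naming convention for privileged accounts
BUSINESS_HOURS = (7, 19)          # 07:00-19:00 local, weekdays only
KERBEROAST_MIN_SPNS = 5
KERBEROAST_WINDOW = timedelta(minutes=10)
GPO_ADMINS = {"adm_gpo"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_lsass_access(events):
    alerts = []
    for e in events:
        if e["id"] != 10 or not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        source = e["source_image"].rsplit("\\", 1)[-1].lower()
        if source in LSASS_READERS_ALLOWLIST:
            continue
        if int(e["granted_access"], 16) & PROCESS_VM_READ:
            alerts.append({"rule": "lsass_memory_read", "host": e["host"],
                           "ts": e["ts"], "source": e["source_image"]})
    return alerts


def detect_off_hours_admin(events):
    alerts = []
    for e in events:
        if e["id"] != 4624 or not e["user"].startswith(ADMIN_PREFIX):
            continue
        ts = parse_ts(e["ts"])
        in_hours = ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
        if not in_hours:
            alerts.append({"rule": "off_hours_admin_logon", "host": e["host"],
                           "ts": e["ts"], "user": e["user"]})
    return alerts


def detect_kerberoast_burst(events):
    per_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17":
            per_account[e["account"]].append((parse_ts(e["ts"]), e["service"]))
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window over sorted requests
            services = {svc for ts, svc in reqs[i:] if ts - start <= KERBEROAST_WINDOW}
            if len(services) >= KERBEROAST_MIN_SPNS:
                alerts.append({"rule": "rc4_tgs_burst", "account": account,
                               "ts": start.isoformat(), "spn_count": len(services)})
                break
    return alerts


def detect_gpo_change(events):
    return [{"rule": "gpo_modified_by_unexpected_account", "host": e["host"],
             "ts": e["ts"], "user": e["subject"]}
            for e in events
            if e["id"] == 5136 and e["object_class"] == "groupPolicyContainer"
            and e["subject"] not in GPO_ADMINS]


def run_rules(events):
    return (detect_lsass_access(events) + detect_off_hours_admin(events)
            + detect_kerberoast_burst(events) + detect_gpo_change(events))


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Each rule on its own is noisy in a real estate; the value comes from correlating them by host and account within a short window, which is exactly what the single‑account sequence above (off‑hours logon, then an RC4 ticket burst, then a GPO edit) is meant to show.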
5. Isolate backup systems from the domain
The group targets NAS devices and backup infrastructure. Deploy offline, immutable backups and ensure backup systems reside outside the AD domain.
8. Conclusion
The Gentlemen exemplifies the “professionalized operation” model of modern ransomware: small teams, high revenue splits, AI‑assisted development, and a mature supply‑chain division of labor. While they did not invent new techniques, they packaged existing methods into a scalable commercial offering.
The leak provides defenders with first‑hand insight into internal ransomware operations and detailed TTPs for each attack stage. Mapping these to the MITRE ATT&CK framework and building targeted detection rules in SIEM/SOC platforms is the most effective response.