Full Report
The compromised communications included 8,200 lines of text from an internal chat tool, plus images of infected systems, and message timestamps largely corresponding to people who work Moscow hours, he said. The chats reveal the preoccupations of a modern-day ransomware-as-a-service group: gaining access to a victim's VPN connections using OpenConnect, and questions about how to use command-and-control software to push payloads, he said. Also, the best YouTube videos for upskilling one's technical chops and how to use an "EDR Killer" tool. The challenge of "fake CVE scripts." The document dump includes the current bitcoin wallet address for handling incoming payments from victims.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
- **Actor Name:** The Gentlemen
- **Identity:** Operates as a Ransomware-as-a-Service (RaaS) organization.
- **Location/Affiliation:** Timestamps and activity patterns largely correspond to Moscow business hours, suggesting a Russian-speaking or CIS-based membership.
- **Associations:** Surfaced in mid-2025; linked to discussions on the "Breached" cybercrime forum.
## Activity Summary
- **Current Status:** Suffered a significant data leak in May 2026, where 8,200 lines of internal chat logs, images, and operational data were posted to Breached and MediaFire.
- **Operations:** Conducting ransomware intrusions that combine data exfiltration with encryption (double extortion), so that victims are pressured both by the outage and by the threat of publication.
- **Scale:** The group has listed over 340 victims on its data leak site as of April, significantly scaling its operations since late 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Logging in with compromised credentials for edge networking gear, specifically **Fortinet** devices; the leak describes credential abuse rather than exploitation of a specific vulnerability.
- **Reconnaissance:** Extensive mapping of victim environments to identify virtualization infrastructure, backup systems, and NAS devices.
- **Persistence & PrivEsc:** Modification of Group Policy Objects (GPOs) in Active Directory in the course of obtaining and exercising "Domain Admin" privileges; GPO edits also give the operator a domain-wide mechanism for pushing changes to every joined host.
- **Living-off-the-Land (LotL):** Utilizing legitimate enterprise IT admin tools to evade detection.
- **Evasion:** Active use of "EDR Killer" tools and research into disabling endpoint security software.
- **Defense Disruption:** Targeting and disrupting NAS systems, Exchange servers, and backup infrastructure to prevent data recovery.
- **Upskilling:** Evidence of members using YouTube tutorials for technical skill-building and researching "fake CVE scripts" (fraudulent proof-of-concept exploits circulated in criminal communities).
## Targeting
- **Sectors:** Manufacturing, Healthcare, Insurance, Energy (State-owned utilities), and Finance.
- **Geography:** Global footprint with specific clusters in Thailand, the United States, and Romania.
- **Victims:**
  - Sony (claimed)
  - Barclays (claimed)
  - Complexul Energetic Oltenia (Romanian power producer)
## Tools & Infrastructure
- **Malware:** Custom ransomware payloads (RaaS model).
- **VPN/Connectivity:** OpenConnect, a legitimate open-source VPN client compatible with Cisco AnyConnect, Fortinet and several other SSL-VPN servers, used with compromised credentials to connect to victim VPNs. Its use is not itself an indicator; the signal is a connection from an unfamiliar source using a valid account.
- **Administration:** ZeroPulse (GitHub Repository) for remote administration of compromised systems.
- **Command & Control:** Specialized C2 software for pushing payloads (specific family not named).
- **Financial:** Bitcoin (BTC) for ransom payments; specific wallet addresses were included in the leak.
## Implications
The Gentlemen represent an aggressive, mid-tier RaaS group that prioritizes operational scale and thorough environmental "preparation" before encryption. The leak demonstrates that while they are technically proficient in Active Directory exploitation and EDR evasion, they still rely on public repositories and community-based learning (YouTube). Their impact on critical infrastructure (energy) and major financial institutions indicates a high-risk profile for enterprise environments.
## Mitigations
- **Fortify Edge Devices:** Patch Fortinet and other edge infrastructure promptly, but note that the observed initial access relies on compromised credentials rather than an exploit: rotate credentials for every account that can reach an exposed VPN or management interface, and enforce Multi-Factor Authentication (MFA) on all VPN connections so that a stolen password alone is not sufficient.
- **Active Directory Hardening:** Enable Directory Service Changes auditing and alert on GPO modifications (Security event 5136 on groupPolicyContainer objects), and monitor additions to Domain Admins and other privileged groups (events 4728/4756). Review the current membership of those groups against an approved list kept outside Active Directory.
- **Immutable Backups:** Implement offline or immutable backups and test restores regularly, as the group specifically targets NAS and backup servers to prevent recovery; a backup that can be deleted with the same domain credentials the actor already holds is not a backup.
- **EDR Protection:** Use EDR solutions with "tamper protection" enabled to defend against the actor's "EDR Killer" toolsets, and alert on sensors that stop reporting, since a killed agent produces no telemetry of its own removal.
- **Asset Discovery:** Maintain an updated inventory of all storage arrays and virtualization hosts, as these are primary targets for this actor's reconnaissance phase, and restrict management access to them from a separate administrative tier.
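The Active Directory hardening item above can be turned into a routine check. The following script is an added example written for this page, not tooling from the report or from the actor, and it assumes it runs on a domain controller (or a host with the RSAT GroupPolicy and ActiveDirectory modules) where "Audit Directory Service Changes" and "Audit Security Group Management" are enabled, so that events 5136 and 4728 are written to the Security log. The `$LookbackHours` and `$PrivilegedGroup` parameters are hypothetical defaults.

```powershell
# Added example (not from the report). Lists recently modified GPOs, the
# Security-log records of who changed them, and additions to Domain Admins.
# Assumes DS Changes and Security Group Management auditing are enabled.
param(
    [int]$LookbackHours = 24,                   # hypothetical default window
    [string]$PrivilegedGroup = 'Domain Admins'  # hypothetical default group
)

Import-Module GroupPolicy
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$LookbackHours)

# Turn the EventData of a Security event into a name -> value hashtable.
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. GPOs whose AD/SYSVOL modification time falls inside the window.
$recentGpos = Get-GPO -All |
    Where-Object { $_.ModificationTime -gt $since } |
    Select-Object DisplayName, Id, ModificationTime, Owner

# 2. Event 5136 = directory service object modified. Only keep changes to
#    groupPolicyContainer objects, which is how a GPO edit appears in AD.
$gpoChanges = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataTable -Event $_
        if ($d.ObjectClass -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectDN  = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Value     = $d.AttributeValue
            }
        }
    }

# 3. Event 4728 = member added to a security-enabled global group.
#    Domain Admins is a global group; use 4756 for universal groups such as
#    Enterprise Admins.
$privilegedAdds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataTable -Event $_
        if ($d.TargetUserName -eq $PrivilegedGroup) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Actor  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Member = $d.MemberName
                Group  = $d.TargetUserName
            }
        }
    }

# 4. Current effective membership (nested groups expanded), to compare
#    against an approved list that is kept outside Active Directory.
$currentMembers = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName

"== GPOs modified since $since =="
$recentGpos | Format-Table -AutoSize
"== 5136 changes to GPO objects =="
$gpoChanges | Format-Table -AutoSize
"== Additions to $PrivilegedGroup =="
$privilegedAdds | Format-Table -AutoSize
"== Current members of $PrivilegedGroup =="
$currentMembers
```

Run it on a schedule and compare the output with the previous run; the useful signal is the difference between the GPO modification times in step 1 and the 5136 records in step 2, since a GPO that changed without a matching audited edit suggests either an auditing gap or a write path (SYSVOL, backup restore) that bypassed the directory audit.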