Full Report
Key Points

Introduction

The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates. In 2026, based on victims listed on the data leak site (DLS), […]

The post Thus Spoke…The Gentlemen appeared first on Check Point Research.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
- **Actor Name:** The Gentlemen
- **Role:** Ransomware-as-a-Service (RaaS) operator.
- **Key Personnel:**
  - **zeta88** (aka **hastalamuerte**): Principal administrator. Responsible for infrastructure maintenance, building the locker (ransomware), managing the RaaS panel, and handling affiliate payouts.
- **Identity/Affiliates:** Internal database leaks exposed 9 accounts and 8 distinct affiliate TOX IDs.
- **Origins:** Emerged mid-2025; heavily active in Russian-speaking/international underground forums.
## Activity Summary
Emerging in mid-2025, The Gentlemen became one of the most prolific RaaS groups by early 2026, listing **332 victims** on their Data Leak Site (DLS) in the first five months of that year alone. They are currently ranked as the second most productive RaaS operation by volume. In May 2026, their internal backend database (named "Rocket") was leaked, revealing operational details, negotiation logs, and strategic collaborations.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of edge appliances (Fortinet, Cisco), NTLM relay attacks, and credential harvesting via M365/OWA logs.
- **Vulnerability Research:** Actively tracks and exploits modern CVEs:
  - **CVE-2024-55591**
  - **CVE-2025-32433**
  - **CVE-2025-33073**
- **Dual-Pressure/Extortion:** Uses stolen data from one victim to facilitate attacks on another (e.g., using a compromised consultancy as a scapegoat to pressure a downstream target).
- **Evasion:** Use of "EDR-kill" packages to disable endpoint protection, and "SystemBC" for C2 persistence.
- **Encryption:** Uses a locker written in **Go (Golang)** with variants for both Windows and Linux. Supports silent mode and targeted encryption of UNC network shares.
## Targeting
- **Sectors:** Software consultancy, critical infrastructure, and general enterprise targets.
- **Geography:** Global, with specific mentions of the **United Kingdom** and **Turkey**.
- **Victims:** Listed 332 victims on DLS; one associated C2 server revealed potential access to over **1,570 victims**.
## Tools & Infrastructure
- **Malware:**
  - **The Gentlemen Ransomware:** Written in Go (Windows/Linux versions).
  - **SystemBC:** Used for proxying traffic and maintaining C2.
- **Infrastructure:**
  - **Rocket:** The group's internal backend database.
  - **Data Leak Site (DLS):** Used for public shaming and extortion.
  - **NAS Storage:** Used for staging exfiltrated data.
  - **Communication:** Internal channels named `INFO`, `general`, `TOOLS`, and `PODBOR`.
## Implications
The Gentlemen represent a highly professionalized RaaS model characterized by rapid scaling and technical sophistication. Their "second place" ranking in productivity suggests an efficient affiliate onboarding process and an aggressive exploitation cycle of new CVEs. Their willingness to use "inter-victim" pressure (blaming one victim for the breach of another) adds a complex legal and reputational layer to their extortion tactics.
## Mitigations
- **Patch Management:** Prioritize remediation of edge gateway vulnerabilities (Fortinet/Cisco), specifically those listed (CVE-2024-55591, CVE-2025-32433, CVE-2025-33073).
- **Hardening:** Implement NTLM relay protections (such as SMB Signing and EPA) and move toward Phishing-Resistant MFA for M365/OWA environments.
- **Detection:**
  - Deploy the YARA rule provided in the full report to identify the Go-based ransomware binary.
  - Monitor for indicators of `SystemBC` activity and for unauthorized tools attempting to disable EDR/AV solutions.
- **Third-Party Risk:** Monitor for suspicious activity originating from partner/consultancy environments, as the group leverages "island hopping" tactics.
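The Hardening item above names SMB signing and Extended Protection for Authentication (EPA) as NTLM relay protections but does not show how to verify they are in force. The following PowerShell audit is an added example, not code from the Check Point Research report or from any tool the group uses. It reads the SMB signing configuration, the LDAP signing and channel-binding values on a domain controller, and the IIS `tokenChecking` setting that backs EPA for Windows Authentication (the front end used by OWA). It assumes it runs elevated on a Windows Server host; the LDAP section only applies on a domain controller and the IIS section only runs when the WebAdministration module is installed.

```powershell
# Added example (not from the report): audit NTLM-relay hardening controls.
# Assumptions: elevated PowerShell on Windows Server; NTDS registry keys exist
# only on domain controllers; IIS check needs the WebAdministration module.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Control, $Observed, [bool]$Compliant)
    $findings.Add([pscustomobject]@{
        Control   = $Control
        Observed  = "$Observed"
        Compliant = $Compliant
    })
}

# 1. SMB signing. Both server and client sides should REQUIRE signing;
#    merely enabling it leaves negotiation open to a relayed session.
$smbServer = Get-SmbServerConfiguration
Add-Finding 'SMB server RequireSecuritySignature' `
    $smbServer.RequireSecuritySignature $smbServer.RequireSecuritySignature
$smbClient = Get-SmbClientConfiguration
Add-Finding 'SMB client RequireSecuritySignature' `
    $smbClient.RequireSecuritySignature $smbClient.RequireSecuritySignature

# 2. LDAP signing and channel binding (domain controllers only).
#    LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntds) {
    $p    = Get-ItemProperty -Path $ntds
    $sign = [int]($p.LDAPServerIntegrity)
    $cbt  = [int]($p.LdapEnforceChannelBinding)
    Add-Finding 'LDAP signing (LDAPServerIntegrity)' $sign ($sign -eq 2)
    Add-Finding 'LDAP channel binding (LdapEnforceChannelBinding)' $cbt ($cbt -eq 2)
} else {
    Add-Finding 'LDAP signing / channel binding' 'not a domain controller' $true
}

# 3. Extended Protection for Authentication on IIS Windows Authentication.
#    tokenChecking should be Require so a relayed token fails the channel check.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $epa = Get-WebConfigurationProperty -PSPath 'IIS:\' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking'
    # The cmdlet may return a bare value or a ConfigurationAttribute; normalise.
    $val = if ($null -ne $epa -and $epa.PSObject.Properties['Value']) { $epa.Value } else { "$epa" }
    Add-Finding 'IIS EPA tokenChecking' $val ($val -eq 'Require')
} else {
    Add-Finding 'IIS EPA tokenChecking' 'WebAdministration module not present' $true
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more NTLM relay protections are not enforced on this host.'
}
```

The script reports rather than remediates: changing SMB or LDAP signing requirements can break legacy clients, so findings should feed a change ticket, and the audit is best scheduled on domain controllers and Exchange/OWA front ends, where the group's relay and credential-harvesting activity described above would land.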