The Gentlemen Ransomware Group Exposed
Check Point Software Technologies, a pioneer in cybersecurity solutions, has released significant findings regarding the ransomware group known as 'The Gentlemen.' The internal data leak analyzed by the Check Point Research (CPR) team sheds light on the group's operations, identifying them as the second most active ransomware group globally in 2026, with over 400 reported incidents.
Overview of The Gentlemen
In May 2026, The Gentlemen's internal systems were compromised, exposing their operational framework. Central to the group is a single administrator, operating under the aliases 'zeta88' and 'hastalamuerte,' alongside approximately nine identified operators. This administrator not only manages the ransomware platform but also plays a direct role in executing encryption attacks.
Notably, the administrator is a former affiliate of the Qilin ransomware program, indicating that they honed their tactics within an existing operation before launching a competing group.
The initial access pathways exploited by The Gentlemen primarily involve unpatched edge devices and purchased credentials. Interestingly, data stolen from one victim has been used in subsequent attacks on that victim's customers, showcasing a cascading pattern of attacks confirmed by the CPR's findings.
Use of AI in Operations
The Gentlemen have been leveraging Chinese AI models such as 'DeepSeek' and 'Qwen' to expedite ransomware development. The administrator reportedly used AI coding assistance to create their entire RaaS (Ransomware as a Service) management panel within just three days.
On May 4, 2026, the group acknowledged a breach of their internal backend database on an underground forum, likely tied to the compromise of their hosting provider '4VPS.' CPR was able to acquire some of this leaked data before its deletion, which included internal chat logs, lists of operational members, ransom negotiation records, and discussions regarding tool operations. Such details provide a rare glimpse into the internal workings of a ransomware operation.
Organizational Structure
The structure of The Gentlemen is defined by a small yet professional team. The administrator, 'zeta88,' possesses significant responsibilities including creating ransomware, managing the RaaS panel, and handling payment processes, while also directly participating in attacks. Internal communications reveal that during live encryption attacks, this administrator communicated, “I’m locking,” emphasizing their active involvement.
The group offers an unusually generous revenue split of 90 to 10 in favor of affiliates, compared with the more common industry arrangement of 80 to 20. This favorable arrangement has attracted skilled operators, including some formerly associated with the Qilin program.
Attack Vectors
The Gentlemen's intrusion methods predominantly target unpatched, publicly accessible devices, with a notable focus on VPN and other edge appliances. They exploit vulnerabilities such as CVE-2024-55591 and CVE-2025-32433 and make use of access purchased from third-party brokers or credentials obtained from infostealer log markets. Post-intrusion, they move quickly through Active Directory enumeration, NTLM relay attacks, disabling of EDR (Endpoint Detection and Response) software, lateral movement using legitimate administrative tools, and data exfiltration. They then deploy the ransomware across the domain via group policy, hitting all joined endpoints at once.
A Consequential Breach
Perhaps the most critical takeaway for business leaders is the realization that a breach can serve as a gateway to infiltrate their customers. In April 2026, The Gentlemen compromised a UK-based software consulting firm and later used stolen data to attack their Turkish clients. The UK firm claimed that only standard operational data had been accessed, but leaked internal chat communications paint a starkly different picture.
Eventually, The Gentlemen listed both firms on a data leak site, naming the UK consulting firm as the 'access intermediary' in the attacks against the Turkish company. This tactic pressures the Turkish company to pursue legal actions against their UK partner, illustrating how vulnerability in one organization can become a pathway for threats against another.
Recommended Security Actions
While The Gentlemen's attack chain is sophisticated, their points of entry are relatively straightforward. Consequently, the prioritization of defense strategies becomes clear:
1. Patch Edge Devices: Address vulnerabilities in VPNs, firewalls, and remote access gateways, which serve as the front line against breaches.
2. Assume Compromise: Implement multifactor authentication (MFA), but also monitor for abnormal authentication patterns across platforms, acknowledging that credentials may already be compromised.
3. Protect Active Directory: NTLM relay attacks and misconfigured AD Certificate Services are central to the group's tactics; regular AD security assessments are crucial.
4. Detect Lateral Movement Early: Identifying attackers during lateral movement can be key to preventing extensive damage.
5. Ensure Backup Isolation: The Gentlemen specifically target NAS devices and backup systems; confirming that backups are offline and immutable can be the deciding factor between recovery and paying the ransom.
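As an added illustration of the "Assume Compromise" and "Detect Lateral Movement Early" points above (example code written for this summary, not from the CPR report or the group's leaked material), the following Python detector parses constructed network-logon events and flags any account that reaches more than a threshold of distinct hosts inside a short window, the fan-out pattern left by an operator moving laterally with legitimate administrative tools. The log line format, field names, host names, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real data), loosely modelled on Windows
# Security event 4624 fields; the key=value format itself is an assumption.
SAMPLE_EVENTS = [
    "2026-04-12T02:10:01 user=svc_backup src=WS-017 dst=FS-01 type=3 auth=NTLM",
    "2026-04-12T02:10:40 user=svc_backup src=WS-017 dst=FS-02 type=3 auth=NTLM",
    "2026-04-12T02:11:05 user=svc_backup src=WS-017 dst=NAS-01 type=3 auth=NTLM",
    "2026-04-12T02:11:30 user=svc_backup src=WS-017 dst=DC-01 type=3 auth=NTLM",
    "2026-04-12T02:12:12 user=svc_backup src=WS-017 dst=SQL-01 type=3 auth=NTLM",
    "2026-04-12T02:13:00 user=svc_backup src=WS-017 dst=APP-03 type=3 auth=NTLM",
    "2026-04-12T09:00:00 user=helpdesk src=WS-005 dst=WS-101 type=3 auth=Kerberos",
    "2026-04-12T10:30:00 user=helpdesk src=WS-005 dst=WS-102 type=3 auth=Kerberos",
    "2026-04-12T12:00:00 user=helpdesk src=WS-005 dst=WS-103 type=3 auth=Kerberos",
    "2026-04-12T12:05:00 user=helpdesk src=WS-005 dst=WS-005 type=2 auth=Kerberos",
]

def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect_fanout(lines, window_minutes=10, max_hosts=5):
    """Flag accounts whose network logons (type 3) reach more than max_hosts
    distinct destinations inside one sliding window of window_minutes.
    Returns {account: {"hosts": [...], "ntlm": bool}} for flagged accounts."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for event in map(parse_event, lines):
        if event.get("type") == "3":  # local/interactive logons are ignored
            by_user[event["user"]].append(event)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, event in enumerate(events):
            # slide the window start forward until every event in it is recent
            while event["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in events[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts[user] = {"hosts": sorted(hosts),
                                "ntlm": any(e["auth"] == "NTLM"
                                            for e in events[start:end + 1])}
                break  # one alert per account is enough
    return alerts
```

In the sample data only the service account, which touches six servers over NTLM in three minutes, is flagged; the helpdesk account's three logons spread across three hours stay below the default threshold, and the thresholds are the tuning point when applying this to real 4624 data.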
The findings from this analysis exemplify the current state of professional ransomware operations. The Gentlemen's small but organized team relies on a well-crafted business model and a curated toolset to attract skilled operators and run attacks at scale. The breach of their own infrastructure has given defenders an unusual opportunity to understand the group's operational realities. CPR has shared these findings with law enforcement, and investigations are underway.
For further detailed insights into Indicators of Compromise (IOC), YARA detection rules, and a list of affiliate TOX IDs, refer to the complete CPR investigation report. Check Point clients are protected against The Gentlemen ransomware threat through Threat Emulation and Harmony Endpoint solutions.