TheGentleman

TheGentleman operates a RaaS model with a focus on high-impact, revenue-driven targets. The group systematically exploits FortiGate appliances as the primary entry point into corporate networks, subsequently deploying proprietary remote control infrastructure (G-BOT) and tunneling tools for lateral movement. Data exfiltration consistently precedes encryption, applying dual extortion pressure on victims. Operations have affected over 400 organizations across multiple continents since the group’s emergence in mid-2025.

Timeline and Evolution

  • July–August 2025: TheGentlemen emerges as a Russian-speaking RaaS operation. The first public data leak site post is recorded on September 9, 2025. Threat monitoring platforms attribute over 400 victims to the group since its first weeks of activity.

  • November 2025: The group migrates internal communications from Mattermost to a self-hosted Tor-based Rocket.Chat instance. First documented FortiGate-based intrusions occur and initial confirmed victims are recorded.

  • December 2025: Email-based payload delivery infrastructure activated using HTML documents as primary vectors. Initial targets processed through the internal victim selection channel.

  • January 2026: G-BOT integrated as primary C2 platform; Velociraptor adopted as a supplementary remote access tool. Major telecom provider intrusion documented. Highest internal activity month recorded.

  • February–March 2026: NAS encryption campaign launched. Attacks against international maritime shipping companies and logistics operators. AI models integrated for negotiation assistance and analysis of stolen data.

  • April 2026: GPU rental for processing large volumes of exfiltrated data. The group actively monitors its position in public ransomware rankings, appearing as the second most active group of 2026.

  • May 2026: Communications infrastructure compromised following an attack on hosting provider 4VPS.SU. On May 8, the full internal communications corpus is released freely on underground forums, exposing victims, tooling, and group operations.

Attack Summary

  • Initial Access: Access via exploitation of FortiGate appliances (CVE-2024-55591). Use of openconnect client with VPN credentials extracted from compromised devices. VPN passwords are reused across unrelated victims under a group-branded naming pattern.

  • Internal Reconnaissance: SMB resource enumeration with NetExec (nxc) routed through SOCKS5 tunnels. LDAP credential extraction from FortiGate configurations for immediate Active Directory enumeration. BloodHound used for privilege escalation path mapping.

  • Credential Access: LSASS credential dumping with Mimikatz and patched builds for modern Windows versions. Browser secret extraction via DumpBrowserSecrets and XenAllPasswords.

  • Persistence & C2: G-BOT beacon deployment (custom C2 with integrated SOCKS5 proxy per implant) and Velociraptor as supplementary remote control agent. Tunneling via Chisel with proxychains-based proxy chaining.

  • Lateral Movement: Remote execution via PsExec and WMI. Interactive access via RDP with stolen credentials. Pivoting through G-BOT implant SOCKS5 channels.

  • Exfiltration: Bulk data transfer via Rclone and WinSCP. Data staged in temporary directories or compressed before transfer to attacker-controlled infrastructure.

  • Pre-Encryption: Containers, virtual machines, and database services stopped via predefined scripts. Snapshots and volume shadow copies destroyed to eliminate recovery options.

  • Encryption: Linux locker deployed from /opt/updateamd with path, password, and ultrafast mode parameters. Hyper-V volumes encrypted directly at the hypervisor layer. Resulting extension: .i8p14s. Ransom note: README-GENTLEMEN.txt.

  • Impact & Destruction: Shadow copies deleted via vssadmin delete shadows and wmic shadowcopy delete. Recovery boot disabled with bcdedit. ESXi snapshots and NAS snapshots destroyed.

Initial Access

The group gains entry into corporate networks primarily through exploitation of CVE-2024-55591 in FortiGate devices — a critical authentication bypass that exposes the management interface without credentials. Once on the device, operators extract full configuration files containing VPN credentials and LDAP bind parameters in plaintext. The openconnect client with --protocol=fortinet is the documented connection tool, with passwords reused across different targets under a group-branded naming scheme.

As a secondary vector, the group maintains the FOBOS Loader kit, which bundles multiple payload delivery methods: HTML smuggling, ClickFix variants, LNK files, MSI packages, Python droppers, polyglot files, and exploitation of CVE-2024-21412 for SmartScreen bypass. The kit also integrates Phemedrone Stealer v2.3.2 and stolen credential validation utilities.

Credential Access

LDAP bind credentials extracted from FortiGate configurations provide read access to the corporate directory without requiring an additional host compromise. On Windows systems the group uses Mimikatz and modified builds compatible with the latest OS updates, alongside KslKatz and KslDump for Kerberos ticket extraction. Browser-stored credentials are harvested via DumpBrowserSecrets and XenAllPasswords.

Persistence and Evasion

G-BOT and Velociraptor implants provide persistent control channels. G-BOT exposes a SOCKS5 proxy per beacon, allowing the attacker to route reconnaissance traffic through compromised hosts themselves. Internal communications document evaluation of EDR neutralization tooling, including a CrowdStrike-specific killer module available as premium tooling within the group’s ecosystem.

Lateral Movement

Internal network traversal is performed by routing enumeration tools such as NetExec through established SOCKS5 channels. Interactive access is achieved via RDP and SSH to ESXi hypervisors using administrator credentials. BloodHound is used to identify privilege escalation paths in Active Directory environments.

Exfiltration

Rclone is the primary transfer tool, complemented by WinSCP and cloud-mount client evaluations. Data is staged and compressed before transfer to attacker-controlled infrastructure. Internal communications document a capability for GPU-assisted processing of large exfiltrated datasets.

Encryption

The Linux locker is deployed from /opt/updateamd with path, password, and accelerated mode parameters. The group encrypts virtual disk volumes directly at the hypervisor layer in Hyper-V environments, bypassing security controls installed on guest machines and amplifying impact across all hosted systems in a single operation. The documented file extension in leaked samples is .i8p14s and the ransom note is deposited as README-GENTLEMEN.txt.

Victims and Geography

Documented victims include a commercial bank in Iraq, a financial services group in Mauritius, a Gulf cement manufacturer, a ceramics company in Spain, an Asian investment firm from which 1.5 TB of data was claimed, and international maritime shipping operators. Target selection is based on revenue criteria researched through business intelligence platforms, prioritizing organizations with turnover exceeding several hundred million dollars. The group’s geographic footprint is global, with documented presence in Europe, the Middle East, Asia, and the Americas.

Sources

  • Ransom-ISAC: The Gentlemen Leak Analysis (Technical Intelligence Report, May 2026)
  • RansomLook: Victim tracking data and repository analysis
  • Unit 42 by Palo Alto Networks: Ransomware Group Analysis
  • BleepingComputer: Ransomware News
  • CrowdStrike Blog: Threat Intelligence Updates

Target Sectors

Sectors in which TheGentleman has concentrated its attacks.

Financial Services

High-priority target due to the volume and sensitivity of customer and transaction data. Documented attacks include commercial banks and financial services groups. Operational disruption creates additional payment pressure given the sector's regulatory criticality.

Manufacturing

Targeted to disrupt production lines and steal industrial intellectual property. Downtime-intolerant manufacturing environments increase willingness to pay. Documented targets include ceramics and construction materials manufacturers.

Maritime and Logistics

The group has compromised international shipping companies and maritime transport operators. The volume of operational data and service continuity requirements create strong negotiation leverage. Logistics disruption produces cascading effects across global supply chains.

Healthcare

Targeted due to service criticality and high value of clinical data. Disruption of hospital systems can compromise patient care, creating additional incentives for immediate payment.

Education

Targeted for large volumes of research and personal data. Complex academic infrastructures typically present a broad attack surface with limited security resources.

Government and Public Sector

Targeted for citizen data value and service continuity dependencies. Public bodies with constrained security budgets represent relatively high-return targets.

Detection & Response Rules

Rules ready to import into SentinelOne XDR. Contact us for full access to the updated repository.

Detects execution of credential extraction tools such as Mimikatz, KslKatz, or KslDump targeting the LSASS process. Early detection is critical to interrupt lateral movement before domain credentials are compromised.

S1QL v2
event.type = 'Process Creation' AND (tgt.process.cmdline CONTAINS 'sekurlsa' OR tgt.process.cmdline CONTAINS 'lsadump' OR tgt.process.cmdline CONTAINS 'kslkatz' OR tgt.process.cmdline CONTAINS 'ksldump' OR (tgt.process.cmdline CONTAINS 'lsass' AND tgt.process.cmdline CONTAINS 'dump'))

Detects processes running from temporary directories making HTTP/HTTPS/WebSocket connections on non-standard ports. This is a characteristic pattern of attacker-dropped tunneling tools such as Chisel, which rarely run from legitimate system paths.

S1QL v2
event.network.protocolName in ('http', 'https', 'websocket') AND !(dst.port.number in (80, 443, 8080, 8443)) AND src.process.image.path contains 'Temp' AND !(src.process.name in ('AdobeARMHelper.exe'))

Alerts on vssadmin.exe or wmic.exe usage to delete volume shadow copies. A systematic pre-encryption step. Early detection preserves recovery points.

S1QL v2
event.type = 'Process Creation' AND (tgt.process.cmdline CONTAINS 'vssadmin delete shadows' OR tgt.process.cmdline CONTAINS 'wmic shadowcopy delete')

Detects nxc or netexec execution for SMB resource scanning across the internal network. Combined use with proxychains indicates an active tunnel is in place and internal reconnaissance is underway.

S1QL v2
event.type = 'Process Creation' AND tgt.process.name IN ('nxc', 'netexec', 'nxc.exe', 'netexec.exe') AND tgt.process.cmdline CONTAINS 'smb'

Detects Rclone execution with copy or sync parameters targeting external services. The group uses Rclone alongside RcloneView for bulk pre-encryption data transfer.

S1QL v2
event.type = 'Process Creation' AND tgt.process.name = 'rclone.exe' AND (tgt.process.cmdline CONTAINS ' copy ' OR tgt.process.cmdline CONTAINS ' sync ' OR tgt.process.cmdline CONTAINS ' move ') AND (tgt.process.cmdline CONTAINS 'mega' OR tgt.process.cmdline CONTAINS 'dropbox' OR tgt.process.cmdline CONTAINS 's3' OR tgt.process.cmdline CONTAINS 'ftp')

Identifies PsExec execution or the PSEXESVC service on network hosts. Used by the group for simultaneous multi-host locker deployment.

S1QL v2
event.type = 'Process Creation' AND (tgt.process.name = 'psexec.exe' OR tgt.process.name = 'PSEXESVC.exe')

Alerts on SSH connections to ESXi or Hyper-V hosts from sources other than the approved administration hosts. The group accesses hypervisors to execute encryption directly against virtual disk volumes, maximizing impact without requiring per-VM compromise. Replace the placeholder addresses with the hypervisor management interfaces and the jump hosts permitted to reach them; an unrestricted protocolName match would fire on every SSH session in the estate.

S1QL v2
event.network.protocolName = 'ssh' AND dst.ip.address IN ('HYPERVISOR_MGMT_IP_1', 'HYPERVISOR_MGMT_IP_2') AND !(src.ip.address IN ('ADMIN_JUMPHOST_IP'))
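As an added example (not part of the original page, and not SentinelOne's or the group's tooling), the logic of the LSASS, Rclone and shadow-copy rules above written as Python predicates over constructed process-creation events, then correlated per host so that a host showing all three stages (credential access, exfiltration, recovery destruction) is escalated as one finding. The field comments map to the S1QL fields used above; host names, process names and command lines in the sample are constructed.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    name: str     # maps to tgt.process.name
    cmdline: str  # maps to tgt.process.cmdline

def _has_any(text, needles):
    t = text.lower()
    return any(n in t for n in needles)

def lsass_dump(e):
    # Mimikatz/KslKatz/KslDump module keywords, or a generic "dump ... lsass" line
    return _has_any(e.cmdline, ("sekurlsa", "lsadump", "kslkatz", "ksldump")) or (
        "lsass" in e.cmdline.lower() and "dump" in e.cmdline.lower())

def shadow_copy_deletion(e):
    return _has_any(e.cmdline, ("vssadmin delete shadows", "wmic shadowcopy delete"))

def rclone_to_cloud(e):
    # Substring checks: a command line never *equals* 'copy', it contains it
    return (e.name.lower() in ("rclone", "rclone.exe")
            and _has_any(e.cmdline, (" copy ", " sync ", " move "))
            and _has_any(e.cmdline, ("mega", "dropbox", "s3", "ftp")))

RULES = {"lsass_dump": lsass_dump, "rclone_to_cloud": rclone_to_cloud,
         "shadow_copy_deletion": shadow_copy_deletion}

def evaluate(events):
    """Return {host: set of rule names that fired on that host}."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(e.host, set()).add(name)
    return hits

def escalated(hits):
    """Hosts showing all three stages: credential access, exfiltration, recovery destruction."""
    return sorted(h for h, r in hits.items() if set(RULES) <= r)

# Constructed sample telemetry, not taken from the leak or from any real victim
SAMPLE = [
    ProcEvent("fs01", "mimikatz.exe", "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    ProcEvent("fs01", "rclone.exe", "rclone.exe copy D:\\Shares mega:exfil --transfers 16"),
    ProcEvent("fs01", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("ws22", "rclone.exe", "rclone.exe lsd mydrive:"),
    ProcEvent("ws22", "robocopy.exe", "robocopy D:\\dump E:\\backup /E"),
]
```

Running evaluate(SAMPLE) flags only fs01, where all three rules fired; the rclone listing and the robocopy job on ws22 trigger nothing, which is the false-positive class the original IN comparisons could not express.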