The Gentlemen RaaS Targets Fortinet and Cisco Edge Devices for Initial Access

The Gentlemen ransomware group is using exposed edge devices, stolen credentials, and known vulnerability paths to break into corporate networks before deploying ransomware.

<a href="http://

1. Patch Fortinet, Cisco, Windows, VPN, firewall, and remote access systems quickly.
2. Remove public exposure from management interfaces wherever possible.
3. Enforce MFA on VPN, OWA, Microsoft 365, and admin portals.
4. Audit FortiGate and Cisco edge devices for suspicious logins and configuration changes.
5. Disable or restrict legacy NTLM where possible.
6. Enable SMB signing on critical Windows systems.
7. Review Active Directory for unconstrained delegation and risky privilege paths.
8. Harden EDR against tampering and alert on service changes.
9. Monitor for Cloudflare tunnels or unexpected outbound tunneling tools.
10. Keep tested offline backups separated from domain credentials.

Detection ideas for security teams

Detection should focus on behavior, not only indicators. A ransomware group that runs an affiliate model can change tooling from one intrusion to another.

BEST SPRING 2026 DEALS

Editor's Choice

Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.

Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

Teams should monitor failed and successful VPN logins, new admin sessions, unusual geolocation patterns, and configuration changes on edge devices. They should also review sudden changes to EDR services, registry settings, backup systems, and virtualization hosts.

Network telemetry should flag unexpected tunnels, unusual outbound connections, and large archive uploads from file servers or administrator workstations.

• Repeated login attempts against VPN and firewall panels.
• New administrator accounts on edge devices.
• Configuration exports from Fortinet or Cisco appliances.
• RelayKing, ntlmrelayx, or other NTLM relay tooling activity.
• Suspicious use of Cloudflare tunnels or reverse proxies.
• EDR service stops, driver abuse, or security tool tampering.
• Large data transfers before encryption events.
• Linux and ESXi activity tied to ransomware staging.

The larger lesson from the Rocket leak

The Rocket leak gives defenders a rare look at how a modern ransomware service operates behind the scenes. It shows a group that blends criminal recruiting, affiliate management, vulnerability tracking, access brokers, and structured negotiation tactics.

The Gentlemen’s speed also shows why exposed edge devices remain a top ransomware risk. Once attackers control perimeter access, they can move from one appliance to a full-domain incident quickly.

For most organizations, the most effective response is clear: harden the edge, reduce credential exposure, close NTLM relay paths, monitor tunnels, and make sure ransomware recovery plans work before attackers test them.

FAQ