Published on May 14, 2026

The Gentlemen RaaS Leverages Fortinet and Cisco Edge Devices for Initial Access


Severity

Critical

Detail

Security researchers have identified increased activity from The Gentlemen, a ransomware-as-a-service (RaaS) group that emerged in mid-2025 and quickly became one of the most active ransomware operations globally. The group reportedly published around 332 victims during the first five months of 2026. The Gentlemen operates through an affiliate-based model where partners carry out attacks and receive 90% of ransom payments, while the operators keep 10%. This aggressive profit-sharing model has helped the group rapidly expand its operations.

Researchers obtained insight into the group’s activities after an internal database leak exposed chat logs, operational details, tools, and negotiation tactics used by the ransomware operators. The group mainly targets exposed edge devices such as Fortinet FortiGate VPN appliances and Cisco edge systems to gain initial access into corporate networks. Attackers use brute-force attacks, exploit known vulnerabilities, and purchase stolen access from underground brokers.

After gaining access, the attackers perform reconnaissance, move laterally across the network, escalate privileges, disable security tools, and maintain persistence using cloud-based tunneling services. Before encrypting systems, the group also steals sensitive data to pressure victims into paying ransom demands. The group has also reused stolen data from previous victims to support later attacks, showing an increasingly aggressive double-extortion strategy.

How?

The attack begins by targeting exposed internet-facing devices such as Fortinet FortiGate VPN appliances and Cisco edge systems. Attackers gain initial access by using stolen credentials, brute-force attacks, exploiting known vulnerabilities, or purchasing access from underground brokers. Once inside the network, they perform reconnaissance activities to identify critical systems, conduct Active Directory enumeration, and escalate privileges.

The attackers then disable or bypass security tools and establish persistent access using cloud-based tunneling services to avoid detection. Before deploying the ransomware, they exfiltrate sensitive data from the environment to use as leverage during ransom negotiations. After securing full control of the environment, the attackers deploy The Gentlemen ransomware to encrypt systems and demand payment.

Indicator of Compromise (IoC)

Type      | Indicator                                                                    | Description
----------+------------------------------------------------------------------------------+---------------------------------------------
File Name | README-GENTLEMEN.txt                                                         | Ransom note file
File Name | gentlemen.bmp                                                                | Ransomware wallpaper file
File Name | Gentlemen_system                                                             | Internal ransomware identifier
TOX ID    | F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E | RaaS Administrator (zeta88 / hastalamuerte)
SHA-256   | 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a             | The Gentlemen Windows Ransomware
SHA-256   | 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c             | The Gentlemen Linux Ransomware
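The indicators above can be turned into a simple host-side sweep. The following script is an added example written for this advisory, not tooling from the source article or from the researchers; it takes only the SHA-256 values and file names from the table, walks a directory tree, and reports any file whose name or content hash matches. The `demo()` function builds a constructed sample tree (a file carrying the ransom-note name next to a benign file) so the sweep can be exercised offline; the hash entries cannot be triggered by constructed data, because the sample payloads are not on the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the advisory's IoC table. Nothing else here is from the page.
KNOWN_HASHES = {
    "025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a": "The Gentlemen Windows Ransomware",
    "1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c": "The Gentlemen Linux Ransomware",
}
# File-name indicators, stored lower-case so the match is case-insensitive (Windows semantics).
KNOWN_NAMES = {
    "readme-gentlemen.txt": "Ransom note file",
    "gentlemen.bmp": "Ransomware wallpaper file",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_bytes(data):
    """Return the description for a payload whose SHA-256 is a known indicator, else None."""
    return KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())


def classify_file(path):
    """Return a list of (indicator_type, indicator, description) hits for one file."""
    hits = []
    name = os.path.basename(path)
    if name.lower() in KNOWN_NAMES:
        hits.append(("file_name", name, KNOWN_NAMES[name.lower()]))
    try:
        digest = sha256_of(path)
    except OSError:
        # Unreadable file (permissions, vanished mid-scan): keep the name hit, skip the hash.
        return hits
    if digest in KNOWN_HASHES:
        hits.append(("sha256", digest, KNOWN_HASHES[digest]))
    return hits


def scan_tree(root):
    """Walk a directory tree and collect every (path, indicator_type, indicator, description)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            for hit in classify_file(full):
                findings.append((full,) + hit)
    return findings


def demo():
    """Constructed sample tree (hypothetical data, not real artefacts): one ransom-note name, one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "README-GENTLEMEN.txt").write_text("constructed sample, not a real note")
        Path(tmp, "report.txt").write_text("quarterly numbers")
        findings = scan_tree(tmp)
    # Drop the temporary path so the result is stable across runs.
    return [(os.path.basename(p), kind, desc) for p, kind, _ind, desc in findings]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

In production the same `scan_tree` would be pointed at file shares and endpoint roots rather than a temp directory, and the hash set would be loaded from a maintained feed; name matches alone are a weak signal and should be used to prioritise hash checks, not as a verdict.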

Recommendation

The following measures can help reduce the risk of compromise and improve detection capabilities:

  • Patch and secure all internet-facing VPNs, firewalls, and edge devices.
  • Monitor for suspicious NTLM relay activity and brute-force login attempts.
  • Enforce multi-factor authentication (MFA) for all remote access services.
  • Review Active Directory activity for unusual privilege escalation attempts.
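The second recommendation, watching for brute-force login attempts against remote-access services, can be implemented as a sliding-window count of failed logins per source address. The script below is an added example for this advisory, not code from the source article or from any vendor; the log format (`vpn-login src=… user=… result=…`) is a constructed, simplified one, not the FortiGate or Cisco syslog format, and the sample lines are invented. It raises one alert when a source exceeds the failure threshold inside the window (reporting how many distinct usernames were tried, which separates password spraying from a single-account guess) and a second, higher-priority alert if that same source then logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format (an assumption for this example, not a real appliance format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: one source bursts through five accounts then succeeds on the last,
# a second source fails once and succeeds five minutes later (ordinary user behaviour).
SAMPLE_LOG = """\
2026-05-14T10:00:01Z vpn-login src=203.0.113.5 user=alice result=failure
2026-05-14T10:00:03Z vpn-login src=203.0.113.5 user=bob result=failure
2026-05-14T10:00:05Z vpn-login src=203.0.113.5 user=carol result=failure
2026-05-14T10:00:07Z vpn-login src=203.0.113.5 user=dave result=failure
2026-05-14T10:00:09Z vpn-login src=203.0.113.5 user=erin result=failure
2026-05-14T10:00:12Z vpn-login src=203.0.113.5 user=erin result=success
2026-05-14T10:00:20Z vpn-login src=198.51.100.7 user=frank result=failure
2026-05-14T10:05:00Z vpn-login src=198.51.100.7 user=frank result=success
"""


def parse_line(line):
    """Parse one log line into a dict with an epoch timestamp, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on >= threshold failures from one source within window_seconds, and on a
    subsequent success from a source that already produced such a burst."""
    recent = defaultdict(deque)   # src -> deque of (epoch, user) for failures inside the window
    burst_seen = set()            # sources already reported, so each burst alerts once
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        cutoff = ev["ts"] - window_seconds
        while q and q[0][0] < cutoff:    # expire failures that fell out of the window
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in burst_seen:
                burst_seen.add(ev["src"])
                alerts.append({
                    "type": "failure_burst",
                    "src": ev["src"],
                    "failures": len(q),
                    "distinct_users": len({u for _, u in q}),
                })
        elif ev["result"] == "success" and ev["src"] in burst_seen and q:
            # A success while failures are still inside the window: likely a guessed credential.
            alerts.append({"type": "success_after_burst", "src": ev["src"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Thresholds are the tuning knob: a low threshold over a short window catches fast guessing, while a long window with a per-user view is needed for slow spraying. The `success_after_burst` alert is the one worth paging on, since it is the point at which the recommendation to enforce MFA on every remote-access service would have stopped the intrusion.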

Conclusion

The Gentlemen ransomware group has rapidly evolved into a highly active and organized threat actor by targeting vulnerable Fortinet and Cisco edge devices for initial access. Their use of affiliate-driven operations, double-extortion tactics, and persistent access techniques makes them a significant risk to organizations worldwide. The campaign highlights the importance of securing internet-facing systems, monitoring suspicious network activity, and strengthening overall ransomware defense strategies to reduce the likelihood and impact of compromise.

Source

https://cybersecuritynews.com/the-gentlemen-raas-leverages-fortinet-and-cisco-edge-devices/