Introduction
Published by Group-IB on 2026-03-21, the report titled Gentlemen TTPs Analysis Report offers an in‑depth look at a newly surfaced ransomware-as-a-service operation known as The Gentlemen. The threat actor, led by the pseudonymous hastalamuerte, has evolved from an affiliate of the Qilin RaaS to a fully independent group capable of orchestrating widespread extortion campaigns. The analysis draws on incident data, malware reverse engineering, and underground intelligence to map the adversary’s tactics, techniques, and procedures (TTPs) across the entire attack lifecycle.
Key Findings
- The Gentlemen’s initial access vector is a critical authentication bypass (CVE-2024-55591) in FortiOS/FortiProxy, giving attackers “super_admin” privileges without credential validation.
- They maintain a database of approximately 13,400 compromised FortiGate devices worldwide, supplemented by 969 brute‑forced VPN credentials.
- Brute‑force attacks use a vast dictionary of default usernames and passwords, often appended with obfuscated garbage strings to test honeypots.
- Execution relies heavily on PowerShell and Python scripts to establish persistence, disable defenses, and spread laterally via SMB and RDP.
- Data exfiltration is performed with a masqueraded rclone binary (avastrclone.exe) configured to use SFTP to the external host 194[.]87[.]31[.]69.
- The ransomware payload encrypts user data, drops a README‑GENTLEMEN.txt, and deletes forensic evidence such as event logs, shadow copies, and Defender configurations.
Attack Lifecycle
Initial Access
The attackers exploit the authentication bypass by sending crafted WebSocket requests that bypass session checks, creating a super_admin account. Once inside, they enumerate the network, identify LDAP integration, and select targets with high-value data and weak credentials.
Execution & Persistence
PowerShell scripts install the Windows PowerShell Web Access feature, create scheduled tasks for rclone execution, and add malicious accounts to the Domain Admins group. Python scripts (userpassfort.py) harvest credentials from Fortinet configuration files and launch credential stuffing attacks via NetExec.
Lateral Movement
SMB shares are abused to spread the malware, while RDP access is granted to attacker-controlled accounts. Group Policy modifications enable SMB services and disable security settings, facilitating rapid domain-wide propagation.
Defense Evasion
Criminals use BYOVD techniques, loading vulnerable signed drivers (ThrottleBlood.sys, viragt64.sys) to terminate EDR and AV processes. They also tweak registry keys to disable Windows Defender real‑time monitoring and remove logs with wevtutil commands.
Exfiltration
Rclone is configured with a custom SFTP profile pointing to 194[.]87[.]31[.]69, and the malware schedules a hidden task to run rclone at startup, ensuring continuous data theft.
Impact
Beyond encryption, The Gentlemen’s code stops backup services (Veeam, Acronis), deletes shadow copies, and tears down VMware services, ensuring victims cannot recover without paying the ransom. The presence of a README file and double‑extortion tactics further pressure organizations into compliance.
Recommendations
- Patch all internet-facing FortiGate devices immediately and enforce strict authentication mechanisms.
- Implement multi‑factor authentication for all privileged accounts and enforce password complexity for VPN users.
- Deploy advanced EDR solutions with driver‑load monitoring to detect BYOVD attacks.
- Segment networks to isolate critical infrastructure and limit lateral movement.
- Maintain offline backups and verify restoration procedures regularly.
- Use AI‑based threat detection platforms that can analyze suspicious PowerShell, Python, and rclone activity.
- Configure group policies to block SMB access from untrusted networks and enforce Windows Defender real‑time protection.
- Monitor for scheduled tasks named “SafeSync” or similar and investigate any unauthorized rclone binaries.
Additional Resources
For further insight, review the full threat report at hxxps://www[.]group-ib[.]com/blog/hastalamuerte-gentlemen-raas-ttps/ and the pulse on AlienVault at hxxps://otx[.]alienvault[.]com/pulse/69bf251d671d99c66668c716/.

