The Gentlemen Ransomware Threat Analysis

The Gentlemen Ransomware Threat Analysis

The Gentlemen Ransomware Threat Analysis

Published by AlienVault on 2026-05-13, the recent threat report titled Thus Spoke…The Gentlemen offers an unprecedented inside view of a ransomware‑as‑a‑service (RaaS) operation that has rapidly scaled to become one of the most prolific in 2026.

At the heart of the operation is the administrator known as zeta88 (also referenced as hastalamuerte). The leak of the internal backend database, dubbed Rocket, exposed nine active accounts, including the primary admin, and revealed operational workflows, toolsets, and affiliate relationships.

Security analysts should note that the leak provided a unique end‑to‑end view of the RaaS lifecycle—from initial access through credential exploitation, lateral movement, data exfiltration, and final ransomware deployment.

Key TTPs identified in the leaked chats include:

  • Initial Access: Exploitation of exposed Fortinet and Cisco edge appliances, NTLM relay and credential stuffing against web and VPN panels, and the use of third‑party bot brokers.
  • Privilege Escalation: Active use of tools such as NetExec, RelayKing, PrivHound, and RegPwn to acquire domain admin privileges.
  • Lateral Movement: Deployment of custom tunnels via Cloudflare Zero Trust, WireGuard, and OpenVPN to maintain persistent footholds.
  • Data Exfiltration: Utilization of NAS devices, backup infrastructure, and Veeam misconfigurations to collect large volumes of data.
  • Ransomware Deployment: The custom locker, “GLOCKER,” is designed to spread quickly across the network, bypassing EDR and AV solutions through ETW manipulation and other stealth techniques.

The group tracks modern CVEs such as CVE-2024-55591 on FortiOS, CVE-2025-32433 on Cisco Erlang SSH, and CVE-2025-33073 for NTLM reflection, indicating a proactive approach to vulnerability exploitation.

Financial operations are equally sophisticated. Payouts are conducted via chained Bitcoin transactions, with “buy desk” exchanges and QR‑code cash‑out methods to launder proceeds. The admin, zeta88, also distributes 90% of the ransom to affiliates, often splitting the share among multiple participants per campaign.

Recommendations for defenders include:

  1. Hardening Edge Devices: Immediately patch or isolate exposed Fortinet and Cisco appliances; disable unused management interfaces.
  2. Monitor NTLM Relay: Deploy monitoring for unusual NTLM traffic and enforce MFA on all privileged accounts.
  3. Detect EDR Evasion: Use behavioral analytics to identify ETW tampering, registry modifications, and known kill‑kit signatures.
  4. Segregate Network Segments: Limit lateral movement by enforcing strict segmentation and zero‑trust principles.
  5. Threat Hunting: Search for TOX identifiers such as F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E and related IP patterns in internal logs.

For deeper insight, analysts should review the full report at hxxp://research[.]checkpoint[.]com/2026/thus-spoke-the-gentlemen/ and the associated pulse at hxxp://otx[.]alienvault[.]com/pulse/6a04aad1cd2da41f0087f85d.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading