Thus Spoke…The Gentlemen
A recent leak of internal communications and backend data from 'The Gentlemen' RaaS operation has revealed the group's highly structured operational model and mature toolset. The threat actors actively exploit edge appliances and NTLM relay vulnerabilities for initial access, followed by extensive use of red-team tools and custom EDR evasion techniques to deploy their cross-platform ransomware.
Authors: Check Point Research
Source: Check Point
- CVE: CVE-2024-55591 - FortiOS management interface vulnerability targeted for initial access
- CVE: CVE-2025-33073 - NTLM reflection vulnerability actively scanned for and exploited
- Filename: README-GENTLEMEN.txt - Ransom note dropped by The Gentlemen ransomware
- Filename: gentlemen.bmp - Wallpaper image dropped by the ransomware
- URL: hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion - The Gentlemen RaaS Data Leak Site (DLS)
Detection / Hunter: Google
What Happened
In May 2026, internal chats and data from a major ransomware group known as 'The Gentlemen' were leaked online. This leak exposed how the group operates, showing that they target internet-facing devices like VPNs to break into corporate networks. Once inside, they use advanced tools to bypass security software, steal sensitive data, and deploy ransomware. This matters because it gives defenders a rare, detailed look at the exact methods and tools a top-tier ransomware group uses. Organizations should urgently update their internet-facing systems, monitor for unusual network activity, and review their security logs for the specific tools mentioned.
Key Takeaways
- The Gentlemen RaaS internal database ('Rocket') and chats were leaked, exposing 9 core accounts and operational details.
- The group actively exploits edge devices (Fortinet, Cisco) and tracks modern vulnerabilities like CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073.
- Affiliates utilize a mature toolset including NetExec, RelayKing, Cloudflare tunnels, and custom EDR evasion tools (gfreeze, glinker).
- The group leverages stolen data from previous breaches to enrich and extort new victims, demonstrating a sophisticated dual-pressure tactic.
- The RaaS administrator (zeta88/hastalamuerte) actively participates in intrusions and manages a 90/10 profit-sharing model.
Affected Systems
- Fortinet FortiGate appliances
- Cisco edge devices
- Active Directory environments
- ESXi virtualization infrastructure
- Windows endpoints
Vulnerabilities (CVEs)
- CVE-2024-55591
- CVE-2025-32433
- CVE-2025-33073
Attack Chain
The Gentlemen RaaS gains initial access by exploiting exposed edge devices (e.g., Fortinet, Cisco) or purchasing access from brokers. They perform internal reconnaissance and privilege escalation using tools like NetExec, RelayKing, and PrivHound, often abusing ADCS and NTLM relay vulnerabilities. The group establishes persistence via Cloudflare tunnels and custom VPNs while disabling EDR solutions using BYOVD and ETW patching techniques. Finally, they exfiltrate data to NAS devices and deploy their custom Go-based ransomware locker across Windows and ESXi environments.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Check Point Research
The article provides a YARA rule designed to detect The Gentlemen Ransomware written in Go.
Detection Engineering Assessment
- EDR Visibility: Medium — The group heavily utilizes custom EDR evasion tools (gfreeze, glinker), NTDLL unhooking, and ETW patching, which may blind EDR sensors during the later stages of the attack.
- Network Visibility: Medium — Initial access via edge device exploitation and NTLM relaying can be detected, but the use of Cloudflare tunnels and custom VPNs encrypts C2 traffic.
- Detection Difficulty: Hard — The actors use legitimate red-team tools (NetExec, Velociraptor) and actively patch ETW/unhook NTDLL, making behavioral detection challenging.
Required Log Sources
- Windows Event Logs (Security, System)
- Firewall/VPN Logs
- Active Directory Logs
- EDR Telemetry
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unusual outbound connections to Cloudflare infrastructure originating from internal servers, which may indicate unauthorized tunneling (T1090.006). | Firewall/Proxy Logs, EDR Network Events | Command and Control | Medium |
| If you have visibility into Active Directory, monitor for anomalous certificate requests or ADCS misconfiguration exploitation patterns (T1649). | Active Directory Logs, Windows Event ID 4887 | Credential Access | Low |
| Consider hunting for the execution of known red-team tools like NetExec or RelayKing by analyzing command-line arguments and process ancestry. | EDR Process Execution Logs, Windows Event ID 4688 | Execution / Lateral Movement | Low |
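As an added example, not code from the Check Point article, the following Python runs the process-execution and tunneling hypotheses from the table over constructed Event ID 4688-style records, keeping parent-process ancestry for triage and suppressing hosts sanctioned to run a Cloudflare connector. The record field names, host names, paths and the allowlist are assumptions; the tool names come from the page.

```python
import re

# Constructed Windows Security Event ID 4688-style records (NewProcessName,
# CommandLine, ParentProcessName). Sample data for illustration, not telemetry
# from the leak; host names and paths are assumptions.
SAMPLE_4688 = [
    {"host": "SRV-FILE01", "image": r"C:\Users\Public\nxc.exe",
     "cmdline": "nxc.exe smb hosts.txt", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "SRV-FILE01", "image": r"C:\ProgramData\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS-0042", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "parent": r"C:\Windows\explorer.exe"},
    {"host": "SRV-DC01", "image": r"C:\Temp\gogo.exe",
     "cmdline": "gogo.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "SRV-ZT-GW01", "image": r"C:\Program Files\cloudflared\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run", "parent": r"C:\Windows\System32\services.exe"},
]

# Hosts sanctioned to run a Cloudflare Zero Trust connector (assumed allowlist);
# suppressing these is what keeps the tunneling hypothesis at "Medium" FP risk.
ALLOWED_TUNNEL_HOSTS = {"SRV-ZT-GW01"}

# (rule name, ATT&CK stage as in the hunting table, image regex, cmdline regex or None)
RULES = [
    ("NetExec execution", "Execution / Lateral Movement", r"(^|\\)(nxc|netexec)(\.exe)?$", None),
    ("RelayKing execution", "Execution / Lateral Movement", r"(^|\\)relayking(\.exe)?$", None),
    ("gogo.exe port scanner", "Discovery", r"(^|\\)gogo\.exe$", None),
    ("EDRStartupHinder", "Defense Evasion (T1562.001)", r"edrstartuphinder", None),
    ("cloudflared tunnel", "Command and Control (T1090.006)",
     r"(^|\\)cloudflared(\.exe)?$", r"\btunnel\b"),
]


def hunt(events, allowed_tunnel_hosts=ALLOWED_TUNNEL_HOSTS):
    """Return one finding per (event, rule) match, with process ancestry kept for triage."""
    findings = []
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmdline"].lower()
        for name, stage, image_re, cmd_re in RULES:
            if not re.search(image_re, image):
                continue
            if cmd_re and not re.search(cmd_re, cmd):
                continue
            if name == "cloudflared tunnel" and ev["host"] in allowed_tunnel_hosts:
                continue  # sanctioned connector host: not a hunting lead
            findings.append({"host": ev["host"], "rule": name, "stage": stage,
                             "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings
```

Each finding carries the parent process so the analyst can apply the ancestry check from the table (a scanner launched from cmd.exe under a service account reads differently from one launched by an interactive administrator).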
Control Gaps
- Exposed management interfaces on edge devices
- Unpatched NTLM relay vulnerabilities
- Lack of ETW tampering detection
Key Behavioral Indicators
- Presence of 'buildx641' custom log parser
- Usage of 'gogo.exe' for port scanning
- Execution of 'EDRStartupHinder' or similar EDR blocking tools
- TOX IDs used in ransom notes or communication (e.g., F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E)
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Ensure all Fortinet and Cisco edge appliances are patched against known vulnerabilities (e.g., CVE-2024-55591, CVE-2025-32433).
- Restrict access to management interfaces of internet-facing devices to trusted IP addresses only.
Infrastructure Hardening
- Implement mitigations against NTLM relay attacks, such as enforcing SMB signing and LDAP channel binding.
- Audit Active Directory Certificate Services (ADCS) for misconfigurations that could allow privilege escalation.
- Block unauthorized use of tunneling services like Cloudflare Zero Trust or ngrok at the network perimeter.
User Protection
- Enforce multi-factor authentication (MFA) on all VPNs and external-facing portals.
- Monitor for and block the execution of unauthorized red-team tools and credential dumpers.
Security Awareness
- Train incident response teams on the dual-pressure extortion tactics used by modern RaaS groups.
- Educate administrators on the risks of storing sensitive credentials in easily accessible network shares or collaboration tools.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts
- T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
- T1562.001 - Disable or Modify Tools
- T1090.006 - Use Alternate Communications Routing
- T1649 - Steal or Forge Authentication Certificates
- T1486 - Data Encrypted for Impact
Additional IOCs
- File Hashes:
- Other:
CVE-2025-32433 - Erlang SSH vulnerability evaluated by the group for Cisco exploitation