
Ransomware Insider Exposes ‘The Gentlemen’ Gang’s Secrets

Originally published on: March 20, 2026
Summary

– A ransomware affiliate’s leak provided rare operational details about the new, rapidly evolving ransomware-as-a-service group called The Gentlemen.
– The group runs a dual-extortion model, targets Windows, Linux and ESXi systems, and most often gains initial access through FortiGate VPN appliances, either by exploiting known vulnerabilities or by brute-forcing credentials.
– Its tradecraft includes automated lateral movement over PowerShell and WMI, credential harvesting, disabling of backups, and defense evasion such as BYOVD driver abuse and log wiping.
– The leak highlights growing internal tensions and disputes within RaaS affiliate models, which can expose group operations.
– The evolution of such groups reflects a broader trend toward more professionalized cybercrime that challenges traditional security measures.

A recent leak from within a cybercriminal network has provided a rare look at the inner workings of a ransomware group known as The Gentlemen. This emerging threat actor, which operates on a ransomware-as-a-service (RaaS) model, has quickly assembled a capable toolset and targets Windows, Linux and ESXi environments alike. The revelations come from an affiliate using the alias ‘hastalamuerte,’ who exposed operational secrets amid internal disputes, highlighting both the professionalization and the inherent instability of these criminal ecosystems.

Group-IB’s research, detailed in a March 19 report, indicates The Gentlemen formed following a split from another RaaS operation linked to Qilin. Leveraging pre-existing tools and infrastructure, experienced members rapidly stood up this new brand. The group employs a dual-extortion tactic, simultaneously encrypting a victim’s data and threatening to publish it online, a method that dramatically increases the pressure to pay the ransom.

Their attacks are notably cross-platform, targeting Windows, Linux, and VMware ESXi environments. The primary point of entry is internet-facing FortiGate VPN appliances, which the attackers reach either by exploiting known vulnerabilities or by brute-forcing credentials. Both routes are preventable in principle: patching closes the known vulnerabilities, and multi-factor authentication with account lockout defeats password guessing. Once inside a network, the group’s affiliates run a streamlined playbook built for maximum disruption: automated lateral movement, credential harvesting, disabling backup systems, and finally encrypting data across the entire domain to compress the extortion timeline.
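The brute-force route in particular is visible at the appliance if anyone is reading its logs. The following Python is an editor's example added here, not code from the Group-IB report or from Infosecurity Magazine: it counts SSL VPN login failures per source address inside a sliding window and flags a source that afterwards succeeds in bringing a tunnel up, the sequence that most often precedes an intrusion. The key=value layout, the action strings ssl-login-fail and tunnel-up, and every address and username in SAMPLE_LOG are constructed to resemble FortiGate event logs; treat the field names as assumptions and check them against your own device's output.

```python
"""Flag password guessing against an SSL VPN from key=value event logs.

Added example. Field names and action strings are modelled on FortiGate event
logs (date, time, action, remip, user) but every line in SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed: 203.0.113.45 cycles through usernames and then gets a tunnel up;
# 198.51.100.7 is a real user who mistyped a password once.
SAMPLE_LOG = """\
date=2026-03-18 time=02:14:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="admin" reason="sslvpn_login_unknown_user"
date=2026-03-18 time=02:14:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="administrator" reason="sslvpn_login_unknown_user"
date=2026-03-18 time=02:14:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="backup" reason="sslvpn_login_unknown_user"
date=2026-03-18 time=02:14:11 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="vpn" reason="sslvpn_login_unknown_user"
date=2026-03-18 time=02:14:15 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-03-18 time=02:14:20 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="jsmith" reason="sslvpn_login_permission_denied"
date=2026-03-18 time=02:14:26 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.45 user="jsmith"
date=2026-03-18 time=08:01:10 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="mlee" reason="sslvpn_login_permission_denied"
date=2026-03-18 time=08:01:25 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="mlee"
"""


def parse_kv_line(line: str) -> dict:
    """Split one key=value line into a dict; values may be quoted or bare."""
    return {k: (q if q else b) for k, q, b in KV_RE.findall(line)}


def detect_vpn_bruteforce(log_text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {remip: finding} for sources with >= threshold failures inside window.

    A finding records the peak failure count, the usernames tried, and whether
    the same source later brought a tunnel up, which is the case to triage first.
    """
    recent = defaultdict(deque)   # remip -> failure timestamps still inside the window
    tried = defaultdict(set)      # remip -> usernames attempted
    findings = {}
    for raw in log_text.splitlines():
        ev = parse_kv_line(raw)
        if ev.get("subtype") != "vpn" or "remip" not in ev:
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        ip = ev["remip"]
        if ev.get("action") == "ssl-login-fail":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(ev.get("user", "?"))
            while ts - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": [], "success_after": False})
                f["failures"] = max(f["failures"], len(q))
                f["users"] = sorted(tried[ip])
        elif ev.get("action") == "tunnel-up" and ip in findings:
            findings[ip]["success_after"] = True
            findings[ip]["success_user"] = ev.get("user")
    return findings


if __name__ == "__main__":
    for ip, finding in detect_vpn_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The threshold and window are deliberately low so the constructed sample trips them; on a real appliance tune them against a week of baseline and, above all, alert on the success_after case, since a source that guesses for minutes and then connects is an account to disable rather than a statistic to review.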

Technical analysis detailed the toolset. To move through a compromised network, the actors rely heavily on PowerShell and Windows Management Instrumentation (WMI), both of which ship with Windows and so blend in with routine administration. To obstruct recovery, they deliberately target backup and security software. After the attack, they run anti-forensic tools to wipe evidence from the compromised systems.

Most concerning is their defense evasion. Bring Your Own Vulnerable Driver (BYOVD) attacks load a legitimately signed but exploitable kernel driver and abuse its flaw to gain kernel-level access, from which endpoint protection can be terminated below the reach of user-mode tamper protection; this is paired with aggressive deletion of system logs. Together these actions neutralize endpoint protection and severely complicate any subsequent forensic investigation.
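Each post-access step described in the three paragraphs above (WMI-spawned command shells, destruction of shadow copies and recovery settings, clearing of event logs, and loading of an unfamiliar signed driver for BYOVD) leaves a distinct Windows event record. The Python below is an added example, not taken from the report or from any vendor tooling: it classifies constructed Security and Sysmon records and rates a host by how many distinct stages it shows. Field names follow the real schemas of Security Event ID 4688 and 1102, System Event ID 104 and Sysmon Event ID 1 and 6, but the hostnames, paths and command lines are invented, and DRIVER_BASELINE is an assumption standing in for an inventory of drivers from a clean build. Signature status is deliberately not used as a reason to trust a driver, because BYOVD depends on drivers that are validly signed.

```python
"""Classify post-intrusion Windows event records and rate hosts by stages seen.

Added example; the event dicts are constructed to look like a SIEM export,
with field names from the real event schemas but invented values.
"""
import re
from collections import defaultdict

# Command lines that destroy recovery options (ATT&CK T1490).
BACKUP_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE,
)
# Interpreters that WMI remote execution spawns under WmiPrvSE.exe (T1047).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "rundll32.exe"}
# A legitimate driver should never load from a user-writable directory.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|windows\\temp)\\", re.IGNORECASE)
# Assumed inventory of driver paths from a clean build (constructed, two entries).
DRIVER_BASELINE = {r"c:\windows\system32\drivers\ntfs.sys",
                   r"c:\windows\system32\drivers\tcpip.sys"}

SAMPLE_EVENTS = [  # constructed records: FS01 shows the full chain, WS22 is benign
    {"TimeCreated": "2026-03-18T03:02:10", "Computer": "FS01", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"TimeCreated": "2026-03-18T03:05:41", "Computer": "FS01", "Channel": "Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\ProgramData\Tools\driver.sys", "Signed": "true", "SignatureStatus": "Valid"},
    {"TimeCreated": "2026-03-18T03:06:02", "Computer": "FS01", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"TimeCreated": "2026-03-18T03:06:05", "Computer": "FS01", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\bcdedit.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"TimeCreated": "2026-03-18T03:40:00", "Computer": "FS01", "Channel": "Security", "EventID": 1102},
    {"TimeCreated": "2026-03-18T09:00:00", "Computer": "WS22", "Channel": "Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"TimeCreated": "2026-03-18T09:12:30", "Computer": "WS22", "Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the stage tags one event record matches (possibly none)."""
    tags = []
    key = (event["Channel"], event["EventID"])
    if key in {("Security", 4688), ("Sysmon", 1)}:
        cmd = event.get("CommandLine", "")
        parent = basename(event.get("ParentProcessName") or event.get("ParentImage", ""))
        child = basename(event.get("NewProcessName") or event.get("Image", ""))
        if BACKUP_TAMPER.search(cmd):
            tags.append("backup_tampering")
        if parent == "wmiprvse.exe" and child in SHELLS:
            tags.append("wmi_remote_exec")
    elif key in {("Security", 1102), ("System", 104)}:
        tags.append("log_cleared")          # audit or System log cleared (T1070.001)
    elif key == ("Sysmon", 6):
        path = event.get("ImageLoaded", "")
        # Signed status is ignored on purpose: BYOVD drivers carry valid signatures.
        if path.lower() not in DRIVER_BASELINE or USER_WRITABLE.search(path):
            tags.append("unbaselined_driver_load")
    return tags


def triage(events: list) -> dict:
    """Group tags per host; three or more distinct stages on one host is critical."""
    per_host = defaultdict(lambda: {"tags": set(), "hits": []})
    for ev in events:
        for tag in classify(ev):
            host = per_host[ev["Computer"]]
            host["tags"].add(tag)
            host["hits"].append((ev["TimeCreated"], tag,
                                 ev.get("CommandLine") or ev.get("ImageLoaded") or ""))
    for host in per_host.values():
        host["tags"] = sorted(host["tags"])
        n = len(host["tags"])
        host["severity"] = "critical" if n >= 3 else ("high" if n == 2 else "medium")
    return dict(per_host)


if __name__ == "__main__":
    for name, info in triage(SAMPLE_EVENTS).items():
        print(name, info["severity"], info["tags"])
```

Two practical notes: 4688 only carries CommandLine when process-creation command-line auditing is enabled by policy, and an attacker who clears the Security log removes the 4688 records from the host itself, which is why the 1102 event, and forwarding of all of these records off the host before the wipe, matter more than any single rule here.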

The leak itself underscores a structural weakness of the RaaS model: internal conflict. The affiliate structure, in which developers rent their malware to others who carry out the attacks, routinely produces disputes over profits and operations. In this instance, a disgruntled affiliate chose to publish sensitive details about The Gentlemen’s infrastructure and methods. Such leaks, while rare, offer invaluable intelligence to security researchers and law enforcement, providing a clearer picture of how these criminal partnerships function and where they are most fragile.

The rise of groups like The Gentlemen reflects a broader shift in cybercrime toward specialized and business-like operations. The RaaS framework enables rapid scaling by distributing risk and leveraging a pool of freelance hackers. However, this professional facade often masks underlying tensions. While their advanced, flexible attack methods continue to test the limits of conventional cybersecurity defenses, the internal strife within these groups can create openings for disruption. Intelligence gained from insider leaks becomes a crucial tool in understanding and ultimately countering these evolving ransomware campaigns.

(Source: Infosecurity Magazine)
