

Enterprise Windows domains, VPN gateways, Fortinet and Cisco edge appliances, VMware ESXi/vCenter, Veeam Backup & Replication, backup infrastructure, NAS platforms, Active Directory, RDP/SMB/SSH services, and cloud-connected corporate environments.
The Gentlemen is a fast-scaling ransomware-as-a-service group first observed in mid-2025, using a Go-based encryptor, double extortion, affiliate operations, and aggressive self-propagation to compromise organisations globally.
Activity began around July-August 2025, expanded to affiliates in September 2025, and escalated significantly by early-to-mid 2026, with roughly 330 public victims across more than 70 countries and a much larger suspected compromise pipeline.
Internet-facing VPNs and edge appliances, exposed Fortinet FortiGate/FortiProxy systems, Cisco/Erlang SSH services, Windows NTLM/SMB workflows, RDP, SMB admin shares, SSH, VMware ESXi, Veeam backup systems, Active Directory, and unmanaged remote management tools.
Compromise is driven by weak or stolen valid credentials, exposed remote services, exploited public-facing applications, NTLM relay/reflection, BYOVD abuse using vulnerable drivers, backup and virtualization authentication weaknesses, and insufficient segmentation around privileged infrastructure.
Initial access typically comes through stolen domain credentials, brute-forced accounts, phishing, exposed VPNs, or exploited Fortinet/Cisco edge systems. Operators then conduct discovery, dump credentials, escalate privileges, disable defenses, move laterally via RDP/SMB/SSH/PsExec/WMI/PowerShell, exfiltrate data, and deploy ransomware broadly through self-propagation.
Successful exploitation enables domain-wide ransomware deployment, encryption of endpoints and servers, theft of sensitive data, disruption of backups, ESXi and production system compromise, endpoint protection termination, service stoppage, shadow copy deletion, and business interruption.
High risk to manufacturing, technology, business services, healthcare, and consumer services. The group is financially disciplined, operationally mature, and notably willing to target healthcare, which removes the comforting fantasy that criminals have boundaries. They do not.
Enforce phishing-resistant MFA across VPN, VDI, RDP, privileged accounts, backup consoles, and vCenter. Patch Fortinet, Cisco, VMware, Veeam, Windows, VPN, firewall, and backup platforms. Restrict internet-facing RDP, block unauthorised RMM tools, enable vulnerable-driver blocking, segment critical systems, harden backup infrastructure, and remove standing domain admin access.
Prioritise investigation of VPN, Fortinet, Cisco, RDP, SMB, SSH, Veeam, VMware, and Active Directory activity. Hunt for credential dumping, LSASS access, suspicious service creation, PsExec/WMI/PowerShell execution, shadow copy deletion, backup tampering, BYOVD activity, unauthorised RMM deployment, and large-scale data staging or cloud exfiltration. Preserve EDR, VPN, DNS, firewall, proxy, AD, backup, and vCenter logs outside the compromised domain.
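Added example, not part of the Smarttech247 report: a small Python hunt over constructed SIEM-style event lines that covers three of the detection items above (shadow copy deletion, LSASS access from an unexpected process, PsExec-style remote service installs). Field names follow Sysmon and Windows System log conventions; the sample events and the trusted-directory allowlist are assumptions.

```python
import re

# Constructed sample events (not real telemetry): Sysmon process-creation (ID 1),
# process-access (ID 10) and System-log service-install (ID 7045) records,
# each flattened into one key=value line the way a SIEM export might present them.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" User=CORP\svc-backup',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" User=CORP\admin',
    r'EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe User=CORP\admin',
    r'EventID=10 SourceImage=C:\Users\Public\tool.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
    r'EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt" User=CORP\jsmith',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a flattened key=value line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

# Assumed allowlist: directories from which LSASS handle access is expected (OS binaries).
TRUSTED_DIRS = ('C:\\Windows\\System32\\', 'C:\\Program Files\\')

SHADOW_DELETE_RE = re.compile(r'vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete', re.I)

def classify(ev):
    """Return the name of the hunt rule an event trips, or None."""
    eid = ev.get('EventID')
    if eid == '1' and SHADOW_DELETE_RE.search(ev.get('CommandLine', '')):
        return 'shadow_copy_deletion'
    if eid == '10' and ev.get('TargetImage', '').lower().endswith(r'\lsass.exe'):
        if not ev.get('SourceImage', '').startswith(TRUSTED_DIRS):
            return 'lsass_access_untrusted_source'
    if eid == '7045' and (ev.get('ServiceName', '').upper() == 'PSEXESVC'
                          or 'ADMIN$' in ev.get('ImagePath', '').upper()):
        return 'remote_service_install'
    return None

def hunt(lines):
    """Return (rule, actor, raw line) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.get('User') or ev.get('SourceImage'), line))
    return hits

if __name__ == '__main__':
    for rule, actor, _ in hunt(SAMPLE_EVENTS):
        print(f'{rule:32} {actor}')
```

The allowlisted csrss.exe access and the notepad.exe launch produce no hit, which is the point of the allowlist: LSASS access from OS binaries is routine, while the same access from a user-writable path is worth a look.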
Smarttech247 report: “Escalated Activity from ‘The Gentlemen’ Ransomware Group.” Key sources cited in the report include ransomware.live, Check Point Research, Microsoft Security, Trend Micro, Cybereason, CISA, NIST, and MITRE ATT&CK. Key CVEs: CVE-2024-55591, CVE-2025-32433, CVE-2025-33073, CVE-2025-7771, CVE-2024-37085, and CVE-2023-27532.