Summary
Key Points:
- The Gentlemen Ransomware-as-a-Service (RaaS) group experienced a significant data leak, exposing operational details and accounts, including that of the administrator, zeta88.
- The leak revealed their methods for initial access through vulnerabilities in Fortinet and Cisco devices, as well as NTLM relay techniques. The group has been linked to over 332 victims in early 2026.
- Organizations should enhance security on exposed edge devices, monitor for known vulnerabilities (e.g., CVE-2024-55591), and implement robust credential management practices.
Technical Details: The leaked data includes discussions on exploiting CVEs such as CVE-2024-55591 (FortiOS management interface), CVE-2025-32433 (Cisco SSH vulnerability), and CVE-2025-33073 (NTLM relay). The group uses various tools for lateral movement and EDR evasion.
MITRE ATT&CK Techniques:
- T1078 - Valid Accounts (Defense Evasion)
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
- T1021.001 - Remote Services: Remote Desktop Protocol (Lateral Movement)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Defense Evasion)
IOCs Mentioned:
- TOX IDs: F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E
- Ransomware Hashes:
  - Windows: 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a
  - Linux: 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c
  - Linux: 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
  - Linux: 788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19
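The hash indicators above are the kind of IOC a defender feeds into a file-inventory or EDR sweep. The following is an added example, not code from the original summary or from any vendor tool: it normalizes the hashes (the Linux entry on the page is three 64-character values run together and is split on 64-character boundaries; treating them as SHA-256 digests is an assumption, since the page does not name the algorithm) and then matches them against a constructed host inventory. The hostnames and file paths in `SAMPLE_INVENTORY` are fictitious; only the hash values come from the page.

```python
import hashlib
import re

# Indicators as listed in the summary. The Linux value is three hashes
# concatenated, exactly as the page shows it; it is split below.
RAW_IOCS = {
    "windows": "025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a",
    "linux": (
        "1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c"
        "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca"
        "788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19"
    ),
}

HEX_RE = re.compile(r"^[0-9a-f]+$")


def split_sha256_run(value: str) -> list[str]:
    """Split a run of concatenated 64-hex-character digests into single hashes.

    Raises ValueError if the input is not hex or not a multiple of 64 chars,
    so a malformed IOC is rejected instead of silently producing partial hashes.
    """
    v = value.strip().lower()
    if len(v) % 64 != 0 or not HEX_RE.match(v):
        raise ValueError(f"not a run of 64-hex-character digests: {value!r}")
    return [v[i:i + 64] for i in range(0, len(v), 64)]


def build_indicator_set(raw: dict[str, str]) -> dict[str, str]:
    """Map each normalized hash to the platform label it was listed under."""
    indicators: dict[str, str] = {}
    for platform, run in raw.items():
        for digest in split_sha256_run(run):
            indicators[digest] = platform
    return indicators


def sha256_of_bytes(data: bytes) -> str:
    """Digest helper used to build a benign inventory entry for the sample."""
    return hashlib.sha256(data).hexdigest()


def match_inventory(inventory, indicators: dict[str, str]) -> list[dict]:
    """Return inventory rows whose hash matches an indicator.

    inventory rows are (host, path, hash) tuples, as an EDR export might provide.
    Hashes are lower-cased before comparison so mixed-case exports still match.
    """
    hits = []
    for host, path, digest in inventory:
        d = digest.strip().lower()
        if d in indicators:
            hits.append({"host": host, "path": path,
                         "sha256": d, "platform": indicators[d]})
    return hits


# Constructed sample inventory (hypothetical hosts and paths). Two rows reuse
# hashes from the page so that the sweep produces matches; the third is benign.
SAMPLE_INVENTORY = [
    ("ws-017", r"C:\Users\Public\update.exe",
     "025FC0976C548FB5A880C83EA3EB21A5F23C5D53C4E51E862BB893C11ADF712A"),
    ("srv-db-02", "/tmp/.x/locker",
     "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca"),
    ("ws-018", r"C:\Windows\notepad.exe",
     sha256_of_bytes(b"benign placeholder content")),
]

if __name__ == "__main__":
    iocs = build_indicator_set(RAW_IOCS)
    print(f"loaded {len(iocs)} hash indicators")
    for hit in match_inventory(SAMPLE_INVENTORY, iocs):
        print(f"MATCH {hit['host']}: {hit['path']} ({hit['platform']})")
```

In a real sweep, `SAMPLE_INVENTORY` would be replaced by the hash column of an EDR or file-integrity export; the normalization step matters because exports often differ in case, and the strict length check in `split_sha256_run` prevents a truncated or mis-pasted IOC list from producing hashes that can never match.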
This summary provides actionable intelligence to enhance defenses against the evolving tactics of The Gentlemen RaaS group.