
Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation
Why It Matters
The disclosure gives defenders unprecedented insight into a fast‑growing ransomware operation, enabling more targeted threat‑hunts and mitigation strategies. It also signals that internal affiliate conflicts could be leveraged to disrupt criminal infrastructures.
Key Takeaways
- Gentlemen ransomware uses a dual‑extortion model.
- Targets Windows, Linux and ESXi, with initial access via FortiGate VPN exploits.
- Affiliates leverage BYOVD and PowerShell for evasion.
- An internal affiliate dispute exposed operational details publicly.
- RaaS ecosystem growth increases the professionalism of cybercrime.
Pulse Analysis
The ransomware‑as‑a‑service (RaaS) model has reshaped the cyber‑crime landscape by turning malicious code into a commodified service. The Gentlemen, a newcomer that spun out of a dispute with the Qilin ecosystem, exemplifies this shift. Leveraging existing tooling, the group quickly established a brand that offers affiliates a turnkey solution for high‑value extortion. Their business model mirrors legitimate SaaS operations, with subscription‑style payouts and shared infrastructure, allowing rapid scaling while distributing operational risk across a network of independent actors.
The Gentlemen’s technical playbook combines dual‑extortion—encrypting data while threatening public release—with aggressive lateral movement across Windows, Linux and VMware ESXi environments. Initial access is frequently gained by exploiting unsecured FortiGate VPN appliances, either through known CVEs or brute‑force attacks. Once inside, affiliates deploy PowerShell scripts, Windows Management Instrumentation, and the Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) technique to bypass endpoint protections. They also target backup and security solutions, delete logs, and use anti‑forensic tools, dramatically reducing victims’ chances of recovery without paying the ransom.
The public leak by ‘hastalamuerte’ not only illuminates The Gentlemen’s methods but also underscores a growing fault line within RaaS ecosystems. Affiliate disputes can surface internal documentation, giving defenders a rare window into the operational hierarchy, infrastructure choices, and revenue streams of criminal groups. Security teams can leverage this intelligence to harden FortiGate VPNs, monitor for BYOVD activity (unexpected driver loads), and prioritize backup resilience. As ransomware operations become more specialized and business‑like, law‑enforcement and industry collaboration will be crucial to exploit these internal fractures and disrupt the profit engines of cyber‑crime. Proactive threat‑intelligence sharing will further shrink the attack surface available to such groups.