Last updated: July 5, 2026 at 9:01 AM UTC
Tag: raas (3 articles)

The Gentlemen ransomware adds worm-like spread, tops 478 victims

The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. The locker is written in Go and obfuscated to evade analysis; its optional --spread switch turns a single-machine infection into a network worm that deploys the encryptor to every reachable system, using stolen or reused credentials to move laterally. A --wipe switch destroys recoverable data and forensic traces. On each host it disables Defender, weakens firewall and authentication settings, and adds scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.

Check
Hunt for The Gentlemen's persistence markers (scheduled tasks named UpdateSystem or UpdateUser, Run keys GupdateS and GupdateU), and audit Fortinet edge devices for compromised or reused credentials.
Affected
Windows-based organizations, plus Linux, NAS, BSD, and ESXi systems; networks with flat segmentation and shared credentials are most exposed to the worm-like lateral spread.
Fix
Enforce unique credentials and phishing-resistant MFA, segment networks to limit lateral movement, keep offline tested backups, patch and monitor Fortinet edge devices, and harden Defender against tampering.

Backend of 'The Gentlemen' ransomware operation leaked - 9 named operators, ransom chat transcripts, and chain-victimization tactics now public

The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.

Check
Pull historical access logs for Fortinet and Cisco edge appliances and check for credentials matching infostealer log dumps, then hunt for NTLM relay activity consistent with CVE-2025-33073 in Windows event logs.
Affected
Organizations exposed to The Gentlemen include any running FortiGate or Cisco edge gear with CVE-2024-55591, CVE-2025-32433, or CVE-2025-33073 unpatched, and downstream clients of compromised IT service providers.
Fix
Patch CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Enforce MFA on every edge-management interface, rotate credentials that appear in infostealer logs, and load Check Point's 'Thus Spoke The Gentlemen' IoCs into your EDR and firewall blocklists.

The Gentlemen ransomware operation hiding 1,570+ unreported victims per Check Point C2 analysis - 5x larger than leak site suggests

Check Point researchers gained visibility into a SystemBC command-and-control server used by an affiliate of The Gentlemen ransomware-as-a-service operation and found over 1,570 compromised corporate networks that have not been publicly disclosed. The group's own data leak site only lists about 320 victims, meaning the real footprint is nearly 5x larger than public reporting suggests. The Gentlemen emerged in July 2025 and has become one of the most prolific RaaS operations. It uses a Go-based locker targeting Windows, Linux, NAS, and BSD systems, operates a classic double-extortion model, and abuses legitimate drivers plus custom tooling to bypass defenses. SystemBC is a SOCKS5 tunneling proxy that uses RC4-encrypted C2 communications and can download and execute additional malware in memory. Attack chain: initial access via internet-facing services or compromised credentials, followed by reconnaissance, Cobalt Strike deployment, SystemBC tunneling, lateral movement using Group Policy Objects for domain-wide compromise, then the encryptor. A notable TTP: during lateral movement, The Gentlemen pushes a PowerShell script that disables Windows Defender real-time monitoring, adds broad exclusions for staging shares and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary on each reachable host. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery. Victim geography spans US, UK, Germany, Australia, and Romania.

Check
Audit your environment for SystemBC indicators and GPO abuse patterns. The Gentlemen's 1,570+ victim count means there's a meaningful chance you or your peers are already compromised without knowing it.
Affected
Any organization with internet-facing services (VPN gateways, RDP, remote admin portals) or weak credential hygiene is at risk of initial access. Environments where Windows Defender exclusions can be modified via GPO, where SMB1 can be re-enabled, or where LSA anonymous access controls can be loosened are at acute risk of the full attack chain. VMware ESXi environments are specifically targeted by a Linux variant.
Fix
Hunt for SystemBC: look for outbound SOCKS5 connections to non-corporate destinations, RC4-encrypted traffic patterns, and unexpected tunneling processes. Alert on any GPO modification that adds Windows Defender exclusions, disables real-time monitoring, re-enables SMB1, or loosens LSA anonymous access settings - these are near-certain indicators of ransomware staging. For ESXi, monitor for unauthorized crontab modifications and VM shutdown commands. Review privileged credentials used in GPO management - compromise of a single GPO admin account gives attackers domain-wide ransomware deployment capability. Confirm backups are offline and immutable; The Gentlemen's ESXi variant actively inhibits recovery.
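The first summary names concrete persistence markers (scheduled tasks UpdateSystem and UpdateUser, Run keys GupdateS and GupdateU) and the third describes the host-tampering script (Defender real-time monitoring off, broad exclusions, firewall down, SMB1 back on, LSA anonymous access loosened). The following read-only PowerShell audit, an added example that is not code from the articles, from Microsoft or from Check Point, checks a Windows host for both sets of indicators. The page does not name the LSA values involved, so the check assumes the standard RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous registry values are what "LSA anonymous access controls" refers to; RestrictAnonymous is 0 by default on many workstations, so compare that finding against your own baseline rather than treating it alone as proof of compromise. Run it as an administrator on Windows 10 / Server 2016 or later with Defender present.

```powershell
# Added example (not from the original article summaries): read-only host audit for the
# persistence and tampering indicators described on this page. Task names and Run key
# values come from the page; the LSA registry value names are an assumption about what
# "LSA anonymous access controls" means. Nothing here changes the host; it only reports.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence markers named in the first summary.
foreach ($name in 'UpdateSystem', 'UpdateUser') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$name' present (action: $action)")
    }
}
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($value in 'GupdateS', 'GupdateU') {
        if ($props -and $props.PSObject.Properties[$value]) {
            $findings.Add("Run key value '$value' in $runKey -> $($props.$value)")
        }
    }
}

# 2. Defender tampering: real-time monitoring off, or exclusions covering UNC shares,
#    whole drive roots, or specific processes (the staging pattern the third summary describes).
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    if ($mp.DisableRealtimeMonitoring) { $findings.Add('Defender real-time monitoring is disabled') }
    foreach ($p in @($mp.ExclusionPath)) {
        if ($p -and ($p -like '\\*' -or $p -match '^[A-Za-z]:\\$')) {
            $findings.Add("Broad Defender path exclusion: $p")
        }
    }
    foreach ($p in @($mp.ExclusionProcess)) {
        if ($p) { $findings.Add("Defender process exclusion: $p") }
    }
}

# 3. Any firewall profile turned off.
Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is disabled") }

# 4. SMB1 re-enabled on the server side.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb -and $smb.EnableSMB1Protocol) { $findings.Add('SMB1 server protocol is enabled') }

# 5. LSA anonymous-access hardening loosened (assumed value names; compare with your baseline).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa) {
    if ($lsa.RestrictAnonymous -eq 0)         { $findings.Add('LSA RestrictAnonymous is 0 (check against baseline)') }
    if ($lsa.RestrictAnonymousSAM -eq 0)      { $findings.Add('LSA RestrictAnonymousSAM is 0') }
    if ($lsa.EveryoneIncludesAnonymous -eq 1) { $findings.Add('LSA EveryoneIncludesAnonymous is 1') }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Gentlemen-style persistence or tampering indicators found on this host.'
} else {
    Write-Warning "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Because the page describes these settings being pushed domain-wide through Group Policy, run the audit across a sample of hosts rather than one: several machines reporting the same newly-disabled Defender and firewall state at the same time is the GPO-abuse signal the third summary asks you to alert on, and the scheduled-task and Run-key hits point to hosts where the encryptor has already been staged.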