A ransomware affiliate known as 'hastalamuerte' has revealed operational details about a group called The Gentlemen, shedding light on its tactics, techniques and internal disputes. New research by Group-IB, published on 19 March, provided rare insight into how the ransomware-as-a-service (RaaS) group operates, including its infrastructure, attack methods and affiliate relationships.
The Gentlemen Ransomware Group is described as a relatively new but rapidly evolving operation that emerged from a dispute within an existing RaaS ecosystem, with Qilin noted as part of its origins. The group uses a dual-extortion model, encrypting victim data and threatening to release it publicly, and targets Windows, Linux and ESXi environments, according to the report.
Systematic exploitation of exposed FortiGate VPN devices, through vulnerabilities or brute-forcing, remains a primary initial access method; affiliates then deploy automated lateral movement, credential harvesting, backup disruption and domain-wide encryption to maximise impact and to time their ransom demands. The report also highlights friction within the RaaS model, with affiliates sometimes exposing operators when disputes arise, and notes that this internal instability may create opportunities for disruption.
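Because brute-forcing of exposed VPN devices is named as a primary initial access method, the detection a defender would want is a failed-login burst detector over VPN authentication logs. The following is an added example, not code from Group-IB or the report: it works over constructed, syslog-like sample lines in an assumed `user=... src=... result=...` format (not FortiGate's real log schema), flags any source IP with five or more failures inside a five-minute sliding window, counts distinct usernames tried (to separate password spraying from single-account guessing), and escalates the alert when a success from the same IP follows the burst.

```python
"""Brute-force login detection over VPN authentication logs (added example).

The log format below is constructed for illustration and is not FortiGate's
real log schema. An IP is flagged when `threshold` failures fall inside a
sliding `window`; a success from the same IP while the burst is still in the
window is escalated, since that is the pattern most worth paging on.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical hosts, RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn-gw sslvpn: user=alice src=203.0.113.5 result=failure
2024-03-01T08:00:03Z vpn-gw sslvpn: user=alice src=203.0.113.5 result=failure
2024-03-01T08:00:04Z vpn-gw sslvpn: user=bob src=203.0.113.5 result=failure
2024-03-01T08:00:06Z vpn-gw sslvpn: user=carol src=203.0.113.5 result=failure
2024-03-01T08:00:07Z vpn-gw sslvpn: user=dave src=203.0.113.5 result=failure
2024-03-01T08:00:09Z vpn-gw sslvpn: user=eve src=203.0.113.5 result=success
2024-03-01T08:10:00Z vpn-gw sslvpn: user=frank src=198.51.100.7 result=failure
2024-03-01T08:30:00Z vpn-gw sslvpn: user=frank src=198.51.100.7 result=success
"""

# Assumed line layout: "<ts> <host> sslvpn: user=<u> src=<ip> result=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert dict per offending source IP, sorted by IP.

    kind == "burst": `threshold` or more failures within `window`.
    kind == "success_after_burst": a success from the same IP arrived while
    the failure burst was still inside the window (likely a found credential).
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> distinct usernames attempted
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip lines in other formats rather than crash
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        # Age out failures that fell outside the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if ev["result"] == "failure":
            q.append(ts)
            users[src].add(ev["user"])
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"src": src, "kind": "burst"})
                a["failures"] = max(a.get("failures", 0), len(q))
                a["distinct_users"] = len(users[src])
        elif ev["result"] == "success" and src in alerts and q:
            # Failures still in window followed by a success: escalate.
            alerts[src]["kind"] = "success_after_burst"
            alerts[src]["user"] = ev["user"]
    return sorted(alerts.values(), key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed input this yields a single alert for 203.0.113.5 of kind `success_after_burst` with five failures across four distinct usernames, while 198.51.100.7 (one failure, then a success twenty minutes later) is not flagged. The `distinct_users` field is the point of the design: a high count with few attempts per user is the password-spraying shape, a low count with many attempts is single-account guessing, and each deserves a different response (lockout policy versus rate limiting at the gateway).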
According to Group-IB, the evolution of groups like The Gentlemen reflects a broader trend toward more specialised and professionalised cybercrime.