Leaked Data from The Gentlemen Ransomware Operation Exposes Operational Insights
TL;DR: On May 4, 2026, a database leak from The Gentlemen ransomware-as-a-service group unveiled details about their operations, including internal communications and victim negotiation tactics. The data reveals their focus on exploiting known vulnerabilities and maintaining a structured ransomware ecosystem.
Main Analysis:
The Gentlemen Ransomware group, which emerged in mid-2025, has become one of the most active players in the ransomware landscape, with about 332 victims reported in early 2026 alone. A significant breach on May 4, 2026, led to the exposure of their internal backend database, referred to as “Rocket,” which includes sensitive information on account management, operational tactics, and financial dealings. The administrator, known by the pseudonym Zeta88 (and possibly hastalamuerte), runs the infrastructure and also participates in the ransomware deployments, suggesting a hands-on approach within the team.
The leaked chats reveal insights about initial access methods focused on exploiting vulnerabilities in Fortinet and Cisco products, as well as leveraging NTLM relay techniques. Notably, the group actively tracks vulnerabilities like CVE-2024-55591 and CVE-2025-32433 and assesses their efficacy against potential targets. Their negotiation tactics have also been exposed, as seen in a case where they reduced a ransom demand from $250,000 to $190,000 in negotiations with a victim while stressing the added pressure of the legal consequences facing the compromised firm.
Moreover, the group utilizes a well-established operational workflow, including credential scanning and privilege escalation strategies to gain deeper access within victim networks. They have a clear structure, with distinct roles for affiliates who support operations, which aids in executing attacks efficiently. The organizational chart and process maps referenced in the leaked data clarify how these roles collaborate on ransomware deployments and profit-sharing.
Defensive Context:
Organizations running Fortinet or Cisco products should be particularly vigilant, since The Gentlemen have explicitly targeted these platforms. Enterprises that maintain exposed edge devices, especially VPN services, are at heightened risk of being compromised by this group, particularly when outdated configurations or default credentials are present.
Why This Matters:
The Gentlemen’s operational effectiveness, as demonstrated through their methodical approach to leveraging known vulnerabilities and structured negotiation tactics, poses a substantial threat to organizations relying on the mentioned technologies. Organizations in sectors that deal with sensitive data or that frequently engage in high-value transactions are particularly vulnerable.
Defender Considerations:
Defensive measures should focus on strengthening access controls and patching the known vulnerabilities The Gentlemen are tracking. Additionally, monitoring for anomalous activity associated with the TOX IDs linked to their operations can help detect attacks that rely on the group's exploitation chain.
Indicators of Compromise (IOCs):
- TOX IDs associated with operational activities: 15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5, and others linked to Zeta88.
- CVE-2024-55591: Related to FortiOS management interface.
- CVE-2025-32433: Erlang SSH vulnerability in Cisco products.
- CVE-2025-33073: NTLM relay vulnerabilities related to the group’s reconnaissance process.
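The Defender Considerations and the IOC list above can be turned into a simple remediation triage. The following is an added example, not code from the article or from any named tool: it ranks assets from a constructed inventory by whether they carry the CVEs the group tracks, whether they are internet-exposed edge devices of the vendors named, and whether SMB signing is left optional (the condition NTLM relay depends on). The inventory format, host names, product strings and scoring weights are all assumptions.

```python
# Added example (not from the article): prioritise remediation of assets
# exposed to the vulnerabilities and techniques the leak shows the group
# tracking. Inventory format, host names and weights are constructed.
from dataclasses import dataclass, field

# CVEs named in the article; the short descriptions mirror the IOC list.
TRACKED_CVES = {
    "CVE-2024-55591": "FortiOS management interface",
    "CVE-2025-32433": "Erlang SSH (Cisco products)",
    "CVE-2025-33073": "NTLM relay",
}

@dataclass
class Asset:
    name: str
    product: str
    cves: list[str] = field(default_factory=list)  # e.g. from a scanner export
    internet_exposed: bool = False                 # mgmt/VPN interface reachable externally
    smb_signing_required: bool = True              # Windows hosts; True for non-Windows

def score(asset: Asset) -> tuple[int, list[str]]:
    """Return (priority score, reasons). Higher means patch/harden first."""
    points, reasons = 0, []
    for cve in asset.cves:
        if cve in TRACKED_CVES:
            points += 3
            reasons.append(f"{cve} ({TRACKED_CVES[cve]})")
    if asset.internet_exposed and asset.product.lower().startswith(("fortios", "cisco")):
        points += 3
        reasons.append("internet-exposed edge device of a vendor the group targets")
    if not asset.smb_signing_required:
        points += 2
        reasons.append("SMB signing not required (NTLM relay exposure)")
    return points, reasons

def triage(assets: list[Asset]) -> list[tuple[str, int, list[str]]]:
    """Rank assets by score, dropping those with nothing to act on."""
    ranked = [(a.name, *score(a)) for a in assets]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: -r[1])

# Constructed sample inventory; the placeholder CVE on web-03 is not one the group tracks.
SAMPLE_ASSETS = [
    Asset("fw-edge-01", "FortiOS 7.0", ["CVE-2024-55591"], internet_exposed=True),
    Asset("vpn-cisco-02", "Cisco appliance", ["CVE-2025-32433"], internet_exposed=True),
    Asset("fs-01", "Windows Server 2022", ["CVE-2025-33073"], smb_signing_required=False),
    Asset("web-03", "Ubuntu 22.04", ["CVE-0000-00000"]),
]

if __name__ == "__main__":
    for name, points, reasons in triage(SAMPLE_ASSETS):
        print(f"{name}: {points} -> {'; '.join(reasons)}")
```

Feed it a real scanner export and the exposure flags from your firewall and GPO inventory; the output is a patch order, not a verdict on compromise.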