Thus Spoke…The Gentlemen


Check Point Research provides a detailed analysis of The Gentlemen ransomware-as-a-service (RaaS) operation, which emerged in mid-2025 and became one of the most active RaaS programs in early 2026 with approximately 332 published victims in five months. Following a leak of the group's internal database and chat logs, researchers mapped the group's organizational structure, identifying administrator 'zeta88/hastalamuerte' and roughly 9 named operators. The leaked chats reveal their attack playbook: initial access via exposed VPN/firewall appliances (Fortinet, Cisco), privilege escalation, heavy EDR/AV evasion using ETW tampering and BYOVD techniques, lateral movement, data exfiltration, and final ransomware deployment. The group actively tracks CVEs including CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073, uses tools like NetExec, RelayKing, Velociraptor, and Cloudflare tunnels, and experiments with Chinese LLMs (DeepSeek, Qwen) for coding assistance and data triage. Financial operations include Bitcoin payouts with AML evasion strategies, and the group reuses stolen data from one victim to facilitate attacks on others.

From research.checkpoint.com
Table of contents

- Key Points
- Introduction
- The Gentlemen RaaS Admin
- RaaS Affiliates
- RaaS Leak
- Conclusion
- Indicators of Compromise
- Yara Rule
