The Gentlemen Ransomware Group: Exploiting Fortinet Vulnerabilities with AI and Custom Frameworks
In the rapidly evolving landscape of cyber threats, a Russian-speaking ransomware group known as The Gentlemen has emerged as a formidable adversary in 2026. This group has swiftly ascended to become one of the most active ransomware operators, second only to Qilin. Their operations are characterized by a sophisticated blend of exploiting Fortinet vulnerabilities, integrating artificial intelligence (AI) into their strategies, and deploying custom command-and-control (C2) frameworks that often evade conventional security measures.
Decentralized Operations and Communication
Unlike traditional cybercriminal organizations that maintain centralized structures, The Gentlemen operate through a decentralized model. Nine distinct operator handles have been identified, coordinating across various time zones. Their primary mode of communication is a self-hosted Rocket.Chat instance on an onion site, with plans to transition to a Rust-based platform. This lean and distributed approach marks a significant departure from the rigid corporate setups previously observed in groups like Conti.
Insights from Internal Communications
In May 2026, the Ransom-ISAC research team extracted 3,366 messages from The Gentlemen’s Rocket.Chat server. These messages provided a rare glimpse into the group’s internal operations, including strategic plans, tooling discussions, and victim targeting methodologies. Analysts at Vectra AI noted that while the group’s tools have evolved considerably, the core vulnerabilities they exploit in victim networks have remained largely unchanged since 2022.
The leaked communications also revealed connections between The Gentlemen and earlier ransomware entities. A negotiator known as Tinker appeared in both Black Basta chats and The Gentlemen’s logs, indicating a continuity of personnel across different groups. Additionally, a shared Matrix homeserver, bestflowers247.online, was present in archives from both groups, providing concrete evidence of infrastructural links. This pattern underscores a broader trend: ransomware operators often rebrand rather than retire, carrying their expertise and access from one criminal enterprise to another, thereby diminishing the effectiveness of group takedowns.
Exploitation of Fortinet Vulnerabilities
Fortinet products have become a primary target for The Gentlemen. Their internal logs mention FortiGate 81 times, with specific reference to CVE-2024-55591, a FortiOS authentication bypass flaw, as their primary entry point into victim networks. Halcyon’s analysis corroborates this, noting the group’s brute-force attacks on approximately 1,000 Fortinet VPNs. In some instances, they utilized reused passwords like gentlemen25 and gentle26 across multiple victims, highlighting a systematic approach to exploiting known vulnerabilities.
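The VPN brute-force activity described above is what a defender would hunt for in FortiGate SSL-VPN event logs. The following is an added example, not code from the article or from any of the cited vendors: it parses constructed log lines in an assumed FortiGate-style key=value layout (the `action`, `remip` and `user` field names are assumptions) and flags sources that exceed a failure rate in a sliding window or that cycle through many accounts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; layout mimics FortiOS key=value syslog but is assumed, not from the page.
SAMPLE_LOGS = """\
date=2026-05-01 time=02:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="admin"
date=2026-05-01 time=02:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="jsmith"
date=2026-05-01 time=02:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="backup"
date=2026-05-01 time=02:00:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="vpn"
date=2026-05-01 time=02:00:08 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="svc"
date=2026-05-01 time=02:00:10 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="test"
date=2026-05-01 time=08:15:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="mlee"
date=2026-05-01 time=08:15:40 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="mlee"
date=2026-05-01 time=08:16:00 type="event" subtype="system" action="login" remip=198.51.100.9 user="mlee"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict; quotes stripped, timestamp combined into 'ts'."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields

def detect_vpn_bruteforce(lines, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Return {remip: stats} for sources with >= fail_threshold SSL-VPN failures inside any
    sliding window, or that tried >= spray_users distinct accounts (password spraying)."""
    failures = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw) if raw.strip() else {}
        if ev.get("subtype") == "vpn" and ev.get("action") == "ssl-login-fail" and "ts" in ev:
            failures[ev["remip"]].append((ev["ts"], ev.get("user", "")))
    hits = {}
    for ip, events in failures.items():
        events.sort()                      # chronological order for the two-pointer window scan
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                 # drop failures that fell out of the window
            peak = max(peak, end - start + 1)
        users = {u for _, u in events}
        if peak >= fail_threshold or len(users) >= spray_users:
            hits[ip] = {"peak_failures": peak, "distinct_users": len(users),
                        "spray": len(users) >= spray_users}
    return hits

if __name__ == "__main__":
    for ip, stats in detect_vpn_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(ip, stats)
```

The two-pointer scan keeps the check linear per source, so it is usable over a day of logs; tune the thresholds to the environment before alerting.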
Deployment of Custom Command-and-Control Frameworks
Once inside a network, The Gentlemen deploy a custom C2 framework named G-BOT. This previously undocumented control panel supports per-beacon SOCKS5 tunneling and uploads builders to temporary file-sharing sites, effectively replacing commercial tools like Cobalt Strike. Because G-BOT has no established signatures, this shift complicates detection for security teams that rely on signature-based tooling.
Targeting Hypervisors and Virtual Environments
The group’s tactics extend to targeting hypervisors directly. Their Linux-based locker attacks Hyper-V Volume Manager, encrypting at the hypervisor level. This method ensures that endpoint agents within virtual machines remain oblivious to the attack, as the encryption occurs outside their monitoring scope. The locker appends the extension .i8p14s to encrypted files and leaves a ransom note titled README-GENTLEMEN.txt, indicating a comprehensive approach that spares no layer of infrastructure.
Integration of Artificial Intelligence in Operations
The Gentlemen have effectively integrated AI into their operations, moving beyond novelty to practical application. Operators have referenced using AI models like GPT and Claude to assist with ransom negotiations. One operator described these models as automatic response writers, streamlining communication and potentially increasing the efficiency and effectiveness of their extortion tactics.
Implications for Cybersecurity
The emergence and rapid evolution of The Gentlemen underscore the dynamic nature of cyber threats. Their ability to exploit known vulnerabilities, develop custom tools, and integrate AI into their operations presents significant challenges for cybersecurity professionals. Organizations must adopt a proactive and comprehensive approach to cybersecurity, including regular patching of known vulnerabilities, continuous monitoring for unusual activities, and the implementation of advanced threat detection systems capable of identifying and mitigating sophisticated attacks.
Conclusion
The Gentlemen ransomware group exemplifies the modern cybercriminal’s adaptability and resourcefulness. Their operations highlight the critical need for organizations to stay vigilant, continuously update their security protocols, and foster a culture of cybersecurity awareness. As cyber threats continue to evolve, so too must the strategies employed to defend against them.