Inner Workings of 'The Gentlemen' RaaS Leaked by Affiliate, Exposing TTPs and FortiGate Exploitation

Executive Summary

On March 20, 2026, the internal tactics, techniques, and procedures (TTPs) of a new Ransomware-as-a-Service (RaaS) group called The Gentlemen were publicly leaked by one of its own affiliates. The affiliate, using the handle "hastalamuerte," exposed the group's entire operational playbook, reportedly due to a financial dispute. The leak provides valuable threat intelligence on the group, which is an offshoot of the established Qilin ransomware operation. Key details reveal that the group targets vulnerable Fortinet FortiGate VPN appliances for initial access and employs a sophisticated set of tools for lateral movement, data exfiltration, and encryption across Windows, Linux, and ESXi environments. This public infighting provides a unique opportunity for defenders to understand and counter a new ransomware threat.

Threat Overview

The leak offers a fascinating glimpse into the professionalization and internal politics of the ransomware ecosystem.

• The Group: The Gentlemen is a new RaaS player that spun off from the Qilin ransomware group. This structure allows the core developers to focus on the malware while affiliates handle the intrusion and deployment.
• The Motive: The leak by "hastalamuerte" was an act of revenge, demonstrating the inherent instability in a trust-based criminal enterprise. Financial disputes are a common source of conflict.
• The Playbook: The leaked information constitutes the group's operational manual, detailing their preferred methods from initial access to impact.

Technical Analysis (Based on Leaked TTPs)

The Gentlemen's playbook reveals a modern, multi-stage ransomware attack methodology.

1. Initial Access: A primary vector is the exploitation of vulnerabilities in Fortinet FortiGate VPN appliances (T1190 - Exploit Public-Facing Application). This continues a long trend of ransomware groups targeting unpatched edge devices.

2. Execution & Lateral Movement: Once inside a network, the group uses common but effective living-off-the-land techniques. They leverage PowerShell (T1059.001 - PowerShell) and Windows Management Instrumentation (WMI) (T1047 - Windows Management Instrumentation) to move between systems and execute commands.

3. Defense Evasion: The group employs several techniques to avoid detection and hinder response:

   • Bring Your Own Vulnerable Driver (BYOVD): (T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions) This technique is used to disable or bypass security products (EDR) by loading a legitimate but vulnerable driver to execute code in the kernel.
   • Anti-Forensics: The group actively compromises backup systems to prevent recovery and deletes logs (T1070.004 - Indicator Removal: File Deletion) to cover their tracks.

4. Impact: The group follows a dual-extortion model.

   • Data Exfiltration: They steal sensitive data before encryption to use as leverage.
   • Encryption: The ransomware payload is capable of encrypting files on Windows, Linux, and VMware ESXi hosts (T1486 - Data Encrypted for Impact), allowing them to cripple both standard servers and virtualized infrastructure.

Impact Assessment

While the leak itself does not describe a specific victim, it provides a blueprint for the potential impact of an attack by The Gentlemen.

• Cross-Platform Encryption: The ability to encrypt ESXi hosts is particularly damaging, as it allows the attackers to take down dozens or hundreds of virtual machines at once, causing a complete operational shutdown.
• Dual-Extortion: Victims face the dual threat of having their operations halted and their sensitive data leaked publicly if they do not pay the ransom.
• Disrupted Operations: The targeting of backup systems is designed to make recovery from the attack as difficult as possible, increasing the pressure on the victim to pay.

Cyber Observables for Detection

Based on the leaked TTPs, defenders can hunt for the following:

Detection & Response

• Threat Intelligence: Incorporate the leaked TTPs into your threat intelligence platform and detection rules. This is a rare opportunity to get ahead of a new threat.
• EDR/SIEM: Create specific detection rules for the sequence of activities described: FortiGate exploit followed by PowerShell/WMI lateral movement, followed by access to backup servers or ESXi hosts.
• Behavioral Analysis: Use behavioral analytics to detect the abuse of legitimate tools like PowerShell and WMI for malicious purposes.

Mitigation

• Patch Management: The first line of defense is to patch internet-facing devices like FortiGate VPNs. This is a core tenet of MITRE Mitigation M1051 - Update Software.
• Network Segmentation: Segment your network to prevent attackers from moving laterally from an IT system to a critical ESXi environment. Restrict access to ESXi management interfaces. This aligns with D3FEND Network Isolation (D3-NI).
• Immutable Backups: Ensure you have offline and/or immutable backups that cannot be compromised by an attacker who has gained administrative access to your network.
• Application Control: Use application control policies to prevent the loading of unauthorized or known-vulnerable drivers, which can mitigate BYOVD attacks. This is a form of D3FEND Executable Allowlisting (D3-EAL).