Inside The Gentlemen RaaS: A Deep Dive Operation Guide

Overview

In the constantly shifting landscape of ransomware-as-a-service (RaaS), The Gentlemen has emerged as a formidable player: by publicly listed victim count it was the second most prolific RaaS operation of early 2026. Following the leak of their internal backend database (Rocket) on May 4, 2026, we gained unprecedented visibility into their affiliate program, technical infrastructure, and negotiation tactics. This guide dissects the group's operations, from initial access to payment extraction, providing a rare end-to-end view that security professionals can use to strengthen defenses. Whether you are a blue team analyst, a threat intelligence researcher, or a cybersecurity student, understanding The Gentlemen will sharpen your ability to detect and respond to modern RaaS campaigns.

Source: research.checkpoint.com

We will cover the group's structure, their preferred initial access vectors, the shared toolset, CVE exploitation patterns, dual-pressure negotiation strategies, and the lessons learned from the database leak. By the end, you'll have a concrete checklist of indicators and defensive measures.

Prerequisites

Before diving into the step-by-step analysis, ensure you have a basic understanding of:

  • Ransomware attack lifecycle (initial access, lateral movement, encryption, ransom demand)
  • Common network services (VPN, OWA, M365, NTLM, SMB)
  • Command & Control (C2) frameworks (like SystemBC, Cobalt Strike)
  • TOX messenger and underground forum terminology
  • Basic scripting (PowerShell, Python) for hunting IoCs

Step-by-Step Analysis of The Gentlemen Operations

Step 1: Understanding the Group’s Structure and Roles

The leak exposed nine accounts, including the administrator zeta88 (aka hastalamuerte). This individual is responsible for:

  • Running the infrastructure (servers, databases, panel)
  • Building the locker binary and RaaS panel
  • Managing affiliate payouts
  • Effectively acting as the program’s administrator

Additionally, by correlating the TOX IDs embedded in ransomware samples, researchers identified eight distinct affiliate TOX IDs; the same correlation shows that the admin not only manages affiliates but also participates directly in some infections. Concentrating infrastructure, builds, payouts and operations in one person creates a single point of failure, as the leak demonstrated.
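To show how the sample-to-affiliate correlation above is done in practice, here is an added Python example; it is not code from the Check Point report or from the group's tooling. It extracts TOX IDs from ransom-note text, validates the two-byte checksum that every TOX ID carries (so truncated or lookalike hex strings are not mistaken for contact IDs), and groups samples by the ID they embed. The sample names, note text and TOX IDs are constructed for the example and are not real affiliate IDs.

```python
from __future__ import annotations

import re
from collections import defaultdict

# A Tox ID is 76 hex chars: 32-byte public key || 4-byte "nospam" || 2-byte checksum.
# The lookarounds stop a 76-char run inside a longer hex blob from matching.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")


def tox_checksum(pubkey_nospam: bytes) -> bytes:
    """Tox checksum: XOR the 36 preceding bytes, alternating into 2 output bytes."""
    if len(pubkey_nospam) != 36:
        raise ValueError("expected 36 bytes (public key + nospam)")
    checksum = bytearray(2)
    for i, b in enumerate(pubkey_nospam):
        checksum[i % 2] ^= b
    return bytes(checksum)


def is_valid_tox_id(tox_id: str) -> bool:
    """True if the string is 76 hex chars whose trailing checksum matches."""
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_tox_ids(text: str) -> list[str]:
    """Unique, checksum-valid Tox IDs in a ransom note, uppercased, in order of appearance."""
    found: list[str] = []
    for m in TOX_ID_RE.finditer(text):
        cand = m.group(0).upper()
        if is_valid_tox_id(cand) and cand not in found:
            found.append(cand)
    return found


def cluster_by_tox_id(notes: dict[str, str]) -> dict[str, list[str]]:
    """Map each Tox ID to the samples whose notes contain it (one cluster per contact ID)."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for sample, text in notes.items():
        for tox_id in extract_tox_ids(text):
            clusters[tox_id].append(sample)
    return dict(clusters)


# --- constructed test data (not real affiliate IDs or ransom notes) ---
# Public key bytes 00..1f with nospam deadbeef; the trailing 6042 is the correct checksum.
TOX_ID_A = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1FDEADBEEF6042"
# Public key of 32 x 0xAA with nospam 01020304; checksum 0206.
TOX_ID_B = "AA" * 32 + "010203040206"
# Same body as TOX_ID_A with a corrupted checksum: a lookalike that must be rejected.
TOX_ID_BAD = TOX_ID_A[:-4] + "0000"

SAMPLE_NOTES = {
    "sample1.exe": f"Your files are encrypted. Contact us via TOX: {TOX_ID_A}\n",
    "sample2.exe": f"Contact: tox {TOX_ID_A.lower()} (support id, do not modify)\n",
    "sample3.exe": f"TOX ID: {TOX_ID_B}\nDo not contact the police.\n",
    "sample4.exe": f"TOX: {TOX_ID_BAD}\n",  # corrupted ID: must not form a cluster
}

if __name__ == "__main__":
    for tox_id, samples in cluster_by_tox_id(SAMPLE_NOTES).items():
        print(tox_id[:16] + "...", samples)
```

Run against a directory of decoded ransom notes (or strings output from the binaries) and each resulting cluster is one contact identity; the admin's own ID showing up alongside affiliate IDs is exactly the observation described above.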

Step 2: Initial Access Vectors and Exploitation of CVEs

The internal chats listed three primary initial access paths:

  • Fortinet and Cisco edge appliances – exploiting vulnerabilities in their VPN and management interfaces.
  • NTLM relay attacks – capturing NTLM authentication inside the network and relaying it to services that do not enforce signing or channel binding.
  • OWA/M365 credential logs – Outlook Web Access and Microsoft 365 credentials harvested from infostealer "logs" (the stolen-credential dumps traded on underground markets), used to sign in as the legitimate user.

The group actively tracked and evaluated modern CVEs, including:

  • CVE-2024-55591 – an authentication bypass in Fortinet FortiOS and FortiProxy that lets an unauthenticated attacker gain super-admin privileges via crafted requests to the Node.js websocket module.
  • CVE-2025-32433 – an unauthenticated remote code execution flaw in the Erlang/OTP SSH server, which ships inside many network products, Cisco appliances among them.
  • CVE-2025-33073 – a Windows SMB client elevation-of-privilege flaw (NTLM reflection) that lets an attacker who can coerce a host into authenticating relay that authentication back to the host itself.

Actionable tip: patch Fortinet devices against CVE-2024-55591, any product embedding Erlang/OTP's SSH server against CVE-2025-32433, and Windows hosts against CVE-2025-33073, and enforce SMB signing while you are at it. If you find logs showing exploitation attempts against these CVEs, treat them as high priority: the group tracks them specifically.

Step 3: Division of Roles and Shared Toolset

The database leak revealed a clear division of labor:

  • Access brokers – sell initial footholds (e.g., RDP, VPN access).
  • Penetration testers – move laterally and escalate privileges.
  • Locker operators – deploy ransomware and manage encryption.
  • Negotiators – handle ransom demands and payment.

Shared tools included:

  • SystemBC – a C2 proxy used for persistence and tunnelling.
  • Mimikatz – for credential dumping.
  • BloodHound – for Active Directory enumeration.
  • Cobalt Strike – for post-exploitation.

Step 4: Negotiation Tactics – The Dual-Pressure Approach

Screenshots from leaked negotiations show a successful payment of 190,000 USD (anchor demand 250,000 USD). More telling is the dual-pressure tactic: after stealing data from a UK software consultancy, they reused that data to attack a company in Turkey. During negotiations, they portrayed the UK firm as the "access broker" and provided "proof" to the Turkish victim that the intrusion originated from the UK side, encouraging the Turkish firm to consider legal action against the consultancy. This non-technical manipulation adds psychological pressure and is meant to push the victim toward a quick payment.

Defensive insight: Train your incident response team to recognize and document non-technical coercion. If attackers mention third-party breaches, verify the legitimacy before reacting.

Step 5: The Leak and Its Implications

On May 4, 2026, the admin acknowledged the leak of the Rocket database. The leak exposed operational data, including affiliate identities, victim lists, and technical configurations. Check Point Research obtained a partial dump, which confirmed the group’s high activity: 332 victims in five months. This volume makes The Gentlemen the second most productive RaaS operation in early 2026 among groups that list victims publicly.

For defenders, this leak is a goldmine: it provides a concrete list of compromised systems, techniques, and even negotiation scripts. By studying it, you can preemptively harden your environment.

Common Mistakes to Avoid

Mistake 1: Underestimating the Insider Threat

Whether the Rocket database was leaked by a disgruntled affiliate or by an outsider who compromised the admin's account is not established; either way, one administrator running the infrastructure, the builds and the payouts meant that one compromised account exposed the whole operation. The same applies to any team that holds sensitive tooling or data: never assume your own organisation is immune to leaks. Implement strict access controls, audit logging, and regular credential rotation, even within your red team or research team.

Mistake 2: Ignoring Non-Technical Attack Vectors

The Gentlemen’s negotiation tactics exploited victim psychology—instigating legal disputes between companies. Don’t focus solely on technical IoCs. Prepare scripts and procedures for handling extortion that involves third-party accusations.

Mistake 3: Failing to Correlate CVE Exploitation Patterns

Many organizations patch only once a CVE is widely publicized, but ransomware groups track newly published vulnerabilities in edge appliances and core Windows components and weaponize them within days. Subscribe to threat intelligence feeds that monitor underground forums for CVE discussions, and prioritize patches for internet-facing appliances. If The Gentlemen were testing CVE-2024-55591, your FortiOS and FortiProxy devices should have been patched before the group fully weaponized it.

Mistake 4: Overlooking Credential Logs

The group used OWA/M365 credentials taken from infostealer logs. An attacker signing in with a valid stolen password produces a successful sign-in, not a string of failures, so rules that only count failed logins will miss it. Implement SIEM rules that flag successful sign-ins from countries, networks or devices the user has never used, impossible travel between two sign-ins, and a burst of failures followed by a success from the same IP, and give extra weight to admin accounts and to legacy authentication protocols that bypass MFA.
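As an added example (not code from the Check Point report), the following Python hunts over constructed sign-in records for the three patterns that matter when an attacker logs in with valid stolen credentials: a successful sign-in from a country the user has never used, two successful sign-ins from different countries too close together, and a burst of failures followed by a success from the same IP. Users, IPs, countries, times and the record layout are all invented for the example; map the field names onto your own SIEM's sign-in export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, loosely shaped like Entra ID / OWA sign-in exports.
# Users, IPs (RFC 5737 documentation ranges), countries and times are all invented.
SIGNINS = [
    {"user": "alice@example.com", "time": "2026-04-20T08:02:11Z", "result": "success", "country": "GB", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2026-04-21T08:40:55Z", "result": "success", "country": "GB", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "time": "2026-04-22T09:15:02Z", "result": "success", "country": "GB", "ip": "203.0.113.10"},
    # A stolen password works first time: success from a country alice has never used,
    # 34 minutes after her GB sign-in.
    {"user": "alice@example.com", "time": "2026-04-22T09:49:30Z", "result": "success", "country": "RU", "ip": "198.51.100.7"},
    # Three failures then a success from the same unfamiliar IP within seconds.
    {"user": "bob@example.com", "time": "2026-04-22T10:00:00Z", "result": "failure", "country": "US", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2026-04-22T10:00:04Z", "result": "failure", "country": "US", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2026-04-22T10:00:09Z", "result": "failure", "country": "US", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "time": "2026-04-22T10:00:15Z", "result": "success", "country": "US", "ip": "198.51.100.7"},
    # Ordinary sign-in; no alert expected.
    {"user": "carol@example.com", "time": "2026-04-22T10:30:00Z", "result": "success", "country": "GB", "ip": "203.0.113.44"},
]

# Sign-ins before this instant form the "known good" baseline per user.
BASELINE_CUTOFF = datetime(2026, 4, 22)


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(signins, cutoff):
    """Countries each user successfully signed in from before `cutoff`."""
    base = defaultdict(set)
    for r in signins:
        if r["result"] == "success" and _ts(r) < cutoff:
            base[r["user"]].add(r["country"])
    return dict(base)


def new_country_logins(signins, baseline, cutoff):
    """Successful sign-ins after cutoff from a country absent from the user's baseline.
    Users with no baseline cannot be judged here and are left to the other rules."""
    hits = []
    for r in signins:
        if r["result"] != "success" or _ts(r) < cutoff:
            continue
        known = baseline.get(r["user"])
        if known is not None and r["country"] not in known:
            hits.append(("new_country", r["user"], r["country"], r["ip"]))
    return hits


def impossible_travel(signins, window=timedelta(hours=1)):
    """Two successful sign-ins by one user from different countries within `window`."""
    hits = []
    last = {}
    for r in sorted(signins, key=_ts):
        if r["result"] != "success":
            continue
        prev = last.get(r["user"])
        if prev and prev["country"] != r["country"] and _ts(r) - _ts(prev) <= window:
            hits.append(("impossible_travel", r["user"], prev["country"], r["country"]))
        last[r["user"]] = r
    return hits


def failures_then_success(signins, min_failures=3, window=timedelta(minutes=10)):
    """At least `min_failures` failed attempts, then a success from the same IP within `window`."""
    hits = []
    fails = defaultdict(list)  # (user, ip) -> timestamps of failures not yet followed by a success
    for r in sorted(signins, key=_ts):
        key = (r["user"], r["ip"])
        t = _ts(r)
        if r["result"] == "failure":
            fails[key].append(t)
            continue
        recent = [f for f in fails.get(key, []) if t - f <= window]
        if len(recent) >= min_failures:
            hits.append(("fail_then_success", r["user"], r["ip"], len(recent)))
        fails.pop(key, None)
    return hits


def hunt(signins, cutoff=BASELINE_CUTOFF):
    """Run all three rules and return the combined alert list."""
    baseline = build_baseline(signins, cutoff)
    return (new_country_logins(signins, baseline, cutoff)
            + impossible_travel(signins)
            + failures_then_success(signins))


if __name__ == "__main__":
    for alert in hunt(SIGNINS):
        print(alert)
```

On the constructed data the script raises exactly three alerts: alice's Russian sign-in (new country), the same sign-in paired with her GB login 34 minutes earlier (impossible travel), and bob's three failures followed by a success. The country-based rules are deliberately simple; in production you would baseline on ASN and device as well, since stealer logs are often replayed through residential proxies in the victim's own country.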

Summary

The Gentlemen RaaS operation provides a textbook example of a modern cybercrime franchise: clear role division, rapid exploitation of recent CVEs, and psychological leverage in negotiations. The database leak of May 2026 exposed their inner workings, giving defenders a rare advantage. By understanding their initial access paths (Fortinet/Cisco appliances, NTLM relay, OWA/M365 credentials from stealer logs), their shared toolset (SystemBC, Mimikatz, BloodHound, Cobalt Strike), and their dual-pressure negotiation style, you can build more resilient defenses. Key takeaways: patch the CVEs the group tracks, monitor successful as well as failed authentication, prepare for non-technical extortion tactics, and always secure internal databases, even within your own team. The Gentlemen might be prolific, but their own leak shows that no RaaS group is invulnerable.

Further reading: Check Point Research's full report on The Gentlemen (research.checkpoint.com) contains the specific technical details behind each step above.