Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation
Summary:
A recent investigation by Group-IB has uncovered the emergence and rapid evolution of "The Gentlemen," a Ransomware-as-a-Service (RaaS) operation led by a threat actor known as "hastalamuerte." Originally an affiliate of the Qilin ransomware group (operating under the name ArmCorp), the group branched out following a financial dispute over unpaid commissions. Since mid-2025, The Gentlemen have established a sophisticated operation that targets Windows, Linux, and VMware ESXi environments. They employ a dual-extortion model, encrypting critical systems while simultaneously exfiltrating sensitive data to a dedicated leak site (DLS) to compel payment.
The group’s primary differentiator is its highly organized "resource library" provided to affiliates. This includes an automated database of over 14,000 previously exploited FortiGate devices and a collection of "killers": custom tools designed to disable Endpoint Detection and Response (EDR) and Antivirus (AV) solutions. Their technical proficiency is further evidenced by their use of the Bring Your Own Vulnerable Driver (BYOVD) technique, which allows them to gain kernel-level privileges to terminate security processes that would otherwise block encryption.
Security Officer Comments:
The rise of The Gentlemen represents a significant professionalization of the "affiliate" mindset. For organizations spanning manufacturing, healthcare, and critical infrastructure, the most concerning takeaway is the group’s focus on "low-hanging fruit" that yields high-impact results. By maintaining a massive inventory of compromised FortiGate devices (CVE-2024-55591), they have essentially turned initial access into a commodity. This means that even less-skilled affiliates can now launch devastating attacks against our members by simply "picking" a target from a pre-validated list.
The group’s use of BYOVD techniques and EDR-killing scripts suggests that traditional signature-based defenses are insufficient. If an attacker can sit at the kernel level, they effectively "blind" your security team before the first file is even encrypted. A second concern is the group’s strategic pivot toward ESXi and Linux environments, which targets the very core of modern data centers. For many of our members, an attack at the hypervisor level results in total operational paralysis, as it bypasses individual VM security and encrypts the underlying storage that houses hundreds of servers simultaneously.
Suggested Corrections:
To defend against the specific TTPs utilized by The Gentlemen and their affiliates, organizations should prioritize the following defensive measures:
- Patching and Perimeter Hardening: Immediate patching of FortiOS/FortiProxy is critical to remediate CVE-2024-55591. Beyond patching, organizations should restrict access to firewall management interfaces, ensuring they are not exposed to the public internet and are only accessible via trusted internal networks or multi-factor authentication (MFA).
- Driver Blocklisting and Integrity: To counter BYOVD attacks, enable Microsoft’s vulnerable driver blocklist and utilize Windows Defender Application Control (WDAC) or AppLocker in "Enforce" mode. This prevents the loading of known-vulnerable drivers that the group uses to disable security software.
- Hypervisor Security: Since the group specifically targets ESXi, ensure that ESXi management interfaces are isolated on a dedicated management VLAN with strict ACLs. Implement MFA for all administrative access to vCenter and ESXi hosts, and ensure that "Secure Boot" is enabled to prevent the execution of unsigned malicious code at the boot level.
- Credential Hygiene and Monitoring: The Gentlemen utilize brute-forcing and credential-dumping scripts. Organizations should move away from legacy authentication and implement FIDO2-based MFA where possible. Additionally, monitor for unusual use of legitimate administrative tools like vssadmin, schtasks, and PowerShell, which the group uses for persistence and shadow copy deletion.
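Added example, not from the Group-IB report or this brief: a small Python detector for the vssadmin/wmic/PowerShell shadow-copy deletion and schtasks persistence commands that the last bullet says to monitor. The record fields (Computer, CommandLine) and all sample events are constructed to resemble Sysmon Event ID 1 process-creation data; no real telemetry is used.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    command: str

# Rule name -> regexes that must ALL match the normalized command line.
# Covers the shadow-copy deletion and scheduled-task persistence commands
# the brief calls out; "vssadmin list shadows" or "schtasks /query" stay quiet.
RULES = {
    "shadow_copy_delete_vssadmin": [r"\bvssadmin\b", r"\bdelete\b", r"\bshadows\b"],
    "shadow_copy_delete_wmic": [r"\bwmic\b", r"\bshadowcopy\b", r"\bdelete\b"],
    "shadow_copy_delete_powershell": [r"\bwin32_shadowcopy\b",
                                      r"remove-(wmiobject|ciminstance)|\.delete\(\)"],
    "shadow_storage_resize": [r"\bvssadmin\b", r"\bresize\b", r"\bshadowstorage\b"],
    "schtasks_persistence": [r"\bschtasks\b", r"/create\b",
                             r"/ru\s+system\b|\bon(logon|start)\b"],
}

def normalize(cmd: str) -> str:
    """Lower-case, drop quotes and cmd.exe caret escapes, collapse whitespace,
    so trivial spacing/quoting tricks in batch scripts do not evade the rules."""
    cmd = cmd.replace('"', " ").replace("'", " ").replace("^", "")
    return re.sub(r"\s+", " ", cmd).strip().lower()

def evaluate(record: dict) -> list[Alert]:
    """Return one Alert per rule whose patterns all match this record."""
    cmd = normalize(record.get("CommandLine", ""))
    return [Alert(name, record.get("Computer", "?"), cmd)
            for name, patterns in RULES.items()
            if all(re.search(p, cmd) for p in patterns)]

def scan(events: list[dict]) -> list[Alert]:
    return [alert for event in events for alert in evaluate(event)]

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"Computer": "FS01", "CommandLine": 'vssadmin.exe Delete Shadows /All /Quiet'},
    {"Computer": "FS01", "CommandLine": 'wmic  shadowcopy   delete'},
    {"Computer": "DC01", "CommandLine": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"Computer": "WS07", "CommandLine": 'v^ssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB'},
    {"Computer": "WS07", "CommandLine": 'schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon /ru SYSTEM'},
    {"Computer": "WS09", "CommandLine": 'vssadmin list shadows'},      # benign admin query
    {"Computer": "WS09", "CommandLine": 'schtasks /query /tn Backup'},  # benign
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.command}")
```

In production the same rules would be applied to Sysmon or Security 4688 events from your SIEM, with the parent process and user added to the alert for triage.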
Link(s):
https://www.infosecurity-magazine.com/news/ransomware-affiliate-gentlemen/