Ransomware Affiliate Leaks Internal Details of 'The Gentlemen' RaaS Operation
A ransomware affiliate leak exposes the inner workings of a new ransomware group that splintered from Qilin, revealing advanced evasion techniques and internal tensions.

A ransomware affiliate known as 'hastalamuerte' has leaked detailed operational information about a new ransomware-as-a-service (RaaS) group called 'The Gentlemen,' according to research published by Group-IB on March 19. The leak provides rare visibility into the group's infrastructure, attack methods, and the internal disputes, increasingly common in the RaaS ecosystem, that were the driving force behind its formation.
The Gentlemen emerged from a dispute within the Qilin ransomware ecosystem, with experienced affiliates quickly establishing the new brand using existing tooling and infrastructure. The group operates a dual-extortion model, encrypting victim data and threatening to release it publicly to increase pressure on organizations to pay. Group-IB found that the group targets multiple platforms, including Windows, Linux, and ESXi environments, maximizing the impact of its attacks.
Initial access is primarily achieved through systematic exploitation of exposed FortiGate VPN devices, either by exploiting known vulnerabilities or brute-forcing credentials. Once inside, affiliates deploy automated lateral movement using PowerShell and Windows Management Instrumentation, harvest credentials, disrupt backups, and perform domain-wide encryption designed to minimize the time to ransom. The group also targets backup and security systems to hinder recovery efforts.
The Gentlemen employ advanced defense evasion techniques, including Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint detection and antivirus tools, and aggressive log deletion to complicate forensic investigation. These methods allow the group to operate with a high degree of stealth and efficiency.
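Two of the behaviours described above, clearing of Windows event logs and loading of drivers that are not from an approved publisher (the BYOVD pattern), leave traces that a defender can alert on. The following detection sketch is an added example written for this page, not code from the Group-IB report or from the article. It assumes event records have already been parsed into dictionaries with the field names Windows and Sysmon use; the trusted-signer allowlist and the sample records are constructed placeholders for this illustration.

```python
"""Detection sketch (added example): flag event-log clearing and untrusted
driver loads in parsed Windows/Sysmon event records."""

from dataclasses import dataclass

# Real Windows / Sysmon event identifiers.
SECURITY_LOG_CLEARED = 1102   # Security log: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104      # Microsoft-Windows-Eventlog: a log file was cleared
SYSMON_PROCESS_CREATE = 1     # Sysmon process creation
SYSMON_DRIVER_LOAD = 6        # Sysmon driver loaded

# Assumed allowlist of driver signers for this environment (placeholder values;
# a real deployment would build this from its own driver inventory).
TRUSTED_DRIVER_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_log_cleared(ev):
    """Native log-cleared events: the log service records these itself."""
    eid = ev.get("EventID")
    if eid in (SECURITY_LOG_CLEARED, SYSTEM_LOG_CLEARED):
        who = ev.get("SubjectUserName", "?")
        return Alert("log_cleared", ev["Computer"], f"EventID {eid} by {who}")
    return None


def check_log_clear_command(ev):
    """Process creation of wevtutil with its clear-log verb ('cl' / 'clear-log')."""
    if ev.get("EventID") != SYSMON_PROCESS_CREATE:
        return None
    image = ev.get("Image", "").lower()
    tokens = ev.get("CommandLine", "").lower().split()
    if image.endswith("wevtutil.exe") and len(tokens) >= 2 \
            and tokens[1] in ("cl", "clear-log"):
        return Alert("log_clear_command", ev["Computer"], " ".join(tokens))
    return None


def check_driver_load(ev):
    """Driver loads whose signature is not valid or whose signer is not approved."""
    if ev.get("EventID") != SYSMON_DRIVER_LOAD:
        return None
    status = ev.get("SignatureStatus", "")
    signer = ev.get("Signature", "")
    if status != "Valid" or signer not in TRUSTED_DRIVER_SIGNERS:
        return Alert("untrusted_driver_load", ev["Computer"],
                     f"{ev.get('ImageLoaded')} signed by {signer!r} ({status})")
    return None


CHECKS = (check_log_cleared, check_log_clear_command, check_driver_load)


def detect(events):
    """Run every check over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            alert = check(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'"C:\Windows\System32\wevtutil.exe" cl Security'},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "svc-backup"},
    {"EventID": 104, "Computer": "DC01", "SubjectUserName": "svc-backup"},
    {"EventID": 6, "Computer": "DC01", "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "DC01", "ImageLoaded": r"C:\Windows\Temp\example_vendor.sys",
     "Signature": "Example Vendor Ltd", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The last sample record is the important one: a validly signed driver still produces an alert because its publisher is not on the allowlist, which is the case BYOVD relies on. In practice this rule is tuned with the environment's own driver inventory so that only first-seen or unapproved signers reach an analyst.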
The leak also highlights growing tensions within the RaaS model. Affiliates who carry out attacks using rented infrastructure sometimes expose operators when disputes arise. In this case, 'hastalamuerte' publicly shared insights into the group's operations, offering a rare window into the partnerships that drive modern ransomware campaigns.
Group-IB noted that the evolution of groups like The Gentlemen reflects a broader trend toward more specialized and professionalized cybercrime. The combination of advanced evasion techniques and flexible attack infrastructure continues to challenge traditional security measures. At the same time, internal instability may create opportunities for disruption, with intelligence leaks such as this offering a clearer view of how modern ransomware campaigns are organized and executed.