{"id":4896,"date":"2026-03-19T23:38:27","date_gmt":"2026-03-19T23:38:27","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/03\/19\/ransomware-affiliate-exposes-details-of-the-gentlemen-operation\/"},"modified":"2026-03-19T23:38:27","modified_gmt":"2026-03-19T23:38:27","slug":"ransomware-affiliate-exposes-details-of-the-gentlemen-operation","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/19\/ransomware-affiliate-exposes-details-of-the-gentlemen-operation\/","title":{"rendered":"Ransomware Affiliate Exposes Details of &#8216;The Gentlemen&#8217; Operation"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A ransomware affiliate known as &#8216;hastalamuerte&#8217;\u00a0has revealed operational details about a group called The Gentlemen,\u00a0shedding light on its tactics, techniques and internal disputes.<\/p>\n<p>New research by Group-IB, published on March 19, provided\u00a0rare insight into how the ransomware-as-a-service (RaaS) group operates, including its infrastructure, attack methods and affiliate relationships.<\/p>\n<p>The leak also highlighted\u00a0growing tensions within cyber-criminal networks.<\/p>\n<h2><strong>The Gentlemen Ransomware Group: an Overview<\/strong><\/h2>\n<p>The research identified\u00a0&#8220;The Gentlemen&#8221; as a relatively new but rapidly evolving ransomware group that emerged from a dispute within an existing RaaS ecosystem with <u>Qilin<\/u>.<\/p>\n<p>Experienced affiliates quickly established this new brand using existing tooling and infrastructure. 
The group employs a dual-extortion model, encrypting victim data and threatening to release it publicly, increasing pressure on organizations to pay.<\/p>\n<p>Group-IB found that the group targets multiple platforms, including Windows, Linux\u00a0and ESXi environments.<\/p>\n<p>Systematic exploitation of exposed FortiGate VPN devices through vulnerabilities or brute forcing remains a primary initial access method. Once inside, affiliates deploy automated lateral movement, credential harvesting, backup disruption and domain-wide encryption designed to maximize impact and reduce time to ransom.<\/p>\n<p>Among the techniques observed by\u00a0Group-IB were:<\/p>\n<ul>\n<li>\n<p>Use of PowerShell and Windows Management Instrumentation for lateral movement<\/p>\n<\/li>\n<li>\n<p>Deployment of anti-forensic tools to erase traces after attacks<\/p>\n<\/li>\n<li>\n<p>Targeting of backup and security systems to hinder recovery<\/p>\n<\/li>\n<li>\n<p>Cross-platform encryption to maximize impact<\/p>\n<\/li>\n<\/ul>\n<p>The group also uses advanced defense evasion methods, including Bring Your Own Vulnerable Driver (BYOVD) and aggressive log deletion, to disable endpoint detection and antivirus tools and complicate forensic investigation.<\/p>\n<h2><strong>Affiliate Tensions and Broader Threat Landscape<\/strong><\/h2>\n<p>The report also highlighted friction within the RaaS model. Affiliates carrying out attacks using rented infrastructure sometimes expose operators when disputes arise.<\/p>\n<p>In this case, &#8216;hastalamuerte&#8217;\u00a0publicly shared insights into the group&#8217;s operations, offering rare visibility into ransomware partnerships.<\/p>\n<p>RaaS operations have expanded significantly in recent years, with more groups adopting structured affiliate programs that resemble legitimate business models. 
These ecosystems allow developers to scale attacks while outsourcing much of the operational risk.<\/p>\n<p>Group-IB noted that the evolution of groups like The Gentlemen\u00a0reflects a broader trend towards more specialized and professionalized cybercrime.<\/p>\n<p>The combination of advanced evasion techniques and flexible attack infrastructure continues to challenge traditional security measures. At the same time, internal instability may create opportunities for disruption, with intelligence leaks such as this offering a clearer view of how modern ransomware campaigns are organized and executed.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A ransomware affiliate known as &#8216;hastalamuerte&#8217;\u00a0has revealed operational details about a group called The Gentlemen,\u00a0shedding light on its tactics, techniques and internal disputes. New research by Group-IB, published on March 19, provided\u00a0rare insight into how the ransomware-as-a-service (RaaS) group operates, including its infrastructure, attack methods and affiliate relationships. 
The leak also highlighted\u00a0growing tensions within cyber-criminal<\/p>\n","protected":false},"author":2,"featured_media":4897,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4896","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4896-69ab55af-e75b-4a16-b162-63c1c195b7cc-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info
":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4896","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4896"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4896\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4897"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}