⚡ Key Takeaways

The Gentlemen ransomware group claimed ~332 public victims in 5 months of 2026, outpacing Akira’s first-year count, by offering affiliates a 90% revenue cut, the highest in the RaaS market. Its multi-platform tooling (a Go encryptor for Windows and Linux, a C-based locker for ESXi, plus NAS targeting) hits hypervisors, file servers and endpoints in the same intrusion, with CVE-2024-55591 (FortiOS/FortiProxy authentication bypass) as the primary entry vector. A leaked backend exposed ~14,700 pre-compromised FortiGate devices in the group’s inventory.

Bottom Line: Patch FortiOS CVE-2024-55591 now, enforce AD tiering to block domain-wide detonation, and deploy network-egress DLP — because their double-extortion model means backups alone won’t end the incident.


🧭 Decision Radar

Relevance for Algeria: Medium. Algerian enterprises run ESXi/NAS environments and FortiGate appliances; the CVE-2024-55591 attack vector affects any unpatched FortiOS installation.

Infrastructure Ready? Partial. Most Algerian firms lack dedicated data exfiltration detection and DLP at network egress; backup isolation is inconsistent.

Skills Available? Partial. DLP and EDR expertise is limited in the local market; AD tiering is rarely implemented in mid-market environments.

Action Timeline: Immediate. Deadlines or windows of opportunity are short-term.

Key Stakeholders: CISOs, SOC teams, IT managers at Algerian enterprises and institutions using FortiGate, ESXi, or NAS infrastructure.

Decision Type: Tactical. This article offers tactical guidance for near-term implementation decisions.

Quick Take: The Gentlemen’s primary entry vector — a CVE in FortiOS that was patched in early 2025 — remains exploitable in organizations that have not applied updates. Any Algerian enterprise running FortiGate appliances should verify patch status immediately. Beyond patching, the double-extortion model means backup-only recovery strategies are insufficient: exfiltration detection at network egress must be treated as equal priority to endpoint protection.


How a Startup Ransomware Gang Out-Hired the Market

When The Gentlemen ransomware group emerged in July 2025 — initially operating as “ArmCorp,” a splinter of the Qilin affiliate network — the threat-intel community noted another mid-tier entry into a crowded RaaS market. What nobody predicted was how quickly a single structural decision would transform a disgruntled group of former Qilin affiliates into the second most productive ransomware operation globally.

That decision was the 90/10 revenue split.

Established RaaS programs such as LockBit 3.0 and Akira typically offer affiliates between 70% and 80% of collected ransoms. According to Halcyon’s threat assessment of The Gentlemen, only RansomHub had previously matched a 90% affiliate payout. On a documented The Gentlemen negotiation that settled at $190,000, the difference between an 80% and a 90% cut is $19,000 for the affiliate on that single deal. At scale, that differential is a recruiting machine.

The math works. The Gentlemen’s affiliate pool appears small but experienced: Group-IB’s analysis of the group’s operations documented a tight roster of named operators and a handful of distinct affiliate Tox IDs, all organized around a single administrator identity. Small teams, high margins, shared tooling — and a philosophy that maximum affiliate compensation attracts maximum affiliate talent.

By January 2026, the group was claiming 48 attacks per month. By February, 91. Growth comparable to LockBit 3.0’s early scaling, from a team that emerged only six months prior.

The Affiliate Economics That Changed the Market

The 90/10 model isn’t just a compensation choice — it’s a talent acquisition strategy that directly determines victim selection quality. When affiliates retain more, they invest more in high-value targeting and sophisticated initial access.

The Gentlemen’s affiliates demonstrate this in their tooling. Microsoft Security Blog’s technical dissection found a Go-based encryptor that, in its self-propagation phase, attempts 21 distinct remote execution techniques against each target host (PsExec, WMIC, scheduled tasks, PowerShell over WinRM, PowerShell over WMI, among others), covering nearly every remote execution pathway available in a Windows domain. This is not the work of entry-level operators. It is the product of experienced ransomware professionals who chose The Gentlemen precisely because it pays better.

The financial model explains another distinctive trait: geographical spread. Halcyon’s analysis found that only 7% of victims were US-based — an unusually low figure for ransomware operations, which typically concentrate on US targets for higher ransom ceilings. Instead, The Gentlemen’s top target country was Thailand (27 victims), with attacks distributed across 66 countries and 20 industry verticals including IT services, construction, manufacturing, financial services, and healthcare. Affiliates chasing volume — not just high-value single targets — exploit the 90% model across any geography that provides access.

Critically, the double-extortion approach underpins the economics. Affiliates exfiltrate data before encrypting it, creating two distinct leverage points: restore-or-pay versus publish-or-pay. Even in environments where backup infrastructure is intact and recovery is feasible, the prospect of sensitive data publication keeps ransom conversations alive. This is the “encryptionless” pressure the group wields: exfiltration alone can generate ransom payment even when encryption fails.


Platform Coverage: Why ESXi and NAS Are the Critical Risk

The Gentlemen’s multi-platform codebase — a Go encryptor for Windows and Linux, a C-based locker specifically for ESXi — is purpose-built for enterprise infrastructure. The targeting logic is deliberate: compromise one ESXi hypervisor and you potentially encrypt dozens of virtual machines simultaneously. Compromise a NAS device that holds both production shares and backup targets, as many mid-market deployments do, and you eliminate primary data and backup copies in a single action.

The ESXi-specific payload adds autostart persistence and attacks VMware vSAN clusters simultaneously. Pre-encryption, it gracefully shuts down virtual machines before forcing termination, flushes caching buffers, and disables auto-recovery — leaving administrators with no viable rollback path from the hypervisor layer.

For Windows environments, the pre-encryption checklist is equally methodical: disable Microsoft Defender real-time monitoring, delete Volume Shadow Copies via vssadmin and WMIC, clear System/Application/Security event logs, remove prefetch files and RDP logs, terminate 40+ processes covering SQL Server, Oracle, MySQL, backup software, EDR agents, and Office applications. By the time encryption begins, the environment is isolated from both its defenses and its recovery tools.
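The self-propagation techniques listed above and the Windows pre-encryption checklist are both visible in process-creation telemetry (Sysmon Event ID 1 or Security 4688) before any file is encrypted. The detector below is an added example written for this article, not tooling from Microsoft, Huntress or any other source it cites: it scores command lines per account against a small rule set and alerts only when several distinct categories appear together, so a lone `vssadmin list shadows` from an administrator does not page anyone. The sample events, the account and host names, and the rule weights are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style).
# These lines are invented for this example, not telemetry from any Gentlemen intrusion.
SAMPLE_EVENTS = [
    {"host": "FS01",   "user": "CORP\\svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01",   "user": "CORP\\svc_backup", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "FS01",   "user": "CORP\\svc_backup", "cmd": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "FS01",   "user": "CORP\\svc_backup", "cmd": "wevtutil.exe cl Security"},
    {"host": "FS01",   "user": "CORP\\svc_backup", "cmd": "cmd.exe /c del /q /f C:\\Windows\\Prefetch\\*"},
    {"host": "FS01",   "user": "CORP\\svc_backup", "cmd": "taskkill.exe /F /IM sqlservr.exe"},
    {"host": "JUMP01", "user": "CORP\\svc_backup", "cmd": "psexec.exe \\\\WS042 -s cmd.exe /c C:\\Temp\\upd.exe"},
    {"host": "JUMP01", "user": "CORP\\svc_backup", "cmd": 'wmic.exe /node:WS043 process call create "C:\\Temp\\upd.exe"'},
    {"host": "JUMP01", "user": "CORP\\svc_backup", "cmd": "schtasks.exe /create /s WS044 /tn upd /tr C:\\Temp\\upd.exe /sc once /st 00:00"},
    {"host": "JUMP01", "user": "CORP\\svc_backup", "cmd": 'powershell.exe -c "Invoke-Command -ComputerName WS045 -ScriptBlock { C:\\Temp\\upd.exe }"'},
    {"host": "WS010",  "user": "CORP\\jdoe",       "cmd": "powershell.exe -c Get-Process"},
    {"host": "WS010",  "user": "CORP\\jdoe",       "cmd": "vssadmin.exe list shadows"},
]

# (category, pattern, weight). Weights are this example's own judgement, not a published scheme.
# The first five categories are pre-encryption steps; the last four are remote-execution channels.
RULES = [
    ("shadow_copy_deletion", r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", 3),
    ("defender_disabled",    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true",                 3),
    ("event_log_cleared",    r"wevtutil(\.exe)?\s+cl\s+(System|Application|Security)\b",               2),
    ("prefetch_removed",     r"\bdel\b.*\\Prefetch\\",                                                   1),
    ("db_or_backup_killed",  r"taskkill(\.exe)?\s+/f\s+/im\s+(sqlservr|oracle|mysqld|veeam\w*|vmms)\.exe", 2),
    ("remote_exec_psexec",   r"psexec(\.exe)?\s+\\\\",                                                   2),
    ("remote_exec_wmic",     r"wmic(\.exe)?\s+/node:",                                                   2),
    ("remote_exec_schtasks", r"schtasks(\.exe)?\s+/create\s+/s\s+",                                      2),
    ("remote_exec_winrm",    r"Invoke-Command\b.*-ComputerName\s+",                                      2),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE), w) for cat, pat, w in RULES]


def match_rules(cmd):
    """Return the categories a single command line triggers, in RULES order."""
    return [cat for cat, rx, _ in COMPILED if rx.search(cmd)]


def score_events(events):
    """Aggregate rule hits per account across hosts: {user: {"score", "categories", "hosts"}}.

    Keying on the account rather than the host is deliberate: the same stolen credential
    typically drives both the lateral movement and the pre-encryption cleanup.
    """
    acc = defaultdict(lambda: {"score": 0, "categories": set(), "hosts": set()})
    for ev in events:
        for cat, rx, weight in COMPILED:
            if rx.search(ev["cmd"]):
                entry = acc[ev["user"]]
                entry["score"] += weight
                entry["categories"].add(cat)
                entry["hosts"].add(ev["host"])
    return dict(acc)


def alerts(events, min_score=5, min_categories=3):
    """Accounts whose activity crosses both thresholds; a single hit never alerts on its own."""
    return sorted(user for user, entry in score_events(events).items()
                  if entry["score"] >= min_score and len(entry["categories"]) >= min_categories)


if __name__ == "__main__":
    for user, entry in score_events(SAMPLE_EVENTS).items():
        print(f"{user}: score={entry['score']} hosts={sorted(entry['hosts'])}")
        print("  categories:", ", ".join(sorted(entry["categories"])))
    print("ALERT:", alerts(SAMPLE_EVENTS))
```

Tune the weights and thresholds to your own baseline: backup agents legitimately call `vssadmin`, and help-desk tooling uses `psexec`, so the point of the aggregation is that one category alone stays below the alert line while the combination of shadow-copy deletion, Defender tampering and log clearing from one account crosses it well before encryption starts.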

Initial access centers on CVE-2024-55591, a critical FortiOS/FortiProxy authentication bypass. Group-IB’s forensic analysis found that operators maintained an inventory of approximately 14,700 pre-compromised FortiGate devices worldwide, supplemented by roughly 1,000 brute-forced FortiGate VPN credentials. An organization with a vulnerable, internet-facing FortiGate device may already be in that inventory — waiting for the right affiliate to activate the access.

Once inside, lateral movement uses Active Directory Group Policy hijacking for simultaneous domain-wide payload detonation. The attack-to-encryption timeline is measured in hours.

What Enterprise Security Teams Should Do

The Gentlemen’s model exploits three predictable failure modes: exposed edge appliances, flat Active Directory environments, and inadequate exfiltration detection. Each has a concrete mitigation path.

1. Patch and Segment Internet-Facing Appliances Immediately

CVE-2024-55591 (FortiOS/FortiProxy authentication bypass) is the primary documented initial access vector. Any organization running FortiGate, FortiProxy, or similar edge appliances that has not applied available patches is a candidate for The Gentlemen’s pre-built inventory. Patch cadence for internet-facing network appliances must be treated as a Severity-1 event — not a scheduled maintenance window. Where an upgrade cannot be applied the same day, the vendor advisory’s interim workaround is to disable HTTP/HTTPS administrative access on internet-facing interfaces, or restrict it to trusted source addresses. Patching does not evict an operator who already used the bypass: review administrator and VPN accounts for entries you did not create, and rotate credentials on any device that was exposed while vulnerable. In parallel, segment management interfaces onto isolated OOB (out-of-band) networks inaccessible from the internet. If remote administration of edge appliances requires internet reachability, that is a network architecture problem, not a configuration problem.
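Verifying the two things that matter here, the running version and whether an admin protocol is enabled on a WAN-role interface, can be done offline against a configuration backup. The script below is an added example for this article, not a Fortinet tool: it reads the `#config-version` header that FortiOS writes at the top of a backup and the `config system interface` block. The config excerpt is constructed, and the affected-version table is the author’s recollection of the vendor advisory FG-IR-24-535 (FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12); confirm it against the advisory before relying on it.

```python
import re

# Constructed FortiGate config excerpt for this example (not a real device backup).
SAMPLE_CONFIG = """\
#config-version=FGT100F-7.0.15-FW-build0632-240801:opmode=0:vdom=0:user=admin
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
"""

# Affected ranges for CVE-2024-55591 (FG-IR-24-535) as recalled when writing this example:
# product -> [(first_affected, last_affected, first_fixed)]. Verify against the vendor advisory.
AFFECTED = {
    "FortiOS":    [((7, 0, 0), (7, 0, 16), (7, 0, 17))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19), (7, 0, 20)),
                   ((7, 2, 0), (7, 2, 12), (7, 2, 13))],
}
PRODUCT_PREFIX = {"FGT": "FortiOS", "FPX": "FortiProxy"}
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_version(config_text):
    """Return (product, (major, minor, patch)) from the #config-version header, or None."""
    m = re.search(r"^#config-version=([A-Z]+)[\w-]*?-(\d+)\.(\d+)\.(\d+)-", config_text, re.M)
    if not m:
        return None
    product = PRODUCT_PREFIX.get(m.group(1), m.group(1))
    return product, tuple(int(x) for x in m.groups()[1:])


def first_fixed(product, version):
    """First fixed release if `version` falls in an affected range, else None."""
    for lo, hi, fixed in AFFECTED.get(product, []):
        if lo <= version <= hi:
            return fixed
    return None


def is_vulnerable(product, version):
    return first_fixed(product, version) is not None


def exposed_mgmt_interfaces(config_text):
    """Interfaces with 'set role wan' that also allow an admin protocol via 'set allowaccess'."""
    exposed, in_block = [], False
    name, allow, role = None, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block and line.startswith("edit "):
            name, allow, role = line.split(" ", 1)[1].strip('"'), set(), None
        elif in_block and line.startswith("set allowaccess "):
            allow = set(line.split()[2:])
        elif in_block and line.startswith("set role "):
            role = line.split()[2]
        elif in_block and line == "next":
            if role == "wan" and allow & MGMT_PROTOCOLS:
                exposed.append((name, sorted(allow & MGMT_PROTOCOLS)))
    return exposed


def audit(config_text):
    """Summarise patch status and admin exposure for one config backup."""
    parsed = parse_version(config_text)
    if parsed is None:
        raise ValueError("no #config-version header found")
    product, version = parsed
    fixed = first_fixed(product, version)
    return {
        "product": product,
        "version": ".".join(map(str, version)),
        "vulnerable": fixed is not None,
        "upgrade_to": ".".join(map(str, fixed)) if fixed else None,
        "exposed_admin": exposed_mgmt_interfaces(config_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the sample backup the result is a vulnerable 7.0.15 build with HTTPS and SSH administration reachable on `wan1`, which is exactly the combination the inventory of pre-compromised devices was built from. Interfaces without an explicit `set role wan` are not flagged, so extend the check with your own address-based rule if you assign roles inconsistently.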

2. Enforce AD Tiering and GPO Change Monitoring to Prevent Domain-Wide Detonation

Domain-wide Group Policy hijacking is the escalation step that converts a single-host compromise into a full enterprise encryption event. Executing it requires the right to create or edit a GPO linked at the domain or site level, which in practice means Domain Admin-equivalent (Tier 0) privileges or carelessly delegated GPO edit rights; flat Active Directory environments with no tier separation hand those over through credential theft on ordinary servers. Implement AD tiering (Tier 0/1/2) so that compromise of a workstation or mid-tier server does not grant access to domain controller or GPO-editing credentials. Monitor for unauthorized GPO creation and modification using Defender for Identity (the successor to the retired Advanced Threat Analytics) or SIEM rules that alert on any GPO change not originating from approved administrator accounts. For the SIEM route that means Security events 5136, 5137 and 5141 on groupPolicyContainer objects, which are only generated when the Audit Directory Service Changes subcategory is enabled and a SACL is set on the Policies container, supplemented by file change monitoring on SYSVOL. A single unauthorized GPO change is a critical incident signal — treat it as full compromise in progress.
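A concrete version of that SIEM rule, as an added example written for this article rather than a rule shipped by Microsoft or any SIEM vendor: it classifies directory-service change events on groupPolicyContainer objects by who made the change and which attribute moved. The approved-admin list, the event field names (taken as a SIEM agent might export them) and the sample events are assumptions of the example; the two well-known GUIDs are those of the Default Domain Policy and Default Domain Controllers Policy, and the third GUID is invented.

```python
import re

# Assumption of this example: Tier 0 accounts that are allowed to touch Group Policy.
APPROVED_ADMINS = {"CORP\\t0-gpoadmin", "CORP\\t0-jsmith"}

# Well-known GPO GUIDs present in every domain; a change here reaches every machine.
HIGH_VALUE_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}
GPO_EVENT_IDS = {5137: "created", 5136: "modified", 5141: "deleted"}
# Attributes that change when a new client-side extension (scheduled task, startup script,
# file deployment) is registered on a GPO, i.e. when a payload is attached to it.
SUSPICIOUS_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames", "gPCFileSysPath"}

DDP = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local"
NEW_GPO = "CN={0F3D9A2B-1C4E-4F5A-9B6C-7D8E9F0A1B2C},CN=Policies,CN=System,DC=corp,DC=local"  # invented GUID

# Constructed Security-log events (5136/5137 fields as a SIEM agent might export them).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "CORP\\t0-gpoadmin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DDP, "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5137, "SubjectUserName": "CORP\\svc_backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": NEW_GPO, "AttributeLDAPDisplayName": None},
    {"EventID": 5136, "SubjectUserName": "CORP\\svc_backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DDP, "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectUserName": "CORP\\t0-jsmith", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": DDP, "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "SubjectUserName": "CORP\\helpdesk1", "ObjectClass": "user",
     "ObjectDN": "CN=J Doe,OU=Staff,DC=corp,DC=local", "AttributeLDAPDisplayName": "telephoneNumber"},
]

SEVERITY_ORDER = {"info": 0, "high": 1, "critical": 2}


def gpo_guid(object_dn):
    """Extract the GPO GUID from a Policies-container DN, upper-cased for table lookup."""
    m = re.search(r"CN=(\{[0-9A-Fa-f-]+\})", object_dn or "")
    return m.group(1).upper() if m else None


def classify(event):
    """Return (severity, reason) for one directory-service event, or None if it is not a GPO change."""
    if event.get("ObjectClass") != "groupPolicyContainer" or event.get("EventID") not in GPO_EVENT_IDS:
        return None
    action = GPO_EVENT_IDS[event["EventID"]]
    guid = gpo_guid(event.get("ObjectDN"))
    name = HIGH_VALUE_GPOS.get(guid, guid)
    actor = event.get("SubjectUserName", "?")
    attr = event.get("AttributeLDAPDisplayName")
    if actor not in APPROVED_ADMINS:
        # Unapproved identity touching Group Policy: compromise in progress, regardless of attribute.
        return ("critical", f"GPO {name} {action} by unapproved account {actor}")
    if guid in HIGH_VALUE_GPOS and attr in SUSPICIOUS_ATTRS:
        # Approved admin, but a payload-bearing attribute on a domain-wide GPO: verify out of band.
        return ("high", f"{name}: {attr} changed by {actor}")
    return ("info", f"GPO {name} {action} by {actor}")


def alerts(events, min_severity="high"):
    """Classified events at or above min_severity, in arrival order."""
    out = []
    for ev in events:
        result = classify(ev)
        if result and SEVERITY_ORDER[result[0]] >= SEVERITY_ORDER[min_severity]:
            out.append(result)
    return out


if __name__ == "__main__":
    for severity, reason in alerts(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {reason}")
```

Two design choices are worth copying into a production rule: identity is checked before attribute, so a service account editing any GPO is critical even when the attribute looks harmless, and an approved administrator registering a new client-side extension on a domain-wide GPO is still surfaced, because that is the exact edit an affiliate makes with a stolen Tier 0 credential.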

3. Deploy DLP and Exfiltration Monitoring Before Encryption Runs

The Gentlemen’s double-extortion model means that even a successful recovery from encryption does not end the incident. If data was exfiltrated before the encryptor ran — and Huntress’s forensic analysis confirms defenders often cannot reliably detect the boundary between exfiltration and encryption phases — the organization faces ongoing publication threats. Deploy data loss prevention (DLP) at network egress points, configured to alert on large volumes of outbound traffic to destinations outside an egress allowlist (the traffic will be encrypted, so volume and destination, not content, are the usable signals), unusual bulk file staging in temporary directories, and anomalous access patterns to file servers or NAS devices outside business hours. The exfiltration stage is slower and noisier than encryption — it is the detection window that most organizations miss.
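The egress and off-hours NAS signals above can be correlated from flow records alone, without content inspection. The script below is an added example for this article, not code from any DLP product or from the sources cited: it sums client-to-server bytes per source/destination pair, flags large transfers to non-allowlisted external addresses, flags off-hours reads from NAS addresses, and raises the severity when the same host did both, which is the staging-then-upload pattern of a double-extortion affiliate. The flow records, addresses, allowlist and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow/IPFIX-style records: (timestamp, src, dst, dst_port, bytes sent by src).
# Invented for this example; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    ("2026-03-14T02:10:00", "10.0.20.15", "10.0.50.5",    445, 1_800_000_000),  # NAS reads at 02:10
    ("2026-03-14T02:25:00", "10.0.20.15", "10.0.50.5",    445, 2_200_000_000),
    ("2026-03-14T02:40:00", "10.0.20.15", "198.51.100.7", 443, 2_900_000_000),  # then TLS upload
    ("2026-03-14T02:55:00", "10.0.20.15", "198.51.100.7", 443, 3_100_000_000),
    ("2026-03-14T10:05:00", "10.0.20.30", "203.0.113.50", 443,   150_000_000),  # allowlisted backup
    ("2026-03-14T11:00:00", "10.0.20.31", "198.51.100.9", 443,    40_000_000),  # ordinary browsing
]

ALLOWED_EGRESS = {"203.0.113.50"}      # assumption: contracted cloud backup provider
NAS_HOSTS = {"10.0.50.5"}              # assumption: the site's NAS
INTERNAL_PREFIXES = ("10.",)           # assumption: RFC 1918 space in use at the site


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def off_hours(ts, start_hour=22, end_hour=6):
    """True between 22:00 and 06:00 local time (the window is an assumption of the example)."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start_hour or hour < end_hour


def detect(flows, egress_threshold=5_000_000_000, nas_threshold=1_000_000_000):
    """Return [(severity, reason)] for suspicious egress and off-hours NAS activity."""
    egress_bytes = defaultdict(int)   # (src, dst) -> bytes to unlisted external hosts
    nas_bytes = defaultdict(int)      # src -> bytes read from NAS outside business hours
    for ts, src, dst, _port, nbytes in flows:
        if not is_internal(dst) and dst not in ALLOWED_EGRESS:
            egress_bytes[(src, dst)] += nbytes
        if dst in NAS_HOSTS and off_hours(ts):
            nas_bytes[src] += nbytes

    findings = []
    for (src, dst), total in egress_bytes.items():
        if total >= egress_threshold:
            staged = nas_bytes.get(src, 0) >= nas_threshold
            severity = "critical" if staged else "high"
            reason = f"{src} sent {total / 1e9:.1f} GB to unlisted {dst}"
            if staged:
                reason += " after off-hours NAS reads"
            findings.append((severity, reason))
    for src, total in nas_bytes.items():
        if total >= nas_threshold:
            findings.append(("medium", f"{src} read {total / 1e9:.1f} GB from NAS outside business hours"))
    return findings


if __name__ == "__main__":
    for severity, reason in detect(SAMPLE_FLOWS):
        print(f"[{severity.upper()}] {reason}")
```

The thresholds are deliberately coarse; the value of the rule is the correlation. A 6 GB upload alone might be a legitimate cloud sync, and a 4 GB NAS read at 02:00 might be a backup job, but the same workstation doing both in the same hour to an address nobody approved is the window this section describes, and it opens before the encryptor runs.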

4. Test Backup Isolation and Recovery Before an Incident

The pre-encryption checklist — Shadow Copy deletion, NAS targeting, VMware snapshot elimination — is designed to eliminate every recovery path available in a default enterprise environment. Test backup restoration from offline, immutable or air-gapped copies quarterly, and measure the time to a working system rather than the time to a completed copy. Verify that backup management interfaces are not reachable from production networks and do not accept the same domain credentials an affiliate would hold after a Tier 0 compromise. ESXi environments in particular need real backups held on storage the hypervisor credentials cannot reach: VMware snapshots live on the same datastore as the VMs and are deleted by the same locker, so they are not a recovery path against this group.

The Bigger Picture: When Affiliate Economics Drive Threat Velocity

The Gentlemen’s rise is a case study in what happens when RaaS economics reach their logical extreme. The 90/10 split does not just attract affiliates — it attracts affiliates who have already operated inside competing programs, carry institutional knowledge of enterprise networks, and bring pre-built tooling and access inventories with them. Each defector from RansomHub, Qilin, or LockBit who joins The Gentlemen brings existing victim access and attack methodology.

This is why the growth curve is vertical rather than incremental. The Gentlemen did not build capability from scratch — it purchased it at a 10% premium over market.

For enterprise security teams, the structural lesson is this: the ransomware market now operates with the discipline of a competitive talent marketplace. Groups that offer better economics attract better operators. Better operators execute faster, more completely, and against harder targets. The threat velocity organizations experienced from LockBit at its peak is now the entry-level standard for any new group willing to pay affiliates appropriately.

The defensive posture required is not a reactive patch cycle. It is continuous adversarial assumption — treating edge appliance compromise as probable, Domain Controller access as the critical boundary to defend, and exfiltration detection as the last window before an incident becomes uncontrollable.



Frequently Asked Questions

What makes The Gentlemen’s 90/10 affiliate split significant for enterprise defenders?

The 90% affiliate revenue share attracts experienced ransomware operators who previously worked with competing groups like Qilin, LockBit, or RansomHub. These are not entry-level attackers — they bring pre-built tooling, existing network access inventories, and refined techniques for bypassing enterprise defenses. Higher affiliate compensation directly translates to higher operator quality and faster, more complete attacks.

Can organizations recover by restoring backups if The Gentlemen ransomware hits?

Not reliably. The Gentlemen’s pre-encryption routine specifically eliminates Volume Shadow Copies, VMware snapshots, NAS backup targets, and any backup software processes running on the network. More importantly, their double-extortion model means affiliates exfiltrate sensitive data before encrypting it — so even a full successful recovery from encryption leaves organizations facing a data publication threat that backups cannot resolve.

What is the single most effective defensive action against The Gentlemen’s initial access vector?

Patching CVE-2024-55591 in FortiOS/FortiProxy and segmenting FortiGate management interfaces away from internet exposure. The Gentlemen operators maintain an inventory of approximately 14,700 pre-compromised FortiGate devices — an organization with an unpatched, internet-facing FortiGate may already be in that inventory. Beyond patching, monitoring for unauthorized Group Policy changes in Active Directory provides early warning before domain-wide payload detonation.
