
Tables Turned: Gentlemen Ransomware Group Suffers Data Leak

Source: Data Breach Today. Archived May 12, 2026.

Internal Communications Dumped Online, Revealing Fresh Victims, Repeat Tactics

Ransomware group The Gentlemen, a relative newcomer to the cybercrime scene, suffered a leak of its internal communications, revealing previously non-public victims; a variety of tactics, techniques and tools; and a relentless focus on popping backup and storage infrastructure.

Fraud Management & Cybercrime, Ransomware

Mathew J. Schwartz (euroinfosec) • May 11, 2026
Image: Carlo Semlinsky/Shutterstock

A ransomware organization is suffering an extreme case of "turnabout is fair play" through a data breach that has splayed its internal correspondence across the internet.

"The Gentlemen" surfaced as a ransomware-as-a-service organization in mid-2025 with - as SOCRadar has noted - little intention of playing nice.

Hints that The Gentlemen had suffered a data breach first surfaced on May 4, in a post to the cybercrime forum Breached with the subject line "The Gentlemen - hacked data for sale." The post requested $10,000, payable in bitcoin, "for the full data," with samples available on request. Whether or not someone paid isn't clear, but on Friday the same user posted a link to the file-sharing site MediaFire for downloading the stolen data for free.

"What makes the material especially interesting is that it appears to show the operational side of a modern ransomware ecosystem in real time, including infrastructure management, target selection, backend development and OPSEC practices," said Milivoj Rajić, head of threat intelligence at cybersecurity firm DynaRisk, who has been poring over the leaked data.

The compromised communications included 8,200 lines of text from an internal chat tool, plus images of infected systems, with message timestamps largely corresponding to people who work Moscow hours, he said.

The chats reveal the preoccupations of a modern-day ransomware-as-a-service group: gaining access to a victim's VPN connections using OpenConnect, questions about how to use command-and-control software to push payloads, the best YouTube videos for upskilling one's technical chops, how to use an "EDR Killer" tool, and the challenge of "fake CVE scripts," he said.

The document dump includes the bitcoin wallet address the group currently uses for handling incoming payments from victims.

The leaked messages suggest that The Gentlemen hacked into Sony and Barclays, stealing perhaps a terabyte of data from each, as well as details of non-disclosure agreements, which the group has been threatening to release if it doesn't get paid. They also reveal that many of the group's intrusions appear to have begun with compromised credentials for edge networking gear built by Fortinet, and to regularly involve use of the open-source ZeroPulse GitHub repository for remotely administering compromised systems.

Aside from the precise tactics and questions revealed, Rajić said the messages highlight a focus on large-scale ransomware infections, including "encrypting corporate infrastructure," as well as "preparing the environment before launching encryption across the network." To effect this, the group typically performs extensive reconnaissance. "Rather than immediately deploying ransomware, the group carefully mapped the environment, searched for virtualization infrastructure, backup systems, NAS devices and critical servers to maximize impact," he said.

The Gentlemen also regularly discussed ways to disable endpoint security tools and evade endpoint detection and response tools, modify Group Policy Objects and gain "domain admin" privileges in Active Directory, giving them unrestricted access to an IT environment, Rajić said. Along the way, the attackers used living-off-the-land tactics, meaning the use of legitimate enterprise IT admin tools, which makes spotting malicious activity more difficult, and sought to disrupt backup and storage systems. "The actors specifically focused on NAS systems, Exchange servers, storage arrays and backup infrastructure - a common ransomware tactic designed to prevent recovery after encryption," he said.

Relative Newcomer

The Gentlemen had already amassed more than a dozen victims in Thailand and the United States by the time researchers cataloged it as an ongoing cybercrime enterprise. By the end of last year, the group's list of victims included manufacturing, healthcare and insurance organizations, plus a Christmastime disruption of Romanian state-owned power producer Complexul Energetic Oltenia. As of April, the group had listed over 340 non-paying victims on its data leak site, reported cybersecurity firm S-RM. How many victims did pay a ransom to the group, or what it has earned, isn't clear.

The Gentlemen has regularly recruited affiliates through dark web sites, trumpeting the power of its Go-based malware to deliver "silent encryption" across Windows, Linux, NAS, BSD and ESXi systems, said cybersecurity firm ZeroFox. The group relies on initial access brokers, promising to share revenues, as well as on marketplaces of stolen credentials - also known as "clouds of logs," harvested by information-stealing malware - to source ways of accessing victims, researchers said.

The ransomware operation has been able to quickly update its crypto-locking malware, including in April, after researchers at Canadian cybersecurity firm Bedrock Safeguard released a free decryptor for the group's malware. In response, "the group issued a same-day patch, highlighting a highly responsive development cycle," ZeroFox researchers said.

The group also updated in April how it splits profits with affiliates. It continued to promise affiliates a base rate of 90% of every ransom paid, with the rest going to operators, but said that affiliates would receive 97% of every ransom paid for data-only extortion attacks, meaning attacks in which no systems get crypto-locked. This shift likely reflects an attempt "to adapt to market conditions and attract affiliates who prefer lower operational risk," ZeroFox said.