Industry News & Leadership · Published Mar 19, 2026

Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation

Source: Infosecurity Magazine · Archived Mar 19, 2026

Hastalamuerte leaks The Gentlemen RaaS ops: FortiGate exploits, BYOVD evasion, Qilin split tactics



A ransomware affiliate known as 'hastalamuerte' has revealed operational details about a group called The Gentlemen, shedding light on its tactics, techniques and internal disputes. New research by Group-IB, published on March 19, provided rare insight into how the ransomware-as-a-service (RaaS) group operates, including its infrastructure, attack methods and affiliate relationships. The leak also highlighted growing tensions within cyber-criminal networks.

The Gentlemen Ransomware Group: an Overview

The research identified "The Gentlemen" as a relatively new but rapidly evolving ransomware group that emerged from a dispute with Qilin within an existing RaaS ecosystem. Experienced affiliates quickly established the new brand using existing tooling and infrastructure. The group employs a double-extortion model, encrypting victim data and threatening to release it publicly to increase pressure on organizations to pay.

Group-IB found that the group targets multiple platforms, including Windows, Linux and ESXi environments. Systematic exploitation of exposed FortiGate VPN devices, through vulnerabilities or brute forcing, remains its primary initial access method. Once inside, affiliates deploy automated lateral movement, credential harvesting, backup disruption and domain-wide encryption designed to maximize impact and reduce time to ransom.

Among the techniques observed by Group-IB were:

- Use of PowerShell and Windows Management Instrumentation (WMI) for lateral movement
- Deployment of anti-forensic tools to erase traces after attacks
- Targeting of backup and security systems to hinder recovery
- Cross-platform encryption to maximize impact

The group also uses advanced defense evasion methods, including Bring Your Own Vulnerable Driver (BYOVD) and aggressive log deletion, to disable endpoint detection and antivirus tools and to complicate forensic investigation.

Affiliate Tensions and Broader Threat Landscape

The report also highlighted friction within the RaaS model. Affiliates carrying out attacks using rented infrastructure sometimes expose operators when disputes arise. In this case, 'hastalamuerte' publicly shared insights into the group's operations, offering rare visibility into ransomware partnerships.

RaaS operations have expanded significantly in recent years, with more groups adopting structured affiliate programs that resemble legitimate business models. These ecosystems allow developers to scale attacks while outsourcing much of the operational risk.

Group-IB noted that the evolution of groups like The Gentlemen reflects a broader trend towards more specialized and professionalized cybercrime. The combination of advanced evasion techniques and flexible attack infrastructure continues to challenge traditional security measures. At the same time, internal instability may create opportunities for disruption, with intelligence leaks such as this one offering a clearer view of how modern ransomware campaigns are organized and executed.
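The post-access behaviours the report lists (log deletion, unexpected driver loads, backup disruption, PowerShell launched over WMI) all land in telemetry most Windows estates already collect. The triage script below is an added example written for this page, not code from Group-IB, Infosecurity Magazine or any vendor. It runs four detections over constructed Windows and Sysmon event records (not real telemetry) and rolls the findings up per host. The event IDs are real ones (Security 1102: audit log cleared; System 104: log file cleared; Sysmon 6: driver loaded; Sysmon 1: process created); the hostnames, account, paths, signer name and hash are constructed placeholders.

```python
"""Per-host triage for anti-forensic and backup-disruption behaviour.
Added example for this page, not Group-IB's or the article's code. Event IDs
are real Windows/Sysmon IDs; hosts, paths, signers and hashes are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


# Constructed sample events, flattened to dicts the way a SIEM export might be.
SAMPLE_EVENTS = [
    # Security 1102: the Security audit log was cleared.
    {"channel": "Security", "event_id": 1102, "host": "fs01", "user": "CORP\\svc_backup"},
    # System 104: an event log file was cleared.
    {"channel": "System", "event_id": 104, "host": "fs01", "user": "CORP\\svc_backup"},
    # Sysmon 6: driver loaded from a temp directory, non-Microsoft signer.
    {"channel": "Sysmon", "event_id": 6, "host": "fs01", "image": "C:\\Windows\\Temp\\drv.sys",
     "signature": "Example Vendor Co.", "hashes": "SHA256=<placeholder>"},
    # Sysmon 6: ordinary Microsoft driver from the drivers directory (should not fire).
    {"channel": "Sysmon", "event_id": 6, "host": "fs01",
     "image": "C:\\Windows\\System32\\drivers\\ndis.sys", "signature": "Microsoft Windows"},
    # Sysmon 1: shadow copies deleted from a PowerShell parent.
    {"channel": "Sysmon", "event_id": 1, "host": "fs01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Sysmon 1: PowerShell started by the WMI provider host (remote WMI execution pattern).
    {"channel": "Sysmon", "event_id": 1, "host": "ws07",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Service",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Sysmon 1: benign process for contrast (should not fire).
    {"channel": "Sysmon", "event_id": 1, "host": "ws07", "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"},
]

SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+\w+)", re.IGNORECASE)
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Apply the four detections to one event; return a Finding or None."""
    ch, eid, host = ev.get("channel"), ev.get("event_id"), ev.get("host", "?")
    if (ch, eid) in (("Security", 1102), ("System", 104)):
        return Finding(host, "log_cleared", "high", f"{ch}/{eid} by {ev.get('user')}")
    if ch == "Sysmon" and eid == 6:
        img, signer = ev.get("image", ""), ev.get("signature", "")
        # Review item, not a verdict: compare the hash against the vulnerable-driver
        # blocklist you maintain before treating a load as BYOVD.
        if signer not in TRUSTED_DRIVER_SIGNERS or not img.lower().startswith(DRIVER_DIR):
            return Finding(host, "suspicious_driver_load", "medium",
                           f"{img} signed by '{signer}' ({ev.get('hashes')})")
        return None
    if ch == "Sysmon" and eid == 1:
        cmd, parent = ev.get("command_line", ""), basename(ev.get("parent_image", ""))
        if SHADOW_DELETE_RE.search(cmd):
            return Finding(host, "shadow_copy_deletion", "high", cmd)
        if parent == "wmiprvse.exe" and basename(ev.get("image", "")) in SHELL_IMAGES:
            return Finding(host, "wmi_spawned_shell", "medium", f"WmiPrvSE.exe -> {cmd}")
    return None


def triage(events) -> list:
    return [f for f in (check_event(e) for e in events) if f is not None]


def summarize_by_host(findings) -> dict:
    """Roll findings up per host; escalate on any high or two independent categories."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    summary = {}
    for host, fs in by_host.items():
        rules = sorted({f.rule for f in fs})
        top = max(fs, key=lambda f: SEVERITY_RANK[f.severity]).severity
        summary[host] = {"count": len(fs), "rules": rules, "max_severity": top,
                         "escalate": top == "high" or len(rules) >= 2}
    return summary


if __name__ == "__main__":
    for host, s in summarize_by_host(triage(SAMPLE_EVENTS)).items():
        print(host, s)
```

Two design points matter more than the individual signatures. First, the driver-load rule is deliberately a review item rather than an alert: legitimate third-party drivers load from outside the drivers directory all the time, so the hash needs checking against a maintained vulnerable-driver blocklist before anyone calls it BYOVD. Second, the roll-up is per host, because a cleared event log on its own is noise from a tidy administrator, while a cleared log plus shadow-copy deletion on the same file server in a short window is the pre-encryption sequence the report describes and should page someone.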