That expansion matters because The Gentlemen does not appear to be relying on a single encryptor or a narrow target list. Researchers describe a modular ransomware-as-a-service setup offering lockers for Windows, Linux, NAS, BSD and ESXi environments, giving affiliates the flexibility to move across the mixed systems commonly found inside large organisations. The structure mirrors a wider criminal model in which core developers supply code, infrastructure and support, while affiliates handle access, lateral movement and extortion.
“Gentlemen accelerates affiliate-led cyber pressure” is how the campaign now reads for defenders watching the group’s trajectory. What makes the threat more serious is not simply the number of claimed victims, but the signs of industrialisation behind the operation. Group-IB has described The Gentlemen as a roughly 20-member ransomware service that evolved from an earlier affiliate operation and has built a sizeable stockpile of compromised FortiGate devices and validated VPN credentials to help attackers get inside enterprise networks faster.
The chronology suggests a group that moved from obscurity to visibility within months. Group-IB said the first known Windows sample carrying The Gentlemen branding appeared in July 2025, while its leak site appears to have been active from about the same period before gaining broader attention in September. Around the same time, a dispute over unpaid affiliate commissions with Qilin operators surfaced on an underground forum, giving investigators an unusual glimpse into the financial tensions that can sit behind ransomware partnerships.
Access has become one of the group’s clearest strengths. Researchers say The Gentlemen has leaned heavily on CVE-2024-55591, a critical authentication bypass flaw affecting vulnerable FortiOS and FortiProxy systems, which can allow a remote attacker to gain super-admin privileges through crafted requests to the Node.js websocket module. Fortinet marked the vulnerability as known to be exploited, and official advisories and public vulnerability records show affected version ranges and patch paths published in January 2025.
Group-IB said the operation maintains a database of roughly 14,700 already exploited FortiGate devices globally, alongside hundreds of validated VPN credentials. Even allowing for the reality that criminal inventories can contain stale or duplicate entries, that kind of access pool lowers the barrier to entry for affiliates and helps explain how newer ransomware brands can scale quickly without building every component from scratch.
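The practical defensive question raised by the two paragraphs above is whether any edge device in your own inventory still runs a firmware build inside a published affected range. The script below is an added example written for this article, not code from Group-IB, Fortinet or the reporting; the inventory is constructed sample data and the `PLACEHOLDER_RANGES` values are illustrative boundaries to be replaced with the ranges in the vendor advisory for the CVE you are tracking. It also shows why version strings must be compared numerically rather than as text, a mistake that silently hides vulnerable builds.

```python
"""Flag edge devices whose firmware sits inside a published affected-version range.

Added example for the article; not from Group-IB, Fortinet or any vendor tool.
PLACEHOLDER_RANGES are illustrative and must be replaced with the boundaries from
the vendor advisory. SAMPLE_INVENTORY is constructed data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    product: str
    first: str      # first affected version, inclusive
    last: str       # last affected version, inclusive
    fixed_in: str   # first build that carries the fix


# PLACEHOLDER values: substitute the ranges published in the advisory for your CVE.
PLACEHOLDER_RANGES = [
    AffectedRange("FortiOS", "7.0.0", "7.0.16", "7.0.17"),
    AffectedRange("FortiProxy", "7.0.0", "7.0.19", "7.0.20"),
    AffectedRange("FortiProxy", "7.2.0", "7.2.12", "7.2.13"),
]

# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "product": "FortiOS", "version": "7.0.16"},
    {"host": "fw-edge-02", "product": "FortiOS", "version": "v7.0.9"},
    {"host": "proxy-dmz-01", "product": "FortiProxy", "version": "7.2.13"},
    {"host": "fw-branch-07", "product": "FortiOS", "version": "7.4.3"},
]

_VERSION_RE = re.compile(r"v?\d+(\.\d+)*")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.0.16' (or 'v7.0.16') into (7, 0, 16) so comparison is numeric.

    Comparing the raw strings is wrong: '7.0.9' > '7.0.16' as text, because
    '9' sorts after '1', yet 7.0.9 is the older build.
    """
    v = version.strip()
    if not _VERSION_RE.fullmatch(v):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in v.lstrip("v").split("."))


def is_affected(product: str, version: str,
                ranges: list[AffectedRange]) -> AffectedRange | None:
    """Return the matching affected range for this product/version, or None."""
    pv = parse_version(version)
    for r in ranges:
        if r.product != product:
            continue
        if parse_version(r.first) <= pv <= parse_version(r.last):
            return r
    return None


def flag_devices(inventory: list[dict],
                 ranges: list[AffectedRange] = PLACEHOLDER_RANGES) -> list[dict]:
    """List every device whose firmware falls inside an affected range."""
    findings = []
    for dev in inventory:
        hit = is_affected(dev["product"], dev["version"], ranges)
        if hit is not None:
            findings.append({
                "host": dev["host"],
                "product": dev["product"],
                "version": dev["version"],
                "fixed_in": hit.fixed_in,
            })
    return findings


if __name__ == "__main__":
    for f in flag_devices(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['version']} affected, upgrade to {f['fixed_in']}")
```

Feed it the output of whatever asset inventory or configuration-management export you already keep for firewalls and VPN concentrators; the point of the exercise is that the check runs against every edge device, not only the ones someone remembers to look at.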
A separate Check Point investigation adds another layer. During incident response work tied to a Gentlemen affiliate, researchers observed the deployment of SystemBC, a long-used proxy malware associated with covert tunnelling, payload delivery and internal pivoting in human-operated intrusions. Telemetry from a related command-and-control server showed more than 1,570 infected systems, with the profile pointing more strongly towards companies and organisations than home users. Most were in the United States, followed by the United Kingdom and Germany. Check Point stopped short of saying SystemBC is fully integrated into The Gentlemen ecosystem, noting that the link could instead reflect tooling chosen by one affiliate.
That caution is important. Public victim claims on leak sites, underground forum boasts and intrusion artefacts do not always tell the same story. Some claimed victims may never have been encrypted. Some attacks may involve affiliates who work across multiple ransomware brands. What is established, though, is that The Gentlemen is behaving like an ambitious service operation seeking to attract partners with breadth: multi-platform lockers, access to tools for disabling security software, and infrastructure designed to ease movement inside a victim’s network. Group-IB said the group has used bring-your-own-vulnerable-driver techniques to kill endpoint protection and has been studying or borrowing from other ransomware families to improve its own code.
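The bring-your-own-vulnerable-driver tactic mentioned above leaves a fairly specific trace: a kernel driver load where the driver is unsigned, is loaded from somewhere other than the system driver directories, or matches a hash on a maintained vulnerable-driver list. The following script is an added example for this article, not code from Group-IB, Check Point or any endpoint product. It runs that detection logic over a few constructed Sysmon-style DriverLoad (Event ID 6) records rendered as key=value text; the blocklist hash is a constructed placeholder, and in practice you would load hashes from a curated list such as the LOLDrivers project or Microsoft's vulnerable driver blocklist.

```python
"""Flag kernel driver loads that fit a bring-your-own-vulnerable-driver pattern.

Added example for the article; not from any vendor, researcher or EDR product.
SAMPLE_EVENTS are constructed Sysmon-style Event ID 6 records, and the hash in
KNOWN_VULNERABLE_SHA256 is a placeholder, not a real driver hash.
"""
import re
from pathlib import PureWindowsPath

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed placeholder entry. Replace with hashes from a maintained list.
KNOWN_VULNERABLE_SHA256 = {"b" * 64}

# Locations from which legitimately installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore"),
)

# Constructed telemetry, not real events.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256='
    + "a" * 64 + ' Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\update.sys Hashes=SHA256='
    + "b" * 64 + ' Signed=true Signature="Example Hardware Vendor" SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\svc.sys Hashes=SHA256='
    + "c" * 64 + ' Signed=false Signature=- SignatureStatus=Unavailable',
    'EventID=7 ImageLoaded=C:\\Windows\\System32\\kernel32.dll Hashes=SHA256='
    + "d" * 64 + ' Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
]


def parse_event(line: str) -> dict:
    """Parse one key=value record; split the Hashes field into {algo: digest}."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            hashes[algo.upper()] = digest.lower()
    fields["hashes"] = hashes
    return fields


def in_trusted_dir(image: str) -> bool:
    """True if the driver path sits under one of the trusted driver directories."""
    p = PureWindowsPath(image)
    return any(d in p.parents for d in TRUSTED_DRIVER_DIRS)


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event looks like BYOVD; empty if clean."""
    reasons = []
    if event.get("EventID") != "6":      # only driver-load events are relevant
        return reasons
    image = event.get("ImageLoaded", "")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    if event["hashes"].get("SHA256") in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if image and not in_trusted_dir(image):
        reasons.append("loaded from outside the system driver directories")
    return reasons


def scan(lines: list[str]) -> list[dict]:
    """Run the assessment over raw event lines and collect the suspicious ones."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess_driver_load(ev)
        if reasons:
            findings.append({"image": ev.get("ImageLoaded"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['image']}: {'; '.join(f['reasons'])}")
```

A validly signed driver on the blocklist (the second sample) is the case that matters most here, since the whole point of the technique is that the driver is legitimate and signed but exploitable; signature checks alone will not catch it, which is why the hash list and the load path are checked independently.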
For enterprises, the lesson is that the threat no longer sits only with long-established names. The ransomware market has become more fragmented, and that fragmentation can work in favour of emerging groups when affiliates migrate, rebrand or shop for better commercial terms. Industrial and corporate targets remain attractive because downtime is costly, security stacks are unevenly maintained, and edge devices such as firewalls and VPN appliances can still offer a direct route inside when patching slips.