Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak

Tables Turn on 'The Gentlemen' RaaS Gang With Data Leak

Newsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsEndpoint SecurityChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsChina's Webworm Uses Discord, Microsoft Graphs to Hack EU GovernmentsbyAlexander CulafiMay 22, 20264 Min ReadApplication SecurityGitHub Confirms Breach, 4K Internal Repos StolenGitHub Confirms Breach, 4K Internal Repos StolenbyAlexander CulafiMay 20, 20263 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryThreat IntelligenceCyber RiskVulnerabilities & ThreatsCybersecurity OperationsNewsTables Turn on 'The Gentlemen' RaaS Gang With Data LeakAn OPSEC failure provides a window into what helped the ransomware group rise: a generous affiliate model, opportunistic TTPs, and an effective organizational structure.Nate Nelson,Contributing WriterMay 13, 20264 Min ReadSource: Guy Corbishley via Alamy Stock PhotoOne of the world's most prolific ransomware operations has itself been breached, offering unique insight into its inner workings.In only the first five months of 2026, the Russian cybercriminal gang that calls itself "The Gentlemen" has published sensitive data belonging to around 332 different organizations. It has compromised many more organizations than that, surely, as its leak site does not include victims that pay their ransoms. According to Check Point Research, these numbers have made The Gentlemen the second most productive ransomware group on the planet this year, just short of Qilin.On or just before May 4, The Gentlemen got a taste of its own medicine when an anonymous group compromised its internal back-end database. Those hackers are now selling just over 16GB of The Gentlemen's internal communications, tooling, and other data for $10,000 in Bitcoin."It is a reputational hit, but we do not expect it to significantly disrupt their operations or reduce their effectiveness," says Eli Smadja, Check Point's group manager for product R&D. Still, even the 44MB of stolen data the anonymous hackers leaked to prove the veracity of the rest of it has proven interesting. Check Point Research analyzed the sample, gaining new insight into The Gentlemen's operational structure, its tactics, techniques, and procedures (TTPs), and some of its quirks.Related:Chinese APTs Share Linux Backdoor in Central Asia Telco AttacksHow The Gentlemen OperateThe head Gentleman goes by "zeta88" online. Zeta88 builds and maintains the group's locker malware, curates the tooling around it, runs all of the infrastructure, and more. They also select targets, assigns two or three fellow Gentlemen to attack those targets, and manage negotiations and payouts.Zeta88's operations guys are "qbit" and "quant." Qbit specializes in scanning for vulnerable edge devices, performing reconnaissance, and establishing persistence in targeted environments, and quant specializes in gaining access via logs and credentials. A tertiary group of seven grunts includes red teamers, an access broker, and even an advertising specialist. Though not evidenced in the leaked sample, presumably, some number of affiliates orbits around this circle of 10.Forcing a bunch of cybercriminals into a corporate pyramid might not sound like a bright idea, but the power structure is balanced by a generous payment model for lower-level collaborators. Every time The Gentlemen extorts a payment out of a victim, zeta88 enjoys 10% of it, but the other hackers involved get to split the other 90%.Related:Verizon DBIR: Enterprises Face a Dangerous Vulnerability GlutSmadja also attributes the group's success to its tight organizational structure. "The clear division of responsibilities within the group also plays a major role. Much like any well-run organization, having defined roles and workflows translates directly into higher productivity and, in their case, a higher volume of successful breaches," he says.Besides its tight ship, he adds, "One of the group's key strengths is the hands-on involvement of the main administrator, who came up as an affiliate and understands the operation from the ground up. Having the main RaaS administrator come from an affiliate background gave them a significant head start, helping them reach the top tier in a remarkably short period of time."What Else You Should Know About The GentlemenThe Gentlemen takes advantage of critical, known vulnerabilities and exploitation techniques to get into targeted systems and pair them with almost 30 different tools to support its locker. It uses a variety of scanners and VPNs, tools for gaining remote access to systems, and several techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic. Check Point describes the toolset as "fairly mature," if not particularly unique.Related:Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOSMembers have toyed with more cutting-edge ideas, like developing an in-house large language model (LLM)-based program for some vague malicious purposes. They've already used LLMs to assist with code development, but while their dreams are bigger, the practical limitations of current artificial intelligence (AI) technology have gotten in the way. After reporting that they vibe-coded an admin panel in three days, zeta88 warned that "you have to understand everything and think like crazy even with [neural networks], because they're all dumb (even if smart)."The Gents also keeps up with its colleagues in the ransomware business, gossiping about them (Dragon Force: cool; Chaos: meh) but also learning from them. In one leaked chat foreshadowing its own future, the gang discussed ways to benefit from last year's Black Basta leak. Their greatest interest was in their colleagues' approach to code signing.Smadja thinks it unlikely that The Gentlemen's own breach would much edify other hackers. "What they have built is the product of experience, and nothing disclosed in the leak reveals a secret formula or unique technical advantage," he says. "It is possible the leak could inspire other affiliates to spin up their own RaaS operations, but given that some established groups already offer a 90/10 payout split, building your own operation is not an obviously attractive proposition for most."About the AuthorNate NelsonContributing WriterNate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.See more from Nate NelsonWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Organizations Are Managing Incident ResponseHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security ManagementAccess More ResearchWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackDefending in the Shadow Era: When the CVE Feed Goes DarkBuilding SecOps That Make the Most of Every DollarAI-Powered Cybersecurity for Resource-Constrained OrganizationsAI-Powered Credential Security: Intelligence Without ExposureMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsBuild vs. Buy: The Hidden Cost of Building Your Own AI Security StackThurs, June 25, 2026, at 1pm ESTDefending in the Shadow Era: When the CVE Feed Goes DarkTues, June 16, 2026 at 1pm ESTBuilding SecOps That Make the Most of Every DollarThurs, July 9, 2026 at 1pm ESTAI-Powered Cybersecurity for Resource-Constrained OrganizationsThurs, June 18, 2026, at 1pm ESTAI-Powered Credential Security: Intelligence Without ExposureWed, June 17, 2026, at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Br