The Gentlemen ransomware group is reported to have used LLMs to accelerate data analysis, social engineering, and tool development, helping it claim around 500 victims in less than a year. The article also describes its RaaS model, exploitation of infostealer-obtained credentials and unpatched Cisco and Fortinet devices, and its rapid response after a May 2026 data leak by moving communications to decentralized platforms. #TheGentlemen #Qwen #BlackBasta #Cisco #Fortinet
Keypoints
- The Gentlemen is described as a ransomware threat actor that claimed about 500 victims globally in under a year.
- The group uses LLMs to process stolen data quickly, extracting credentials, session cookies, and sensitive information in minutes.
- AI-assisted “vibe-coding” enabled the threat actor to build a negotiation platform in just three days.
- The group uses AI to tailor ransom emails and phone-based social engineering based on victim data.
- It reportedly learned from leaked materials belonging to other criminal groups, including Black Basta, to improve tactics and workflows.
- The operation follows a Ransomware-as-a-Service model, offering affiliates 90% of the ransom and relying on stolen credentials or exploitation of unpatched Cisco and Fortinet systems.
- The ransomware is distributed in multiple variants and includes a Go-based version with a –spread parameter that turns it into a self-replicating worm for lateral movement.
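The one concrete artefact the summary gives defenders is the spread switch on the Go build. The following detection helper is an added example, not code from the article or from any vendor: it walks process-creation records and flags any binary launched with a standalone "spread" switch, treating the en dash shown on this page as the text-extraction form of "-spread" or "--spread" (an assumption). The event fields and all sample lines are constructed for illustration and are not real telemetry.

```python
"""Flag process-creation events whose command line carries a worm-style
"spread" switch, as reported for the Go variant of The Gentlemen ransomware.
Added example: event layout (host/image/cmdline) and sample lines are
constructed; they loosely mimic Sysmon-style process-creation records."""
import re
import shlex

# Accept "-spread", "--spread" and the dash variants a text extractor may emit.
# The switch must be a whole token: "--spread-metrics" or a file named
# "spread_sheet.txt" must not trigger (assumption about the real flag syntax).
SPREAD_FLAG = re.compile(r"^(?:-|--|\u2013|\u2014)spread$", re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\j.doe\Downloads\update.exe",
     "cmdline": r'"C:\Users\j.doe\Downloads\update.exe" --spread'},
    {"host": "srv02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\docs\spread_sheet.txt"},
    {"host": "esxi01", "image": "/tmp/locker",
     "cmdline": "/tmp/locker -spread -threads 8"},
    {"host": "srv03", "image": r"C:\Program Files\App\svc.exe",
     "cmdline": r'"C:\Program Files\App\svc.exe" --spread-metrics'},
]


def has_spread_flag(cmdline: str) -> bool:
    """True if any whole argument of the command line is a spread switch."""
    try:
        # posix=False keeps Windows backslashes intact and leaves quotes on
        # quoted tokens, which is fine since we only inspect the switch itself.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        # Unbalanced quotes in the raw telemetry: fall back to a plain split.
        tokens = cmdline.split()
    return any(SPREAD_FLAG.match(tok.strip('"')) for tok in tokens)


def find_spread_invocations(events):
    """Return (host, image) pairs whose process was started with a spread switch."""
    return [(ev["host"], ev["image"]) for ev in events if has_spread_flag(ev["cmdline"])]


if __name__ == "__main__":
    for host, image in find_spread_invocations(SAMPLE_EVENTS):
        print(f"ALERT {host}: {image} launched with a spread switch")
```

Run over the constructed events this reports ws01 and esxi01 only. A command-line switch is a cheap signal that an affiliate can rename, so treat a hit as a trigger to pivot to the surrounding activity the summary describes (authentication with infostealer-sourced credentials, remote-service logons fanning out from the flagged host) rather than as the sole detection.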
MITRE Techniques
- [T1078] Valid Accounts – The group gains access by using legitimate stolen credentials obtained through infostealer malware [‘purchase of legitimate credentials stolen through infostealer malware’]
- [T1595] Active Scanning – They search exposed systems for known unpatched weaknesses on Cisco and Fortinet devices [‘scan the network looking for known and unpatched vulnerabilities on Cisco and Fortinet devices’]
- [T1059] Command and Scripting Interpreter – The malware includes a Go-based component and command-line parameter handling for spreading functionality [‘The Go version includes the parameter –spread’]
- [T1021] Remote Services – The worm-like payload automates lateral movement across the enterprise network [‘automate encryption of the entire corporate network exploiting lateral movement’]
- [T1105] Ingress Tool Transfer – The attackers deploy ransomware variants and supporting tools across multiple environments [‘ransomware distributed in five variants (Windows, Linux, ESXi)’]
- [T1566] Phishing – AI is used to craft personalized extortion emails and contact attempts targeting victims [‘structure and personalize ransom emails and phone contact attempts’]
Indicators of Compromise
- [Threat actor / group names] referenced entities – The Gentlemen, Black Basta
- [Software / model names] AI tooling used in the operation – Qwen, LLM
- [Targeted vendor names] exposed device ecosystems – Cisco, Fortinet
- [File / payload characteristics] ransomware variants and behavior – Windows, Linux, ESXi, and a Go-based version with –spread
- [Infrastructure / communication context] post-leak communications – decentralized platforms, C2 servers
- [Data types targeted] stolen or extracted items used for access and extortion – credentials, session cookies, authentication tokens, and other sensitive data