
Leaked Internal Chat Exposes Gentlemen Ransomware’s Tactics, Victim Count, and Affiliate Pay Shift

Internal chat leak shows Gentlemen ransomware’s methods, over 340 non‑paying victims, and a shift to 97% affiliate payouts. Defenders get actionable steps.

By Peter Olaleru, Cybersecurity Editor

Tables Turned: Gentlemen Ransomware Group Suffers Data Leak


Source: BankInfoSecurity

A leak of 8,200 internal chat lines shows how Gentlemen ransomware operates, lists more than 340 victims who refused to pay, and shows that affiliate payouts were raised to 97% of ransom proceeds.

Context

The Gentlemen ransomware‑as‑a‑service group appeared in mid‑2025 and quickly added victims across manufacturing, healthcare, insurance, and energy sectors. Researchers noted the group’s reliance on initial‑access brokers, stolen credential markets, and a Go‑based encryptor that targets Windows, Linux, NAS, BSD, and ESXi systems. The leaked data, posted for free on a file‑sharing site after an attempted sale, includes chat timestamps matching Moscow work hours and images of compromised hosts.

Key Facts

The archive contains 8,200 lines of internal chat, revealing the group’s focus on VPN access via Fortinet edge devices and the use of the open‑source ZeroPulse repository for remote administration. Members discussed disabling endpoint defenses with an "EDR Killer" tool, modifying Group Policy Objects to gain domain admin privileges, and targeting NAS, Exchange, and backup systems to impede recovery. By April, the gang had publicly named over 340 victims who did not pay ransom on its leak site. For data‑only extortion, affiliate payouts were increased from a base 90% to 97% of each ransom payment.

What It Means

The chat confirms that Gentlemen follows a classic ransomware playbook: credential‑based VPN intrusion, reconnaissance, privilege escalation, and deliberate disruption of backup infrastructure. Defenders should prioritize the following actions:

- Patch Fortinet SSL‑VPN appliances against known flaws such as CVE-2022-42475 and CVE-2023-27997.
- Enforce MFA and monitor for anomalous OpenConnect or ZeroPulse connections.
- Deploy detection for MITRE ATT&CK techniques T1078 (Valid Accounts), T1133 (External Remote Services), T1562.001 (Disable or Modify Tools), and T1484 (Domain Policy Modification).
- Restrict and audit privileged AD accounts, and enforce least‑privilege Group Policy.
- Maintain offline, immutable backups and test restoration regularly.
- Watch for signs of "EDR Killer" or living‑off‑the‑land abuse via PowerShell and Windows Command Shell (T1059.001, T1059.003).
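As an added illustration of the T1484 (Domain Policy Modification) item above, and not code from the article or from any vendor, the script below scans exported Windows Security event 5136 (directory service object modified) records and flags Group Policy container edits made by accounts outside a vetted admin set or outside an agreed change window. The event records, their field names, the admin set and the window are constructed assumptions; only the Default Domain Policy and Default Domain Controllers Policy GUIDs are real well-known values.

```python
from datetime import datetime

# Constructed sample of exported Windows Security events (not real telemetry).
# Field names mirror the 5136 event XML; how your SIEM exports them is an assumption.
DDP = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
DDCP = "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2025-04-01T10:05:11Z", "SubjectUserName": "gpo-admin1",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": DDP,
     "AttributeLDAPDisplayName": "versionNumber"},                      # routine daytime edit
    {"EventID": 5136, "TimeCreated": "2025-04-02T03:12:40Z", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": DDP,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},           # service account, 03:12
    {"EventID": 5136, "TimeCreated": "2025-04-02T14:00:00Z", "SubjectUserName": "gpo-admin2",
     "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},                        # not a GPO object
    {"EventID": 4624, "TimeCreated": "2025-04-02T14:01:00Z", "SubjectUserName": "jdoe"},
    {"EventID": 5136, "TimeCreated": "2025-04-03T02:30:00Z", "SubjectUserName": "gpo-admin1",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": DDCP,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},           # vetted admin, 02:30
]

# Accounts allowed to edit GPOs and the UTC hours when changes are expected.
# Both are assumptions for the example; tune them to your change process.
GPO_ADMINS = {"gpo-admin1", "gpo-admin2"}
CHANGE_WINDOW_UTC = range(7, 20)  # 07:00 to 19:59


def gpo_change_reasons(ev, allowed=GPO_ADMINS, window=CHANGE_WINDOW_UTC):
    """Return why a 5136 event looks like GPO tampering; empty list means benign or irrelevant."""
    if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
        return []  # only directory changes to GPO containers are in scope
    reasons = []
    if ev["SubjectUserName"] not in allowed:
        reasons.append("unvetted account edited a GPO")
    hour = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00")).hour
    if hour not in window:
        reasons.append("GPO edited outside the change window")
    return reasons


def find_gpo_tampering(events):
    """Scan exported events and return one alert dict per suspicious GPO change."""
    alerts = []
    for ev in events:
        reasons = gpo_change_reasons(ev)
        if reasons:
            alerts.append({"time": ev["TimeCreated"], "account": ev["SubjectUserName"],
                           "gpo": ev["ObjectDN"].split(",")[0],
                           "attribute": ev["AttributeLDAPDisplayName"], "reasons": reasons})
    return alerts
```

Run against the constructed sample it returns two alerts: the service-account edit at 03:12 (two reasons) and the vetted admin's edit at 02:30 (off-hours only); the gPCMachineExtensionNames attribute is worth keeping in the alert because it changes which client-side extensions a GPO applies.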

Looking ahead, monitor for updates to the group’s encryptor and any shift toward double‑extortion tactics as affiliate earnings rise.
