Summary Points
- The Gentlemen, a ransomware-as-a-service group that emerged in mid-2025, claimed around 332 victims in just five months, primarily by targeting Fortinet and Cisco edge devices through known vulnerabilities and brute-force logins.
- The group operates via an affiliate model, with a 90/10 ransom split, attracting coordinated attackers who target perimeter devices, exploit known flaws, and establish long-term access through cloud tunneling before deploying ransomware.
- A leak of their internal database exposed operational data, revealing detailed attack workflows, negotiations, and a sophisticated double-extortion strategy involving data theft and weaponization of previous victims.
- To defend against The Gentlemen, organizations should focus on patching vulnerabilities, monitoring NTLM relay activity, securing Active Directory, and hardening internet-facing systems against their advanced intrusion tactics.
Key Challenge
In mid-2025, a new ransomware group called The Gentlemen emerged and quickly became a significant presence in the threat landscape. The organization operates as a ransomware-as-a-service (RaaS) platform, recruiting skilled affiliates through underground forums. Its operational model favors a high payout to affiliates (90% of ransom payments), which has prompted many to join and escalate their attacks. By May 2026 the group's activity had been extensive, with over 332 victims in just five months.

The group primarily targets exposed network edge devices such as Fortinet VPNs and Cisco systems, exploiting known vulnerabilities including CVE-2024-55591 and CVE-2025-32433 to gain initial access. Once inside, affiliates move through the network, exfiltrate data for leverage, and deploy custom ransomware. The group's internal database, which was leaked online, revealed a structured organization, including an administrator known as "zeta88" who manages attacks alongside core members. The leak also exposed detailed attack strategies, showing how the group coordinates operations and pressures victims, in some cases using earlier victims as leverage against new targets. This pattern, combined with the dual approach of data theft and ransomware deployment, marks a dangerously advanced element in modern cyber threats.

These findings were reported by cybersecurity researchers at Check Point Research and underline the need for organizations to strengthen defenses, particularly by patching vulnerabilities and monitoring for malicious activity such as NTLM relay attempts.
Critical Concerns
The activity described in "The Gentlemen RaaS Leverages Fortinet and Cisco Edge Devices for Initial Access" illustrates how criminals abuse common network devices to break into a business. An attacker who compromises a Fortinet or Cisco edge device bypasses the perimeter and gains immediate entry to the internal network, exposing sensitive data to theft and damage. Such a breach disrupts operations, erodes customer trust, and invites costly legal repercussions. Any business relying on these devices must therefore remain vigilant; otherwise, attackers can quickly exploit weak spots and cause substantial harm to its security and reputation.
Possible Remediation Steps
Timely remediation of threats targeting "The Gentlemen RaaS Leverages Fortinet and Cisco Edge Devices for Initial Access" is essential to prevent widespread network compromise, data breaches, and operational disruptions. Rapid response minimizes potential damage and restores security posture swiftly.
Mitigation Steps
- Implement strict access controls at network boundaries.
- Conduct regular firmware and software updates on Fortinet and Cisco devices.
- Enable multi-factor authentication for administrative access.
Remediation Actions
- Isolate compromised devices from the network immediately.
- Perform thorough root cause analysis to identify exploited vulnerabilities.
- Revoke any unauthorized credentials or access permissions.
- Strengthen security configurations on edge devices based on best practices.
- Notify relevant stakeholders and update incident response plans accordingly.
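The summary above recommends monitoring for NTLM relay activity alongside the remediation steps. The following is an added example written for this page, not code from Check Point Research or from the page's source; it shows one common defender heuristic: a network logon (Windows Security event 4624, logon type 3) authenticated with NTLM in which the workstation name carried in the event does not belong to the source IP, which is a typical symptom of a relayed authentication because the relay host's address appears while the victim's workstation name is forwarded. The inventory mapping, the event records and all host names are constructed sample data, and the heuristic is an assumption that should be tuned to the environment (VPN pools and multi-homed hosts will produce benign mismatches).

```python
"""Heuristic triage of Windows 4624 logon events for NTLM relay indicators.

Added example for this page; not the page's or the report's own code.
Inventory mapping and sample events below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: the IP address each workstation is expected to use.
INVENTORY = {
    "WS-FINANCE01": "10.0.10.21",
    "WS-HR02": "10.0.10.37",
    "FILESRV01": "10.0.20.5",
}


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields in a Security log 4624 event."""
    event_id: int
    logon_type: int      # 3 = network logon
    auth_package: str    # "NTLM" or "Kerberos"
    workstation: str     # client name reported inside the NTLM exchange
    source_ip: str       # TCP peer address seen by the target
    target_user: str
    target_host: str     # host that recorded the event


# Constructed sample events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "NTLM", "WS-FINANCE01", "10.0.10.21", "alice", "FILESRV01"),
    LogonEvent(4624, 3, "Kerberos", "WS-HR02", "10.0.10.37", "bob", "FILESRV01"),
    # Same workstation name, but the connection comes from an unexpected address.
    LogonEvent(4624, 3, "NTLM", "WS-FINANCE01", "10.0.50.250", "alice", "FILESRV01"),
    LogonEvent(4624, 3, "NTLM", "WS-HR02", "10.0.50.250", "bob", "DC01"),
    # Interactive local logon: not a network logon, so it is ignored.
    LogonEvent(4624, 2, "NTLM", "WS-HR02", "127.0.0.1", "bob", "WS-HR02"),
]


def relay_indicators(events, inventory):
    """Return NTLM network logons whose workstation name and source IP disagree."""
    hits = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3:
            continue
        if ev.auth_package.upper() != "NTLM":
            continue
        expected_ip = inventory.get(ev.workstation.upper())
        if expected_ip is None:
            # Unknown workstation: worth an inventory follow-up, but not a relay signal by itself.
            continue
        if expected_ip != ev.source_ip:
            hits.append(ev)
    return hits


def relay_sources(events, inventory):
    """Group indicators by source IP so a single host presenting many workstations' credentials stands out."""
    by_source = defaultdict(set)
    for ev in relay_indicators(events, inventory):
        by_source[ev.source_ip].add(ev.workstation)
    return {ip: sorted(names) for ip, names in by_source.items()}


if __name__ == "__main__":
    for ip, names in relay_sources(SAMPLE_EVENTS, INVENTORY).items():
        print(f"{ip} presented NTLM credentials on behalf of: {', '.join(names)}")
```

In practice the events would come from a SIEM export rather than an inline list, and the inventory from DHCP or asset management; the grouping step matters because one relay host impersonating several workstations in a short window is far more telling than a single mismatch.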