GENTLEMEN RANSOMWARE LEAKS

NOTE: This is a report based on the leaked artifacts of Gentlemen Ransomware that appeared in May 2026. To get a complete picture of Gentlemen Ransomware, see the post published by RANSOM-ISAC here.

The structure of this article is as follows:

  • INTRODUCTION
  • BRAND IMAGE ANALYSIS
  • TARGET DISCUSSION
  • CHAT ANALYSIS
    1. PENETRATION METHOD
    2. MOST DISCUSSED VICTIM: ELUNDINI
    3. UNSUCCESSFUL ATTEMPTS
    4. OPERATIONAL COMMANDS
  • HOW IT ALL STARTED?
  • LEAK ANALYSIS
    1. NAS -> 1.txt
    2. NAS -> 99
    3. MEGA -> gdpr data
    4. SESSIONS
    5. MEGA -> Backup_2025-07-30_033020
  • GENTLEMEN RANSOMWARE ATTACK FLOW
  • GENTLEMEN INFRASTRUCTURE
  • CONCLUSION

INTRODUCTION

The Gentlemen ransomware group has been active since September 2025 and has infected about 420+ victims (as of May 2026), making it one of the fastest-growing ransomware groups in the dark web space; it has since turned into a RaaS platform.

This report discusses the latest leak (May 2026) of Gentlemen Ransomware, which appeared on various forums.

Representation: Gentlemen | Credit: Pinterest

BRAND IMAGE ANALYSIS

Let’s get started with their official logo on their DLS. The official logo used by the group was generated using ChatGPT (GPT-4o, via the OpenAI API).

Official Logo

Following is some of the juicy metadata that can be extracted from this logo:

Image EXIF Data

Here we discuss some of the relevant topics found in the leaked chats of the Gentlemen Ransomware Group.

TARGET DISCUSSION

The group member “quant” gained access to the email inbox of the IT head of an Egyptian bank, as the provided screenshot shows:

Screenshot from Gentlemen Group

Another screenshot from the threat actor:

Screenshot from Gentlemen Group

This is a Proxmox VE (PVE) backup log screenshot, specifically showing the output of a vzdump backup job.

KEY DETAILS

Backup Summary:

VMID   Name      Status   Time         Size
101    WIN-SRV   ok       3h 40m 32s   1.393 TiB
102    OEL7      ok       1h 7m 32s    249.02 GiB

  • Total running time: 4h 48m 4s
  • Total size: 1.636 TiB

Backup Command Used:

vzdump 101 102 --prune-backups 'keep-daily=3,keep-monthly=1,keep-weekly=1'
--quiet 1 --mode snapshot --compress zstd --fleecing 0
--notification-mode notification-system

What it shows:

  • Two VMs being backed up — a Windows Server (VM 101) and an Oracle Enterprise Linux 7 (VM 102)
  • Backup mode: Snapshot
  • Compression: zstd
  • Storage destination: /mnt/pve/ALNILE3_5T/dump/
  • The log shows incremental progress of VM 101’s backup with read/write speeds around 115–130 MiB/s

It’s essentially a Proxmox backup job that completed successfully for both VMs.

CHAT ANALYSIS

Scouring through the chat logs, a few interesting indicators came to light:

1. PENETRATION METHOD

FortiGate SSL-VPN + Web Panel Brute Force / Config Theft

This is by far their primary and most relied-upon attack vector. They are heavily specialized in it.

Breakdown:

  • Core reliance:
    • Hunting large lists of exposed FortiGate devices (from leaked HTML datasets)
    • Brute-forcing the web admin panel (common creds: admin/admin123!, root/gentle26, support_forti / Support_forti2024!, etc.)
    • Once inside → dumping configuration (show user local, show user ldap, show vpn, etc.)
    • Exploiting LDAP integration to quickly get Domain Admin credentials
    • Configuring SSL-VPN tunnels for persistent internal access

This pattern is repeated dozens of times throughout the chat. Almost every successful operation starts with a FortiGate.
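As an added, defender-side illustration (not code from the original post or from the group), the following Python parses FortiGate-style key=value admin-login events and flags a source IP that fails repeatedly and then succeeds, which is the trace the panel brute-forcing described above leaves in the firewall's event log. The log lines are constructed samples, the field names follow FortiGate's event log syntax, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style admin login events (key=value event log syntax).
# These lines are made up for this example; they are not from the leak.
SAMPLE_LOGS = [
    'date=2026-05-01 time=10:00:01 user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=10:00:03 user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=10:00:05 user="support_forti" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=10:00:07 user="admin" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=10:00:09 user="root" srcip=203.0.113.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=10:00:12 user="admin" srcip=203.0.113.7 action="login" status="success"',
    'date=2026-05-01 time=10:30:00 user="admin" srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=11:00:00 user="netops" srcip=192.0.2.44 action="login" status="success"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value line into a dict (quoted and bare values) and add a datetime."""
    fields = {}
    for key, _, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def detect_admin_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Per source IP: flag `threshold` failed admin logins inside `window`, and
    note whether a successful login from that IP followed the burst."""
    events = [e for e in map(parse_line, lines) if e.get("action") == "login"]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["srcip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []            # sliding window of failed-login timestamps
        tried_users, burst, success_after = set(), False, False
        for e in evs:
            if e["status"] == "failed":
                recent = [t for t in recent if e["ts"] - t <= window] + [e["ts"]]
                tried_users.add(e["user"])
                if len(recent) >= threshold:
                    burst = True
            elif e["status"] == "success" and burst:
                success_after = True   # brute force followed by a login: treat as compromise
        if burst:
            findings[ip] = {"failed_users": sorted(tried_users), "success_after_burst": success_after}
    return findings
```

A hit with success_after_burst set is the case to escalate first, since the next step described above (configuration dump and LDAP credentials) follows the login, not the failures.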

Other tools / techniques they use a lot (but secondary):

Tools used by Gentlemen

2. MOST DISCUSSED VICTIM: ELUNDINI

By a significant margin, Elundini is the most heavily discussed target throughout the log.

The actors dedicated a large portion of the conversation to it: Reconnaissance, Domain Admin Access, Troubleshooting Trust Issues, NAS (HP MSA), ESET Panel, GPO Deployment, Locker Execution on clusters

There are many detailed back-and-forth messages about:

  • Lateral movement problems (trust relationship failures)
  • Ransomware deployment specifics (locker CLI flags, shares, GPO)
  • EDR (ESET) handling
  • Pivoting and data exfiltration attempts
  • Post-compromise operations and issues they faced

Other notable victims discussed were:

  • Manufacturer from Singapore
  • Software Provider from Mexico
  • Banking Institute from Mongolia

3. UNSUCCESSFUL ATTEMPTS

The chats also show various unsuccessful attempts by the group.

A. FortiGate / VPN Configuration Issues (Very Common)

  • Difficulty setting up proper routes and policies after gaining access. Many times they get VPN access but “no routes” or “policies not working.”
  • Problems with IPsec VPN when SSL-VPN is restricted — they repeatedly say it’s harder and less reliable.
  • VPN sessions dropping or failing to pass traffic properly.
  • “Failed to parse HTTP response” and certificate / connection errors with openconnect.

B. Domain / Trust Relationship Problems (Major Headache)

  • Elundini.gov.za had repeated STATUS_TRUSTED_RELATIONSHIP_FAILURE errors.
  • Domain Controllers becoming unreachable or crashing during operations.
  • They had to create GPOs just to reset machine trust passwords.
  • Some machines accepted Domain Admin credentials but others rejected them.

C. Encryption / Locker Issues

  • Locker not encrypting certain files (especially .avhdx files on clusters because they were locked by other hosts).
  • Slow encryption on large NAS/storage (30 TB+).
  • Need to run the locker manually on every folder because the recursive mode was too slow or unreliable.
  • Some hosts going offline / crashing during mass encryption.
  • EDR (especially ESET) blocking or quarantining the locker when deployed via GPO.

D. EDR / AV Evasion Drawbacks

  • ESET Web Console in domain → hard to fully disable centrally.
  • Killers working when run manually but failing or being blocked when pushed via GPO.
  • Multiple discussions about needing better EDR killers (they have 9 versions but still face issues).

E. General Operational Drawbacks

  • Many FortiGate panels already dead, locked, or previously compromised (“this HTML is cooked”).
  • Targets with very weak networks but also targets that were “too messy” (too many routers, bad configs).
  • Brute-force sometimes yielding credentials that don’t work for VPN (only for panel).
  • Internal scanning blocked by firewalls/EDR → need pivots and proxies.
  • Some high-revenue targets turned out to be low value or hard to monetize.

F. Tooling / Execution Issues

  • nxc / scanning tools getting blocked or crashing hosts.
  • Problems with PetitPotam / NTLM relay on patched systems.
  • Custom tools (panel, locker, killers) needing frequent fixes.

4. OPERATIONAL COMMANDS

The most frequently repeated commands are:

A. Custom Locker (Most Repeated Execution Command)

BASH

locker.exe --password <pass> --full --ultrafast --keep
locker.exe --password wbwNZteb --path "E:\" --system --superfast --keep
/opt/update --password wbwNZteb --path "/volume1/DATA/…" --ultrafast --keep

This is by far the most used command during the ransomware phase.

B. NetExec (nxc) Scanning

BASH

nxc smb 10.0.1.0/24
nxc smb 192.168.10.0/24
nxc winrm 10.0.1.0/24
proxychains nxc smb 10.0.1.0/24

C. Mass PsExec Deployment

BASH

psexec \\* -u DOMAIN\Admin -p Password -c -f locker.exe
psexec \\* -u DOMAIN\Admin -p Password -s -c killer.exe

D. Gogo Scanner (Network Discovery)

BASH

./gogo.exe -p 22,53,80,443,445,3389,5985,8443,9443 -i 192.168.1.0/24 --ping

E. Share Opening + Everyone Full Control

BASH

net share C$=C:\ /grant:everyone,FULL
net share D$=D:\ /grant:everyone,FULL
for /f "tokens=1 delims=:" %d in ('wmic logicaldisk get caption') do net share %d$=%d:\ /grant:everyone,FULL

Other notable commands used were:

  • wevtutil cl → clearing event logs
  • openconnect --protocol=fortinet … → connecting to FortiGate VPN
  • gpupdate /force + GPO-related commands

These 5 patterns cover the majority of their operational commands.
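An added example (not from the original post): Python detection rules derived from the five command patterns above, run over constructed process-creation events of the kind a Sysmon EventID 1 or Security 4688 pipeline produces. The event field names, hosts, users and command lines are made up for the example; the rules are my own regexes, not a vendor's signatures.

```python
import re

# Detection rules derived from the command patterns listed above. Each rule is a
# compiled regex over the process command line plus a label for the alert.
RULES = [
    ("share_everyone_full", re.compile(r"\bnet\s+share\b.*?/grant:everyone,full", re.I)),
    ("event_log_cleared",   re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("mass_psexec_copy",    re.compile(r"\bpsexec\S*\s+\\\\\*\s.*\s-c\b", re.I)),
    ("locker_execution",    re.compile(r"--password\s+\S+.*--(ultrafast|superfast|full)\b", re.I)),
    ("netexec_sweep",       re.compile(r"\bnxc\s+(smb|winrm|rdp|ssh)\s+\S+/\d{1,2}\b", re.I)),
    ("gogo_scan",           re.compile(r"\bgogo(\.exe)?\s+.*-i\s+\S+", re.I)),
    ("forti_openconnect",   re.compile(r"\bopenconnect\b.*--protocol=fortinet", re.I)),
]

# Constructed process-creation events (Sysmon EventID 1 / Security 4688 style).
# Hosts, users and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": r"net share D$=D:\ /grant:everyone,FULL"},
    {"host": "DC01", "user": "CORP\\Administrator", "cmd": r"psexec \\* -u CORP\Admin -p Password -c -f locker.exe"},
    {"host": "WS42", "user": "CORP\\jdoe", "cmd": r"locker.exe --password hunter2 --path E:\ --ultrafast --keep"},
    {"host": "DC01", "user": "CORP\\Administrator", "cmd": "wevtutil cl Security"},
    {"host": "WS42", "user": "CORP\\jdoe", "cmd": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "JUMP1", "user": "root", "cmd": "proxychains nxc smb 10.0.1.0/24"},
    {"host": "WS42", "user": "CORP\\jdoe", "cmd": "gogo.exe -p 22,445,3389 -i 192.168.1.0/24 --ping"},
]


def classify(cmd):
    """Return the labels of every rule matching one command line."""
    return [label for label, rx in RULES if rx.search(cmd)]


def triage(events):
    """Run every event through the rules. Returns the flat alert list plus a
    per-host set of distinct rules, so a host firing several stages (share
    opening, deployment, log clearing) stands out from a single stray hit."""
    alerts = []
    for ev in events:
        for label in classify(ev["cmd"]):
            alerts.append({"host": ev["host"], "user": ev["user"], "rule": label, "cmd": ev["cmd"]})
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["rule"])
    return alerts, {h: sorted(r) for h, r in per_host.items()}
```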

HOW IT ALL STARTED?

On 5th May 2026, a user with the username “n789” appeared on various dark web forums and posted the following thread on each of them simultaneously:

Forum Post #1

The following day, the threat actor posted a sample of the Gentlemen Ransomware leak to the thread to establish its genuineness:

Forum Post #2

2 days later, the threat actor popped up again and posted another leak link in the thread:

Forum Post #3

A few hours ago (on 21st May 2026), the member posted yet another leak to the thread.

Forum Post #4

Hence, we analyze the most recently posted leak here, as the earlier leaks were already covered by Ransom ISAC (I contributed a tiny bit too 🙂, which you can find here).

Upon visiting the MediaFire link, 2 folders are presented, namely MEGA and NAS. The whole leak was uploaded/modified on 21st May 2026.

Shared MediaFire Link

As this is tagged “Gentlemen Ransomware Leak”, we can tentatively take it as such (though we should cross-check other parameters too)!

Proceeding on that assumption, we can confirm that both folders, MEGA and NAS, belong to the Gentlemen Ransomware Group.

Exploring NAS

File List

The folder “99” contains 4 screenshots from a Ransomware Member named “zeta88”. 

NOTE: We will be discussing the leaked images in a separate section moving forward.

Exploring MEGA

File List

Here we can see 3 folders: Backup, Egypt and GDPR-Data. On checking the files:

GDPR -> data about the threat actors (discussed later)
Backup -> 14 XML files of victim data (discussed later)
Egypt -> victim information from Egypt (not our priority at the moment)

LEAK ANALYSIS

In this section we inspect the above-mentioned leak (some parts are excluded, as client/victim data will not be included in full).

1. NAS -> 1.txt

The text file titled “1.txt” turns out to be an /etc/shadow file from a Linux-based system of the attacker (The Gentlemen). From the leaked image (which you will find below), it can be confirmed that it is a Synology NAS.

File Structure

  • Format: username:$hash:lastchg:min:max:warn:inactive:expire:
  • Most system accounts are locked (* or no password).
  • Real password hashes exist for a handful of custom/admin accounts.

Here is the list of Gentlemen Group Members along with their Password Strength and Change Date.

Group Members with Password Strength

Observing usernames, we found there are 15 profiles.

3NT3R
admin
B1d3n
C0CA
d0wnloAd1
equal1z3r
F3N1X
Gblog88
guest
JLL
LDW
n0n3
PRTGRS
W1Z
zeta88

Analyzing the security posture, they use modern SHA-512 crypt ($6$) for almost all accounts (much better than old DES or MD5). “guest” still uses weak MD5 ($1$) — very crackable. Several accounts have min:0 or very permissive aging settings.
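To reproduce the password-posture check above, here is an added Python parser for the shadow layout described (not code from the post or from the leak); the entries and hash strings are constructed placeholders, not the leaked values, and the aging thresholds are my own.

```python
from datetime import date, timedelta

# Constructed /etc/shadow entries in the layout described above
# (username:$hash:lastchg:min:max:warn:inactive:expire:). The hash strings are
# placeholders made up for this example, not the leaked values.
SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
admin:$6$c0nstructed$PLACEHOLDER.SHA512.HASH.NOT.REAL:20261:0:99999:7:::
zeta88:$6$c0nstructed$ANOTHER.PLACEHOLDER.HASH.NOT.REAL:20100:0:99999:7:::
n0n3:$6$c0nstructed$THIRD.PLACEHOLDER.HASH.NOT.REAL:20200:7:90:7:::
guest:$1$c0nstruc$PLACEHOLDER.MD5.NOT.REAL:19600:0:99999:7:::
MEGAcmd:*:19800:0:99999:7:::
sc-rclone:!!:19800:0:99999:7:::
"""

HASH_ALGOS = {"1": "md5-crypt (weak)", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
              "5": "sha256-crypt", "6": "sha512-crypt", "7": "scrypt", "y": "yescrypt"}


def classify_hash(field):
    """Name the crypt(3) scheme from the $id$ prefix, or report a locked account."""
    if field in ("", "*") or field.startswith("!"):
        return "locked/no password"
    if field.startswith("$"):
        algo_id = field.split("$")[1]
        return HASH_ALGOS.get(algo_id, "unknown ($%s$)" % algo_id)
    return "des-crypt (weak)"   # legacy 13-character hash with no $id$ prefix


def parse_shadow(text):
    """Return one record per account with algorithm, last change date and aging flags."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        algo = classify_hash(f[1])
        lastchg = int(f[2]) if f[2] else None
        min_days = int(f[3]) if f[3] else 0
        max_days = int(f[4]) if f[4] else 99999
        rows.append({
            "user": f[0],
            "algo": algo,
            "last_change": (date(1970, 1, 1) + timedelta(days=lastchg)).isoformat() if lastchg else None,
            "weak_hash": "weak" in algo,
            # a live account that may be changed at once (min=0) or never expires (max=99999)
            "permissive_aging": "locked" not in algo and (min_days == 0 or max_days >= 99999),
        })
    return rows


def posture_summary(rows):
    """Counts by algorithm plus the users a reviewer should look at first."""
    counts = {}
    for r in rows:
        counts[r["algo"]] = counts.get(r["algo"], 0) + 1
    return {
        "by_algorithm": counts,
        "weak_hash_users": [r["user"] for r in rows if r["weak_hash"]],
        "permissive_aging_users": [r["user"] for r in rows if r["permissive_aging"]],
    }
```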

2. NAS -> 99

Navigating to the next leak, we can see 4 screenshots shared, as follows:

Suspicious Victim Image #1
Suspicious Victim Image #2
System of Threat Actor
Suspicious Victim Image #3

3. MEGA-> gdpr data

This folder contains the MEGA account records used by the Gentlemen Ransomware Group for leaking victims’ data.

NOTE: This underlines the fact that the group uses the MEGA platform for its data leaks; MEGA links appear on their DLS, which confirms the same.

6 tiny files are listed, and the following data can be obtained from them. One file, “Sessions.json”, will be broken down separately for further analysis.

Email: elsignore@onionmail.org
IP: 194.87.31.69:36137
Country: NL
Other Email: thegentlemen88@atomicmail.io
Firstname: The
Lastname: G
Device Token: K6sen1eMEcg7Iuh6p2uraDVnK4t4sjhDdhmqSGZp5uY
Has Backup Recovery Key: Yes (1)
Timestamp: September 13, 2025
Last Update: October 16, 2026
File Related IPs
================
194.87.31.69:36142
194.87.31.69:36248
194.87.31.69:50482
194.87.31.69:40415
178.130.46.120:30261
178.130.46.120:25380
178.130.46.120:10535
192.42.116.104:18616
NL

4. SESSIONS

This is a MEGA cloud storage sessions.json file — it logs all active and historical login sessions to a MEGA account, almost certainly the exfiltration staging account used by the Gentlemen Ransomware operators. 

Session 1 — Active Tor/VPN Browser Session

Created : 2026-04-28 (Unix: 1777611717)
Last Active: 2026-04-28
User-Agent : Firefox 128.0 on Linux x86_64
IP : 192.42.116.104 (NL)
Status : ALIVE ✅

192.42.116.104 is a known Tor node operated by Church of Cyberology (AS 215125) in the Netherlands. This is the most recent session — someone actively accessed the MEGA account via Tor just recently. Likely the operator checking/managing the exfiltrated data.

Session 2 — Primary MEGAsync Exfiltration Session (RU)

Created : 2025-12-13
Last Active: 2026-04-22
User-Agent : MEGAsync 6.2.2.0 on Windows 10.0.19044
IP : 178.130.46.120:6157 (RU)
Status : Inactive ❌
Additional IP: 89.185.80.134 (US)
└── First seen: 2025-03-14 | Last seen: 2026-04-18

178.130.46.120 is a Russian IP (Global Connectivity Solutions LLP) that appears repeatedly across sessions — this is very likely the operator’s primary working IP. The additional IP 89.185.80.134 might be a VPS or proxy they also operated from.

Session 3 — MEGAcmd Exfiltration (RU)

Created : 2025-12-22
Last Active: 2026-04-18
User-Agent : MEGAcmd 2.3.0.0 on Windows 10.0.19044
IP : 178.130.46.120:47004 (RU)
Status : Inactive ❌

MEGAcmd is a command-line tool — this session was used for scripted/automated bulk uploads, consistent with large-scale data exfiltration. 

Same Russian IP found as Session 2.

Session 4 — rclone Exfiltration (RU)

Created : 2025-12-22
Last Active: 2025-12-22
User-Agent : rclone v1.71.0
IP : 193.228.128.2:49756 (RU)
Status : Inactive ❌

rclone is a popular tool used by ransomware groups for cloud exfiltration. This is a different Russian IP — possibly a dedicated exfiltration server/VPS.

The session was short-lived (same day created/last active), suggesting a one-time bulk transfer.

Session 5 — MEGAcmd Secondary Session (RU)

Created : 2025-12-13
Last Active: 2025-12-22
User-Agent : MEGAcmd 2.3.0.0 on Windows 10.0.19044
IP : 178.130.46.120:41290 (RU)
Status : Inactive ❌
Additional IP: 92.39.211.142 (RU)
└── First seen: 2025-03-14 | Last seen: 2025-12-14

Another IP 92.39.211.142 (hosted with MTS PJSC) from Russia appears — possibly the same operator on a different connection or another team member.

Session 6 — MEGAsync Initial Setup (RU)

Created : 2025-12-13
Last Active: 2025-12-13
User-Agent : MEGAsync 6.0.0.3 on Windows 10.0.19044
IP : 178.130.46.120:41231 (RU)
Status : Inactive ❌

Short-lived session on the same day the account was likely set up for this operation. Same primary Russian IP.

Session 7 — Early MEGAsync Session

Created : 2025-10-12
Last Active: 2025-12-13
User-Agent : MEGAsync 6.0.0.3 on Windows 10.0.19044
IP : 194.87.31.69 (NL)
Status : Inactive ❌
Additional IP: 178.130.46.120 (RU)
└── First seen: 2025-11-20 | Last seen: 2025-12-06

194.87.31.69 is hosted with Global Connectivity Solutions LLP — a hosting provider popular with Russian threat actors. The Russian IP 178.130.46.120 also shows up here as additional activity, confirming it’s the same operator switching infrastructure. This is the second time an IP from the same hosting provider has been flagged.

Session 8 — Brief MEGAsync (RU)

Created : 2025-11-20
Last Active: 2025-11-20
User-Agent : MEGAsync 5.16.0.2 on Windows 10.0.19044
IP : 178.130.46.120:64175 (RU)
Status : Inactive ❌

Brief one-day session. Older MEGAsync version (5.16.0.2) — possibly a different machine belonging to the same operator.

Session 9 — Initial Browser Recon (NL VPS)

Created : 2025-10-12
Last Active: 2025-10-13
User-Agent : Firefox 128.0 on Windows 10 x64
IP : 194.87.31.69 (NL)
Status : Inactive ❌
Additional IPs:
└── 2a12:a800:2:1:45:138:16:82 (DE) — seen 2025-10-14
└── 2a03:e600:100::2 (AT) — seen 2025-10-12

The two IPv6 addresses (Germany and Austria) suggest VPN/Tor exit nodes — the operator was browsing via VPN and Tor before switching to the NL VPS for uploads. This is the earliest session, suggesting the MEGA account was set up around October 12, 2025.

TIMELINE RECONSTRUCTION

MEGA Usage Timeline

IOC IN A NUTSHELL

IP NOTES
====================
178.130.46.120 -> Primary operator IP (RU) — appears in 5 sessions
193.228.128.2 -> rclone exfiltration server (RU)
194.87.31.69 -> NL VPS (Global Connectivity Solutions LLP)
192.42.116.104 -> Tor exit node (NL) — active session
89.185.80.134 -> Secondary US IP
92.39.211.142 -> Secondary Russian IP
IPv6: 2a12:a800:2:1:45:138:16:82 -> VPN exit (DE)
IPv6: 2a03:e600:100::2 -> VPN exit (AT)
TOOL
====
rclone v1.71.0 -> Used for bulk exfiltration
MEGAcmd 2.3.0.0 -> Command-line MEGA uploads
MEGAsync 6.2.2.0 -> GUI MEGA client
OS: Windows 10.0.19044 -> Operator's machine (Build 21H2)
Browser: Firefox 128.0 -> Used for account management

The Russian IP 178.130.46.120 is the strongest attribution lead — it appears across 5 separate sessions spanning months, making it very likely the operator’s real or near-real working IP rather than a one-time proxy. 
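As an added example (not part of the original post), this Python aggregates the nine session summaries above to derive IP recurrence, tool mix and account lifetime automatically. The tuple layout is a simplified transcription I assume for the example, not MEGA's raw sessions.json format; it counts an IP's sessions both as the session's primary IP (the count used above) and including appearances as an additional IP.

```python
from collections import Counter
from datetime import date

# Simplified session records transcribed from the summary above: (session id,
# created, last active, user agent, primary IP, alive?, additional IPs).
# This structure is assumed for the example; it is not MEGA's raw JSON layout.
SESSIONS = [
    (1, "2026-04-28", "2026-04-28", "Firefox 128.0 on Linux x86_64", "192.42.116.104", True, []),
    (2, "2025-12-13", "2026-04-22", "MEGAsync 6.2.2.0 on Windows 10.0.19044", "178.130.46.120", False, ["89.185.80.134"]),
    (3, "2025-12-22", "2026-04-18", "MEGAcmd 2.3.0.0 on Windows 10.0.19044", "178.130.46.120", False, []),
    (4, "2025-12-22", "2025-12-22", "rclone v1.71.0", "193.228.128.2", False, []),
    (5, "2025-12-13", "2025-12-22", "MEGAcmd 2.3.0.0 on Windows 10.0.19044", "178.130.46.120", False, ["92.39.211.142"]),
    (6, "2025-12-13", "2025-12-13", "MEGAsync 6.0.0.3 on Windows 10.0.19044", "178.130.46.120", False, []),
    (7, "2025-10-12", "2025-12-13", "MEGAsync 6.0.0.3 on Windows 10.0.19044", "194.87.31.69", False, ["178.130.46.120"]),
    (8, "2025-11-20", "2025-11-20", "MEGAsync 5.16.0.2 on Windows 10.0.19044", "178.130.46.120", False, []),
    (9, "2025-10-12", "2025-10-13", "Firefox 128.0 on Windows 10 x64", "194.87.31.69", False, ["2a12:a800:2:1:45:138:16:82", "2a03:e600:100::2"]),
]


def classify_agent(agent):
    """Bucket a user agent by what it implies about the activity."""
    a = agent.lower()
    if a.startswith(("rclone", "megacmd")):
        return "cli-bulk"      # scripted bulk transfer: exfiltration staging
    if a.startswith("megasync"):
        return "gui-sync"      # desktop sync client
    return "browser"           # interactive account management


def summarize(sessions):
    """Aggregate IP recurrence, tool usage and account lifetime so that the
    strongest infrastructure lead (the most recurring IP) falls out of the data."""
    primary = Counter(s[4] for s in sessions)
    any_role = Counter()
    for s in sessions:
        for ip in {s[4], *s[6]}:      # count each IP once per session, whatever its role
            any_role[ip] += 1
    kinds = Counter(classify_agent(s[3]) for s in sessions)
    bulk = [(s[0], s[1], s[2], s[4]) for s in sessions if classify_agent(s[3]) == "cli-bulk"]
    return {
        "primary_ip": primary.most_common(1)[0][0],
        "primary_sessions": dict(primary),
        "sessions_any_role": dict(any_role),
        "account_first_seen": min(date.fromisoformat(s[1]) for s in sessions),
        "account_last_seen": max(date.fromisoformat(s[2]) for s in sessions),
        "alive_sessions": [s[0] for s in sessions if s[5]],
        "tool_mix": dict(kinds),
        "bulk_transfer_sessions": bulk,
    }
```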

5. MEGA -> Backup_2025-07-30_033020

This section consists of 14 XML files, as previously noted. From the folder title, it can be assumed that this folder is a backup created on 30th July 2025 during an operation of the Gentlemen Ransomware Group.

Analyzing a file from the list, the following details are uncovered:

Machine Details:

Machine name: TDC1
Platform: AMD64
OS: Windows 10.0 (Windows Server 2016/2019/2022 style)
Firmware: UEFI (FirmwareType = 2)
Boot drive: C:\Windows
2 GPT disks, with the primary disk being ~932 GB (999653638144 bytes)
Drives: C: (NTFS, system), D: (NTFS, "New Volume"), plus EFI, Recovery, and Microsoft Reserved partitions
2 CD-ROM devices (E: and F:)

Components Backed up:

TasksStore - Windows Task Scheduler data
WriterMetadataStore - VSS writer metadata
PerformanceCounters - Windows performance counter data
System Files and Win32 Services Files - core OS files
ASR (Automated System Recovery) - full disk/partition layout for bare-metal restore
WMI - Windows Management Instrumentation database
Registry - Windows Registry hive
SYSVOL - Active Directory SYSVOL share (this confirms TDC1 is a Domain Controller)
NTDS (ntds database component) - Active Directory database (again confirming it's a DC)
COM+ REGDB - COM+ component registration database

It is found that this is a successful Windows Server backup manifest from a machine called TDC1 that is a Domain Controller. Everything backed up successfully (backupSucceeded="yes" on all components). It was a copy-type backup (backupType="copy") with a snapshot ID of aa1829e2-3cea-4cae-80f3-74982bba87f5.

This confirms a successful data exfiltration from one of the victims (from Sri Lanka) of Gentlemen Ransomware, traced back to July 2025.

All VSS Writer XMLs share the snapshot prefix 93c2f61f-3c8e-4272-b437-d7da697773e1, confirming they originate from a single backup snapshot of TDC1 (Victim).

In a nutshell, here are the XML files and what each one contains:

XML Nutshell

GENTLEMEN RANSOMWARE ATTACK FLOW

Following the technical artifacts uncovered in the leak, we are able to re-create the Attack Cycle of Gentlemen Ransomware Group. Here is the complete Attack Cycle of Gentlemen (observed from a Victim Environment).

To view the full resolution of the above image, you can find it here.

GENTLEMEN INFRASTRUCTURE

From the leaked files, it is evident that:-

  • The attacker’s own Synology NAS ran MEGAcmd and rclone, confirmed by dedicated service accounts MEGAcmd and sc-rclone visible in the /etc/shadow file alongside other operator accounts
  • This device served as the staging and upload platform — keeping exfiltration activity off the victim DC and routing through their own controlled infrastructure
  • Multiple human operator accounts with SHA-512 hashed credentials in the shadow file suggest a small team operating from this shared NAS

CONCLUSION

The leaked internals of Gentlemen Ransomware give a broader view of their modus operandi, internal communication style and infrastructure.

The leaked data again proves that the group does not possess any secret sauce (unlike BB or LockBit) to infect/target their victims. All the tools are freely available and are used to their maximum potential to reap profits.

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings and Stay Tuned with THE RAVEN FILE! 
