Key facts
- Check Point Research Publishes Findings Based on Leaked Internal Data from The Gentlemen Ransomware Group
- Source: PR Times
- Date: May 15, 2026
- Citation
- Check Point Research Publishes Findings Based on Leaked Internal Data from The Gentlemen Ransomware Group (May 15, 2026), PR Times
- Source
- PR Times
- Date
- May 15, 2026
Check Point Research (CPR), the threat intelligence arm of Check Point Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader in cybersecurity solutions, has published findings based on leaked internal data from the ransomware group The Gentlemen. The RaaS (ransomware-as-a-service) group The Gentlemen became the world's second most active ransomware group in 2026, with more than 400 publicly disclosed victims. In May 2026 the group's internal systems were compromised, exposing the full scope of its operations.

The Gentlemen is organized around one administrator, zeta88/hastalamuerte, and run by around nine named operators. The administrator not only manages the platform but also directly participates in real encryption attacks. The administrator was found to be a former affiliate of the Qilin ransomware program, having learned tactics inside an existing organization before launching a competing operation.

The group's initial access paths are almost entirely limited to unpatched edge devices and purchased credentials. Data stolen from one victim was later used to attack that victim's customers, confirming a real-world chain of cascading compromise. The group also uses AI coding assistants based on Chinese AI models such as DeepSeek and Qwen to accelerate ransomware development; the administrator used AI-assisted coding to build the entire RaaS management panel in just three days. Check Point has notified law enforcement about the case.

On May 4, 2026, the administrator of The Gentlemen admitted on an underground forum that the group's internal backend database had been compromised and leaked. The incident is likely connected to the compromise of 4VPS, the hosting provider the group used for its infrastructure. CPR obtained part of the leaked data before it was deleted. The data included internal chat logs, lists of operational members, ransom negotiation records, and discussions about tool operations. These materials provide a rare view into the internal workings of a ransomware operation from the defender's perspective.

The Gentlemen is a small but professional operation. The administrator zeta88 is likely the same person known as hastalamuerte and is responsible for creating the ransomware, operating the RaaS panel, managing payments, and directly participating in attacks. Leaked internal chats included a message from the administrator saying "I'm locking" during an active encryption attack. The group offers affiliates a high 90:10 revenue split, compared with the industry-standard 80:20, which helps it attract experienced operators from competing programs including Qilin. zeta88 was also confirmed to have previously operated as a Qilin affiliate.

The Gentlemen's intrusion methods rely almost entirely on unpatched internet-facing devices, especially VPNs and appliances. The group exploits vulnerabilities including CVE-2024-55591 and CVE-2025-32433, buys access from third-party brokers, and uses credentials obtained from infostealer log markets. After gaining access, the group moves quickly: enumerating Active Directory, conducting NTLM relay attacks (CVE-2025-33073), disabling EDR, using legitimate administrative tools for lateral movement, stealing browser session data to access Microsoft 365 and Okta, and exfiltrating data. After these steps, the group deploys ransomware across the domain through Group Policy and encrypts all connected endpoints simultaneously.

Perhaps the most important finding for business leaders is that one compromise can lead to the next. In April 2026, The Gentlemen compromised a UK software consulting company and used stolen data, infrastructure documentation, credentials, and access information for customer environments to attack one of the company's Turkish customers. The UK company officially stated that only ordinary business data had been accessed, but the leaked internal chats tell a different story. The Gentlemen later listed both companies on its data leak site and named the UK consulting firm as an "access broker" in the attack on the Turkish company, using this as a pressure tactic to push the Turkish company to take legal action against its partner. This shows that a breach of one organization can become an entry point into its customers. Data held on behalf of customers must be protected at the same level as an organization's most critical assets.

Security leaders should make patching edge devices a business priority, particularly VPNs, firewalls, and remote access gateways. They should assume credentials are already compromised; MFA is necessary but insufficient, and anomalous authentication patterns across Microsoft 365, VPN panels, and identity management systems must be monitored. Active Directory must be protected, as NTLM relay attacks and abuse of misconfigured AD Certificate Services are central to The Gentlemen's playbook. Detection should focus on lateral movement, because once ransomware is triggered, containment is often nearly impossible. Backups must be truly isolated, as The Gentlemen specifically targets NAS devices and backup systems. Offline, immutable backups separated from the domain can determine whether an organization recovers or is forced to give in to the attackers.

The findings show that The Gentlemen represents the current state of professional ransomware: a small but organized team, a curated toolset, reusable attack methods, and a business model designed to attract skilled operators. The group did not invent new techniques; it scaled existing attack methods into a repeatable operating model and expanded by offering competitive affiliate terms. Because the group's own infrastructure was compromised, defenders gained an unusual and highly detailed view of its operations. CPR has shared the findings with law enforcement, and an investigation is underway.
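The NTLM relay and lateral-movement steps in the attack chain above, and the recommendation to monitor for anomalous authentication, can be turned into concrete checks on Windows Security logs. The Python below is an added example, not code from the CPR report or from Check Point, and it is not a detection for this group specifically. It applies a well-known relay indicator to event 4624 (successful logon) records: in a relayed NTLM network logon the WorkstationName field still names the victim client whose authentication was relayed, while IpAddress is the machine doing the relaying, so the two disagree. A second pass counts how many distinct hosts each source address logged on to, which surfaces the fan-out of an operator moving laterally with legitimate administrative tools. The asset inventory, host names, user names and events are all constructed for the example.

```python
"""Heuristic detection of NTLM relay and lateral-movement fan-out.

Added example, not code from the CPR report or Check Point. It runs over
constructed Windows Security event 4624 records; the inventory and the
events are hypothetical sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    """Fields of a 4624 event that the two heuristics rely on."""
    time: str
    target_host: str      # Computer that recorded the logon
    user: str             # TargetUserName
    workstation: str      # WorkstationName (supplied by the client)
    ip: str               # IpAddress (network source of the logon)
    logon_type: int       # 3 = network
    auth_package: str     # AuthenticationPackageName: NTLM or Kerberos


# Constructed asset inventory (hypothetical): IP address -> host that owns it.
INVENTORY = {
    "10.0.1.10": "WS01",
    "10.0.1.11": "WS02",
    "10.0.1.20": "FS01",
    "10.0.1.30": "DC01",
}

# Constructed sample events (hypothetical), not taken from any real log.
SAMPLE = [
    # Ordinary NTLM network logons: workstation name matches the IP owner.
    Logon("2026-05-01T09:00:00Z", "FS01", "alice", "WS01", "10.0.1.10", 3, "NTLM"),
    Logon("2026-05-01T09:05:00Z", "FS01", "bob", "WS02", "10.0.1.11", 3, "NTLM"),
    # Kerberos logons are out of scope for the relay check.
    Logon("2026-05-01T09:10:00Z", "DC01", "alice", "WS01", "10.0.1.10", 3, "Kerberos"),
    # Relay pattern: WS01's authentication arrives from 10.0.1.99, which is not WS01,
    # and the same source reaches three hosts within seconds.
    Logon("2026-05-01T10:00:00Z", "FS01", "svc-backup", "WS01", "10.0.1.99", 3, "NTLM"),
    Logon("2026-05-01T10:00:04Z", "DC01", "svc-backup", "WS01", "10.0.1.99", 3, "NTLM"),
    Logon("2026-05-01T10:00:09Z", "WS02", "svc-backup", "WS01", "10.0.1.99", 3, "NTLM"),
    # Empty WorkstationName from an unknown source: also worth a look.
    Logon("2026-05-01T10:02:00Z", "FS01", "svc-backup", "", "10.0.1.98", 3, "NTLM"),
    # Interactive logon (type 2): not a network logon, ignored by both checks.
    Logon("2026-05-01T10:05:00Z", "WS02", "bob", "WS02", "-", 2, "NTLM"),
]


def relay_suspects(events, inventory):
    """Return NTLM network logons where the source IP is not the host named in
    WorkstationName (a known host's name presented from another address), or
    where the client supplied no workstation name at all."""
    known_hosts = {h.upper() for h in inventory.values()}
    hits = []
    for e in events:
        if e.logon_type != 3 or e.auth_package.upper() != "NTLM":
            continue
        if not e.workstation:
            hits.append(e)
            continue
        claimed = e.workstation.upper()
        owner = inventory.get(e.ip, "").upper()
        if claimed in known_hosts and owner != claimed:
            hits.append(e)
    return hits


def lateral_fanout(events, min_targets=3):
    """Map each source IP to the distinct hosts it reached over the network;
    sources touching at least min_targets hosts are candidate pivot points."""
    targets = defaultdict(set)
    for e in events:
        if e.logon_type == 3 and e.ip not in ("", "-"):
            targets[e.ip].add(e.target_host)
    return {ip: sorted(t) for ip, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for e in relay_suspects(SAMPLE, INVENTORY):
        print(f"relay? {e.time} {e.user} claims {e.workstation or '<none>'} from {e.ip} -> {e.target_host}")
    for ip, hosts in lateral_fanout(SAMPLE).items():
        print(f"fan-out: {ip} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The inventory lookup is the weak point in practice: NAT, VPN address pools and DHCP churn all make a legitimate client appear from an address it does not "own", so the output is a triage list, not an alert on its own. The relay heuristic also only sees what the log records; the durable fix is to remove the relay path by requiring SMB signing and LDAP signing with channel binding on the services the relayed authentication would land on, after which a relayed session is rejected regardless of whether anyone is watching the logs.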
For details including indicators of compromise, YARA detection rules, and affiliate TOX IDs, refer to the full CPR research report. Check Point customers are protected against The Gentlemen ransomware threats through Threat Emulation and Harmony Endpoint. This press release is based on an English-language blog post published on May 13, 2026, U.S. time.
Source: PR Times, https://prtimes.jp/main/html/rd/p/000000513.000021207.html (May 15, 2026)