GENTLEMEN RANSOMWARE LEAKS
ID: d007b8f4-fe5c-53f2-be53-4f6151fadb6b
STIX ID: report--d007b8f4-fe5c-53f2-be53-4f6151fadb6b
Feed Name: THE RAVEN FILE
The report analyzes a May 2026 leak from the Gentlemen ransomware group (420+ victims reported). It details the group's primary TTPs (brute-forcing FortiGate SSL-VPN panels and stealing device configurations, LDAP abuse, SSL-VPN tunnels for access), its exfiltration tooling (MEGAcmd, rclone, MEGA hosting), its operator infrastructure (Synology NAS staging, Russian-hosted IPs), victim artifacts recovered from the leak (Windows domain controller backup XMLs, Proxmox backups), and operational problems the operators ran into (EDR interference, encryption failures). It concludes that the group operates as a RaaS built on widely available tools rather than custom tooling.
