
TheGentlemen Ransomware Toolkit Found on Russian Proton66 Server

ID: 3410cedf-cfb8-5326-8fd0-5f1c1996fce4

STIX ID: report--3410cedf-cfb8-5326-8fd0-5f1c1996fce4

Feed Name: Hunt.io Blog

Threat Score: 80/100

Date Published: 2026-03-25

Date Updated: 2026-04-28


On 2026-03-12 Hunt.io discovered an exposed Proton66 open directory hosting a structured TheGentlemen RaaS operator toolkit (126 files, ~140MB). It contained Mimikatz logs with harvested NTLM hashes; comprehensive pre-encryption scripts (notably z1.bat) that disable protections, delete VSS snapshots, create SMB shares, install backdoors (ngrok/RustDesk) and clear logs; two exposed ngrok auth tokens; and numerous dual-use utilities. Together these provide strong evidence of active ransomware operations, actionable IOCs, and mapped MITRE ATT&CK TTPs.
