
Hasta la vista, Hastalamuerte: An Overview of The Gentlemen’s TTPs

ID: 62e15207-13e1-502f-a673-3e4058aa3f3b

STIX ID: report--62e15207-13e1-502f-a673-3e4058aa3f3b

Feed Name: Group-IB Blog

Threat Score: 86/100

Date Published: 2026-03-19

Date Updated: 2026-06-04


This Group-IB report documents The Gentlemen ransomware operation, a 2025 RaaS that emerged from Qilin affiliates. It details verified initial-access methods (exploitation of the critical FortiGate vulnerability CVE-2024-55591 and large-scale FortiGate credential brute-forcing), post-compromise tooling and techniques (NetExec/nxc, BYOVD for EDR/AV termination, scripts for credential theft and GPO abuse), confirmed malware samples and IOCs (file hashes, C2/exfiltration endpoints), and observed victim impact (domain-wide encryption, backup/VM disruption, ~94 disclosed victims). It also lists prioritized mitigations, including MFA, patching, EDR with driver-load monitoring, segmented/offline backups, and continuous threat intelligence.
