The Gentlemen emerged in mid-2025 as a ransomware-as-a-service operation that has claimed over 400 victims across more than 70 countries, with particular focus on the shipping, transportation, and construction sectors. The group operates through a network of at least eight affiliate IDs communicating via the Tox messaging network, and the administrator actively participates in attacks alongside affiliates rather than delegating execution entirely. An internal database leaked by a disgruntled operator in early May 2026 exposed victim details and affiliate identifiers, providing an unusually detailed window into the operation's structure and geographic reach.
Initial access is established primarily via Remote Desktop Protocol using compromised credentials; CVE-2024-55591, a Fortinet authentication bypass, has been tracked as an alternative entry point through edge appliances. After gaining a foothold, operators deploy a SOCKS proxy client that masquerades as a legitimate Windows process and runs from the Temp directory, establishing persistent command-and-control at two-minute polling intervals, and install AnyDesk as a secondary remote access channel that survives disruption of the primary implant. Scheduled tasks with names designed to blend into native Windows service nomenclature ensure the proxy client relaunches automatically after reboots or process termination.
Before executing the encryptor, operators run a structured defense evasion sequence: PowerShell is used to disable Windows Defender real-time monitoring, stop the Defender service, and add broad antivirus exclusions covering the entire system volume. The Security, System, and Application Windows event logs are then cleared to remove forensic traces of the intrusion. Where domain access is available, Group Policy Objects are abused for domain-wide encryptor deployment, and in Fortinet-based environments edge appliance compromise has been paired with this approach. Files encrypted by the ransomware receive the .fjn1jw extension, and a ransom note is dropped in affected directories, completing the operational sequence.
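Because the evasion steps happen in a fixed order shortly before encryption, they correlate well on a per-host timeline: Defender tampering, then log clearing, then .fjn1jw files or the ransom note on disk. The Python below is an added example and not code from the page or its vendor; it classifies constructed log lines into those three stages and raises an alert only when a host shows them in attack order within a one-hour window. The one-line log format and every sample line are constructed; the event IDs follow Windows conventions (PowerShell script block 4104, Security 1102, System 104, Sysmon FileCreate 11), and the one-hour window is an assumed tuning value.

```python
"""Correlate, per host, the pre-encryption sequence described above: Defender
tampering via PowerShell, clearing of the Security/System/Application logs, then
encrypted files (.fjn1jw) or the ransom note appearing on disk. The line format
and every sample line are constructed for this example; the event IDs follow
Windows conventions (PowerShell 4104, Security 1102, System 104, Sysmon 11)."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO-8601 UTC time> <host> <event id> <detail>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

# PowerShell script-block text that disables real-time protection, stops the
# Defender service, or excludes an entire volume (e.g. C:\) from scanning.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true"
    r"|Stop-Service\s+(-Name\s+)?WinDefend"
    r"|Add-MpPreference\s+-ExclusionPath\s+['\"]?[A-Z]:\\['\"]?(\s|$)",
    re.I)
LOG_CLEARED_IDS = {"1102", "104"}          # Security log cleared / System log cleared
ENCRYPTED_EXT = ".fjn1jw"                  # extension named on the page
RANSOM_NOTE = "readme-gentlemen.txt"       # ransom note file name from the IOC list
STAGES = ("defender_tamper", "log_cleared", "encryptor_artifact")
WINDOW = timedelta(hours=1)                # assumed: how long after the first tamper later stages count


def classify(line: str):
    """Map one log line to (time, host, stage), or None if it matches no stage."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event_id, detail = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    stage = None
    if event_id == "4104" and DEFENDER_TAMPER_RE.search(detail):
        stage = "defender_tamper"
    elif event_id in LOG_CLEARED_IDS:
        stage = "log_cleared"
    elif event_id == "11":                  # Sysmon FileCreate
        target = detail.split("TargetFilename=", 1)[-1].strip().lower()
        if target.endswith(ENCRYPTED_EXT) or target.rsplit("\\", 1)[-1] == RANSOM_NOTE:
            stage = "encryptor_artifact"
    return (when, host, stage) if stage else None


def correlate(lines):
    """Return {host: (severity, stages_in_order)} for hosts where at least two
    stages occur in attack order within WINDOW of the first Defender tamper."""
    per_host = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            per_host[hit[1]].append((hit[0], hit[2]))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        first = next((t for t, s in hits if s == "defender_tamper"), None)
        if first is None:
            continue
        seen = []                           # stages in order of first appearance
        for t, s in hits:
            if first <= t <= first + WINDOW and s not in seen:
                seen.append(s)
        # Only count the chain when stages appear in the same order as the attack.
        if len(seen) >= 2 and seen == [s for s in STAGES if s in seen]:
            severity = "critical" if "encryptor_artifact" in seen else "high"
            alerts[host] = (severity, seen)
    return alerts


# Constructed sample: fs01 shows the full chain; ws07 has only a benign, scoped exclusion.
SAMPLE_LOG = r"""
2026-05-03T09:58:12Z fs01 4104 ScriptBlockText=Get-Date
2026-05-03T10:01:00Z fs01 4104 ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true
2026-05-03T10:01:05Z fs01 4104 ScriptBlockText=Stop-Service -Name WinDefend -Force
2026-05-03T10:01:09Z fs01 4104 ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\'
2026-05-03T10:03:40Z fs01 1102 The audit log was cleared.
2026-05-03T10:03:41Z fs01 104 The System log file was cleared.
2026-05-03T10:12:30Z fs01 11 TargetFilename=D:\Finance\Q1-budget.xlsx.fjn1jw
2026-05-03T10:12:31Z fs01 11 TargetFilename=D:\Finance\README-GENTLEMEN.txt
2026-05-03T10:20:00Z ws07 4104 ScriptBlockText=Add-MpPreference -ExclusionPath 'C:\Tools\Sysinternals'
2026-05-03T11:45:00Z ws07 11 TargetFilename=C:\Users\a\Downloads\report.pdf
""".strip().splitlines()

if __name__ == "__main__":
    for host, (severity, stages) in correlate(SAMPLE_LOG).items():
        print(f"{host}: {severity}: {' -> '.join(stages)}")
```

The exclusion check matches only a bare drive root, so a scoped exclusion such as a tools folder does not trip it; the ordering requirement keeps a routine log clear that happens to precede unrelated Defender maintenance from being scored as the chain.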
IOCs (7)

IP address (2)
- 193.233.202.1777.110.122.137 (two addresses run together in the source)

SHA256 file hash (1)
- f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8

File name (4)
- G_hlm7jj_windows_amd64.exe
- win.exe
- svchost32.exe
- README-GENTLEMEN.txt

Detections (10)
- Security Event Log Cleared
- Silently Installed RMM via Command Line Interpreter
- Remote login to Windows Followed By Defense Tampering
- Low-Privilege User Writing to NETLOGON Scripts
- Windows Event Log Enumeration and Clearing Attempt
- Masqueraded svchost Binary Executing from Windows Temp as SOCKS Proxy
- PowerShell Defender Disablement Sequence Prior to Ransomware Execution
- Group Policy Object or Configuration Manager Used to Distribute Encryptor Across Domain
- Ransomware Encryptor File Extension or Ransom Note Dropped to Disk