Check Point Research published a detailed look inside The Gentlemen, a ransomware-as-a-service operation that has become one of the more active crews of 2026. The most useful part for defenders is not the drama of criminals leaking each other’s infrastructure. It is the operational pattern the leak exposes: ransomware groups are still turning exposed edge appliances, stolen credentials, NTLM relay paths, and remote access tooling into repeatable intrusion playbooks.
According to Check Point, the group’s internal backend database and chat material exposed accounts, affiliate coordination, tooling discussions, ransom negotiations, and targeting workflows. The leaked material reportedly showed operators discussing Fortinet and Cisco edge devices, OWA and Microsoft 365 credential logs, NTLM relay, EDR-kill tooling, ESXi locking, and recent CVEs. That is not exotic tradecraft. It is the same stack of weak points most small businesses, MSPs, and government contractors already have to manage every week.
What happened
The Gentlemen emerged around mid-2025 and runs as a ransomware-as-a-service affiliate program. Check Point says the group listed hundreds of victims in the first five months of 2026 and that leaked backend data gave researchers visibility into the roles behind the operation, including an administrator, affiliates, access brokers, and operators focused on credential logs, brute forcing, reconnaissance, persistence, and ransomware deployment.
The leak also highlights the business mechanics behind modern ransomware. Affiliates are recruited, access is sourced, tooling is shared, victims are selected, negotiations are tracked, and revenue is split. In one leaked negotiation example described by Check Point, a ransom demand started at $250,000 and ended with a $190,000 payment. For defenders, that matters because it shows how organized even “newer” ransomware programs can become once they standardize the intrusion pipeline.
Why it matters
The key lesson is that ransomware crews do not need a perfect zero-day to create major business impact. The reported workflow leans heavily on internet-facing infrastructure and identity weaknesses: VPNs, firewalls, OWA/M365 accounts, credential stuffing, data-breach lookups, relay paths, and post-compromise privilege escalation. Once inside, operators look for domain administrator access, backup and virtualization targets, EDR bypass options, and data that can be used for pressure.
That is especially relevant for SMBs and government contractors. Many organizations in that lane have a small IT team, legacy VPN exposure, inconsistent MFA coverage, limited logging retention, and too much trust between remote access, identity, file shares, backups, and hypervisors. That combination gives ransomware affiliates room to move from one compromised account or appliance into a full business outage.
Defensive takeaways
- Treat edge devices as Tier 0 exposure. VPNs, firewalls, remote access gateways, and management portals should have aggressive patch SLAs, MFA, restricted administration, and external exposure reviews.
- Audit Fortinet, Cisco, OWA, and M365 access paths. Look for stale accounts, weak conditional access, legacy authentication, impossible travel, suspicious mailbox rules, and unusual VPN logins.
- Harden against NTLM relay. Disable NTLM where practical, enforce SMB signing, review LDAP signing/channel binding, and monitor relay-prone authentication paths.
- Segment backups and virtualization platforms. ESXi, backup consoles, storage, and domain controllers should not be reachable from ordinary user segments or broad VPN pools.
- Plan for EDR-kill attempts. Enable tamper protection, monitor vulnerable driver abuse, restrict local admin, and alert on security tooling shutdown attempts.
- Watch for data-theft staging. Rclone, cloud tunnels, archive creation, unusual compression activity, and large outbound transfers are still common ransomware precursors.
Bulwark Black assessment
The Gentlemen leak is a reminder that ransomware defense is mostly about reducing operational leverage. Attackers are building repeatable pipelines around exposed access, weak identity, and poor segmentation. The best defensive move is to break that pipeline early: close exposed management paths, enforce MFA everywhere remote access exists, patch edge appliances quickly, contain identity blast radius, and make backups harder to reach than production data.
For organizations supporting government contracts, this also maps directly to compliance pressure. Asset inventory, vulnerability management, access control, incident response, audit logging, and recovery planning are not paperwork exercises. They are the controls that decide whether a ransomware affiliate gets one machine, one subnet, or the whole business.
Original source: Check Point Research — “Thus Spoke…The Gentlemen”
