The Gentlemen RaaS: How Fortinet & Cisco Edge Devices Became the Fastest Lane to Your Network (And How to Stop It) + Video

Introduction

The Gentlemen ransomware‑as‑a‑service (RaaS) operation has surged from its mid‑2025 debut to become the second‑most active ransomware threat globally, publishing over 330 victims in the first five months of 2026 alone. Unlike traditional ransomware campaigns that rely on phishing or drive‑by downloads, The Gentlemen systematically targets exposed Fortinet FortiGate VPN appliances and Cisco edge devices as primary initial access vectors, exploiting known vulnerabilities, brute‑forcing login panels, and purchasing ready‑made access from underground brokers.

Learning Objectives

  • Identify the specific CVEs exploited by The Gentlemen against Fortinet and Cisco infrastructure, and understand how each vulnerability enables initial access.
  • Analyze the group’s complete TTPs (Tactics, Techniques, and Procedures) as documented by Check Point Research and S2W, including post‑exploitation, lateral movement, and defense evasion.
  • Implement immediate mitigation measures—patching, firewall hardening, and detection rules—to defend against current and future RaaS campaigns targeting edge devices.

You Should Know

1. The Edge‑Device Playbook: How The Gentlemen Breach Your Perimeter

The Gentlemen’s operational model is built around speed and scale. Affiliates receive 90% of each ransom payment, a generous split that has lured experienced threat actors away from competing cartels. The group maintains an inventory of approximately 14,700 compromised FortiGate devices alongside hundreds of validated brute‑forced credentials. After internal communications leaked in early May 2026, researchers gained rare visibility into the group’s end‑to‑end workflow, from reconnaissance to negotiation.

The standard attack chain follows this pattern:

# Attacker enumeration of Fortinet VPN appliances (observed scanning activity)
nmap -p 443 --script http-title -iL fortinet-targets.txt
# Identifying FortiGate SSL-VPN portals
curl -k https://<target-ip>:8443/remote/login
# Checking for CVE-2024-55591 (authentication bypass)
# Successful exploitation enables super-admin access without credentials

Upon gaining a foothold, the group performs immediate privilege escalation, creates backdoor accounts (e.g., MicrosoftSupporte), and disables security tools using “Bring Your Own Vulnerable Driver” (BYOVD) techniques. PowerShell remote access is enabled (T1059.001), and NetExec is leveraged for credential harvesting via SMB, WinRM, and NTLM relay attacks.
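The brute‑force leg of this playbook is the part a defender can actually see in the FortiGate event log. The detector below is an added example written for this article, not code from the original post or from Fortinet, Check Point or S2W: it parses FortiOS‑style key=value SSL‑VPN events, alerts once a source produces a burst of failed logins inside a sliding window, and alerts again if a login then succeeds from that same source (the pattern a validated brute‑forced credential leaves behind). The sample lines are constructed to mimic the FortiOS format, and the logid values, threshold and window are assumptions to tune per environment.

```python
"""Detect SSL-VPN brute force in FortiGate event logs.

Added example, not code from the article, Check Point, S2W or Fortinet. It
parses FortiOS-style key="value" log lines, tracks failed SSL-VPN logins per
source IP inside a sliding window, and raises a second alert when a login
succeeds from a source that just produced a burst of failures. The log lines
are constructed to mimic the FortiOS format; threshold and window are
assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One key=value token; values may be bare (remip=1.2.3.4) or quoted (user="admin")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

FAIL_THRESHOLD = 5               # assumed: failures from one source before alerting
WINDOW = timedelta(minutes=10)   # assumed: sliding window for counting failures
SUCCESS_ACTIONS = {"tunnel-up"}  # FortiOS logs a new SSL-VPN session as tunnel-up


def parse_fortigate_line(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def detect_vpn_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alert dicts for failure bursts and for a success following a burst."""
    failures = defaultdict(deque)  # remip -> timestamps of failures still in the window
    alerts = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("subtype") != "vpn":
            continue  # only SSL-VPN events matter here
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        src = f.get("remip", "unknown")
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        action = f.get("action", "")
        if action == "ssl-login-fail":
            recent.append(ts)
            if len(recent) == threshold:  # alert once, when the burst is reached
                alerts.append({"type": "bruteforce", "remip": src,
                               "failures": len(recent), "time": ts})
        elif action in SUCCESS_ACTIONS and len(recent) >= threshold:
            alerts.append({"type": "success-after-burst", "remip": src,
                           "user": f.get("user"), "failures": len(recent), "time": ts})
    return alerts


def _vpn_line(time, action, remip, user):
    """Build one constructed FortiOS-style SSL-VPN event line (sample data, not a real log)."""
    logid, desc = (("0101039426", "SSL VPN login fail") if action == "ssl-login-fail"
                   else ("0101039947", "SSL VPN tunnel up"))
    return (f'date=2026-05-01 time={time} devname="FGT-EDGE" logid="{logid}" type="event" '
            f'subtype="vpn" level="alert" logdesc="{desc}" action="{action}" '
            f'remip={remip} user="{user}"')


SAMPLE_LOG = [  # constructed: a spray from one source, one stray failure, then a success
    _vpn_line("10:00:01", "ssl-login-fail", "203.0.113.7", "admin"),
    _vpn_line("10:00:02", "ssl-login-fail", "203.0.113.7", "administrator"),
    _vpn_line("10:00:03", "ssl-login-fail", "203.0.113.7", "root"),
    _vpn_line("10:00:04", "ssl-login-fail", "203.0.113.7", "vpn"),
    _vpn_line("10:00:05", "ssl-login-fail", "203.0.113.7", "test"),
    _vpn_line("10:00:06", "ssl-login-fail", "203.0.113.7", "jsmith"),
    _vpn_line("10:00:07", "ssl-login-fail", "198.51.100.2", "alice"),
    _vpn_line("10:00:09", "tunnel-up", "203.0.113.7", "jsmith"),
    'date=2026-05-01 time=10:00:10 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login successful" action="login" status="success" user="admin"',
]


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_vpn_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run against the constructed sample, the detector raises one `bruteforce` alert at the fifth failure from 203.0.113.7 and one `success-after-burst` alert when jsmith's session comes up from the same address; the single failure from 198.51.100.2 never reaches the threshold. Feeding it real FortiGate syslog requires only that the `date`, `time`, `subtype`, `action` and `remip` fields match your firmware's field names.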

2. Critical Vulnerabilities Under Active Exploitation

The Gentlemen actively tracks and exploits three primary vulnerability classes in Fortinet and Cisco infrastructure:

2.1 CVE‑2024‑55591 – FortiOS Authentication Bypass

This vulnerability affects FortiOS management interfaces and allows an unauthenticated attacker to gain super‑admin privileges. S2W’s analysis confirms The Gentlemen used this flaw for initial intrusion, creating backdoor accounts and compromising system configuration files.

Mitigation commands (FortiGate CLI):

# Check current firmware version
get system status | grep "Version"
# Move the admin HTTPS port off the default and disable the HTTP-to-HTTPS redirect
# (to remove HTTPS admin from untrusted interfaces altogether, also edit allowaccess under config system interface)
config system global
set admin-sport <custom_port>
set admin-https-redirect disable
end
# Restrict admin access to trusted IP ranges
config system admin
edit <admin_name>
set trusthost1 <trusted_network> 255.255.255.0
next
end

2.2 CVE‑2025‑33073 – NTLM Relay Attacks

The Gentlemen leverages this weakness through a tool called RelayKing, performing NTLM relay checks against vulnerable Cisco environments. Attackers intercept authentication traffic and relay it to other systems, gaining unauthorized access.

Windows‑side detection for NTLM relay activity:

# Require NTLMv2 only and refuse LM/NTLMv1 responses (this hardens against relay; it is not auditing)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
# Review logon events (4624/4625 on the host, 4776 on the DC) whose authentication package was NTLM
Get-WinEvent -LogName "Security" | Where-Object { $_.Id -in (4624,4625,4776) } |
Select-Object TimeCreated, Id, Message |
Where-Object { $_.Message -like "*NTLM*" }

2.3 CVE‑2026‑20131 – Cisco FMC Root‑Level RCE (Zero‑Day Used by Interlock)

Although initially associated with the Interlock ransomware, this CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center (FMC) enables unauthenticated remote code execution as root via insecure Java deserialization. Amazon threat intelligence confirmed active exploitation 36 days before public disclosure, beginning January 26, 2026.

Step‑by‑step FMC hardening (Cisco CLI):

# Verify FMC version
show version
# Apply Cisco patch (consult advisory cisco-sa-fmc-rce-NKhnULJh)
# Restrict FMC management interface to internal networks only
configure network management-ip <internal_ip> <subnet_mask>
# Disable web interface if not required
no ip http server
no ip http secure-server
# Implement access-list filtering for management access
access-list 100 permit tcp <trusted_network> <wildcard_mask> host <fmc_ip> eq 443
access-list 100 deny ip any any log

3. Post‑Exploitation TTPs: From Foothold to Full Encryption

Once inside, The Gentlemen deploys a mature toolkit that includes SystemBC (proxy malware), Velociraptor (remote access), NetExec (Active Directory discovery), and customized tools like DumpBrowserSecrets for session hijacking. The group abuses legitimate code‑signing certificates to make malware appear benign, a tactic borrowed from Black Basta.

Command‑line detection for SystemBC C2 communication (Linux):

# Monitor outbound connections to the known malicious IPs (dots escaped so grep matches them literally)
ss -tunap | grep -E '194\.87\.31\.69|176\.120\.22\.127'
# Check for rogue tunneling services (case-insensitive match)
lsof -i | grep -Ei 'cloud|tunnel|proxy'
# Identify processes whose name ends in a dot (a common evasion technique)
ps auxf | grep -E '[.]$'

Windows endpoint hardening against ransomware deployment:

# Disable SMB1 (commonly re-enabled by attackers)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Restrict the PowerShell script execution policy (not a security boundary; pair with AppLocker or WDAC)
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine
# Enable the Defender ASR rule "Use advanced protection against ransomware"
Add-MpPreference -AttackSurfaceReductionRules_Ids 'c1db55ab-c21a-4637-bb3f-a12568109d35' -AttackSurfaceReductionRules_Actions Enabled
# Disable WSH and WMI for non-admin users via Group Policy
# (Prevents lateral movement via PsExec, WMI, scheduled tasks)

4. Cross‑Platform Capability: Windows, Linux, ESXi

The Gentlemen offers lockers written in Go for Windows, Linux, NAS, and BSD, plus a separate C locker specifically targeting VMware ESXi hypervisors. The ESXi locker shuts down all virtual machines, copies itself to `/bin/.vmware-authd` (mimicking a legitimate VMware daemon), then encrypts virtual disk files.

ESXi‑specific detection and hardening:

# Check for unauthorized processes masquerading as VMware services
ps -c | grep -E 'vmware-authd|vpxa|hostd' | grep -v '/usr/lib/vmware'
# Audit SSH access (attackers often enable SSH for persistence)
grep "PermitRootLogin" /etc/ssh/sshd_config
# Restrict ESXi shell access: time out idle shell sessions (a value of 0 would disable the timeout) and block SSH
esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 900
esxcli network firewall ruleset set -r sshServer -e false
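The one‑line `ps` check above is easy to run once and hard to run consistently. The script below is an added example, not code from the article or from VMware: it scans a process snapshot supplied as `<pid> <executable> [args]` lines (constructed here; in practice captured from the host) for the three signs the ESXi locker leaves behind, namely a hidden dot‑prefixed executable such as `/bin/.vmware-authd`, a VMware daemon name running outside the trusted install paths, and anything executing from a datastore or temp directory. The daemon names and the trusted/untrusted path lists are assumptions to adjust per ESXi build.

```python
"""Flag processes masquerading as VMware ESXi daemons.

Added example, not code from the article or from VMware. Input is a process
snapshot as "<pid> <executable> [args]" lines (constructed below). Three checks
are applied: a hidden (dot-prefixed) executable name, a VMware daemon name
running outside trusted install paths, and any executable launched from a
datastore or temp location. Daemon names and path lists are assumptions.
"""
import os

VMWARE_DAEMONS = {"vmware-authd", "hostd", "vpxa", "rhttpproxy", "vmsyslogd"}  # assumed
TRUSTED_PREFIXES = ("/usr/lib/vmware/", "/usr/sbin/", "/sbin/")              # assumed
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/scratch/", "/vmfs/volumes/")   # assumed


def classify_process(path):
    """Return the list of reasons one executable path looks suspicious (empty if clean)."""
    reasons = []
    name = os.path.basename(path)
    bare = name.lstrip(".")  # ".vmware-authd" -> "vmware-authd"
    if name.startswith("."):
        reasons.append("hidden-executable")
    if bare in VMWARE_DAEMONS and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("masquerade")  # right name, wrong place
    if path.startswith(UNTRUSTED_PREFIXES):
        reasons.append("untrusted-location")
    return reasons


def scan_process_snapshot(lines):
    """Return findings for every "<pid> <executable> [args]" line that trips a check."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # skip headers and blank lines
        pid, path = int(parts[0]), parts[1]
        reasons = classify_process(path)
        if reasons:
            findings.append({"pid": pid, "path": path, "reasons": reasons})
    return findings


# Constructed snapshot: three legitimate daemons, then the locker's tricks.
SAMPLE_SNAPSHOT = [
    "PID  COMMAND",
    "2099 /usr/lib/vmware/bin/vmware-authd",
    "2100 /usr/lib/vmware/hostd/bin/hostd",
    "2101 /usr/lib/vmware/vpxa/bin/vpxa",
    "4312 /bin/.vmware-authd",                          # hidden copy mimicking a daemon
    "4400 /vmfs/volumes/datastore1/.cache/encryptor",  # binary running from a datastore
    "4500 /tmp/vpxa --daemon",                          # daemon name launched from /tmp
]


def run_sample():
    """Scan the constructed snapshot and return the findings."""
    return scan_process_snapshot(SAMPLE_SNAPSHOT)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"PID {finding['pid']}: {finding['path']} -> {', '.join(finding['reasons'])}")
```

On the constructed snapshot the three legitimate daemons under `/usr/lib/vmware/` pass, `/bin/.vmware-authd` is reported as both hidden and a masquerade, the datastore binary as an untrusted location, and `/tmp/vpxa` as both a masquerade and an untrusted location. Pipe the output of your preferred process listing into `scan_process_snapshot` and whitelist any site‑specific paths before alerting on it.
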

5. API Security and Cloud Tunneling: Evasion at Scale

The Gentlemen uses Cloudflare Tunnels and legitimate API endpoints to maintain covert, long‑term access without triggering traditional alerts. A critical lesson from Fortinet’s recent disclosures—specifically CVE‑2026‑35616 (CVSS 9.8), an improper access control vulnerability in FortiClient EMS—is that API layers often become the weakest link. This flaw allowed unauthenticated attackers to invoke privileged API endpoints directly, granting remote code execution without any credentials.

Hardening APIs on Fortinet devices (REST API configuration):

# Restrict API access to trusted hosts only
config system api-user
edit <api_user>
set trusthost <internal_ip_or_subnet> <netmask>
set api-trusthost <enabled>
next
end
# Enforce client certificate authentication for API access
config system api-user
edit <api_user>
set certificate <certificate_name> required
next
end
# Disable unused API services
config system global
set admin-api disable
end

For Cisco FMC API hardening:

# Create dedicated API admin with least privilege
api_admin add <username> --role "MonitorOnly"
# Enforce TLS 1.3 and disable older ciphers
configure api-settings set protocol tlsv1.3
# Log all API access for audit
configure logging api enable --level DEBUG

6. Detection Rules and IOCs

The Gentlemen’s internal leak exposed critical indicators, including Tox IDs and server infrastructure. Organizations should implement the following Sigma‑style detection rules:

Detection for NTLM relay and NetExec activity (Windows event logs + PowerShell):

# Monitor access to administrative shares (T1021.002): Security events 5140/5145 record network share access
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5140,5145} |
Where-Object { $_.Message -match '\\(ADMIN|C)\$' }
# Detect WinRM remote access anomalies
Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" |
Where-Object { $_.Id -in 6,91,241 }

Linux‑based detection for The Gentlemen’s tooling:

# Check for SystemBC persistence (common cron entries)
crontab -l 2>/dev/null | grep -E 'curl|wget|nc|socat'
# Detect Velociraptor client installations
ls -la /etc/velociraptor/ /opt/velociraptor/ 2>/dev/null
# Monitor for NTLM relay tools (RelayKing indicators)
netstat -tunap | grep 445

What Undercode Say

  • Perimeter is the new battleground. The Gentlemen’s reliance on Fortinet and Cisco edge devices confirms that exposed management interfaces and VPN concentrators have become the most effective initial access vectors for modern RaaS. If your FortiGate or Cisco FMC is internet‑facing without MFA and strict IP restrictions, assume it is already compromised.

  • API security is non‑negotiable. The FortiClient EMS vulnerabilities (CVE‑2026‑35616, CVE‑2026‑21643) demonstrate that API layers often bypass traditional firewall protections. Every API endpoint—whether on FortiGate, Cisco FMC, or any management platform—must be authenticated, authorized, and restricted to trusted networks.

  • Defense must shift from reactive to predictive. The Gentlemen exploited CVE‑2026‑20131 as a zero‑day for 36 days before public disclosure. Organizations cannot rely solely on vendor patches; they must implement compensating controls: MFA everywhere, network segmentation, continuous API traffic monitoring, and regular red‑team exercises that simulate RaaS TTPs.

Prediction

The Gentlemen’s affiliate‑first economic model—90% payouts to attackers—will likely become the standard for next‑generation RaaS operations, accelerating the fragmentation of ransomware syndicates into agile, specialized cells. As defenders improve detection of traditional phishing, expect even greater targeting of network edge devices, with automated vulnerability scanning tools becoming the primary breach vector. Organizations that fail to harden their Fortinet and Cisco infrastructure against the specific TTPs documented here will face encryption of both endpoints and virtualized workloads within hours of initial compromise, not days.

Reported By: Varshu25 Ransomware – Hackers Feeds