A $48,000 commission dispute spawned one of the most aggressive ransomware groups of 2026, and the group itself then got hacked. Gentlemen RaaS was born from a breakup, scaled to 478+ victims across 66 countries, and exposed an uncomfortable truth: nearly 15,000 FortiGate firewalls were still compromised more than a year after a patch became available.
The origin: $48,000 and a breakup
The operator known as Hastalamuerte was a Qilin affiliate under the codename ArmCorp. In July 2025, Qilin withheld approximately $48,000 in commissions. Hastalamuerte severed ties and launched the independent Gentlemen RaaS.
The affiliate split explains the scale: 90/10 in the affiliate's favor, against the industry standard of 80/20. Per Halcyon, only RansomHub had previously matched that ratio. With 90% of each ransom going to the affiliate, Gentlemen attracted experienced operators fast: in under a year, 478+ victims listed on the leak site across 66 countries, a pace that Halcyon says rivals LockBit 3.0 over the same timeframe.
The entry vector: unpatched FortiGate firewalls
Gentlemen's initial access is direct: unpatched FortiGate firewalls. CVE-2024-55591, an authentication bypass in FortiOS rated CVSS 9.6 by Fortinet, lets an unauthenticated remote attacker obtain administrative access to the device. Per Group-IB, the group maintains approximately 14,700 compromised FortiGate devices and 969 validated VPN credentials obtained via brute force.
Fortinet released the public patch in January 2025, after notifying customers in advance in December 2024. Nearly 15,000 compromised devices in mid-2026 means perimeter patching remains the weakest link in corporate security chains. Note also that patching closes the door but does not evict an intruder who already walked through it: a device that was exploited before the upgrade needs its admin accounts, configuration and VPN credentials reviewed, not just its firmware. At Tech86 we see this repeatedly: the perimeter is where organizations spend the most on firewalls and the least on maintaining them.
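One way to turn that into a process rather than an event, as an added example that is neither Tech86's tooling nor Fortinet's: a small Python triage script that walks a device inventory, flags firmware inside the vulnerable range for CVE-2024-55591, and ranks devices by whether the administrative HTTPS interface is reachable from an untrusted interface. The fixed-version table is taken from Fortinet's advisory for the CVE as understood at time of writing (FortiOS 7.0.0 through 7.0.16 vulnerable, 7.0.17 the first fixed build, later branches not affected) and must be verified against the current advisory; the device attributes and the inventory itself are constructed for the example.

```python
"""Triage a FortiGate inventory for CVE-2024-55591 exposure.

Added example, not Tech86's tooling or Fortinet's. The fixed-version table is
taken from Fortinet's advisory for the CVE as understood at time of writing
(FortiOS 7.0.0 through 7.0.16 vulnerable, 7.0.17 the first fixed build; later
branches not affected) and must be verified against the current advisory.
Device attributes and the inventory are constructed for the example.
"""
from dataclasses import dataclass

# Vulnerable major.minor branch -> first fixed release (assumption, see above)
FIXED_VERSIONS = {
    (7, 0): (7, 0, 17),
}


def parse_version(s: str):
    """Turn 'v7.0.15' or '7.0.15' into the tuple (7, 0, 15)."""
    parts = s.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the build is below the first fixed release of its branch."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


@dataclass
class Device:
    name: str
    version: str
    admin_https_on_wan: bool   # HTTPS admin GUI listening on an untrusted interface
    local_in_restricted: bool  # local-in policy limits admin access to trusted sources


def risk(device: Device) -> str:
    """Rank a device: 'critical' > 'exposed' > 'unpatched' > 'ok'."""
    if not is_vulnerable(device.version):
        return "ok"
    # Unpatched with the admin GUI facing the internet and no source restriction:
    # the profile of the devices Group-IB counted.
    if device.admin_https_on_wan and not device.local_in_restricted:
        return "critical"
    if device.admin_https_on_wan:
        return "exposed"
    return "unpatched"


def triage(devices):
    """Map device name -> risk level for the whole inventory."""
    return {d.name: risk(d) for d in devices}


# Constructed inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Device("fw-branch-01", "v7.0.15", admin_https_on_wan=True, local_in_restricted=False),
    Device("fw-branch-02", "v7.0.16", admin_https_on_wan=True, local_in_restricted=True),
    Device("fw-dc-01", "v7.0.17", admin_https_on_wan=True, local_in_restricted=False),
    Device("fw-lab-01", "v7.0.12", admin_https_on_wan=False, local_in_restricted=False),
    Device("fw-hq-01", "v7.4.4", admin_https_on_wan=False, local_in_restricted=True),
]

if __name__ == "__main__":
    for name, level in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:14} {level}")
```

The ranking is the point: a vulnerable build with the admin GUI exposed and no local-in restriction is the device to patch first, and the same check should run on every inventory refresh, not once per advisory.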
The encryptor: from single-host to self-propagating worm
Microsoft published its technical analysis on May 28, tracking the group as Storm-2697. The encryptor has a --spread argument that turns it from a single-host encryptor into a self-propagating worm. When activated, it attempts 21 lateral movement techniques in parallel, among them PsExec, WMI, scheduled tasks, service creation, PowerShell remoting, and SMB shares. Blocking any one of them is not enough.
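What "blocking one is not enough" looks like on the detection side, as an added example that is neither Microsoft's logic nor anything from the group's tooling: instead of alerting on a single technique, correlate lateral-movement telemetry per source host and flag fan-out, meaning one source reaching many distinct targets with several different techniques inside a short window. The event-ID-to-technique mapping, the thresholds and the event records are assumptions of this example, constructed for illustration; real telemetry needs the same normalization from your SIEM's field names.

```python
"""Flag worm-like lateral-movement fan-out by correlating across techniques.

Added example, not Microsoft's Storm-2697 detection logic. The event records
are constructed, and the mapping of event IDs to techniques is an assumption
of this example: System 7045 (service installed, PsExec-style), Security 4698
(scheduled task created), Security 4624 with logon type 3 (network/SMB logon),
and Sysmon 1 (process creation) parented by WmiPrvSE.exe (WMI) or
wsmprovhost.exe (PowerShell remoting).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Thresholds (assumptions): one source touching this many hosts with this many
# distinct techniques inside WINDOW looks like --spread, not routine admin work.
MIN_TARGETS = 5
MIN_TECHNIQUES = 3
WINDOW = timedelta(minutes=10)


def classify(event: dict) -> Optional[str]:
    """Map a raw event to a technique label, or None if it is not of interest."""
    eid = event.get("event_id")
    parent = event.get("parent_image", "").lower()
    if eid == 7045:
        return "service-install"
    if eid == 4698:
        return "scheduled-task"
    if eid == 4624 and event.get("logon_type") == 3:
        return "network-logon"
    if eid == 1 and parent.endswith("wmiprvse.exe"):
        return "wmi-exec"
    if eid == 1 and parent.endswith("wsmprovhost.exe"):
        return "powershell-remoting"
    return None


def detect_spread(events):
    """Return {source: summary} for each source whose activity crosses both thresholds."""
    by_source = defaultdict(list)
    for ev in events:
        tech = classify(ev)
        if tech is not None:
            by_source[ev["source"]].append((ev["time"], ev["target"], tech))

    alerts = {}
    for source, rows in by_source.items():
        rows.sort()
        # Sliding window anchored at each event in turn.
        for i, (t0, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - t0 <= WINDOW]
            targets = {target for _, target, _ in window}
            techniques = {tech for _, _, tech in window}
            if len(targets) >= MIN_TARGETS and len(techniques) >= MIN_TECHNIQUES:
                alerts[source] = {
                    "targets": len(targets),
                    "techniques": sorted(techniques),
                    "window_start": t0,
                }
                break
    return alerts


def _t(minute: int, second: int = 0) -> datetime:
    return datetime(2026, 5, 28, 3, minute, second)  # constructed timestamps


WMI = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
WINRM = "C:\\Windows\\System32\\wsmprovhost.exe"

# Constructed events; hosts, addresses and times are not from any real incident.
SAMPLE_EVENTS = [
    # One host fanning out with five different techniques in three minutes
    {"time": _t(0), "source": "10.0.1.50", "target": "srv-01", "event_id": 4624, "logon_type": 3},
    {"time": _t(0, 5), "source": "10.0.1.50", "target": "srv-01", "event_id": 7045},
    {"time": _t(1), "source": "10.0.1.50", "target": "srv-02", "event_id": 4698},
    {"time": _t(1, 30), "source": "10.0.1.50", "target": "srv-03", "event_id": 1, "parent_image": WMI},
    {"time": _t(2), "source": "10.0.1.50", "target": "srv-04", "event_id": 7045},
    {"time": _t(2, 20), "source": "10.0.1.50", "target": "srv-05", "event_id": 1, "parent_image": WINRM},
    {"time": _t(3), "source": "10.0.1.50", "target": "srv-06", "event_id": 4698},
    # Patch-management server: many targets but a single technique, not flagged
    *[{"time": _t(5, i), "source": "10.0.9.9", "target": f"ws-{i:02}", "event_id": 4698} for i in range(8)],
    # Noise classify() ignores (failed logon)
    {"time": _t(6), "source": "10.0.1.50", "target": "srv-07", "event_id": 4625},
]

if __name__ == "__main__":
    for source, summary in detect_spread(SAMPLE_EVENTS).items():
        print(source, summary)
```

The patch-management server in the sample is the false positive this design avoids: eight targets but one technique. An encryptor running with --spread shows the opposite shape, and it is the combination, not any single event ID, that should page someone.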
The encryption is robust: each file gets an ephemeral Curve25519 key pair and its own XChaCha20 key, so no key is reused across files. Per Microsoft, this makes decryption without the operator's private key functionally impossible. Large files are only partially encrypted, in chunks, for speed: the goal is maximum damage in minimum time.
When a third-party decryptor is published, the group patches its encryptor the same day. The Bedrock Safeguard decryptor works only if you captured a memory dump during active encryption: it relies on the Go runtime not zeroing freed heap memory, so per-file keys can still be recovered from the dump. In practice that means an incident responder should image memory on a host caught mid-encryption before powering it off. There is no universal decryptor.
The irony: the extortionist got extorted
On May 4, the group's internal Rocket.Chat database leaked: 16.22 GB, 3,366 messages. Per Check Point, which analyzed the chats, the leak exposed 9 named operators, the FortiGate exploitation pipeline, AI-assisted development (LLMs with their safety filters stripped, so-called "abliterated" models, used to write ransomware code and draft negotiations), and the admin's real identity.
According to KrebsOnSecurity (June 10, 2026), OSINT investigation identifies the Gentlemen administrator as Alexander Andreevich Yapaev, 36, from Izhevsk, Russia. The identification is based on correlation of aliases in criminal forums, leaked Russian government database records, and social media profiles — there is, to date, no confirmation via judicial action or government sanction. LinkedIn lists him as head of B2B marketing at Uralenergo Udmurtia. He built the RaaS panel in 3 days with AI assistants.
The symmetry is the central point: a group that built its operation on double extortion had its own internal communications leaked. Rocket.Chat was its coordination channel, and the leak turned it into the largest single intelligence source on the group's operations.
The operational lesson
The CVE-2024-55591 patch has been available since January 2025. Nearly 15,000 compromised FortiGate devices in 2026 suggest that perimeter patching is treated as an event, not a process. At Tech86, we treat perimeter patching as a continuous process: our managed WAF includes vulnerability monitoring on firewalls and edge devices, with automatic alerts when critical CVEs affect a client's perimeter.
Gentlemen demonstrated that a group born from a commission dispute can rival established operations when the financial incentive is high and the entry vector is a patch that already exists. The defense is not complex; it is disciplined: apply patches, enforce MFA on VPNs (the 969 brute-forced VPN credentials are exactly what MFA neutralizes), segment the network so a --spread run cannot reach everything, and maintain immutable backups. What is missing is not knowledge; it is execution.
