The Gentlemen Ransomware Group Emerges as Structured RaaS Operator; Exploiting FortiOS, SonicWall, and Cisco ASA at Scale with Data-Centric Extortion Model

Kaspersky and Check Point research identifies 'The Gentlemen' as a fast-growing, Russian-speaking ransomware operation that surged in early 2026 with a deliberately business-like approach: structured intrusion workflows, selective targeting of large enterprises via FortiOS/FortiProxy, SonicWall VPN, and Cisco ASA appliances, and a focus on exfiltration-and-leverage over encryption. The group is deliberately bypassing US targets — likely to reduce law enforcement exposure — and concentrating on APAC and Latin American networks where pre-positioned access from FortiGate device stockpiles is concentrated. Their model reflects the dominant 2026 ransomware trend of data-breach monetization over disruption, specifically designed to profit in an environment of low ransom payment rates and improved victim backup practices.

The group is deliberately bypassing US targets — likely to reduce law enforcement exposure — and concentrating on APAC and Latin American networks where pre-positioned access from FortiGate device stockpiles is concentrated.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.