Ransomware Group 'The Gentlemen' Hacked: Internal Data Leaked
In a twist of irony, the prolific ransomware operation known as **The Gentlemen** has fallen victim to a cyberattack. An anonymous group breached their internal backend database, offering valuable insights into their operations and potentially disrupting their activities.

**The Gentlemen**, a Russian cybercriminal gang, has been highly active in the ransomware landscape, reportedly compromising hundreds of organizations in the first five months of 2026 alone. According to **Check Point Research**, they ranked as the second most productive ransomware group this year, closely following **Qilin**.
### Gentlemen Get a Taste of Their Own Medicine
On or around May 4th, **The Gentlemen** experienced a breach of their internal backend database. The attackers are now selling over 16GB of internal communications, tools, and data for $10,000 in Bitcoin. This incident provides a rare glimpse into the inner workings of a ransomware operation.
### Insights from the Leak
While the breach may not cripple **The Gentlemen's** operations, the leaked data, including a 44MB sample analyzed by **Check Point Research**, offers valuable intelligence. This analysis sheds light on their operational structure, tactics, techniques, and procedures (TTPs).
### How The Gentlemen Operate
The group is led by an individual known as "zeta88," who oversees malware development, infrastructure management, target selection, and negotiation. Zeta88 is supported by operational specialists "qbit" and "quant," who focus on vulnerability scanning, reconnaissance, persistence, and gaining access through logs and credentials, respectively. The organization also includes a team of red teamers, access brokers, and an advertising specialist.
Although it is not explicitly mentioned, the group likely relies on affiliates to expand its reach. The payment model incentivizes collaboration, with zeta88 receiving 10% of each ransom and the remaining 90% distributed among the other involved hackers.
**Check Point's** Eli Smadja highlights the group's organizational structure as a key factor in their success, emphasizing the clear division of responsibilities and the administrator's hands-on experience as a former affiliate.
### Toolset and Techniques
**The Gentlemen** leverage known vulnerabilities and exploitation techniques, combined with a suite of approximately 30 tools. Their arsenal includes scanners, VPNs, remote access tools, and techniques for evading endpoint detection and response (EDR) and antivirus programs, such as the bring-your-own-vulnerable-driver tactic. While the toolset is effective, **Check Point** describes it as "fairly mature" rather than cutting-edge.
### Dabbling in AI
Members of **The Gentlemen** have explored the potential of large language models (LLMs) for malicious purposes, including assisting with code development. However, they have encountered limitations with current AI technology, recognizing the need for human oversight and critical thinking.
### Keeping Tabs on the Competition
**The Gentlemen** actively monitor and discuss other ransomware groups, learning from their successes and failures. They even explored ways to capitalize on the **Black Basta** leak from last year, demonstrating their awareness of the evolving threat landscape.