
The Gentlemen: The RaaS Group That Built a Database of 14,700 FortiGate Devices — and Why Saudi Financial Institutions Are in the Crosshairs

The Gentlemen ransomware group has grown 420% in a single quarter and maintains a database of 14,700 pre-exploited FortiGate devices. Saudi financial institutions running FortiOS must act now — here is what you need to know.

FyntraLink Team

A ransomware group born from a $48,000 payment dispute on a cybercrime forum has become the second most active ransomware operation globally in Q1 2026 — with a pre-built database of 14,700 compromised FortiGate devices and 969 validated VPN credentials ready to deploy. If your organization runs FortiOS in its network perimeter, this is not a theoretical threat.

From Forum Dispute to Ransomware Empire: Who Are The Gentlemen?

The Gentlemen emerged in August 2025 as a direct consequence of fractured trust in the cybercriminal ecosystem. Its operator, known as "hastalamuerte," opened a public arbitration thread on the RAMP cybercrime forum accusing the Qilin ransomware operators of withholding $48,000 in affiliate commissions. Rather than accept the loss, hastalamuerte recruited a core team of roughly 20 members and built a competing Ransomware-as-a-Service (RaaS) operation from the ground up.

The group's growth trajectory is alarming by any measure: 35 confirmed victims in Q4 2025, escalating to 182 victims in Q1 2026 alone — a 420% increase in a single quarter. As of mid-April 2026, ransomware tracking platforms attribute at least 284 organizations to the group. Financial services firms account for 9 confirmed victims, including Rogers Capital, whose breach was disclosed in January 2026. The affiliate model offers a 90% revenue share to attackers, aggressively undercutting established RaaS competitors and drawing experienced operators into the fold.

The Technical Edge: CVE-2024-55591 and the FortiGate Exploit Database

The Gentlemen's primary initial access vector is CVE-2024-55591 (Fortinet PSIRT advisory FG-IR-24-535), a critical authentication bypass via an alternate path or channel (CWE-288, CVSS 9.8 as scored by NVD) in FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19 and FortiProxy 7.2.0 through 7.2.12. An unauthenticated remote attacker who can reach the administrative web interface sends crafted requests to the Node.js WebSocket module and obtains a super_admin session, taking full administrative control of the target's perimeter firewall without any credentials. Fortinet published the advisory and the fixed builds (FortiOS 7.0.17, FortiProxy 7.0.20 and 7.2.13) on 14 January 2025, CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day, and in-the-wild exploitation had already been observed in late 2024.

What separates The Gentlemen from opportunistic attackers is their operational infrastructure. Group-IB research published in early 2026 revealed that the group maintains a curated, continuously updated database of approximately 14,700 already-exploited FortiGate devices worldwide, alongside 969 validated brute-forced FortiGate VPN credentials pre-staged for deployment. This is not spray-and-pray exploitation — it is structured, intelligence-driven targeting. Active reconnaissance is also underway against SonicWall VPN appliances, Cisco ASA devices, and Oracle E-Business Suite, indicating the group is expanding its initial access portfolio.

Post-Exploitation Capabilities: BYOVD, Double Extortion, and Borrowed Code

Once inside, The Gentlemen's operators employ a multi-stage post-exploitation playbook. They use Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to load signed but vulnerable kernel drivers that terminate Endpoint Detection and Response (EDR) and antivirus processes at the kernel level — neutralizing most endpoint defenses before encryption begins. This is the same family of technique used by Qilin and Warlock, but The Gentlemen have reportedly integrated code elements reverse-engineered from Babuk, LockBit 5.0, Medusa, and Qilin ransomware samples to enhance their encryption routines and obfuscation capabilities.

The group operates a pure double-extortion model: data is exfiltrated before systems are encrypted, and victims face simultaneous pressure from operational disruption and threatened publication of sensitive records on a dedicated dark web leak site. Custom Python backdoors are deployed to maintain persistent access even after initial detection, enabling re-entry if the ransom is not paid and recovery begins. The combination of EDR bypass, data theft, and persistent access makes incident response significantly more complex and expensive than a standard ransomware engagement.

The Saudi Financial Sector Exposure

FortiGate firewalls and FortiProxy are among the most widely deployed perimeter security appliances in Saudi Arabia's financial sector. Many SAMA-regulated institutions — banks, insurance companies, and finance companies — rely on FortiOS-based infrastructure for branch connectivity, remote access VPN, and network segmentation. This makes CVE-2024-55591 a direct and immediate concern under SAMA Cyber Security Framework (CSCC) Domain 4 (Cybersecurity Operations) and Domain 3 (Cybersecurity Risk Management), which mandate timely vulnerability remediation and continuous monitoring of internet-facing assets.

The NCA Essential Cybersecurity Controls (ECC-1:2018) further require that organisations maintain an asset register of internet-exposed services and implement timely patching processes — obligations that become legally consequential given SDAIA's increasingly active enforcement posture under the Personal Data Protection Law (PDPL). A successful breach via an unpatched FortiGate appliance that results in customer data exposure would simultaneously trigger SAMA incident reporting requirements, NCA notification obligations, and potential PDPL enforcement action. The Gentlemen's targeting of financial services firms globally is not incidental; regulated institutions with high-value data and ransomware payment capacity are a deliberate business decision for this group.

Practical Recommendations for CISO and Security Teams

  1. Patch FortiOS immediately. If you run FortiOS 7.0.0–7.0.16, FortiProxy 7.0.0–7.0.19 or FortiProxy 7.2.0–7.2.12, treat this as a P1 emergency: upgrade to FortiOS 7.0.17, FortiProxy 7.0.20 or FortiProxy 7.2.13 (or later). Fixed builds have been available since Fortinet published FG-IR-24-535 on 14 January 2025, so an appliance that is still unpatched has been exposed for over a year. Until it is upgraded, disable the HTTP/HTTPS administrative interface on internet-facing interfaces, or restrict it to management addresses with local-in policies. Treat any exposed appliance as potentially compromised: preserve its logs and configuration and check them for the indicators below before patching, so that the investigation is not clouded by the upgrade's own changes.
  2. Audit admin access logs now. Fortinet's advisory documents the traces exploitation leaves in the FortiOS event log: successful administrator logins with ui="jsconsole" and method="jsconsole" whose srcip and dstip are loopback or arbitrary addresses (for example 127.0.0.1, 1.1.1.1, 2.2.2.2 or 8.8.8.8) rather than a real management host, followed by configuration changes made through jsconsole such as new admin accounts with random names and the super_admin profile, new local users and SSL VPN user groups, and added or altered firewall policies, with the new accounts then used for SSL VPN logins. Look for these at unusual hours, and correlate any hit with NetFlow data for lateral movement following the login event.
  3. Verify your EDR is kernel-protected against BYOVD. A default EDR configuration is not enough. Enable the product's tamper protection so that its services and drivers cannot be stopped or unloaded from user space, and enforce the Microsoft vulnerable driver blocklist (applied through HVCI/memory integrity or a WDAC policy) on all Windows servers and workstations, supplementing it with the community-maintained LOLDrivers list where your WDAC tooling allows. Tamper protection alone does not help once a vulnerable driver is already running in the kernel; the blocklist has to stop the driver from loading in the first place.
  4. Test your data exfiltration detection controls. The Gentlemen exfiltrate data before encrypting. Your Data Loss Prevention (DLP) and SIEM rules must detect large-volume outbound transfers, especially to cloud storage platforms and anonymising proxies. Run a tabletop exercise specifically for this scenario.
  5. Validate your incident response retainer covers RaaS double-extortion. Standard IR retainers often exclude negotiation support or dark web monitoring. Ensure your retainer explicitly covers ransomware negotiation, data leak site monitoring, and regulatory notification assistance — all of which are required under SAMA's Cybersecurity Incident Reporting Guidelines.
  6. Implement network segmentation to contain FortiGate compromise blast radius. If a perimeter appliance is fully owned, the attacker should not have unrestricted east-west movement. Review your internal segmentation and ensure that management networks, backup infrastructure, and core banking systems are isolated from the internet-facing zone.
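The following Python triage helper is an added example that serves recommendations 1 and 2 above; it is not code from Fortinet, Group-IB or FyntraLink. It checks a FortiOS `get system status` version string against the FG-IR-24-535 affected ranges, then scans FortiOS key=value event-log lines for the indicators Fortinet published for this CVE: successful admin logins with `ui="jsconsole"` from loopback, bogus or non-management source addresses, and `system.admin` objects with `accprofile[super_admin]` added through that channel. The sample log lines, the management subnet `10.20.0.0/24` and the account name `kd3Qx` are constructed for the example.

```python
"""Triage helper for CVE-2024-55591 (FG-IR-24-535) exposure and post-exploitation indicators.

Added example, not code from Fortinet, Group-IB or FyntraLink. Assumptions:
  - the version string is what FortiOS prints for 'get system status', e.g. "v7.0.14 (GA.F)";
  - event logs are in FortiOS key=value syslog format;
  - SAMPLE_LOGS, the management subnet and the account name are CONSTRUCTED, shaped after
    the indicators in FG-IR-24-535 (admin logins with ui="jsconsole" from spoofed or loopback
    addresses, followed by super_admin accounts created through the same channel).
"""
import ipaddress
import re
from typing import Dict, List

# Affected ranges from FG-IR-24-535 (inclusive); fixed in 7.0.17 / 7.0.20 / 7.2.13.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")
# FortiOS logs are key=value pairs; values are double-quoted when they may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Source addresses Fortinet listed as seen in exploitation logs (spoofed, not real clients).
BOGUS_SRC = {"1.1.1.1", "2.2.2.2", "8.8.8.8"}


def is_affected(product: str, version: str) -> bool:
    """True if a 'get system status' version string falls inside an affected range."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED.get(product, []))


def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiOS event-log line into a dict of fields."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def find_iocs(lines: List[str], mgmt_nets: List[str]) -> List[Dict[str, str]]:
    """Flag jsconsole admin logins from unexpected sources and super_admin accounts added via jsconsole.

    mgmt_nets: CIDR ranges from which interactive GUI/CLI-console use is legitimate (assumed).
    """
    allow = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_log(line)
        # Both the login and the follow-on config changes carry ui="jsconsole" or ui="jsconsole(<ip>)".
        if not ev.get("ui", "").startswith("jsconsole"):
            continue
        if ev.get("action") == "login" and ev.get("status") == "success":
            src = ev.get("srcip", "")
            try:
                ip = ipaddress.ip_address(src)
                suspicious = (ip.is_loopback or src in BOGUS_SRC
                              or src == ev.get("dstip") or not any(ip in n for n in allow))
            except ValueError:
                suspicious = True  # a missing or malformed srcip is itself anomalous
            if suspicious:
                findings.append({"type": "jsconsole_login", "user": ev.get("user", ""),
                                 "srcip": src, "time": ev.get("time", "")})
        elif (ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin"
              and "accprofile[super_admin]" in ev.get("cfgattr", "")):
            findings.append({"type": "new_super_admin", "account": ev.get("cfgobj", ""),
                             "by": ev.get("user", ""), "time": ev.get("time", "")})
    return findings


# CONSTRUCTED sample lines (not real device output), shaped like FortiOS event logs.
SAMPLE_LOGS = [
    # Legitimate: an administrator opens the GUI CLI console from the management subnet.
    'date=2026-03-02 time=09:14:10 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # Suspicious: jsconsole login with spoofed source and destination, the FG-IR-24-535 pattern.
    'date=2026-03-02 time=03:41:57 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" '
    'srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # Suspicious: a randomly named super_admin account added through the same channel.
    'date=2026-03-02 time=03:42:05 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" '
    'cfgpath="system.admin" cfgobj="kd3Qx" cfgattr="password[*]accprofile[super_admin]vdom[root]" '
    'msg="Add system.admin kd3Qx"',
]

if __name__ == "__main__":
    print("FortiOS v7.0.14 affected:", is_affected("FortiOS", "v7.0.14 (GA.F)"))
    for finding in find_iocs(SAMPLE_LOGS, ["10.20.0.0/24"]):
        print(finding)
```

Run it against exported event logs (`execute log filter` output or your syslog archive) with `mgmt_nets` set to the subnets from which your administrators genuinely use the GUI console; a jsconsole login from anywhere else, or any super_admin account you did not create, is grounds to treat the appliance as compromised rather than merely unpatched.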

Conclusion

The Gentlemen's ascent from a forum grievance to a top-tier ransomware operation in under a year is a case study in how quickly the threat landscape can shift. Their methodical approach — pre-built exploit databases, BYOVD EDR bypass, engineered ransomware samples, and aggressive affiliate recruitment — represents a level of operational maturity that should not be underestimated. For Saudi financial institutions whose FortiGate infrastructure may already be in that 14,700-device database, the window for proactive response is narrow.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including a FortiOS exposure audit and gap analysis against SAMA CSCC Domain 3 and Domain 4 requirements.