
The Gentlemen Ransomware Group Exploits Fortinet Flaws and AI Tools

Severity: High (Score: 69.5)

Sources: Cybersecuritynews, Gbhackers

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: ransomware, gentlemen, group, fortinet, exploits, custom, uses

Severity indicators: ransomware, ransomware group

Summary

The Gentlemen ransomware group has emerged as a significant threat in 2026, exploiting vulnerabilities in Fortinet systems, particularly CVE-2024-55591, an authentication bypass flaw. The group has been observed running brute-force attacks against approximately 1,000 Fortinet VPN instances, often succeeding against weak credentials. It operates a custom command-and-control framework called G-BOT in place of traditional tools like Cobalt Strike. AI tools, including ChatGPT, are used for social engineering and for automating victim communications. The group shares infrastructure with other ransomware brands, consistent with the broader trend of rebranding among cybercriminals. Its operations have been linked to a threat actor known as 'Tinker,' who has appeared in previous ransomware campaigns. The current status of its activities suggests ongoing exploitation and a high level of operational sophistication.

Key Points:

  • The Gentlemen ransomware group exploits Fortinet vulnerabilities, notably CVE-2024-55591.
  • They run brute-force attacks against around 1,000 Fortinet VPN instances with weak credentials.
  • AI tools are integrated into their operations for phishing and victim communication.

Detailed Analysis

**Impact**

The Gentlemen ransomware group has targeted organizations using Fortinet edge devices, with at least 1,000 Fortinet VPN instances subjected to brute-force attacks. The group’s activity affects multiple sectors globally, leveraging stolen credentials and exfiltrating data via cloud services like MEGA. The operational consequences include encrypted virtual machines at the hypervisor level, bypassing guest monitoring and causing significant disruption to business continuity and data integrity.

**Technical Details**

Initial access is gained through exploitation of CVE-2024-55591, a FortiOS authentication bypass vulnerability, combined with brute-force attacks using weak or reused credentials such as “gentlemen25.” The group employs a custom C2 framework called G-BOT supporting SOCKS5 tunneling and uses public file-sharing platforms for payload delivery. Post-exploitation tools include LummaC2, Phemedrone Stealer, and DumpBrowserSecrets for credential harvesting, with data exfiltration conducted via rclone to Synology NAS staging servers and MEGA cloud storage. Defensive evasion techniques include NTDLL unhooking, direct syscalls, ETW patching, and debug register manipulation. The group also targets Hyper-V environments to encrypt VM storage at the host level.

**Recommended Response**

Apply patches addressing CVE-2024-55591 on all Fortinet FortiGate and FortiOS devices immediately. Enforce strong, unique credentials and implement multi-factor authentication on VPN and edge devices. Monitor for brute-force attempts and unusual outbound connections to public file-sharing services and cloud storage platforms. Deploy detections for custom C2 traffic patterns, including SOCKS5 tunneling, and monitor for signs of hypervisor-level encryption activity.
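The monitoring recommendation above can be made concrete. The following Python is an added example, not code from either source article or from Fortinet; it parses constructed key=value event lines written in the style of FortiGate SSL-VPN logs (the field names `date`, `time`, `action`, `user`, `remip` and the action values `ssl-login-fail` / `ssl-login` are assumptions to verify against the log reference for your FortiOS version) and flags three patterns a defender cares about when a VPN edge is being brute-forced: many failures from one source within a sliding window, one source cycling through several usernames (password spraying), and a successful login from a source that was failing moments before, which is the moment a weak credential such as the one described above actually gives way.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action values assumed for this example; confirm them against your
# FortiOS log reference before relying on them.
FAIL_ACTION = "ssl-login-fail"
SUCCESS_ACTION = "ssl-login"

# Constructed sample events (made-up IPs, usernames and timestamps).
SAMPLE_LOGS = """\
date=2026-06-01 time=02:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:00:14 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:00:29 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:00:45 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:01:02 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:01:20 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:01:37 type="event" subtype="vpn" action="ssl-login" user="admin" remip=198.51.100.7
date=2026-06-01 time=02:03:00 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.9
date=2026-06-01 time=02:04:10 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=203.0.113.9
date=2026-06-01 time=02:05:20 type="event" subtype="vpn" action="ssl-login-fail" user="svc-backup" remip=203.0.113.9
date=2026-06-01 time=02:10:00 type="event" subtype="vpn" action="ssl-login-fail" user="rgarcia" remip=192.0.2.44
date=2026-06-01 time=02:21:00 type="event" subtype="vpn" action="ssl-login" user="rgarcia" remip=192.0.2.44
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_vpn_bruteforce(lines, window=timedelta(minutes=5),
                          fail_threshold=5, spray_threshold=3):
    """Walk events in log order and return (kind, remip, detail) alerts.

    brute-force:            >= fail_threshold failures from one IP in window
    password-spray:         >= spray_threshold distinct users from one IP in window
    success-after-failures: a successful login from an IP still holding
                            failures inside the window
    Each (kind, ip) pair is reported once.
    """
    recent = defaultdict(deque)   # remip -> deque of (timestamp, user) failures
    seen = set()
    alerts = []

    def emit(kind, ip, detail):
        if (kind, ip) not in seen:
            seen.add((kind, ip))
            alerts.append((kind, ip, detail))

    for line in lines:
        ev = parse_line(line)
        if not {"date", "time", "action", "remip"} <= ev.keys():
            continue  # not an event we can evaluate
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        ip, user = ev["remip"], ev.get("user", "")
        q = recent[ip]
        # Slide the window: drop failures older than `window`.
        while q and ts - q[0][0] > window:
            q.popleft()

        if ev["action"] == FAIL_ACTION:
            q.append((ts, user))
            distinct_users = {u for _, u in q}
            if len(q) >= fail_threshold:
                emit("brute-force", ip, f"{len(q)} failures within {window}")
            if len(distinct_users) >= spray_threshold:
                emit("password-spray", ip,
                     f"{len(distinct_users)} distinct users within {window}")
        elif ev["action"] == SUCCESS_ACTION and q:
            emit("success-after-failures", ip,
                 f"login as {user!r} after {len(q)} recent failures")
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_vpn_bruteforce(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for kind, ip, detail in run_sample():
        print(f"{kind:24} {ip:16} {detail}")
```

On the sample, 198.51.100.7 trips the brute-force rule at its fifth failure and then the success-after-failures rule when `admin` finally authenticates, 203.0.113.9 trips only the spray rule (three users, three failures), and 192.0.2.44 produces nothing because its single failure has aged out of the window by the time the legitimate login arrives. The thresholds and window are deliberately parameters: tune them to your authentication baseline, and treat the success-after-failures alert as the one that warrants immediate credential reset and session review.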

Source articles (2)

  • Gentlemen Ransomware Exploits Fortinet Flaws, AI, and Custom C2 Tools — Gbhackers · 2026-06-03
    A newly analyzed leak tied to The Gentlemen ransomware group reveals how modern ransomware operations are evolving in structure and tooling while relying on the same proven intrusion techniques seen o…
  • The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks — Cybersecuritynews · 2026-06-03
    A Russian-speaking ransomware crew known as The Gentlemen has quickly risen to become one of the most active threats in 2026, ranking second only to Qilin in ransomware activity. Their toolkit combine…

Timeline

  • 2025-01-14 — CVE-2024-55591 published: Fortinet disclosed an authentication bypass vulnerability in FortiOS, enabling potential exploitation.
  • 2025-01-14 — CVE-2024-55591 added to CISA KEV: CISA included CVE-2024-55591 in its Known Exploited Vulnerabilities catalog due to active exploitation.
  • 2025-01-19 — First public PoC for CVE-2024-55591: A proof of concept for the Fortinet vulnerability was publicly released, increasing risk of exploitation.
  • Recent — Brute-force attacks on Fortinet VPNs observed: The Gentlemen group targeted around 1,000 Fortinet VPN instances using weak credentials like 'gentlemen25'.

CVEs

  • CVE-2024-55591

Related entities

  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • CWE-287 - Improper Authentication (Cwe)
  • 0x0.st (Domain)
  • bestflowers247.online (Domain)
  • 193.228.128.2 (Ipv4)
  • Breaker C2 (Malware)
  • Cobalt Strike (Malware)
  • DumpBrowserSecrets (Malware)
  • LummaC2 (Malware)
  • Phemedrone Stealer (Malware)
  • T1003.005 - Cached Domain Credentials (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1105 - Ingress Tool Transfer (Mitre Attack)
  • T1110 - Brute Force (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • T1555.003 - Credentials From Web Browsers (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
  • T1572 - Protocol Tunneling (Mitre Attack)
  • FortiGate (Platform)
  • FortiOS (Platform)
  • Hyper-V (Platform)
  • MEGA Cloud Storage (Platform)
  • Synology NAS (Platform)
  • ChatGPT (Platform)
  • Fortinet (Company)
  • Black Basta (Ransomware Group)
  • Conti (Ransomware Group)
  • Qilin (Ransomware Group)
  • The Gentlemen (Ransomware Group)
  • Claude (Tool)
  • G-BOT (Tool)
  • Hugging Face (Tool)
  • RClone (Tool)
  • Temp.sh (Tool)