ctipilot.ch

The Gentlemen

actor · actor:thegentlemen single-source

The Gentlemen — RaaS surged Q1 2026 (192 attacks, 588% QoQ); 32% of victims European; FortiGate CVE-2024-55591 initial-access funnel

Coverage timeline: 21 entries, first 2026-05-04 → last 2026-06-29 (13 distinct days)
Sources cited: 51 (41 hosts)
Sections touched: 7, including active-threats, research, weekly-annual-reports
Co-occurring entities: 8

Story timeline

  1. 2026-06-29 · weekly-long-running · The Gentlemen
  2. 2026-06-29 · weekly-annual-reports · ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report
  3. 2026-06-27 · active-threats · "The Gentlemen" ransomware claims 478 victims and adds worm propagation — Switzerland the second-most-targeted European country
  4. 2026-06-22 · weekly-multi-day · The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named
  5. 2026-06-22 · weekly-sector-patterns · Energy, water & OT — perimeter and process failures, with an OT-adjacent halt
  6. 2026-06-22 · weekly-annual-reports · Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named
  7. 2026-06-20 · active-threats · The Gentlemen (Storm-2697) claims OT-adjacent Mackay Sugar attack; operator attributed to a Russian national
  8. 2026-06-19 · research · ESET: the Gentlemen RaaS gang centrally builds and maintains its affiliates' EDR-killer framework
  9. 2026-06-12 · active-threats · The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named
  10. 2026-05-29 · active-threats · The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
  11. 2026-05-25 · weekly-long-running · The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle
  12. 2026-05-25 · weekly-annual-reports · Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot
  13. 2026-05-23 · research · Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days
  14. 2026-05-18 · weekly-long-running · The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues
  15. 2026-05-14 · active-threats · The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub
  16. 2026-05-11 · weekly-long-running · "The Gentlemen" RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial access CVEs confirmed
  17. 2026-05-11 · weekly-looking-ahead · Looking ahead — 2026-W20
  18. 2026-05-11 · weekly-annual-reports · Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims
  19. 2026-05-04 · weekly-long-running · The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel
  20. 2026-05-04 · weekly-looking-ahead · Looking ahead — 2026-W19
  21. 2026-05-04 · weekly-long-running · Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims

Where this entity is cited

  • weekly-long-running (6)
  • active-threats (5)
  • weekly-annual-reports (4)
  • weekly-looking-ahead (2)
  • research (2)
  • weekly-sector-patterns (1)
  • weekly-multi-day (1)

Source distribution

  • attack.mitre.org: 5 (10%)
  • blog.checkpoint.com: 3 (6%)
  • research.checkpoint.com: 3 (6%)
  • bleepingcomputer.com: 2 (4%)
  • helpnetsecurity.com: 2 (4%)
  • almalinux.org: 1 (2%)
  • bankinfosecurity.com: 1 (2%)
  • bishopfox.com: 1 (2%)
  • other: 33 (65%)

Entries about The Gentlemen (21)

2026-06-29

The Gentlemen

high · synthesis · discovered 2026-06-29 00:21 UTC

The W25 multi-day item now has primary-evidence depth (the ESET deep-dive, § 7) and a sharp Swiss angle: Check Point data, reported by Swiss tech press, makes Switzerland the second-most-targeted European country for the operation, which now claims 478 victims and has added worm propagation. The operationally important link is that victim selection runs on FortiGate misconfiguration scanning — so a Swiss organisation's FortiBleed exposure (above) is also its Gentlemen-victim-selection exposure. Outstanding for defenders: the same FortiGate hardening that closes FortiBleed reduces Gentlemen targeting, and EDR-tamper-protection plus driver-blocklist enforcement is the GentleKiller counter.

ransomware organized-crime russia-nexus switzerland dach europe

2026-06-29

ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report

notable · annual-report · discovered 2026-06-29 00:21 UTC

Background. The Gentlemen emerged in late 2025 as a RaaS operation founded by "hastalamuerte" (a former Qilin affiliate per Group-IB, previously affiliated with Embargo, LockBit, Medusa and BlackLock per PRODAFT). ESET first hypothesised an in-house EDR-killer in February 2026; Group-IB and Check Point independently corroborated before the gang's own internal data leaked. By April 2026 the group accounted for ~10% of global ransomware activity, and Krebs (06-10) linked the alias to a named individual in Izhevsk, Russia.

ESET's 06-26 deep-dive into the leaked internal data is the most substantive published-in-window documentation of RaaS tooling structure, and reads as a mid-year complement to the W25 Check Point State of Ransomware Q1 2026. Three structural findings a detection engineer should register: (1) GentleKiller is a modular in-house framework with at least eight BYOVD variants, each impersonating a different vendor and abusing a different kernel driver — driver allow-listing alone is insufficient without process-injection-chain detection; (2) the group integrates rival gangs' EDR killers (HexKiller from Warlock, ThrottleBlood shared with MedusaLocker/DragonForce, HavocKiller), so tooling overlap no longer implies operational overlap; (3) victims are selected centrally on FortiGate misconfiguration rather than geography, tying the Gentlemen victim pipeline directly to FortiBleed-style reconnaissance (§ 8). New BYOVD PoCs are operationalised within days of public release. (daily 06-27)

ransomware organized-crime russia-nexus global europe switzerland

2026-06-27

"The Gentlemen" ransomware claims 478 victims and adds worm propagation — Switzerland the second-most-targeted European country

high · threat · discovered 2026-06-27 05:17 UTC

UPDATE (originally covered in the 2026-W25 weekly): The fresh in-window signal on The Gentlemen ransomware operation is geographic: Swiss tech press, citing Check Point Research, reports Switzerland as the second-most-targeted European country (after Germany) for the group (inside-it.ch, 2026-06-26).

The group's established profile — detailed earlier this month — is 478 claimed victims and a --spread command-line argument enabling self-propagation across Windows networks via SMB share enumeration and credential reuse (The Hacker News, 2026-06-11). Combined with the previously reported GentleKiller BYOVD EDR-killer, the Swiss-targeting signal means a foothold in one Swiss organisation can spread laterally without further operator action; defenders should enforce SMB signing, restrict admin shares, apply the Microsoft vulnerable-driver blocklist, and alert on a --spread argument in ransomware process trees.

ransomware organized-crime switzerland dach europe

2026-06-22

Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named

notable · annual-report · discovered 2026-06-22 00:15 UTC

Surfaced this week for its CH/EU-specific findings, Check Point's Q1 2026 ransomware report (published 11 May, not covered in the dailies) documents a structural consolidation: the top 10 groups now hold 71.1% of all leak-site victims, the highest concentration since early 2024 and a reversal of two years of fragmentation — meaning defenders face fewer but more professionalised adversaries (Check Point Research; corroborated by Emsisoft). The Gentlemen grew +315% quarter-on-quarter (explaining this week's Mackay Sugar and GentleKiller coverage in § 2) and LockBit 5.0 resurged +106% on a Rust rewrite. The geography is the operative detail for this audience: for Switzerland, Check Point notes that Akira accounts for roughly 31% of Swiss ransomware victims, and Germany is the #2 country globally for ransomware victims (Emsisoft). The synthesis a Swiss SOC should take: Akira is the dominant ransomware threat to model against domestically, and the consolidation trend favours investing detection effort against a smaller set of high-capability operators (Qilin, Akira, The Gentlemen, LockBit 5.0).

ransomware organized-crime switzerland europe global

2026-06-22

Energy, water & OT — perimeter and process failures, with an OT-adjacent halt

notable · synthesis · discovered 2026-06-22 00:14 UTC · single-source

Critical-infrastructure exposure ran from cyber intrusion to physical mishandling. Handala's Cal Water breach (above) and the Rockwell ICS advisory batch (§ 3) bracket the cyber end; at the process end, a Kyushu Electric subsidiary lost an unencrypted portable SSD holding ~10.9M customer records — reportedly Japan's largest personal-data breach (BleepingComputer, 2026-06-14; daily 06-14). The Gentlemen's Mackay Sugar claim (§ 2) halted milling at two of three mills — an OT-adjacent production impact even without confirmed OT-network compromise.

data-breach ot-ics apac global

2026-06-22

The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named

high · synthesis · discovered 2026-06-22 00:14 UTC

The Gentlemen RaaS operation moved from tooling disclosure to victim impact to attribution across three days. On 2026-06-18 ESET published a months-long investigation showing the gang centrally builds and maintains its affiliates' GentleKiller EDR-killer framework — a structural departure from the affiliate norm in which each affiliate sources its own evasion tooling (ESET, 2026-06-19; daily 06-19). On 2026-06-18 Mackay Sugar — Australia's second-largest sugar producer — confirmed an intrusion around 10 June that halted milling at two of three mills, an OT-adjacent impact the group later claimed (The Record, 2026-06-18; daily 06-20). Separately, KrebsOnSecurity published OSINT attribution identifying the group's administrator ("Hastalamuerte" / "Zeta88") as a 36-year-old from Izhevsk, Russia, who reportedly uses AI tooling to develop ransomware and assist post-exploitation (KrebsOnSecurity, 2026-06-10).

The defender signal is the centralised EDR-killer model: because the BYOVD evasion tooling is built once and pushed to all affiliates, detection content that catches GentleKiller's driver-load and EDR-tamper behaviour generalises across every affiliate intrusion rather than needing per-affiliate tuning. The Krebs attribution is an analytical claim, not an indictment — treat it as context, not actionable IOC.

ransomware organized-crime russia-nexus ot-ics global

2026-06-20

The Gentlemen (Storm-2697) claims OT-adjacent Mackay Sugar attack; operator attributed to a Russian national

notable · threat · discovered 2026-06-20 05:12 UTC

UPDATE (originally covered 2026-06-19): Following ESET's 2026-06-19 documentation of the group's GentleKiller EDR-killer framework, The Gentlemen ransomware group has claimed an OT-adjacent attack on Mackay Sugar (Australia's second-largest sugar producer), which confirmed on 2026-06-18 that an external party accessed its IT environment around 10 June, halting milling at two of three mills (The Record, 2026-06-18).

Separately, KrebsOnSecurity reported OSINT attribution identifying the group's administrator — operating as "Hastalamuerte" / "Zeta88" — as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia, cross-matched across ProtonMail addresses, Telegram IDs and Russian breach corpora (KrebsOnSecurity, 2026-06-10). Krebs reports the administrator uses AI tooling to develop ransomware and assist post-exploitation. The attribution is Krebs's analytical claim, not a confirmed indictment; for defenders the operational signal remains the group's 90%-affiliate RaaS model and its BYOVD EDR-kill tradecraft documented on 2026-06-19.

ransomware organized-crime russia-nexus global

2026-06-19

ESET: the Gentlemen RaaS gang centrally builds and maintains its affiliates' EDR-killer framework

notable · research · discovered 2026-06-19 05:20 UTC

ESET's months-long investigation into the Gentlemen ransomware-as-a-service operation reveals a structural departure from the affiliate norm: rather than each affiliate sourcing its own evasion tooling, the operators build, maintain and distribute a modular EDR-killing framework — GentleKiller — centrally (ESET, 2026-06-18; Help Net Security, 2026-06-18). GentleKiller comprises at least eight variants, each abusing a different legitimately signed driver via BYOVD (T1543.003), targeting 400+ named security processes mapped to 48 EDR/AV/XDR product families. The defining operational pattern is speed: ESET documents the gang operationalising newly disclosed BYOVD proof-of-concepts within days of public release, and in one case wielding a Huawei-audio-driver kill technique before its public disclosure — ESET telemetry shows the gang using it since at least 2026-01-23, weeks ahead of the technique's public write-up (by Huntress) on 2026-03-19. Common evasion across variants includes Enigma/Themida packing and invalid copies of digital certificates impersonating major AV vendors; a Rust-based credential stealer (OxideHarvest) handles browser-credential theft. The gang reached top-5 most-active RaaS in Q1 2026, offers affiliates a 90% cut, and shows globally distributed victimology including Western Europe — a profile overlapping Swiss critical-sector exposure.

Why it matters to us: an operator-curated EDR-killer means affiliates of even modest skill get current BYOVD capability on day one of a PoC. Enable the Microsoft Vulnerable Driver Blocklist (HVCI) and enforce WDAC driver allowlisting; hunt for service creation loading unexpected kernel drivers and DeviceIoControl calls from non-security processes, plus process-termination loops targeting security software (Sysmon EID 6 / kernel-callback telemetry).

ransomware organized-crime global europe

2026-06-12

The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named

high · threat · discovered 2026-06-12 05:00 UTC

The Gentlemen — tracked by Microsoft as Storm-2697 and by PRODAFT as Phantom Mantis / LARVA-368 — has claimed 478 victims on its leak site, with victims concentrated in Thailand, the UK, Brazil, Germany and India (The Hacker News, 2026-06-11). Microsoft's technical dissection details a Go encryptor obfuscated with Garble: per-file ephemeral Curve25519 key pairs with XChaCha20 (the ephemeral public key is appended to each encrypted file after an --eph-- marker), a --spread argument that "turns the malware from a single-host encryptor into a self-propagating worm" — simultaneously abusing network shares, scheduled tasks and remote process execution (T1021.002, T1053.005) — and a --full mode that spawns a SYSTEM-context child via a scheduled task named gentlemen_system (Microsoft Threat Intelligence, 2026-05-28). Defence evasion includes disabling Defender real-time monitoring (T1562.001), re-enabling SMBv1 and registry changes for anonymous share access; persistence runs via UpdateSystem/UpdateUser scheduled tasks and Run keys. On 10 June, KrebsOnSecurity published a deanonymisation tracing the operator handle "Hastalamuerte"/"Zeta88" to a named Russian national in Izhevsk, corroborated by Intel 471, Constella and Flashpoint (KrebsOnSecurity, 2026-06-10). Check Point Research documents the affiliate-favourable 90/10 revenue split and reports affiliates obtaining initial access via Fortinet SSL-VPN credentials (Check Point Research, 2026-05-13). Note: Krebs cites 332 published victims since mid-2025 versus the leak site's 478 claim.

Why it matters to us: the initial-access pattern is concrete and huntable — review Fortinet SSL-VPN authentication logs for brute-force sequences followed by a first-time successful logon from a new ASN; alert on scheduled-task creation named gentlemen_system/UpdateSystem/UpdateUser (Windows Event ID 4698) and on shadow-copy deletion; treat SMBv1 re-enablement on any host as a high-confidence compromise signal.

ransomware organized-crime europe global

2026-05-29

The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor

notable · threat · discovered 2026-05-29 05:00 UTC

UPDATE (originally covered 2026-05-20; consolidated in weekly W21): Microsoft Threat Intelligence published a full dissection of The Gentlemen ransomware on 2026-05-28, giving Storm-2697 a much sharper technical profile than the victim-list reporting available in week 21. The encryptor is a single-binary Go executable (obfuscated through Garble to strip symbol tables), uses Curve25519 + XChaCha20 with per-file ephemeral keys (no bulk-decryption shortcut), and ships a self-propagation module that executes a series of lateral-movement techniques in parallel per host — PsExec, WMIC, scheduled tasks, services, PowerShell remoting — maximising the probability that at least one pivot path succeeds in any AD-joined environment.

Check Point Research's 2026-05-13 writeup adds the actor-side context that Microsoft's dissection does not — Check Point counts approximately 332 victim organisations on the operator's leak site, and documents that on Domain Admin compromise The Gentlemen deploys itself across the estate through a Group Policy Object linked at all relevant OUs. Huntress Labs' 2026-05-21 IR report corroborates the defense-evasion playbook: PowerShell disables Microsoft Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring), stops WinDefend, adds broad Add-MpPreference -ExclusionProcess and drive-level exclusions, disables Controlled Folder Access, and clears Security / System / Application event logs (EID 104, EID 1102). Huntress documented two April / May 2026 incidents in which the entry vector was RDP with compromised credentials, lateral movement reached domain controllers via the NETLOGON share and SCCM's CcmExec.exe, and process names were masqueraded as svchost32.exe. The DFIR Report's 2026-05-11 alert confirmed a related chain in which EtherRAT (delivered via a malicious Sysinternals MSI) and TukTuk C2 preceded Gentlemen deployment. Microsoft's Defender detection name is Ransom:Win64/Gentlemen.A; the recommended Attack Surface Reduction posture per Microsoft's ASR rules reference is "Block process creations originating from PsExec and WMI commands" combined with EDR-in-block-mode enforcement.

Material new development vs. last coverage: full encryption + propagation mechanism, named-cluster identity (Storm-2697), the GPO-spread pathway documented by Check Point Research, and Check Point's count of approximately 332 victims. Detection focus: hunt for wevtutil cl Security|System|Application chained with sc stop WinDefend or msconfig; flag svchost32.exe spawned outside %SystemRoot%\System32; alert on CcmExec.exe launching non-SCCM payloads. Hardening: enforce SMB signing via GPO, restrict GPO-creation rights to a hardened OU, enable Credential Guard, monitor Event ID 5136 for GPO modifications and 5140 for hidden SMB share access.
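The Windows-side hunt items from the 2026-06-12 entry (gentlemen_system/UpdateSystem/UpdateUser task creation, SMBv1 re-enablement) and from the detection focus above (wevtutil log clear chained with a WinDefend stop, svchost32.exe outside System32, CcmExec.exe launching non-SCCM payloads), written out as rules over constructed event records. This is an added example, not code from the brief or from Microsoft, Huntress or Check Point; the flat event schema, the sample records and the "children of CcmExec.exe live under C:\Windows\CCM" allowlist are assumptions made for illustration.

```python
"""Added example: this brief's Windows hunt items as rules over a constructed,
simplified event schema (not real telemetry):
  host, event_id (4698 = scheduled task created, 1 = Sysmon process create,
  13 = Sysmon registry value set), task_name, image, parent_image,
  cmdline, reg_path, reg_value."""
from __future__ import annotations
from collections import defaultdict

# Task names the brief attributes to Storm-2697, matched case-insensitively.
SUSPICIOUS_TASKS = {"gentlemen_system", "updatesystem", "updateuser"}
SYSTEM32 = "c:\\windows\\system32\\"
SCCM_DIR = "c:\\windows\\ccm\\"          # assumed allowlist for CcmExec.exe children
LOG_CLEAR_TARGETS = {"security", "system", "application"}
DEFENDER_STOP = ("sc stop windefend", "sc.exe stop windefend", "msconfig")
SMB1_VALUE = "\\lanmanserver\\parameters\\smb1"


def _norm(s: str | None) -> str:
    """Lower-case and unify path separators so comparisons are case/slash-insensitive."""
    return (s or "").lower().replace("/", "\\")


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Stateless per-event rules; returns (rule, detail) hits for one record."""
    hits = []
    eid = ev.get("event_id")
    image, parent = _norm(ev.get("image")), _norm(ev.get("parent_image"))
    # Event ID 4698: scheduled task created with one of the documented names.
    if eid == 4698 and _norm(ev.get("task_name")).lstrip("\\") in SUSPICIOUS_TASKS:
        hits.append(("gentlemen-task-name", ev["task_name"]))
    # Sysmon 13: LanmanServer\Parameters\SMB1 set to 1 re-enables SMBv1.
    if eid == 13 and _norm(ev.get("reg_path")).endswith(SMB1_VALUE) \
            and _norm(str(ev.get("reg_value"))) in {"1", "dword (0x00000001)"}:
        hits.append(("smbv1-reenabled", ev["reg_path"]))
    # svchost32.exe is the masqueraded process name; flag it outside System32.
    if image.endswith("\\svchost32.exe") and not image.startswith(SYSTEM32):
        hits.append(("svchost32-masquerade", ev["image"]))
    # CcmExec.exe launching a binary outside the SCCM client directory.
    if parent.endswith("\\ccmexec.exe") and not image.startswith(SCCM_DIR):
        hits.append(("ccmexec-non-sccm-child", ev["image"]))
    return hits


def correlate_defender_kill_chain(events: list[dict]) -> dict[str, list[str]]:
    """Per-host rule: wevtutil cl of Security/System/Application chained with
    a WinDefend service stop or msconfig on the same host."""
    cleared: dict[str, set[str]] = defaultdict(set)
    stopped: set[str] = set()
    for ev in events:
        parts = _norm(ev.get("cmdline")).split()
        if len(parts) >= 3 and parts[0].rsplit("\\", 1)[-1] in ("wevtutil", "wevtutil.exe") \
                and parts[1] in ("cl", "clear-log") and parts[2] in LOG_CLEAR_TARGETS:
            cleared[ev["host"]].add(parts[2])
        if any(m in " ".join(parts) for m in DEFENDER_STOP):
            stopped.add(ev["host"])
    return {h: sorted(logs) for h, logs in cleared.items() if h in stopped}


def run_hunt(events: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Apply all rules; hosts without a hit are omitted from the result."""
    findings: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for ev in events:
        findings[ev["host"]].extend(check_event(ev))
    for host, logs in correlate_defender_kill_chain(events).items():
        findings[host].append(("log-clear-plus-defender-stop", ",".join(logs)))
    return {h: hits for h, hits in findings.items() if hits}


# Constructed sample records (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4698, "task_name": "\\gentlemen_system"},
    {"host": "ws01", "event_id": 1, "image": "C:\\Windows\\Temp\\svchost32.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "svchost32.exe"},
    {"host": "ws01", "event_id": 1, "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "ws01", "event_id": 1, "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc stop WinDefend"},
    {"host": "ws01", "event_id": 13, "reg_value": "DWORD (0x00000001)",
     "reg_path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1"},
    {"host": "dc01", "event_id": 1, "image": "C:\\Users\\Public\\update.exe",
     "parent_image": "C:\\Windows\\CCM\\CcmExec.exe", "cmdline": "update.exe"},
    # fs02: a log clear with no Defender stop, plus a benign task; no hits expected.
    {"host": "fs02", "event_id": 1, "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil cl Application"},
    {"host": "fs02", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

if __name__ == "__main__":
    for host, hits in run_hunt(SAMPLE_EVENTS).items():
        print(host, hits)
```

The single-event rules are deliberately stateless so they can be lifted into a SIEM as-is; only the log-clear chain needs per-host state.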

“Storm-2697 affiliates that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself across an entire network using series of simultaneous lateral movement techniques per target” — Microsoft Threat Intelligence

“Both incidents employed Scheduled Tasks and PowerShell commands to disable Microsoft Defender, add antivirus exclusions, and clear Security/System/Application Event Logs” — Huntress Labs

ransomware actively-exploited identity organized-crime europe switzerland global

2026-05-25

The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle

high · synthesis · discovered 2026-05-25 05:00 UTC

The most consequential campaign development of the window is one no daily captured: on 2026-05-04 a rival actor leaked The Gentlemen's internal Rocket database backend on underground forums, and KELA (2026-05-20) and Check Point ("Thus Spoke The Gentlemen", 2026-05-13) published deep analyses of the resulting six-month (Nov 2025 – Apr 2026) chat archive (key: item:the-gentlemen-raas-czech-university-and-swiss-engineering-fi). The leak exposes the inner circle (admin/infrastructure alias zeta88, also operating as hastalamuerte, alongside Wick, mAst3r, Kunder and others) and — far more useful to defenders — the operation's initial-access playbook: Fortinet and Cisco edge appliances, NTLM relay, harvested OWA / M365 credential logs, and GPO-based deployment of the encryptor. A linked affiliate runs a SystemBC SOCKS5 botnet of 1,570+ victims. This is an intelligence gift: every named access path maps to an existing hunt — prioritise edge-appliance patch state, NTLM-relay hardening (SMB/LDAP signing, channel binding) and anomalous-GPO-creation monitoring. Per Check Point's Q1 data the group sits at #3 globally (§ 6) — though its victims concentrate in Thailand, Brazil and India (US ~13%), so the European and Swiss listings carried over from W21 run against its centre of gravity, which is precisely what makes a CH/EU hit worth surfacing rather than treating as background.

ransomware organized-crime identity europe switzerland global

2026-05-25

Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot

notable · annual-report · discovered 2026-05-25 05:00 UTC

Horizon research surfaced a quarterly report the dailies did not cover: Check Point's Q1 2026 State of Ransomware (published 2026-05-11). The synthesis that matters for a CH/EU public-sector SOC is structural, not the leaderboard: after two years of fragmentation driven by law-enforcement pressure on LockBit, ALPHV/BlackCat and others, the ecosystem is reconsolidating — the top ten leak-site operations now account for roughly 71% of listed victims, with Qilin holding the top spot for a third straight quarter and The Gentlemen (§ 7) entering the top three. The single most defender-relevant finding is LockBit's comeback paired with a deliberate geographic shift toward European and Latin American targets — which moves the rebuilt operation directly into this audience's threat model rather than leaving it a US-centric concern. Read alongside the Gentlemen internal-leak intelligence in § 7, the picture is a smaller number of higher-capability operations with European intent; prioritise the edge-appliance and identity hardening those operators are documented to rely on.

ransomware organized-crime global europe

2026-05-23

Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

notable · annual-report · discovered 2026-05-23 05:00 UTC

Rapid7 Labs published its Q1 2026 Threat Landscape Report on 2026-05-21 covering January–March 2026 IR data; the GlobeNewswire release accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

  • Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %) in Rapid7's Q1 2026 dataset. The implication: edge / perimeter patch SLAs and exposure management now drive blast-radius more than awareness training does.
  • More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything user-interaction-dependent.
  • Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days. Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report frames this as faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the exploitation-confirmation signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
  • Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
  • SQL injection became the most-exploited vulnerability class in Q1 2026, validating the Drupal CVE-2026-9082 story above as part of a broader shift.
  • RMM tool abuse accounted for 22.9 % of observed threat activity, ClickFix-style social engineering 18.8 % — both worth re-checking on EDR detection coverage in EU/CH environments where ClickFix browser drive-by is less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure-extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.

vulnerabilities ransomware nation-state ai-abuse global

2026-05-18

The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues

notable · synthesis · discovered 2026-05-18 05:00 UTC · single-source

The Gentlemen RaaS listed two new European victims — the University of Finance and Administration (Czech Republic) and a Swiss engineering firm — on its leak site (daily 2026-05-20). The operator's previously-announced communications-infrastructure overhaul (rather than shutdown) means continued activity; the Swiss-victim listing is the direct CH-nexus signal this week. Watch for sample-data publication confirming the listings versus opportunistic re-listing.

ransomware organized-crime europe switzerland

2026-05-14

The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub

high · threat · discovered 2026-05-14 05:00 UTC

UPDATE (originally covered 2026-05-10 in the Q1 2026 ransomware quarterly synthesis): Check Point Research published "Thus Spoke…The Gentlemen" on 2026-05-13, a detailed analysis of a 44.4 MB extract from the group's leaked "Rocket" backend database (16.22 GB total) that was posted to the cybercrime forum Breached on 2026-05-04 after the group's infrastructure was compromised by an unidentified actor (Check Point Research, 2026-05-13; BankInfoSecurity, 2026-05-11). The dataset contains 8,200 lines of internal chat-tool traffic across channels INFO / general / TOOLS / PODBOR, shadow files with password hashes, affiliate negotiation transcripts, and configuration artefacts for the ZeroPulse C2 framework.

Nine operator handles are identified — including administrator zeta88 (also hastalamuerte), who both manages the RaaS panel and participates directly in encryption events. Reconstructed attack chain: initial access almost exclusively via unpatched edge devices — FortiGate CVE-2024-55591 (the group's documented mainstay), Cisco appliances, CWMP/TR-069 interfaces — or purchased infostealer credentials; post-access tooling includes NetExec, RelayKing (NTLM relay), CertiHound (AD Certificate Services abuse), TaskHound, PrivHound; EDR-suppression utilities EDRStartupHinder, gfreeze and glinker manipulate ETW callbacks and NTDLL syscall tables; persistence is maintained via Cloudflare Zero Trust tunnels and self-provisioned WireGuard/OpenVPN chains.

Two operationally critical facts: (1) Check Point Research attributes a count of 1,570+ victim entries to a separately-exposed SystemBC C&C server, against 332 victims publicly listed on the group's data-leak site in the first five months of 2026 — significant under-reporting of true scope (Check Point's wider comparison cites 412 cumulative DLS listings); (2) the decryptor has been released as GitHub Bedrock-Safeguard/gentlemen-decryptor, enabling existing victims to recover without payment (decryptor disclosed in BankInfoSecurity's 2026-05-11 reporting). For Swiss / EU SOCs handling an active Gentlemen incident the workflow changes today: attempt decryption before any negotiation. Detection pivots from the leak: alert on EDRStartupHinder, gfreeze, glinker process names (custom binaries, not commodity); monitor for AD Certificate Services reconnaissance (certutil enumeration of CA servers and templates) consistent with CertiHound; correlate with FortiGate CVE-2024-55591 initial-access exploitation patterns that the group continues to weaponise.

ransomware organized-crime identity europe global

2026-05-11

Looking ahead — 2026-W20

notable · outlook · discovered 2026-05-11 05:00 UTC

Items already in motion at the close of 2026-W20. Not predictions — each links to the in-motion reporting underneath.

  • Microsoft Exchange CVE-2026-42897 — Microsoft permanent patch and out-of-band advisory on DEVCORE Pwn2Own three-bug chain pending. Active OWA-XSS exploitation continues; the federal-civilian KEV deadline is 2026-05-29 (US-FCEB compliance date, not operational signal for CH/EU); the operationally critical milestone is Microsoft shipping a permanent patch and clarifying whether the DEVCORE chain is being weaponised against the same OWA initial-access vector. (Microsoft Security Blog; daily 2026-05-16)
  • PAN-OS CVE-2026-0300 wave-2 patches landing 2026-05-28. Eight build streams (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7) finish the staged patch arc; verify deployment readiness in advance and audit for svc-health-check-NNNNNN rogue-admin accounts before patching wipes implant artefacts. (Palo Alto PSIRT CVE-2026-0300; daily 2026-05-14 UPDATE)
  • US House Homeland Security Committee CEO briefing deadline 2026-05-21 (Canvas / Instructure). Chairman Garbarino's letter requested an Instructure CEO briefing by 2026-05-21 addressing the intrusion circumstances, the scope and nature of accessed data, IR adequacy, and CISA coordination. The outcome will inform the regulatory template for cantonal-Bildungsdirektion oversight of EdTech-SaaS vendors. (House Homeland Security Committee; daily 2026-05-13 UPDATE)
  • Verizon DBIR 2026 full PDF release — webinar 2026-05-19 11:00 ET. The page-level summary already in this weekly's § 6 will gain the full statistical breakdown after the webinar; the supply-chain doubling finding (15% → 30%) deserves a re-read against the full data to confirm methodology. (Verizon DBIR page)
  • TeamPCP / Mini Shai-Hulud wave 5 risk on PyPI / Cargo / Maven Central. The leaked framework source elevates the risk of secondary operators applying the same techniques against other registries. Detection-engineering teams should pre-stage hunts for IDE-hook entries (.claude/settings.json, .vscode/tasks.json) and Sigstore-provenance anomaly detection. (Datadog Security Labs)
  • CRA milestone 11 June 2026 — CAB notification provisions become applicable. Member-state notifying-authority designations must be in place by then. Swiss product manufacturers selling into EU markets should track which CABs are designated in their target member states. (EC CRA implementation factpage)
  • KRITIS-DachG German registration deadline 2026-07-17 (61 days). German public-administration operators of critical facilities must register with BBK / BSI; failure to register carries fines of up to EUR 500,000. Cross-border CH-DE operators should verify subsidiary obligations. (Luther Lawfirm)
  • Dirty Frag CVE-2026-43500 (RxRPC) — remaining distro patch propagation. AlmaLinux 8 not affected; RHEL 9 errata rolling; lagging configurations are systems with kernel-modules-partner installed (AFS-using estates). Track distro-vendor security-advisory updates through 2026-W21. (AlmaLinux blog)
  • "The Gentlemen" RaaS — comms overhaul means continued activity expected; affiliate response to decryptor publication. Administrator zeta88's announced communications-infrastructure overhaul rather than shutdown means operations continue; affiliate response to Bedrock Safeguard's decryptor and any binary-side patches the operator deploys are the open watch items. (Check Point Research)
  • MOVEit Automation CVE-2026-4670 — still no ITW confirmed at week-end. Patches available 2025.1.5 / 2025.0.9 / 2024.1.8; 1,400+ internet-exposed instances catalogued. The W19 horizon item remains open; watch for KEV addition or first-victim disclosure. (Help Net Security; daily 2026-05-06)
  • GTIG UNC6671 "BlackFile" DLS-shutdown signal — probable rebrand. GTIG's documentation of the DLS shutdown points to a probable operator rebrand; watch for a new leak-site / new operator-handle reusing the vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration TTP set. (daily 2026-05-16)
  • Windows BitLocker YellowKey and CTFMON GreenPlasma — Microsoft permanent patch and / or out-of-band advisory pending. Public PoC continues; the May 2026 Patch Tuesday did not address either; out-of-band release is the operationally expected path. Until a patch lands the BitLocker-PIN GPO enforcement and privileged-account-segregation discipline remain the only available controls. (daily 2026-05-15)
  • SEPPmail CVE-2026-44128 — independent third-party PoC or root-cause write-up. Two national CERTs (NCSC-CH + CIRCL) now corroborate; the open item is whether a research-lab write-up surfaces that would lift the verification status from SINGLE-SOURCE-NATIONAL-CERT to MULTI-SOURCE. (CIRCL vulnerability.circl.lu)
supply-chain global

2026-05-11

"The Gentlemen" RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial access CVEs confirmed

notable synthesis discovered 2026-05-11 05:00 UTC

Following the 2026-05-04 Rocket backend DB leak (attributed to a breach of hosting provider 4VPS), administrator zeta88 / hastalamuerte announced a full communications-infrastructure overhaul — new NAS deployment and new locker upgrades — signalling no intent to cease operations. The operation maintained ~332 victims in H1 2026, ranking second in global RaaS activity per Check Point Research. Check Point documented initial access via CVE-2024-55591 (FortiOS management interface auth bypass, ITW since November 2024) and CVE-2025-32433 (Erlang SSH in Cisco context); post-access chain includes RelayKing-based NTLM relay (CVE-2025-33073), AD enumeration, EDR disablement, and GPO-deployed locker (Check Point Research; Check Point blog; daily 2026-05-14 UPDATE).

Bedrock Safeguard (Canadian security firm) published a working decryptor on 2026-05-14 exploiting Go's failure to zero XChaCha20 / X25519 ephemeral private-key material from goroutine stacks post-use; 35/35 files decrypted in testing. The operator claims to have patched the binary, so the decryptor capability is best-case retrospective; affiliates show no evidence of forking, and the core nine-person structure remains intact per leaked chats (Bedrock Safeguard decryptor). Defender takeaway: for any Gentlemen-impacted Go-binary host, attempt process-memory dump capture for ephemeral key recovery before reimaging; verify FortiOS patch state on CVE-2024-55591 across every Swiss / EU public-sector Fortinet deployment (the FortiOS bug is the documented initial-access primary, and the W19 long-running record already lists this CVE).

ransomware organized-crime global

2026-05-11

Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims

notable annual-report discovered 2026-05-11 05:00 UTC single-source

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

ransomware organized-crime europe dach

2026-05-04

Looking ahead — 2026-W19

notable outlook discovered 2026-05-04 05:00 UTC

Items already in motion at the close of 2026-W19. Not predictions — each links to the in-motion reporting underneath.

  • Canvas / Instructure extortion deadline — Tuesday 2026-05-12 (two days out). Second-intrusion claim against Instructure made 2026-05-08 despite the May 8 patches; seven Dutch universities disconnected; Dutch DPA and ICO engaged. If deadline passes with no payment and a fresh data dump lands, the second-intrusion claim will have been verified (daily 2026-05-10 UPDATE; Techzine EU).
  • PAN-OS CVE-2026-0300 first patch landing 2026-05-13 (Monday). No patch exists at week-end; the staged release runs 2026-05-13 → 2026-05-28 across PAN-OS branches. A retrospective hunt for svc-health-check-NNNNNN admin accounts and /var/tmp/linuxupdate / /tmp/.c Python implants is the open work item for organisations that were CL-STA-1132 targets between 2026-04-09 and patch deployment (Palo Alto PSIRT; daily 2026-05-09).
  • CVE-2026-31431 "Copy Fail" patch propagation through Friday 2026-05-15. Distro patches continuing to land; Debian 12 patch was pending at week-end; combined-use pattern with Dirty Frag means a host patched for one but not the other still has an LPE primitive available. The Microsoft Security Blog detection-pivot writeup is the right hunt reference (daily 2026-05-09 UPDATE).
  • CVE-2026-43500 (Dirty Frag RxRPC) distribution patches pending. Distro patches were pending at week-end; the CVE-2026-43284 (xfrm-ESP) mainline patch landed 2026-05-08; the second primitive's patch propagation is the open work. The interim mitigation modprobe -r esp4 esp6 rxrpc breaks IPsec VPNs and AFS, so production rollout requires impact testing (Wiz Research; daily 2026-05-09).
  • CVE-2026-42208 LiteLLM Proxy deadline 2026-05-11 (Monday). Patch to ≥ 1.83.7; rotate every upstream LLM-provider API key the proxy ever held. The corollary action item — inventory of every AI-tooling SaaS vendor holding organisation-level upstream-provider keys, with rotation drills — should ship in the same change window (Bishop Fox; daily 2026-05-09).
  • MOVEit Automation CVE-2026-4670 — exploitation still not confirmed at week-end; watch for KEV addition or first-victim disclosure. No in-the-wild exploitation has been confirmed by Progress, CISA, or any threat-intelligence source as of 2026-05-10. The 2023 MOVEit Transfer Cl0p precedent primed expectations for rapid exploitation; the absence of ITW confirmation is itself a status worth tracking through 2026-W20. Unpatched MOVEit Automation deployments remain at risk; if KEV addition or victim disclosure lands in next week's reporting, it will be the highest-priority pivot (Help Net Security; daily 2026-05-06).
  • SEPPmail CVE-2026-44128 — independent third-party security-researcher analysis. Currently single-sourced to NCSC-CH + vendor release notes (national-CERT carve-out applies). Watch for a vendor-PSIRT-style third-party write-up that would corroborate the exploitation-path detail; the GINAv2 /gina/diag/exec mechanic is sufficiently specific that PoC publication is plausible (NCSC-CH 12551; daily 2026-05-09).
  • Ivanti EPMM May 2026 patch wave aftermath. With the KEV deadline (2026-05-10) expired and 508 EU instances confirmed exposed, the public-disclosure roster of EU compromised entities is likely to expand. Watch for additional EU member-state CSIRT advisories naming victims (Ivanti PSIRT; daily 2026-05-08 deep dive).
  • "The Gentlemen" RaaS — European concentration likely to continue into Q2. W1 horizon research surfaced the operator pattern; with ZeroFox-reported 32% Q1 2026 European targeting (up from 2% in Q4 2025) and GPO-injected scheduled-task encryptor propagation across compromised AD domains, continued European victim claims through 2026-Q2 are in motion. Watch for fresh CH/EU public-sector victim disclosures (Check Point Research DFIR Report; ZeroFox Q1 2026 Wrap-Up; § 7).
  • AI-tooling SaaS multi-tenant credential aggregation — sector pattern still surfacing. Braintrust (2026-05-04 AWS) and LiteLLM Proxy (KEV 2026-05-11) are the two confirmed examples of the same architectural class this week. Watch for additional AI-evaluation, AI-observability, AI-agent-gateway, or prompt-management vendor breaches; the operator class behind ShinyHunters / WorldLeaks is actively exploiting the third-party-SaaS pivot pattern (TechCrunch — Braintrust; daily 2026-05-10).
  • ABW NIS2 extension proposal — EU follow-on movement. ABW recommended legislative action to extend NIS2 essential-entity obligations to critical-function entities regardless of headcount (currently many small municipal CI operators sit below threshold). Whether this proposal gains EU-level momentum, or whether other member-state CSIRTs / EU institutions echo the same call after the Polish-water-OT tri-attribution, is the policy-horizon story to track (daily 2026-05-09 UPDATE).
  • ENISA CVE Root migration — 4 new CNA names pending disclosure. ENISA's 2026-05-06 announcement did not disclose the four new CNAs; ~90 European CNAs remain eligible for voluntary transfer. Disclosure of the 4 named CNAs and any additional transfers in 2026-W20 will inform EU public-sector PSIRT-coordination posture (ENISA; daily 2026-05-07).
lpe global

2026-05-04

Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims

notable synthesis discovered 2026-05-04 05:00 UTC

W1 horizon research added Q1 2026 healthcare quarterly context to the Groupe 3R item in § 1. Across Q1 2026, Akira posted 84 victims in March alone (second-most-active month on record) and claimed 5 healthcare victims; Qilin led healthcare at 23 claims (with RENAFAN GmbH and Suchthilfe direkt Essen gGmbH as Qilin's confirmed German victims), and The Gentlemen at 10 healthcare claims (Comparitech Q1 2026 Healthcare, 2026-04-29 · CyberMaxx Q1 2026). Akira's documented attack chain for healthcare: initial access via unpatched VPN (Cisco ASA, SonicWall, Fortinet) or compromised RDP credentials; lateral movement via T1021.001 Remote Services: Remote Desktop Protocol and T1047 Windows Management Instrumentation; LSASS credential harvesting via comsvcs.dll / Mimikatz; AV termination via PowerTool weaponising the Zemana AntiMalware driver (BYOVD); data exfiltration; double extortion. The cross-finding for Swiss / DACH operators reading after Groupe 3R: at least two ransomware-as-a-service operators (Akira and Qilin) are hitting European healthcare in Q1–Q2 2026 via the edge-device / unpatched-VPN attack surface, and the operator that hits a given hospital is less salient defensively than the shared initial-access funnel they exploit.

ransomware organized-crime data-breach europe dach switzerland
