{
  "name": "An Overview of The Gentlemen's TTPs",
  "slug": "an-overview-of-the-gentlemens-ttps",
  "description": "This intelligence report provides a comprehensive analysis of The Gentlemen, a ransomware group known for its sophisticated tactics, techniques, and procedures (TTPs). The group exploits vulnerabilities in FortiOS/FortiProxy, maintains a database of compromised devices, and employs advanced defense evasion techniques. Their initial access methods include exploiting public-facing applications and brute-force attacks. The Gentlemen utilize various execution, persistence, and privilege escalation techniques, while also focusing on credential access and lateral movement. The group's impact includes data encryption and inhibiting system recovery. The report highlights the group's ongoing efforts to improve their ransomware capabilities by reverse-engineering other malware samples.",
  "published": "2026-03-20T08:24:49.787000+00:00",
  "created_at": "2026-03-20T08:46:50.425000+00:00",
  "modified_at": "2026-03-20T07:46:51+00:00",
  "created_at_opencti": "2026-03-20T08:46:50.425000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "babuk",
    "babyk",
    "credential-theft",
    "cve-2023-27532",
    "cve-2024-37085",
    "cve-2024-55591",
    "cve-2025-32463",
    "data-exfiltration",
    "defense-evasion",
    "exploit",
    "fortios",
    "lateral-movement",
    "lockbit 5.0",
    "medusa",
    "qilin",
    "raas",
    "ransomware",
    "the gentlemen",
    "vasa locker"
  ],
  "tags": [
    "2026-03-20",
    "CVE-2023-27532",
    "CVE-2024-37085",
    "CVE-2024-55591",
    "CVE-2025-32463",
    "babuk",
    "babyk",
    "credential-theft",
    "data exfiltration",
    "defense evasion",
    "exploit",
    "fortios",
    "lateral movement",
    "lockbit 5.0",
    "medusa",
    "qilin",
    "raas",
    "ransomware",
    "the gentlemen",
    "vasa locker"
  ],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "0f1249a9-e3de-4205-91ed-c2ee8e475fbb",
        "name": "CVE-2025-32463"
      },
      {
        "id": "62660ce9-fba8-43c4-9ded-5905c2a2b64a",
        "name": "CVE-2023-27532"
      },
      {
        "id": "4d34801a-eb98-4022-b8f3-aeac5bacc285",
        "name": "CVE-2024-55591"
      },
      {
        "id": "0ede4fba-d806-44d2-aa67-8cc61f9e4792",
        "name": "CVE-2024-37085"
      }
    ],
    "indicators": [
      {
        "id": "fe16527a-cca6-471f-86b3-469cb6e55233",
        "name": "2834114ff7e487c4ca3f50ca39f7d652dea1be98f885c388f01b6ff35309307b"
      },
      {
        "id": "7697f26b-e486-420c-b9bd-97863e7a2905",
        "name": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
      },
      {
        "id": "96940790-a6e5-44e9-832d-47861e96eb91",
        "name": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"
      },
      {
        "id": "155d98cf-2855-4cee-8b38-df63298ce9da",
        "name": "194.87.31.69"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c920a404-92c6-423b-9714-146e22302900",
        "name": "The Gentlemen",
        "slug": "the-gentlemen"
      }
    ],
    "attack_patterns": [
      {
        "id": "52279b3d-8158-4964-8c20-9094308fcd03",
        "name": "T1110.001"
      },
      {
        "id": "c16977d5-6367-4c7d-91a8-fd1c57bec164",
        "name": "T1484.001"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "566a4023-1f45-4988-a451-e1564d7dfef4",
        "name": "T1136.002"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      }
    ],
    "malware": [
      {
        "id": "3c4fce06-9463-40fd-b6de-f03e30ceee53",
        "name": "Babuk - S0638",
        "slug": "babuk-s0638"
      },
      {
        "id": "c3a3b48c-6292-4f52-8163-b7a8c3a196af",
        "name": "LockBit 5.0",
        "slug": "lockbit-50"
      },
      {
        "id": "11c326b4-9d4e-4210-89da-05336d554bed",
        "name": "Medusa",
        "slug": "medusa"
      },
      {
        "id": "10ade440-687e-45c6-992a-3b0ab99cb572",
        "name": "The Gentlemen",
        "slug": "the-gentlemen"
      },
      {
        "id": "df9c1329-2d8a-4477-865e-8b01c4d7c0e6",
        "name": "Qilin",
        "slug": "qilin"
      },
      {
        "id": "d8b25c9f-94de-48f0-b544-786ab2ae2fe7",
        "name": "Babyk",
        "slug": "babyk"
      },
      {
        "id": "legacy:malware:4a7d4c57851884f4",
        "name": "Vasa Locker",
        "slug": "vasa-locker"
      }
    ],
    "observables": [
      {
        "id": "80a1a19c-4ddf-43e1-974d-1f5c60cd8d7e",
        "name": "194.87.31.69"
      },
      {
        "id": "",
        "name": "2834114ff7e487c4ca3f50ca39f7d652dea1be98f885c388f01b6ff35309307b"
      },
      {
        "id": "",
        "name": "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
      },
      {
        "id": "",
        "name": "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"
      }
    ]
  },
  "external_refs": [
    {
      "id": "0bec0758-b022-454f-a865-b1b1360968af",
      "standard_id": "external-reference--c9e7005a-ba84-57b6-aa52-cfe7ecd52c1f",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/",
      "hash": null,
      "external_id": null,
      "created": "2026-03-20T08:46:45.303Z",
      "modified": "2026-03-20T08:46:45.303Z",
      "createdById": null
    },
    {
      "id": "939db196-d3b7-4ea1-a474-70833ee61309",
      "standard_id": "external-reference--d2b95893-0b9c-576e-88ca-8b61c54e8f52",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69bd045137b178c16714dcf6",
      "hash": null,
      "external_id": "69bd045137b178c16714dcf6",
      "created": "2026-03-20T08:46:45.264Z",
      "modified": "2026-03-20T08:46:45.264Z",
      "createdById": null
    }
  ]
}