The Gentlemen went from a rising name in mid-2025 to one of the most prolific ransomware-as-a-service operations of early 2026, with a mature playbook and hundreds of victims. The interesting thing isn’t the branding — it’s the monotony of the method. Initial access is overwhelmingly through internet-facing VPN appliances, firewalls and exposed management interfaces, with Fortinet FortiGate and Cisco platforms named as favourite targets.

There is a pattern across every active group this year, and it isn’t exotic malware. It’s edge devices that are unpatched, exposed, or protected only by a password that already leaked. The affiliate model means the people doing the breaking-in don’t need to be sophisticated; they need a working credential or an unpatched CVE and a checklist.

Defence is unglamorous and effective: don’t expose management interfaces to the internet, patch edge appliances on a real schedule, enforce MFA on every remote-access and admin path, and watch for logins from impossible locations. The groups are industrialised. The entry points are still the same five mistakes.

What it means for your businessToday’s busiest ransomware crews get in through unpatched, exposed or credential-leaked edge devices — not clever malware. Lock down management interfaces, patch the perimeter, and put MFA on every admin and remote path.
Source & referenceGBHackers — Gentlemen RaaS exploits Fortinet and Cisco edge devices ↑