The Gentlemen went from a rising name in mid-2025 to one of the most prolific ransomware-as-a-service operations of early 2026, with a mature playbook and hundreds of victims. The interesting thing isn’t the branding — it’s the monotony of the method. Initial access is overwhelmingly through internet-facing VPN appliances, firewalls and exposed management interfaces, with Fortinet FortiGate and Cisco platforms named as favourite targets.
There is a pattern across every active group this year, and it isn’t exotic malware. It’s edge devices that are unpatched, exposed, or protected only by a password that already leaked. The affiliate model means the people doing the breaking-in don’t need to be sophisticated; they need a working credential or an unpatched CVE and a checklist.
Defence is unglamorous and effective: don’t expose management interfaces to the internet, patch edge appliances on a real schedule, enforce MFA on every remote-access and admin path, and watch for logins from impossible locations. The groups are industrialised. The entry points are still the same five mistakes.
