Gentlemen Ransomware Leverages Infostealer‑Harvested Credentials, AI Tools, and a 90% Affiliate Ransom Split to Hit 483 Victims in 66 Countries
What Happened — The “Gentlemen” ransomware operation, active since September 2025, used credentials harvested by commodity infostealer malware and AI‑assisted tooling to compromise 483 victims across 66 nations. An internal‑chat leak shows a core team building the ransomware while external affiliates perform the intrusions and keep 90 % of each ransom payment.
Why It Matters for Compliance & Audit Readiness
- The attack chain is rooted in stolen credentials and weak access controls – the exact scenario SOC 2 Trust Services Criteria CC6.1 (Logical Access) is designed to prevent and document.
- Continuous monitoring of credential‑use, MFA enforcement, and evidence of security‑awareness training become critical audit artifacts when an adversary exploits infostealer‑derived logins.
- Verisq’s SOC 2 Access Controls capability provides automated collection of access‑control logs, MFA compliance checks, and training completion records to substantiate your readiness posture.
Who Is Affected — Manufacturing (primary target), technology, business services, and healthcare organizations worldwide; notably a lower‑than‑average share of U.S. victims.
Recommended Actions
- Map the incident to SOC 2 CC6.1 (Logical Access) and CC6.2 (User Management) controls; verify MFA is enforced for all privileged and remote access.
- Deploy continuous credential‑use monitoring and integrate infostealer‑indicator feeds into your SIEM/EDR.
- Refresh security‑awareness curricula to cover phishing and credential‑theft scenarios, and document training completion as audit evidence.
Source: Security Affairs
Technical Notes — Initial access leveraged the FortiOS authentication‑bypass flaw (CVE‑2024‑55591), legacy Active Directory weaknesses (ZeroLogon, PetitPotam), and valid credentials stolen from Outlook Web Access. AI tools were used to triage and prioritize targets. Source: same article