Gentlemen Ransomware Group’s Internal Chat Dump Exposes Tactics, Victims and Potential Supply‑Chain Weaknesses
What Happened – A leak of roughly 8,200 lines of internal chat logs, screenshots and wallet details from the ransomware‑as‑a‑service (RaaS) outfit “The Gentlemen” was posted publicly on a cyber‑crime forum and later mirrored on MediaFire. The dump reveals day‑to‑day operational details, target selection (including Sony and Barclays), and the group’s reliance on compromised Fortinet edge devices and the open‑source ZeroPulse tool.
Why It Matters for TPRM –
- Shows how stolen credentials for edge networking gear (VPN and firewall appliances) can seed large‑scale ransomware campaigns.
- Highlights that the edge devices third parties use to reach your network (VPN concentrators, firewall appliances) can become an indirect path into their customers once those devices’ credentials are compromised.
- Provides actionable intelligence on tools and tactics that can be monitored in your own environment.
Who Is Affected – Financial services (Barclays), media/technology (Sony), and any organization whose Fortinet edge devices or VPN solutions could be used for initial access and the lateral movement that follows.
Recommended Actions –
- Review contracts and security controls for any Fortinet, VPN or remote‑access solutions used by your vendors.
- Validate that your third‑party risk program monitors ransomware‑related threat intel feeds.
- Harden credential storage, enforce MFA, and audit remote‑access logs for anomalous activity.
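The third recommendation above (audit remote‑access logs for anomalous activity) and the “actionable intelligence … that can be monitored in your own environment” point are where a detection engineer would start. The following is an added example, not code from the original page, from DataBreachToday or from the leak itself. It parses VPN authentication events written in FortiGate‑style key=value syntax and flags two patterns that fit the credential‑abuse story: a source IP that fails repeatedly across several accounts and then succeeds (spraying or stuffing followed by a working credential), and a successful login during off‑hours. The sample log lines are constructed, the action values `ssl-login-fail` and `tunnel-up` are assumed field values for the sake of the example, and the thresholds are illustrative, not derived from the leak.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in FortiGate-style key=value syntax. IPs, users and
# timestamps are fictitious; these are not real logs from any device or from the leak.
SAMPLE_LOGS = """\
date=2025-10-01 time=02:14:03 type=event subtype=vpn action=ssl-login-fail user="jdoe" remip=203.0.113.5
date=2025-10-01 time=02:14:09 type=event subtype=vpn action=ssl-login-fail user="asmith" remip=203.0.113.5
date=2025-10-01 time=02:14:15 type=event subtype=vpn action=ssl-login-fail user="bwong" remip=203.0.113.5
date=2025-10-01 time=02:14:21 type=event subtype=vpn action=ssl-login-fail user="vendor-svc" remip=203.0.113.5
date=2025-10-01 time=02:15:02 type=event subtype=vpn action=tunnel-up user="vendor-svc" remip=203.0.113.5
date=2025-10-01 time=09:03:44 type=event subtype=vpn action=tunnel-up user="jdoe" remip=198.51.100.20
date=2025-10-01 time=09:40:10 type=event subtype=vpn action=ssl-login-fail user="jdoe" remip=198.51.100.20
date=2025-10-01 time=09:40:31 type=event subtype=vpn action=tunnel-up user="jdoe" remip=198.51.100.20
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed action names for this example; map your appliance's real values here.
SUCCESS_ACTIONS = {"tunnel-up"}
FAIL_ACTIONS = {"ssl-login-fail"}


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(
            f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def find_anomalies(log_text, fail_threshold=3, window=timedelta(minutes=10),
                   offhours=(0, 6)):
    """
    Return a list of findings (dicts) using two heuristics:
      spray_then_success: a source IP records >= fail_threshold failures
          (across any users) inside `window`, then logs in successfully.
      offhours_login: a successful login whose hour falls in
          [offhours[0], offhours[1]).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if "ts" in e and e.get("subtype") == "vpn"]
    events.sort(key=lambda e: e["ts"])

    recent_fails = defaultdict(list)   # remip -> timestamps of recent failures
    findings = []
    for e in events:
        ip, user, action, ts = e.get("remip"), e.get("user"), e.get("action"), e["ts"]
        if action in FAIL_ACTIONS:
            recent_fails[ip].append(ts)
            continue
        if action not in SUCCESS_ACTIONS:
            continue
        # Keep only failures that fall inside the window before this success.
        fails = [t for t in recent_fails[ip] if ts - t <= window]
        recent_fails[ip] = fails
        if len(fails) >= fail_threshold:
            findings.append({"kind": "spray_then_success", "ip": ip, "user": user,
                             "ts": ts, "failures": len(fails)})
            recent_fails[ip] = []   # one alert per burst
        if offhours[0] <= ts.hour < offhours[1]:
            findings.append({"kind": "offhours_login", "ip": ip, "user": user, "ts": ts})
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample, the 02:15 `vendor-svc` login from 203.0.113.5 produces both a spray‑then‑success finding (four failures across four accounts in the preceding minute) and an off‑hours finding, while the single mistyped password followed by a successful login for `jdoe` at 09:40 produces nothing. Tuning the window and threshold to your own baseline, and feeding in the appliance’s real action names, is the part that has to be done per environment.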
Technical Notes – The leak includes discussions of OpenConnect VPN abuse, “EDR Killer” utilities, fake CVE scripts, and the ZeroPulse GitHub repo for remote administration. No specific CVE is cited; the entry point described is compromised Fortinet credentials rather than a product flaw, so the third‑party exposure is a stolen‑credential path through edge devices (yours or a vendor’s), not a compromise of the vendor’s software itself. Source: DataBreachToday