Threat Intelligence

A Fast-Rising Ransomware Gang Is Scanning for Your Unpatched Firewall Right Now

Two things happened in the last week that, taken together, should move "ask IT about our patches" from the bottom of your to-do list to the top. First, a ransomware group operating under the name The Gentlemen was publicly identified by security researchers as the second-most-active ransomware operation in the world by victim count — and its entire business model depends on finding businesses with outdated firewalls and virtual private network (VPN) appliances. Second, Microsoft released what is being called the largest security update in the company's history, fixing more than 200 vulnerabilities across Windows and related software. The two stories are not a coincidence. They describe the same problem from opposite ends.

Who Are The Gentlemen?

The name sounds almost collegiate. The operation is not. The Gentlemen is a fast-scaling ransomware-as-a-service group first observed in mid-2025, using a Go-based encryptor, double extortion, affiliate operations, and aggressive self-propagation to compromise organizations globally — with roughly 330 public victims across more than 70 countries by mid-2026. Security researchers at Check Point Software gained unusual visibility into the group's infrastructure, and what they found explains the growth rate.

The group operates as a criminal franchise: a core developer provides the locker malware, admin panel, and infrastructure, while affiliates conduct network intrusions and split ransom proceeds 90/10 in favor of the affiliate. That 90-percent cut — versus the 80/20 industry standard — has been instrumental in attracting experienced operators from competing programs. Experienced operators mean faster attacks, less noise, and higher success rates. The Gentlemen have scaled faster than nearly any modern ransomware operation on record, going from 48 attacks in January 2026 to 91 in February 2026 — nearly doubling month over month.

How They Get In: Your Firewall or VPN

Here is the part that matters most for a small-business owner. This group does not rely on tricking your employees with a phishing email (though that threat is real and separate). The Gentlemen's attacks are largely opportunistic rather than targeted. They look for organizations with exposed, vulnerable internet-facing infrastructure — VPNs, remote access gateways, firewall management portals — and use those as their entry points.

The Gentlemen ransomware gains initial access by targeting internet-facing Fortinet FortiGate VPN appliances and Cisco edge devices. One operator maintains a live dashboard tracking thousands of FortiGate panels with direct login links. The group exploits known vulnerabilities including CVE-2024-55591 in FortiOS and CVE-2025-32433 in Erlang SSH on unpatched devices. In plain English: they run automated scans across the entire internet looking for devices running old software, and they walk straight in through doors that a patch would have closed months ago.

Speed matters once they are inside. According to Check Point, the group uses internet-facing devices as its entry point and, once inside, moves quickly to encrypt entire networks within hours. There is typically no warning period. You go from normal operations to locked files in the same business day.

Who Gets Hit

The group's affiliates primarily target small to medium-sized organizations, with relatively limited activity against large enterprises. That is not incidental — it is deliberate. Large organizations have dedicated teams monitoring for exactly this kind of activity. Small businesses generally do not. The group's targeting by sector shows a clear emphasis on manufacturing, construction, healthcare, and financial services, with IT consulting and services as the most frequently targeted individual sector. If your business touches any of those industries — as a vendor, a supplier, or a service provider — you are in scope.

The group operates on a double extortion strategy: they exfiltrate sensitive data from the victim's environment first and then encrypt the systems with ransomware. That means paying the ransom does not guarantee your data stays private. They have already copied it.

Why This Week Is the Right Time to Act

Microsoft's June 2026 Patch Tuesday fixes 206 security flaws in Microsoft software — the biggest Patch Tuesday release ever — including 32 critical vulnerabilities and three publicly disclosed zero-days. A zero-day, in plain language, is a flaw that was publicly known before Microsoft had a fix ready — meaning attackers had a head start.

One of the zero-days, CVE-2026-42897, is an Exchange Server spoofing vulnerability that attackers trigger by sending a specially crafted email, which then executes arbitrary JavaScript inside the victim's Outlook Web Access session. The victim does not need to download anything or click a suspicious link; the malicious message does the work when the mailbox renders it. That is a meaningful bar to clear — or rather, fail to clear.

A separate zero-day, CVE-2026-45586, is an elevation-of-privilege vulnerability rated important with a CVSS (Common Vulnerability Scoring System) score of 7.8. Successful exploitation could allow a local authenticated attacker to gain SYSTEM privileges, making it useful as part of a broader compromise chain. Privilege escalation bugs are the kind of vulnerability that turns a minor intrusion into a full network takeover.

It is not just Microsoft, either. Check Point released security updates for a Remote Access VPN and Mobile Access flaw exploited in Qilin ransomware attacks. Cisco released security updates for numerous products, including an SD-WAN zero-day exploited in attacks. Fortinet released security updates for numerous flaws in FortiOS, FortiSandbox, and FortiProxy. The firewall and VPN vendors that The Gentlemen specifically target all issued patches this cycle. Those patches exist. The question is whether they are applied.

The Honest Severity Read

This is not catastrophic-headline territory for every small business. If your VPN and firewall are managed by a competent IT provider who applies vendor patches promptly, your exposure to The Gentlemen specifically is low. The threat is real and the group is prolific, but it is also preventable. Patching is not glamorous work. It is, however, the single highest-return security activity that exists — and it is the one most commonly deferred.

The businesses that get hurt are typically those where patching is assumed to be happening but never verified. "We have an IT guy" is not the same as "we have a patching schedule with documented completion." The gap between those two statements is where The Gentlemen operate.

What to Ask Your IT Provider This Week

  • Have the Microsoft June 2026 patches been applied to all our Windows machines and servers? Ask for a confirmation date, not a "we're on it."
  • What firewall and VPN brand do we use, and is the firmware current? If the answer involves Fortinet or Cisco, ask specifically about the patches released this month.
  • How are internet-facing management portals — firewall admin consoles, VPN login pages — protected? They should not be reachable from the public internet unless absolutely necessary.
  • Do we have a patching policy that documents when updates are applied and who verifies them? If the answer is no, that is a gap worth addressing now.
  • Are our backups stored somewhere that ransomware could not reach and encrypt? Offsite or cloud backups that are not directly connected to your main network are the difference between a bad week and a business-ending event.
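For the first and fourth questions above, "documented completion" can be produced rather than promised. The script below is an added example, not something from the original post or from any vendor: it pulls the most recent installed Windows update and its install date from a list of machines and writes a dated report. The host names and the cutoff date are placeholders, and it assumes remote management (WinRM or RPC) is allowed and the account running it is an administrator on each machine.

```powershell
# Added example: document which Windows machines have been patched since a cutoff date.
# Host names below are hypothetical; replace with your own inventory.
$Computers = @('FILESRV01', 'DC01', 'WS-ACCT-07')
# Assumed cutoff: the date of the update release you are verifying against.
$Cutoff = Get-Date '2026-06-09'

$Report = foreach ($c in $Computers) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering; entries without an install date are skipped.
        $latest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
        [pscustomobject]@{
            Computer      = $c
            LastPatchID   = $latest.HotFixID
            LastPatchDate = $latest.InstalledOn
            Status        = if ($latest -and $latest.InstalledOn -ge $Cutoff) { 'Current' } else { 'NEEDS ATTENTION' }
            Error         = $null
        }
    }
    catch {
        # A machine that cannot be queried is reported, not silently dropped: it is still unverified.
        [pscustomobject]@{
            Computer      = $c
            LastPatchID   = $null
            LastPatchDate = $null
            Status        = 'UNREACHABLE'
            Error         = $_.Exception.Message
        }
    }
}

# Print machines needing attention first, then keep a dated copy as the completion record.
$Report | Sort-Object Status -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path ".\patch-verification-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

This covers Windows updates only; firewall and VPN firmware versions have to be read from the vendor's management interface and recorded the same way.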

You do not need to understand the technical details of CVE-2026-42897 to protect your business. You need to ask the right questions and expect documented answers. The Gentlemen are running automated scans right now looking for the businesses where those conversations never happened.


Secured by IA