April 23, 2026 Ransomware

The Gentlemen Ransomware: How This Fast-Rising Group Is Targeting Australian Businesses in 2026

A ransomware-as-a-service operation called The Gentlemen has exploded from 35 victims to more than 320 in just six months — and Australian organisations are firmly in the crosshairs. New research from Check Point published this week reveals the group now deploys a vast botnet of proxy malware to stay hidden inside victim networks, and their preferred entry door is your VPN appliance.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

Who Are The Gentlemen?

The Gentlemen first appeared in mid-2025 as a relatively obscure ransomware-as-a-service (RaaS) platform. By the fourth quarter of 2025, the group had claimed 35 victims. In the first quarter of 2026 alone, that number ballooned to 182 — making The Gentlemen the second most prolific active ransomware group globally, behind only LockBit's enduring affiliate network.

As of this week, the group has publicly listed over 320 victims on its dark web leak site. Researchers from Check Point, Group-IB, and SOCRadar have each published independent analyses in April 2026, and the picture they paint is troubling: The Gentlemen is not a flash-in-the-pan operation. It is a well-resourced, technically sophisticated RaaS programme attracting a growing pool of experienced affiliates.

The group operates a double-extortion model. After breaching a network, affiliates exfiltrate sensitive data first, then deploy the encryptor to lock systems. Victims who don't pay face having their data published on the leak site — a tactic that has proven devastatingly effective against organisations that hold sensitive client information.

Australia Is a Priority Target

According to Check Point's research published on 20 April 2026, Australia ranks among the top five countries targeted by The Gentlemen's SystemBC proxy botnet deployments, alongside the United States, United Kingdom, Germany, and Romania. This is consistent with Australia's broader standing as one of the most frequently ransomware-targeted nations per capita in the Asia-Pacific region.

The most notable confirmed Australian victim to date is Einstein Technology Pty Ltd, a Sydney-based IT services provider. The group claimed the breach on 12 March 2026, listing the company on its public leak site. Australian IT firms are attractive targets because they often serve as managed service providers (MSPs) — attacking one IT company can yield access to dozens of downstream client networks simultaneously.

Australia's combination of high-value businesses, strong currency, relatively flat organisational security hierarchies in SMBs, and significant reliance on remote-access technology makes it exactly the kind of target The Gentlemen's affiliates are incentivised to pursue.

How They Get In: VPN Appliances Are the Front Door

Understanding The Gentlemen's attack chain starts with their preferred initial access vector: internet-facing edge devices, particularly VPN gateways and firewalls. The group has been documented heavily exploiting CVE-2024-55591, a critical authentication bypass vulnerability in Fortinet's FortiOS and FortiProxy products (CVSS score: 9.8). This flaw allows an unauthenticated attacker to gain super-admin privileges on a FortiGate device without any valid credentials.

The scale of exploitation is staggering. Check Point's research found that The Gentlemen's operators maintain an operational database of approximately 14,700 already-exploited FortiGate devices globally — essentially a pre-positioned roster of compromised network perimeters available to their affiliates on demand. Separately, they hold 969 validated brute-forced FortiGate VPN credentials ready for deployment against additional targets.

The message for any Australian organisation running unpatched Fortinet equipment is stark: your network perimeter may already be in someone else's database. Patching CVE-2024-55591 is a critical and urgent priority — Fortinet released a fix in January 2025, yet thousands of devices globally remain unpatched more than a year later.

Why Credential Hygiene Is Critical

Beyond unpatched vulnerabilities, the group relies heavily on brute-forced credentials — trying millions of common username and password combinations against exposed VPN login portals until they find a match. This technique works because a significant proportion of VPN accounts are protected by weak, reused, or default passwords.

This is where strong password management becomes a non-negotiable control. A password manager like NordPass generates and stores cryptographically strong, unique passwords for every account — making brute-force attacks against your credentials statistically futile. Pairing that with multi-factor authentication (MFA) on all VPN portals closes the door on credential-based intrusions entirely.
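Brute-forcing and password spraying against a VPN portal leave a recognisable trace in the appliance's authentication log: a burst of failures from one source, often across many usernames, sometimes followed by a success. The following is an added example (not from the original post or from any vendor's product) of a small detector that flags that pattern; the log format is a constructed, generic one (timestamp, source IP, username, result), and the threshold and window are assumed starting values to tune against your own appliance's logs.

```python
"""Flag brute-force and password-spray bursts against a VPN login portal.

Added example, not from the original post. The four-field log format used
here is constructed; map your appliance's authentication log onto it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, result.
# 203.0.113.7 sprays six different usernames in ten seconds, then one
# of them succeeds; 198.51.100.4 is an ordinary mistyped password.
SAMPLE_LOG = """\
2026-04-20T02:00:01Z 203.0.113.7 alice FAIL
2026-04-20T02:00:03Z 203.0.113.7 bob FAIL
2026-04-20T02:00:05Z 203.0.113.7 admin FAIL
2026-04-20T02:00:07Z 203.0.113.7 test FAIL
2026-04-20T02:00:09Z 203.0.113.7 vpn FAIL
2026-04-20T02:00:11Z 203.0.113.7 jsmith FAIL
2026-04-20T02:00:30Z 203.0.113.7 jsmith OK
2026-04-20T02:05:00Z 198.51.100.4 carol FAIL
2026-04-20T02:05:40Z 198.51.100.4 carol OK
"""


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: details} for every source whose failed logins
    within `window` reach `threshold`.

    details["distinct_users"] separates classic brute force (one user,
    many passwords) from password spraying (many users, few passwords).
    details["success_after"] is True when the same source later logged in
    successfully: that credential must be treated as compromised and reset.
    """
    recent = defaultdict(deque)   # source IP -> (timestamp, user) of recent failures
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(
                    src, {"failures": 0, "distinct_users": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["distinct_users"] = max(entry["distinct_users"],
                                              len({u for _, u in q}))
        elif result == "OK" and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, details in detect_bruteforce(SAMPLE_LOG).items():
        print(src, details)
```

A source that trips the threshold and then logs in successfully is the case to act on first: lock the account, reset the credential and check what that session did. Because the detector keys on the source address, an attacker rotating through many addresses at a low rate will stay under it; that is the gap MFA closes, since a guessed password alone no longer grants access.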

Inside the Network: SystemBC and the Hidden Botnet

Once inside a network, The Gentlemen's affiliates deploy SystemBC — a sophisticated proxy malware that was originally sold on criminal forums in 2019 but has been continuously refined. The week of 20 April 2026, Check Point published a detailed analysis revealing that The Gentlemen have built a SystemBC-powered botnet of more than 1,570 confirmed corporate victims, discovered by gaining access to one of the group's command-and-control (C2) servers.

SystemBC establishes encrypted SOCKS5 proxy tunnels from within the victim's environment back to the attackers' infrastructure, using a custom RC4-encrypted protocol to evade network monitoring tools. Crucially, it can download and execute additional payloads — either written to disk or injected directly into running processes in memory, making detection significantly harder.

The typical post-compromise sequence observed by researchers proceeds as follows:

The entire process from initial access to full network encryption can occur within hours — there is rarely time to detect and respond once SystemBC has been established.
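Because SystemBC wraps its proxy traffic in its own RC4-encrypted protocol, payload inspection gives network monitoring little to work with; what a defender can still see is the shape of the connection: an internal host, often a server that should rarely initiate outbound sessions, holding a long-lived connection to an external address on a port that is not normal egress. The following is an added example (not from the original post or from Check Point's research) that applies those heuristics to flow records. The flow format, subnets, expected egress ports and the one-hour duration threshold are all constructed assumptions to be replaced with your own environment's values.

```python
"""Flag internal-to-external flows shaped like a SOCKS-style proxy tunnel:
long-lived, on a non-standard port, and/or initiated from a server VLAN.

Added example, not from the original post. All networks, ports and flow
records below are constructed assumptions.
"""
import ipaddress
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.0.10.0/24")]   # assumed DC/server VLAN
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}              # assumed normal egress

# Constructed flow records: start,end,src,dst,dport,bytes_out
# Record 2 is a server holding a 6.5-hour session to an external host on
# port 4001; record 5 is a short reconnect to the same host and port.
SAMPLE_FLOWS = """\
2026-04-20T01:00:00Z,2026-04-20T01:00:02Z,10.0.10.5,203.0.113.50,443,1500
2026-04-20T01:00:00Z,2026-04-20T07:30:00Z,10.0.10.5,198.51.100.9,4001,52000000
2026-04-20T01:10:00Z,2026-04-20T01:10:05Z,192.168.1.20,203.0.113.50,443,2000
2026-04-20T01:20:00Z,2026-04-20T03:20:00Z,192.168.1.20,10.0.10.5,445,900000
2026-04-20T02:00:00Z,2026-04-20T02:00:00Z,10.0.10.5,198.51.100.9,4001,200
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_flow(line):
    """Turn one constructed CSV flow record into typed fields."""
    start, end, src, dst, dport, bytes_out = line.split(",")
    return {
        "start": datetime.strptime(start, TS_FMT),
        "end": datetime.strptime(end, TS_FMT),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "bytes_out": int(bytes_out),
    }


def in_nets(addr, nets):
    return any(addr in net for net in nets)


def find_suspicious_flows(flow_text, min_duration_s=3600):
    """Return alert dicts for internal->external flows that are long-lived,
    or that match at least two of: non-standard port, server-initiated."""
    alerts = []
    for line in flow_text.strip().splitlines():
        f = parse_flow(line)
        # Only outbound flows matter here; internal-to-internal is out of scope.
        if not in_nets(f["src"], INTERNAL_NETS) or in_nets(f["dst"], INTERNAL_NETS):
            continue
        duration = int((f["end"] - f["start"]).total_seconds())
        reasons = []
        if duration >= min_duration_s:
            reasons.append("long-lived")
        if f["dport"] not in EXPECTED_EGRESS_PORTS:
            reasons.append("non-standard egress port")
        if in_nets(f["src"], SERVER_NETS):
            reasons.append("server-initiated outbound")
        if "long-lived" in reasons or len(reasons) >= 2:
            alerts.append({
                "src": str(f["src"]), "dst": str(f["dst"]), "dport": f["dport"],
                "duration_s": duration, "bytes_out": f["bytes_out"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_flows(SAMPLE_FLOWS):
        print(alert)
```

The two flows it raises are the long tunnel and the short reconnect to the same external host and port from the server VLAN; a workstation's brief HTTPS session and the internal SMB session are left alone. The rule set is deliberately coarse: it is the kind of query to run over egress firewall or NetFlow data on a schedule, with the server subnets and expected ports filled in from your own inventory.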

Who Gets Hit: Healthcare and Technology in the Firing Line

Sector analysis of The Gentlemen's known victims shows a clear preference for healthcare and technology companies. Both sectors hold high volumes of sensitive data that increase ransom leverage, and both are frequently reliant on complex, interconnected networks that amplify the damage of a successful encryption attack.

For Australian healthcare organisations, this threat comes on top of the broader ransomware wave that has hit the sector in 2026, including confirmed attacks by INC Ransom and CL0P. The Australian Cyber Security Centre (ACSC) has urged healthcare providers to treat ransomware readiness as a tier-one priority. The Gentlemen add another active, capable threat actor to that already-crowded threat landscape.

For technology companies and MSPs, the risk has a multiplier effect. A breach of a managed service provider can cascade through every client environment that MSP administers. Australian IT firms need to apply the same rigorous security posture to their own internal systems that they recommend to their clients.

What Australian Organisations and Individuals Should Do Now

1. Patch Fortinet Devices Immediately

If your organisation uses FortiGate, FortiProxy, or any FortiOS-based device as a VPN gateway or firewall, apply the patch for CVE-2024-55591 without delay. Also run Fortinet's compromise assessment tool to determine whether your device was already accessed before patching. Given that The Gentlemen maintain a database of 14,700 exploited devices, patching after the fact may require a full incident response engagement.

2. Enforce Strong Credentials and MFA on All Remote Access

Brute-forced VPN credentials are one of this group's primary weapons. Every VPN account should be protected by a long, unique, randomly generated password and multi-factor authentication. Using a dedicated password manager like NordPass removes the human tendency to reuse passwords and makes each account's credential set unique and unguessable.

3. Use a Trusted VPN for Remote Work and Personal Privacy

For remote workers and individuals, a consumer-grade VPN provides an essential layer of protection when connecting to corporate systems from home or public networks. A quality VPN encrypts your traffic end-to-end, hides your IP address from potential reconnaissance, and prevents credential interception on unsecured networks. NordVPN offers best-in-class AES-256 encryption, a verified no-logs policy, and servers across Australia — making it an ideal choice for Australians working remotely. Surfshark is a strong alternative with unlimited device connections, useful for households or small teams wanting broad coverage without a high price tag.

4. Segment Your Network

Once The Gentlemen are on a Domain Controller with Domain Admin privileges, lateral movement is rapid and largely unstoppable. Network segmentation — particularly isolating VPN termination points, Domain Controllers, and backup systems from day-to-day operational networks — limits an attacker's ability to pivot and dramatically reduces the blast radius of a successful intrusion.

5. Protect Your Web-Facing Assets

For businesses that operate websites or web applications, hardening your web perimeter is essential. Ransomware groups increasingly include web-facing credential theft and SQL injection as secondary attack vectors to harvest additional data. Sucuri provides a managed Web Application Firewall (WAF), continuous malware scanning, and DDoS protection — blocking automated attack tools before they reach your application layer.

6. Prepare an Incident Response Plan

Given how quickly The Gentlemen move from initial access to full network encryption, the only organisations that successfully contain an attack are those that have rehearsed their response. Document your IR plan, test your backups (verify they are offline or immutable), and know exactly who to call in the first 30 minutes of a suspected breach. The Australian Cyber Security Hotline (1300 CYBER1) provides immediate guidance to organisations under active attack.
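Step 6 turns on a backup you can actually restore from, which means checking it on a schedule rather than trusting it. The following is an added example (not from the original post) of a small restore-test routine: it records a SHA-256 manifest of a backup copy, and a later run reports files that have changed, gone missing or appeared, and files that are still writable, which an offline or immutable copy should never be. The directory layout and file contents in the demo are constructed; the writability test uses plain permission bits as a portable stand-in for whatever immutability mechanism your backup platform provides.

```python
"""Verify a backup copy against a SHA-256 manifest and report writable files.

Added example, not from the original post. The sample backup tree built by
demo() is constructed; point build_manifest/verify_backup at a real copy.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the copy under root with a manifest taken earlier.

    Returns lists of files that match, mismatch, are missing, are extra,
    or are still writable (an offline/immutable copy should report none)."""
    root = Path(root)
    current = build_manifest(root)
    report = {"ok": [], "mismatch": [], "missing": [], "extra": [], "writable": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(current) - set(manifest))
    write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    for rel in current:
        if (root / rel).stat().st_mode & write_bits:
            report["writable"].append(rel)
    return report


def demo():
    """Constructed scenario: manifest a copy, lock it read-only, then
    simulate one overwritten file and one deleted file before re-checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        files = {
            "config.yaml": b"retention: 30d\n",
            "db/customers.sql": b"CREATE TABLE customers (id INT);\n",
            "notes.txt": b"quarterly restore test\n",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        manifest = build_manifest(root)
        for rel in files:                       # the copy is meant to be read-only
            os.chmod(root / rel, stat.S_IRUSR)
        # Simulated damage the restore test must catch:
        os.chmod(root / "db/customers.sql", stat.S_IRUSR | stat.S_IWUSR)  # left writable
        (root / "db/customers.sql").write_bytes(b"-- overwritten --\n")  # content changed
        os.chmod(root / "notes.txt", stat.S_IRUSR | stat.S_IWUSR)
        (root / "notes.txt").unlink()                                     # file gone
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key:9}: {names}")
```

Keep the manifest somewhere the backup host cannot write to, otherwise an intruder who reaches the backups can rewrite both. A clean run is an empty "mismatch", "missing" and "writable" list; anything else is a finding to resolve before you need the copy in anger.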

The Bigger Picture: RaaS Is Getting Faster and Harder to Stop

The Gentlemen's rapid ascent illustrates a broader shift in the ransomware ecosystem. Modern RaaS platforms commoditise the technical complexity of attacks — affiliates do not need to write their own malware or build their own botnet infrastructure. They simply rent access, find a vulnerable target, and execute a well-documented playbook. The operators take a cut of every ransom paid.

This model lowers the barrier to entry for attackers while raising it for defenders. Australian organisations of all sizes — not just large enterprises — are viable targets because the cost of an attack to an affiliate is negligible. The economics of ransomware have shifted decisively in favour of attackers, and the only reliable counter is a proactive, layered defence.

Australia's mandatory data breach notification laws under the Privacy Act mean that organisations hit by double-extortion attacks face potential regulatory consequences on top of ransom demands and remediation costs. The reputational and financial calculus increasingly favours investing in prevention over paying for recovery.

Key Takeaways
