From Conti to The Gentlemen: tooling evolved, gaps didn't.

June 2, 2026
Lucie Cardiet
Cyberthreat Research Manager

TL;DR.

Four operator-side leaks across four years (Conti 2022, Black Basta chats February 2025, LockBit panel May 2025, The Gentlemen May 2026) show ransomware groups changing how they staff, market, and tool themselves. They show almost no change in how they actually get in, move, and steal. Detection isn't broken. It's incomplete.

--

In May 2026, the Ransom-ISAC research team pulled 3,366 messages out of a Rocket.Chat onion site used by a Russian-speaking crew called The Gentlemen, ranked the second most active ransomware group of 2026 behind Qilin. Buried in the dump was a Matrix log from bestflowers247.online, the homeserver Black Basta had used since 2023. The handle that showed up in both: Tinker, the negotiator. Intel 471 published a standalone profile of Tinker as Black Basta's "phishing fixer and negotiator" earlier in 2025. Ransom-ISAC assesses with moderate-to-high confidence that the same operator carried the same role through Conti before that.

One handle. Three brands. Four years. Same job.

That detail is small, and it is the whole story. Operators rebrand, they do not retire. And the things they have been doing to get into networks have barely changed.

I have spent the last few weeks reading every primary leak I could get my hands on: the Conti Jabber dump, the LockBit affiliate panel SQL leak, the Black Basta Matrix chats, and both parts of the Ransom-ISAC analysis of The Gentlemen. Below is what changed, what didn't, and the five gaps that kept showing up across every dump.

The four leaks at a glance

Figure: Four ransomware leaks, 2022 to 2026. Timeline of Conti (Feb 2022, 200,000+ Jabber messages), Black Basta (Feb 2025, 196,000+ Matrix messages), LockBit (May 2025, full SQL dump: 75 affiliates, 103 victims) and The Gentlemen (May 2026, 3,366 messages plus MEGA and NAS dump), with three years between the Conti and Black Basta dumps.

Conti (Feb 2022)

On 25 February 2022, Conti's leadership posted a darknet statement pledging "full support" to the Russian government in the war against Ukraine. Two days later, an unidentified user opened the Twitter account @ContiLeaks and began publishing years of internal Jabber chats. Most analysts assess the source to be a Ukrainian researcher with prior access to Conti's infrastructure. The dump was rehosted by the vx-underground malware collective and ran to roughly 60,000 direct messages covering June 2020 to February 2022.

Black Basta (Feb 2025)

On 11 February 2025, an account called @ExploitWhispers dropped a 47 MB JSON file on Telegram containing 196,045 Matrix messages, mostly in Russian, covering 18 September 2023 to 28 September 2024. The leaker's stated motivation: Black Basta had "crossed a line" by targeting Russian banks.

LockBit (May 2025)

On 7 May 2025, an anonymous actor signing as "xoxo from Prague" replaced LockBit's onion site with the message "Don't do crime CRIME IS BAD" and a link to paneldb_dump.zip, a full SQL export of the affiliate admin panel. The dump covers 18 December 2024 to 29 April 2025, the entire post-Operation Cronos relaunch period after the UK National Crime Agency's takedown the previous year.

The Gentlemen (May 2026)

On 2 May, the hosting provider 4VPS.SU disclosed a breach of its infrastructure: a proxy server had been swapped and the GRUB loader damaged. Two days later, The Gentlemen posted their own acknowledgement on the T1erOne forum, dismissing the leak with a Russian proverb, "the dogs bark, but the caravan moves on". On 5 May, a user calling themselves n345 offered the dataset on PwnForums for $10,000 USD in Bitcoin. Three days later, the same user released it for free on CryptBB. The dump itself: 3,366 messages from a self-hosted Rocket.Chat onion site across 22 rooms, dated November 2025 to late April 2026. A follow-on package known as JA456 surfaced shortly after under a separate username on Cracked, this time exposing operator-side artifacts: a MEGA account's GDPR session history, a Synology NAS /etc/shadow, and screenshots of a factory reset taken while exfiltration was still running at 395 KB/s upload.

What evolved

1. Corporate structure shrank and decentralised

Conti operated like a mid-sized firm: roughly 100 people on payroll, an HR function, a recruitment pipeline, and salaries paid on the 15th and 30th of every month, with office hours of 10:00 to 18:00 Moscow time. Some estimates run higher, to 350 members across all sub-teams.

Black Basta, three years later, still operated from two offices in Moscow, with a weekly kitchen budget of around $2,000 USD and a driver who ferried the leader between sites. Smaller, tighter, still co-located.

The Gentlemen look different. Nine distinct operator handles in the Rocket.Chat dump, with chat-activity timestamps clustering across MSK (zeta88, Kunder, Protagor), UTC+5 to +9 (quant), UTC+7 to +8 (mAst3r), and UTC+8 to +10 (qbit). No office. No payroll cadence. A core crew distributed across timezones, coordinating through a self-hosted Rocket.Chat instance and planning to migrate to "a Rust-based chat soon".

The professional ransomware firm has fragmented into franchised crews.

2. The same people, three brands, no resets

The Tinker lineage is the cleanest evidence of operator continuity across the rebrands. Intel 471 traced the same operator from Black Basta back to a Conti-era role centred on phishing pretexts, call-centre coordination, and negotiations. Ransom-ISAC ties Tinker forward into The Gentlemen with the same operational function: data analysis, victim engagement, credential operations. The shared bestflowers247.online Matrix homeserver, present in both Black Basta and Gentlemen archives, anchors the infrastructure side of that lineage.

Rebrand is the continuity plan, not the contingency plan.

3. AI moved from aspiration to operational

In the Conti chats, AI does not appear. The 2022 operator workflow is human-driven, with ZoomInfo subscriptions purchased to price ransoms against company revenue, and external code reviewers hired to keep IP fingerprints from overlapping across sub-teams.

By the 2024 Black Basta chats, ChatGPT is in daily use. Four distinct documented uses across the corpus:

  1. Operator NN accidentally logged into an active user session on a victim's network and used ChatGPT to generate a fake "professional network check" message to deceive the user.
  2. mecor (Pikabot developer) used ChatGPT to debug a Go-based ARM/Linux proxy server build error.
  3. YY (lead coder) was instructed to rewrite C# malware in Python using ChatGPT for AV/EDR evasion, with the workaround that if ChatGPT refused, YY would submit the code in chunks.
  4. Tinker (negotiator) used GPT API services to automate victim contact collection, LinkedIn verification, spam, and cold calls.

By the 2026 Gentlemen chats, AI sits inside the negotiation flow. Zeta88 to a colleague: "Гпт. клауде, мы играем в переговорщика. он тебе строчит" ("GPT, Claude, we play negotiator. It writes for you"). The group also discusses uncensored "abliterated" Qwen models hosted on Hugging Face and renting GPUs on vast.ai for AI-assisted triage of stolen data.

What is not in any of the four leaks: AI-generated malware. Operators use AI for language, OSINT, and code translation. They are not asking it to invent novel techniques. And not all of them are sold. Wick, one of the Gentlemen operators: "Nothing works, the AI is giving me bullshit advice."

4. EDR is being defeated, not avoided

In 2021, Conti incorporated a French shell company to legitimately purchase Carbon Black EDR for around 14,800 EUR plus conversion fees, so the Ryuk team could test malware against a real licensed appliance. That was procurement.

By 2026, The Gentlemen are running lockers live under "EDR from a well-known vendor," via documented techniques announced in their internal chats: hardware breakpoint removal from DR registers, NTDLL unhooking with clean syscall stubs, and ETW patching. A CrowdStrike killer, per operator mAst3r, "costs about $5,000."

Custom C2 frameworks replaced Cobalt Strike. Black Basta's lead coder YY spent two years building Breaker, a custom C2 with TCP/DNS/PING comms and RC4 encryption. The Gentlemen run their own G-BOT control panel, a previously undocumented framework with per-beacon SOCKS5 tunneling and builder uploads to temp.sh and 0x0.st.

5. The hypervisor became the new blindspot

Conti's lockers targeted Windows endpoints, ESXi as an afterthought. By the 2026 leak, The Gentlemen are documented attacking Hyper-V Volume Manager directly, encrypting at the hypervisor level so that "guest-level EDR and backup agents" cannot see what is happening to the VMs they protect.

Nothing looks wrong on the guest, because nothing the guest can observe is happening.

What did not evolve

The five things below appear in every single one of the four leaks, in 2022 and again in 2026, with the same role in the kill chain.

1. Authentication succeeds at the edge

VulnCheck counted 62 unique CVEs discussed by Black Basta operators across the leaked chats, 53 of which were already known to have been exploited in the wild, and 44 of which were in CISA's Known Exploited Vulnerabilities catalogue. The most-mentioned CVE in the entire corpus was CVE-2024-3400, a Palo Alto Networks PAN-OS zero-day. The rest of the heavily discussed list was a tour of enterprise edge: Citrix NetScaler, Atlassian Confluence, Microsoft, F5, Cisco, Fortinet. Operators began discussing CVEs within days of the original advisory publication.

The Gentlemen kept going on the same plane. Their primary initial access vector across the corpus was Fortinet, with 81 mentions of FortiGate in the Rocket.Chat logs and CVE-2024-55591 (the FortiOS auth bypass) named explicitly. Branded VPN passwords used across multiple victims: gentlemen25, Gentlemen25, gentle26. Halcyon's separate analysis records the group brute-forcing roughly 1,000 Fortinet VPNs.

That is the #2 ransomware group of 2026 using a reused, brand-named password against the same vendor category that has been front-page in every annual exposure report since 2021. The audit log waved them through.

Conti's chats have the same shape. Stern broadcast a request for a CVE-2020-5135 (SonicWall stack buffer overflow, CVSS 9.4) scanner, and the operator named Ghost delivered it. They purchased SonicWall hardware new and refurbished to research the same product family.

The vendor changes. The category does not. Edge identity is the front door, and authentication keeps succeeding.

Source: Vulncheck

2. Browser-stored credentials are still the password vault

The Gentlemen toolkit: DumpBrowserSecrets, Chrome App-Bound Encryption Decryption, XenAllPasswordPro, Phemedrone Stealer V2.3.2, LummaC2. The Black Basta logs show LummaC2 dropping payloads to %temp% and exfiltrating collected credentials in qwertyuio.txt via AnyDesk file manager.

The credentials are not being phished. They are being read out of the browser an hour after the user logged in. The audit log waved them through.

3. NTDS.dit in a VSS backup is still a domain takeover

JA456 (Gentlemen Part 2) contains a Windows Server domain controller VSS backup metadata blob with the NTDS writer (b2014c9e) present and backupSucceeded=yes, meaning ntds.dit and transaction logs were captured intact. Ransom-ISAC notes: "All domain hashes were in Zeta's possession at time of exfiltration."

That is a 2018 problem that still works for an attacker in 2026.

4. Linux, ESXi, and Hyper-V remain under-monitored

The Gentlemen Linux/NAS locker invocation is in the corpus verbatim: /opt/updateamd --password W8wNZteb --ultrafast --keep, dropping extension .i8p14s and the note README-GENTLEMEN.txt. The Synology NAS dump in Part 2 shows the operator setting up rclone, MEGAcmd, and a sc-rclone service account directly on the NAS, then onboarding crew accounts between 3 January and 21 March 2026.

The NAS was a staging server for 127 TB of stolen data, operated as casually as a home office file share. Movement across hosts that the SOC does not log is movement that does not exist.

5. rclone to MEGA is still the exfil pipeline

Conti's lockers staged through Bazar and IcedID into custom infrastructure in 2020. By 2026, The Gentlemen exfil path is one line, evidenced in JA456: rclone → NAS (193.228.128.2:2222, user d0wnloAd1) → MEGA. Six years, same pattern. Legitimate-looking traffic to a legitimate cloud provider. Nothing looks wrong.

Detection isn't broken. It's incomplete.

The temptation when reading 600,000 leaked operator messages is to feel either depressed or vindicated. Both reactions miss the point.

The leaks gave defenders something more useful: primary-source confirmation of which gaps to close. The operators are not magic. They are eight to twenty people with a Rocket.Chat instance, a rented Fortinet exploit, and a MEGA account. They succeed because the same five gaps that worked in 2022 still work in 2026.

Five moves the leaks already justified:

  1. Audit your edge appliances against the leaked CVE lists. CVE-2024-3400 (PAN-OS) topped Black Basta's chats. CVE-2024-55591 (FortiGate auth bypass) is named in The Gentlemen chats as their primary access path. CVE-2025-32433 (Erlang/OTP SSH RCE) and CVE-2025-33073 (NTLM relay) appear in the same toolkit. Patch state on Palo Alto, Fortinet, Citrix, F5, and Cisco edge is an executive-level metric.
  2. Treat browser credential stores as authentication infrastructure. Phemedrone, LummaC2, and Chrome App-Bound Encryption Decryption tools assume the user is already logged in. The detection point is post-authentication behaviour on the endpoint, not the sign-in.
  3. Hunt for rclone, MEGAcmd, WinSCP, and Velociraptor on hosts that should not have them. All four show up in the Gentlemen corpus as exfil and lateral-movement tooling. Velociraptor in particular is a legitimate DFIR tool, repurposed for C2 against multiple victims.
  4. Get hypervisor-level visibility. Hyper-V Volume Manager attacks bypass guest EDR by design. ESXi is in the same category. If your detection ends at the VM boundary, your detection ends.
  5. Treat NTDS.dit access as a sev-1 trigger, not a forensic finding. The Conti playbook, the Black Basta playbook, and the Gentlemen JA456 archive all confirm domain controller backup theft as a standard objective. The detection has to fire when the file is touched, not when the password reset happens three weeks later.

Five gaps. Five fixes.

Checklist of the five recurring attack gaps confirmed across the Conti, Black Basta, LockBit and The Gentlemen leaks, with a short explanation of why each gap evades standard detection and a recommended action to close it.

The gap: Edge identity (VPN, OWA, edge appliances). Initial access path #1.
Why it's a gap: Patch lag plus password reuse on Fortinet, Palo Alto, Citrix, F5, and Cisco edge devices lets attackers in with valid credentials. The audit log records a normal sign-in.
How to close it: Audit patch state against the leaked CVE list: CVE-2024-3400, CVE-2024-55591, CVE-2023-4966, CVE-2025-32433, CVE-2025-33073. Treat edge patch state as an executive metric.

The gap: Browser-stored creds (Phemedrone, LummaC2, ABE). Post-auth credential theft.
Why it's a gap: Stealers read passwords out of Chrome an hour after the user signed in. Nothing fails on the authentication side. The audit log records a normal session.
How to close it: Detect post-authentication credential access on the endpoint, not just the sign-in. Hunt Phemedrone, LummaC2, and Chrome App-Bound Encryption decryption tools.

The gap: DC backups (NTDS.dit, VSS snapshots). Every domain hash, gone.
Why it's a gap: NTDS.dit lifted from a VSS backup hands over every domain hash. Detection often fires only weeks later, when the password reset runs.
How to close it: Treat NTDS.dit and VSS backup access as a sev-1 trigger on the day it happens, not a forensic finding three weeks later.

The gap: Hypervisor blindspot (Hyper-V, ESXi, Linux NAS). EDR cannot see it.
Why it's a gap: Hyper-V Volume Manager and ESXi attacks encrypt below the guest OS. Guest EDR and backup agents cannot see what is happening to the VMs they protect.
How to close it: Add hypervisor-level visibility on Hyper-V and ESXi. If detection ends at the VM boundary, detection ends.

The gap: Cloud exfil pipeline (rclone, MEGAcmd, WinSCP). Looks like cloud sync.
Why it's a gap: rclone, MEGAcmd, WinSCP, and Velociraptor traffic looks like legitimate cloud sync. Same pattern in 2020, 2024, and 2026.
How to close it: Hunt rclone, MEGAcmd, WinSCP, Velociraptor on hosts that should not have them. Velociraptor in particular is a legitimate DFIR tool, repurposed as C2.
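As an added illustration (not code from this article, Ransom-ISAC or any vendor), here is a minimal Python hunt that applies moves 3 and 5 above to JSON-per-line endpoint telemetry: the tool names and the ntds.dit / shadow-copy markers come from the leaks discussed, while the approved-host allowlist, the event field names and the sample events are assumptions constructed for the example.

```python
import json

# Hosts where this tooling is expected to run (hypothetical allowlist).
APPROVED_HOSTS = {"backup01", "dfir-jump01"}

# Exfil / lateral-movement binaries named across the leaks, by image basename.
EXFIL_TOOLS = {"rclone", "rclone.exe", "mega-cmd", "megacmd.exe",
               "winscp.exe", "velociraptor", "velociraptor.exe"}

# Substrings that mark access to the domain credential store or a VSS copy of it.
NTDS_MARKERS = ("ntds.dit", "harddiskvolumeshadowcopy")


def classify(event):
    """Return (severity, reason) for one telemetry event, or None if benign."""
    host = event.get("host", "").lower()
    # Normalise Windows and POSIX paths, then keep only the binary name.
    image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    target = event.get("target", "").lower()

    # Move 5: any touch of ntds.dit or a shadow copy is a same-day sev-1.
    if any(marker in target for marker in NTDS_MARKERS):
        return ("sev1", f"{host}: NTDS/VSS access to {event['target']}")
    # Move 3: exfil tooling is a finding only off the approved hosts.
    if image in EXFIL_TOOLS and host not in APPROVED_HOSTS:
        return ("high", f"{host}: {image} on a host not approved for it")
    return None


def hunt(lines):
    """Run classify() over JSON-per-line telemetry; return the list of findings."""
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed sample telemetry (not real logs): host, process image, file target.
SAMPLE_EVENTS = [
    r'{"host":"FS02","image":"C:\\Users\\svc\\AppData\\Local\\Temp\\rclone.exe","target":""}',
    r'{"host":"backup01","image":"C:\\Tools\\rclone.exe","target":""}',
    r'{"host":"nas01","image":"/usr/bin/rclone","target":""}',
    r'{"host":"WS17","image":"C:\\ProgramData\\velociraptor.exe","target":""}',
    r'{"host":"DC01","image":"C:\\Windows\\System32\\cmd.exe",'
    r'"target":"\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit"}',
    r'{"host":"WS18","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","target":""}',
]

if __name__ == "__main__":
    for severity, reason in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Against the constructed events, rclone on the approved backup host produces no finding, while the same binary on a file server and on the NAS, Velociraptor on a workstation, and a shadow-copy read of ntds.dit on the domain controller do.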

The work for any CISO reading this in 2026 is to close the gaps the operators themselves have already documented twice. The Mind Your Attack Gaps ebook walks through the framework end to end, with Scattered Spider, Volt Typhoon, and the hybrid-cloud breach pattern as the worked examples.
