Ayush Chhabra

The Risk Gap

Perspectives on risk, security, and decisions that matter

Ransomware Gangs Are Breaking In Through VPNs and Firewalls

The second most active ransomware group in the world right now is breaking into companies through their VPNs and firewalls — the equipment those companies bought specifically to keep attackers out. The door isn’t being left unlocked. The lock itself is the way in.
The group, called The Gentlemen, has claimed over 330 victims since mid-2025, and it didn’t get there through technical brilliance. It runs ransomware-as-a-service: the core group builds the malicious software and handles extortion payments, while independent hackers — affiliates — do the breaking in. The industry-standard cut gives affiliates 80 percent of any ransom. The Gentlemen offer 90. That’s the whole innovation. Experienced operators left competing groups for the better commission, the way a top salesperson jumps firms.
That detail changes who your adversary is. It’s not one determined hacker who chose you. It’s a gig economy. Affiliates scan the entire internet for a specific kind of opening, and whoever has one gets hit. “We’re too small to be a target” stopped meaning anything — nobody is selecting targets. They’re harvesting them.
And the opening they harvest is the network edge: the VPN appliances that let employees connect from home and the firewalls that gatekeep traffic. These devices are reachable from anywhere on earth by design. When a flaw is found in one, every attacker on the planet can knock on it directly.
Here’s the tradeoff organizations keep getting wrong, and nobody in the room is being stupid. Edge devices live in a blind spot. Your laptops run monitoring software; a firewall is a sealed box where an intruder can operate unobserved. The network team runs it, the security team owns the risk, and neither owns the urgency. And the downtime is real — rebooting the VPN kicks off the entire remote workforce, so the security update waits for a maintenance window weeks out, negotiated with leaders who reasonably don’t want Tuesday disrupted.
Every decision in that chain is defensible. The problem is the defender’s calendar runs in weeks and the attacker’s clock runs in hours. Once a flaw in an edge device goes public, affiliates are scanning for it almost immediately — and once inside, this group encrypts entire networks before the next business day. The gap isn’t a bad decision. It’s the distance between two clocks, and no one is responsible for closing it.
A grounded approach isn’t a new product. Treat edge devices as what they are — the most exposed computers you own, not trusted security furniture. Keep an honest list of everything facing the internet; most companies find forgotten devices only during an incident. And negotiate the emergency exception before you need it: agree in a calm month that when a serious edge-device flaw drops, it gets patched within hours and the disruption is accepted.
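The two practical steps above, an honest inventory of internet-facing devices and a pre-agreed patch deadline measured in hours, can be checked mechanically. The following Python script is an added illustration, not code from the original post; the vendor names, product names, firmware versions, advisory identifiers and timestamps are all constructed placeholders, and the 24-hour limit stands in for whatever deadline an organization actually negotiates. It joins an inventory against a list of advisories, keeps only exposed devices still running affected firmware, and reports how long each has been exposed since disclosure and whether that already exceeds the agreed window.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class EdgeDevice:
    name: str
    vendor: str
    product: str
    firmware: str
    internet_facing: bool   # True if reachable from the public internet


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed placeholder, not a real advisory number
    vendor: str
    product: str
    fixed_in: str           # first firmware version that is no longer affected
    published: datetime     # time the flaw became public (attacker's clock starts)


def parse_version(text: str) -> tuple:
    """Turn a dotted firmware string into a comparable tuple of integers.
    Non-digit characters in a component are dropped ("12-hotfix" -> 12);
    real vendor version schemes may need their own parser."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(device: EdgeDevice, advisory: Advisory) -> bool:
    """A device is affected if it matches the advisory's product and runs
    firmware older than the fixed version."""
    return (device.vendor == advisory.vendor
            and device.product == advisory.product
            and parse_version(device.firmware) < parse_version(advisory.fixed_in))


def exposure_hours(advisory: Advisory, now: datetime) -> float:
    """Hours elapsed since the flaw was disclosed."""
    return (now - advisory.published).total_seconds() / 3600.0


def triage(inventory, advisories, now: datetime, sla_hours: float = 24.0):
    """Return (device, advisory_id, hours_exposed, over_sla) for every
    internet-facing device still running affected firmware.
    Internal-only devices are skipped: the post's point is the exposed edge."""
    findings = []
    for device in inventory:
        if not device.internet_facing:
            continue
        for advisory in advisories:
            if is_affected(device, advisory):
                hours = exposure_hours(advisory, now)
                findings.append((device.name, advisory.advisory_id,
                                 round(hours, 1), hours > sla_hours))
    return findings


def over_sla_names(findings) -> list:
    """Names of devices whose exposure already exceeds the agreed window."""
    return sorted({name for name, _, _, over in findings if over})


# Constructed sample inventory and advisories (not real products or flaws).
INVENTORY = [
    EdgeDevice("vpn-hq", "ExampleCo", "VPN-Gateway", "7.0.11", True),
    EdgeDevice("vpn-branch", "ExampleCo", "VPN-Gateway", "7.2.0", True),
    EdgeDevice("fw-dmz", "ExampleCo", "Firewall", "9.1.3", True),
    EdgeDevice("core-switch", "ExampleCo", "Firewall", "9.1.3", False),
]
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "ExampleCo", "VPN-Gateway", "7.0.12",
             datetime(2025, 8, 1, 8, 0, tzinfo=timezone.utc)),
    Advisory("EXAMPLE-ADV-0002", "ExampleCo", "Firewall", "9.2.0",
             datetime(2025, 8, 3, 2, 0, tzinfo=timezone.utc)),
]
# Fixed "current time" so the run is reproducible.
NOW = datetime(2025, 8, 3, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, adv_id, hours, over in triage(INVENTORY, ADVISORIES, NOW):
        status = "OVER SLA" if over else "within SLA"
        print(f"{name}: {adv_id} exposed {hours}h ({status})")
    print("Escalate now:", over_sla_names(triage(INVENTORY, ADVISORIES, NOW)))
```

Run against a real inventory, the script's value is in what it forces you to maintain: an up-to-date list of which devices face the internet and what firmware they run. The "over SLA" flag is the line that should trigger the pre-agreed emergency exception rather than a request for a maintenance window.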
The Gentlemen pay 90 percent because the business is that good, and it’s that good because the doors are that available. Next time a maintenance window slips two weeks, ask: who else is counting those days?
