Dayum. The folks at PRODAFT have now dropped one helluva detailed writeup on The Gentlemen. tl;dr:

-The administrator supplies affiliates with initial access directly, primarily Fortinet SSL-VPN credentials obtained through brute-force attacks or sourced from the group's own leak database.

-The administrator is using AI to develop and maintain the ransomware and associated tooling, as well as to assist with post-exploitation activity.

-The group's RaaS offering provides affiliates with five locker variants (Windows, Linux, ESXi, a legacy Windows XP+ build, and LVM), along with usage instructions.

https://catalyst.prodaft.com/public/report/inside-the-phantom-mantis-operation/overview#paragraph-1077|172

It will be interesting to see how The Gentlemen respond to having their dear overlord identified in real life. Already there is some butthurt on the group's threads across a couple of RU hacker forums.

One thing I didn't mention in the story is the potential consequences of top RU hackers being outed. At a minimum, those tend to include having one's accounts on the major forums deleted. Sure, the person can just create a new identity and resurface, but from then on they suddenly have several more concerns to deal with on a regular basis, such as interference and shakedowns from tax authorities and local police, extortion or even kidnapping for their considerable ill-gotten crypto wealth.

What's remarkable is that this guy isn't the only major ransomware head honcho who was too careless with their personal information. Stay tuned.

@briankrebs

I would contribute to their crowdfunder if they could take Palantir down. 😎