Your VPN Is Their Front Door: How The Gentlemen Ransomware Targets UK Businesses

by Rebecca Sutton

Your VPN appliance is the target

A ransomware group called The Gentlemen has attacked at least 478 organisations since March 2025, including a UK software business whose breach was then used to attack one of its clients. Understanding how this group gets in is useful, because it relies on the same weaknesses that appear in penetration tests across UK small and mid-sized businesses week after week.

The entry point is almost always an internet-facing device — most commonly a VPN appliance or firewall — with an unpatched vulnerability. Once that door opens, the attackers are unhurried. Halcyon’s threat assessment puts the average dwell time at two to six weeks between initial access and the moment ransomware detonates. That gap is time the business could have used to detect and eject the attackers, if the right monitoring was in place.

The specific vulnerability to act on today

CVE-2024-55591 is an authentication bypass affecting Fortinet’s FortiOS and FortiProxy products — the firewall and VPN software used by a large proportion of UK businesses. It has been actively exploited by The Gentlemen since at least January 2026. A patch has existed since late 2024.

If your organisation runs Fortinet equipment and has not applied the CVE-2024-55591 patch, that is the single most important action from this article. Log into your FortiGate or FortiProxy management console, check the firmware version against Fortinet’s advisory, and schedule an emergency change if you are running an affected version. If immediate patching is not possible, restrict management interface access to internal IP addresses only and disable any external admin access until the patch is applied.

Two further vulnerabilities — CVE-2025-32433 and CVE-2025-33073 — are also in active use by this group, though Fortinet’s CVE-2024-55591 appears most prevalent in documented attacks.

What happens after they get in

Understanding the post-access phase helps you decide what to monitor. After gaining a foothold through an edge device, The Gentlemen’s operators spend weeks doing what any methodical attacker does: mapping the network, harvesting credentials, and gradually escalating privileges. The tools they use are largely legitimate — PsExec for remote execution, AnyDesk for remote desktop, NetExec for network discovery. These blend into normal IT activity, which is why they are difficult to catch without a baseline of what normal looks like on your network.

Custom tools come later. Researchers identified utilities called TaskHound, PrivHound, and CertiHound — names that suggest their purpose: task enumeration, privilege escalation, and Active Directory certificate exploitation respectively. EDR evasion tools with names like EDRStartupHinder and gfreeze are used to neutralise endpoint protection before the final encryption stage.

Ransomware is deployed across the network simultaneously using Active Directory Group Policy, which pushes the payload to every domain-joined machine at once. When the --spread flag is active, the malware also behaves as a worm, attempting to reach machines not yet covered by the Group Policy deployment — including those that may not be domain-joined.

Three things to check in your own environment

1. Patch your edge devices — all of them

VPN appliances, firewalls, and remote access gateways are the primary targets not just for The Gentlemen but for most ransomware groups. These devices sit on the internet perimeter, authenticate users from outside, and are frequently left on older firmware because “it’s working and we don’t want to break it.” That reasoning is understandable but produces exactly the exposure this group exploits.

Establish a patching cadence for perimeter devices — monthly at minimum, with emergency patches within 48 hours for critical authentication vulnerabilities. If your managed service provider handles this, ask them to confirm CVE-2024-55591 is patched across your estate and request evidence.

2. Segment your network

The worm capability in this ransomware is only catastrophic if every machine on the network can reach every other machine. Flat networks — where a workstation in the accounts department can communicate directly with a server running your line-of-business application — are still common in UK SMEs, and they make containment nearly impossible once ransomware is running.

Network segmentation does not need to be complex. Separating servers from workstations, putting sensitive systems on their own VLAN, and restricting which devices can initiate connections to VMware ESXi hosts are achievable changes that significantly limit the blast radius of a compromise. A penetration test will show you where the gaps are; a network architecture review will show you how to close them.

3. Know what “normal” looks like so you can spot what isn’t

The two-to-six-week dwell time documented by Halcyon represents a detection window. Monitoring for unusual authentication patterns — accounts logging in at odd hours, service accounts being used interactively, sudden spikes in Active Directory queries — can surface an intrusion before it becomes a ransomware incident. Security information and event management (SIEM) tools and managed detection and response (MDR) services exist specifically to provide this visibility. If your organisation has neither, that is worth addressing before the question of whether your antivirus is up to date.

The supply chain dimension

The incident involving the UK software consultancy is a reminder that your organisation’s security posture affects your clients’ exposure as well. Check Point Research documented the incident clearly: stolen credentials and client access information from the UK firm were used to breach one of its Turkish clients. Both organisations were named on the group’s data-leak site.

If you provide software, IT support, or any form of managed access to other organisations, the credentials and access paths you hold on their behalf are valuable targets. Applying the same security standards to client access as you would to your own most sensitive internal systems is not optional — it is a contractual and reputational obligation, and increasingly a regulatory one under UK GDPR.

Subscribe to our newsletter

Honest updates, straight to your inbox. Unsubscribe any time.

You may also like