Note — source limitations: All technical claims regarding The Gentlemen's use of LLMs originate from a single CERT-AGID analysis, not independently confirmed by security vendors or researchers at time of publication. The analysis contains an anachronistic reference to "May 2026" for an alleged internal chat leak; the nature of this date is unverifiable.
The Gentlemen ransomware group has integrated language models and AI automation into its offensive operations, according to CERT-AGID. The negotiation platform was allegedly developed in three days using LLM-based coding assistants. The analysis describes four AI-optimized phases of the attack cycle. The stakes, per the source, are the erosion of the reaction window that traditional defenses depend on to be effective.
- CERT-AGID attributes roughly 500 global victims to The Gentlemen in under a year
- Four AI-optimized phases per the source: rapid tool development in 3 days, extortion personalization, tactical learning from rival group leaks, worm-like payload distribution
- The RaaS model offers affiliates 90% of the ransom, but FortiGuard Labs reports "mixed feedback" on the actual functioning of the business model
- The primary access vector remains credential purchase via infostealers, with fallback to known Cisco and Fortinet appliance vulnerabilities
- Fortinet, via FortiGuard Labs, does not confirm any LLM use by the group
Three Days for the Platform: How LLMs Compress Development
The most significant finding in the CERT-AGID analysis is the temporal compression of tool development. According to the source, "the negotiation platform was entirely developed in just three days by the operator" thanks to the adoption of "LLM-based coding assistants." Ransomware negotiation requires stable interfaces, payment systems, secure chat mechanisms, and service persistence.
Delivering all of this in 72 hours, if confirmed, means the group can tear down and rebuild infrastructure faster than defenders can map and block it. CERT-AGID suggests LLMs reduce the time to write, debug, and deploy infrastructure code. The result would be more frequent rotation of negotiation endpoints, which in turn reduces the effectiveness of defensive takedown and OSINT.
Extortion Personalization and Learning from the Enemy
The second optimization vector concerns victim communication. Per CERT-AGID, "data extracted by the AI feeds prompts to structure and personalize blackmail emails and phone contact attempts, autonomously identifying victim weak points." The source describes a system combining exfiltrated data with generative models to produce calibrated messages, without providing concrete examples of generated output.
The third element is accelerated learning from others' intelligence. CERT-AGID writes that the group "used confidential data and internal manuals stolen from other cybercriminal organizations (such as Black Basta) for fine-tuning or to feed context to their own LLM models." According to the source, The Gentlemen does not merely replicate techniques but absorbs and reworks them through models trained on rival groups' internal documentation.
The Worm-Like Payload and the Contested RaaS Model
The fourth optimized phase is distribution. CERT-AGID describes five ransomware variants — Windows, Linux, ESXi — including a version written in Go that "includes the --spread parameter that converts the payload into a self-replicating worm, capable of automating encryption across the entire corporate network." The mechanism is not technically detailed in the source: no specific propagation vectors, exploited protocols, or conditions for self-replication emerge.
The RaaS model, per CERT-AGID, offers "affiliates 90% of the ransom." However, FortiGuard Labs — which does not mention any LLM use — adds "mixed feedback regarding the reality of their business model" and speaks of "questions about whether the group runs a traditional RaaS mode... speculation that the group operates a small, highly coordinated team conducting the attacks directly."
The actual organizational structure remains unverified, with two sources in tension: CERT-AGID presents a structured RaaS model, while FortiGuard Labs raises significant doubts. This divergence is relevant to the credibility of the LLM claims: if the group is a small closed team rather than a RaaS, the scalability attributed to AI automation would be less central to the operational model.
"The adoption of artificial intelligence is no longer merely theoretical, but acts as a true force multiplier for the gang's activities" — CERT-AGID
What to Do Now
CERT-AGID points to its IoC feed, available to accredited entities, as a mitigation tool. Beyond that, the available analysis supports several concrete actions that defenders can derive from the documented facts:
- Monitor negotiation endpoint rotation: If the platform is rebuilt in 3 days, traditional takedown and blacklisting cycles lose effectiveness. Verify whether your threat intelligence systems track the frequency of the group's domain and contact address changes.
- Hunt for the --spread parameter: The Go variant with worm-like behavior is a specific indicator to hunt in logs and sandboxes. Verify whether your EDR detects executions with this flag or patterns of automatic network propagation.
- Verify the RaaS vs. closed-team model: The group's true nature is an open intelligence question. If operations are run by a tight team, the risk profile shifts: less TTP variability, but greater coherence and adaptation speed.
- Check infostealer exposure: The documented primary access vector is credential purchase via infostealers. Review your credential compromise detection procedures and coverage of initial access marketplaces.
Editorial Analysis: The Point of No Return for Defenses
If CERT-AGID's claims are confirmed, the problem is not that "bad actors use AI." It is that the defensive temporal paradigm — detect, analyze, patch, update IoCs, communicate — assumes a reaction window that automation may have already closed.
The compression from days to hours is not linear acceleration: it is a paradigm shift. When criminal infrastructure development becomes faster than defensive response, the structural advantage shifts. Traditional defenses rely on friction: time to detect, time to analyze, time to act. If LLMs eliminate that time, the friction disappears.
The RaaS vs. closed-team tension is the most dangerous blind spot. If The Gentlemen is a RaaS, AI automation scales horizontally to dozens or hundreds of affiliates. If it is a closed team, it scales vertically in speed and coherence. Both scenarios erode the defensive advantage, but in different ways requiring different countermeasures. Waiting for independent confirmation is methodologically correct, but strategically costly: if the claims are true, the response delay is already part of the damage.
Sources
- CERT-AGID, "Use of LLMs and automation in The Gentlemen ransomware group operations", https://cert-agid.gov.it/news/uso-di-llm-e-automazione-nelle-operazioni-ransomware-del-gruppo-the-gentlemen/ — sole source on the technical LLM claims, not independently corroborated
- CERT-AGID, "Download IoC feed accreditation form", https://cert-agid.gov.it/scarica-il-modulo-accreditamento-feed-ioc/ — procedural context on the IoC feed for accredited entities
- FortiGuard Labs, "The Gentlemen Ransomware", https://www.fortiguard.com/threat-actor/6387/the-gentlemen-ransomware — group profile with no mention of LLMs and with uncertainty about the RaaS model
Information verified against cited sources and current as of publication.