A ransomware affiliate using the name “Hastalamuerte” has reportedly leaked operational details tied to The Gentlemen ransomware-as-a-service group, offering a rare look at how the crew gains access, evades defenses and structures attacks. According to Infosecurity Magazine, the exposed material references FortiGate exploitation, bring-your-own-vulnerable-driver (BYOVD) techniques and “split tactics” linked to Qilin-style operations.
The reported FortiGate angle matters because edge devices remain a common entry point for ransomware crews. Compromising a firewall or remote access appliance can give attackers a foothold before they move laterally inside a victim network. The leak did not publicly tie the activity to a specific Fortinet CVE, but FortiGate flaws and stolen credentials have repeatedly featured in real-world intrusion chains. Organizations running internet-facing firewalls and VPN infrastructure should review patch status, exposed management interfaces and authentication logs.
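The review of authentication logs suggested above can be partly automated. The following script is an added example written for this page, not code from the article, Fortinet or the reporting outlet; it assumes a FortiGate-style key=value syslog layout and the field names `logdesc`, `user`, `remip`, `srcip`, `action` and `status` are an approximation of that format, and every sample line is constructed. It flags three things defenders usually want to see first: one source failing logins against many accounts (password spraying), one account with many failures (brute force), and successful admin logins to the management interface from outside an allowlisted network.

```python
"""Triage of FortiGate-style authentication events.

Added example, not code from the article or from Fortinet. Assumption: the
key=value layout and the field names used here (logdesc, user, remip, srcip,
action, status) approximate FortiGate syslog output; the sample lines below
are constructed, not real telemetry.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records: one password-spraying source, one brute-forced
# account, and two admin logins to the management interface.
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:00:01 type=event subtype=vpn logdesc="SSL VPN login fail" user="alice" remip=203.0.113.10 action="ssl-login-fail"',
    'date=2024-05-01 time=08:00:03 type=event subtype=vpn logdesc="SSL VPN login fail" user="bob" remip=203.0.113.10 action="ssl-login-fail"',
    'date=2024-05-01 time=08:00:05 type=event subtype=vpn logdesc="SSL VPN login fail" user="carol" remip=203.0.113.10 action="ssl-login-fail"',
    'date=2024-05-01 time=08:00:07 type=event subtype=vpn logdesc="SSL VPN login fail" user="dave" remip=203.0.113.10 action="ssl-login-fail"',
] + [
    f'date=2024-05-01 time=08:01:{i:02d} type=event subtype=vpn logdesc="SSL VPN login fail" user="vpnadmin" remip=198.51.100.5 action="ssl-login-fail"'
    for i in range(5)
] + [
    'date=2024-05-01 time=08:05:00 type=event subtype=system logdesc="Admin login successful" user="admin" srcip=10.10.1.5 action="login" status="success"',
    'date=2024-05-01 time=08:06:00 type=event subtype=system logdesc="Admin login successful" user="admin" srcip=203.0.113.44 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value record into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def password_spray_sources(events, min_users=3):
    """Source IPs that failed logins against at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.get("action") == "ssl-login-fail":
            users_by_ip[e["remip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def brute_force_targets(events, min_failures=5):
    """Accounts with at least min_failures failed VPN logins."""
    failures = defaultdict(int)
    for e in events:
        if e.get("action") == "ssl-login-fail":
            failures[e["user"]] += 1
    return {u: n for u, n in failures.items() if n >= min_failures}


def admin_logins_outside_allowlist(events, allowed_networks):
    """Successful admin logins from addresses outside the management allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for e in events:
        if e.get("action") == "login" and e.get("status") == "success" and "srcip" in e:
            ip = ipaddress.ip_address(e["srcip"])
            if not any(ip in n for n in nets):
                hits.append((e["user"], e["srcip"]))
    return hits


def triage(lines, allowed_networks=("10.0.0.0/8",)):
    """Run all three checks over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {
        "password_spray": password_spray_sources(events),
        "brute_force": brute_force_targets(events),
        "admin_outside_allowlist": admin_logins_outside_allowlist(events, allowed_networks),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

The thresholds (three distinct accounts, five failures) are deliberately low so the constructed sample triggers; tune them to the baseline volume of your own appliance. The allowlist check is the one most worth keeping even with a SIEM rule in place, since a successful admin login from an unexpected address is exactly what a credential-theft intrusion looks like before any ransomware stage.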
The mention of BYOVD suggests The Gentlemen or its affiliates are using signed but vulnerable drivers to disable or bypass endpoint protections before deploying ransomware. That technique has become a favored way to tamper with EDR and antivirus tools without using obviously malicious kernel code. In practice, it gives attackers a better chance of reaching encryption and extortion stages undetected.
The reference to Qilin “split tactics” points to another trend: ransomware brands increasingly operate as loose affiliate networks, with intrusion, data theft and encryption sometimes handled by different actors or separate infrastructure. That makes attribution harder and disruption less durable, since operators can rebrand or shift tooling quickly when exposed.
There is no public victim list attached to this leak so far. Still, the disclosure is useful intelligence for defenders because affiliate leaks often reveal the real mechanics behind ransomware campaigns more clearly than victim posts or leak-site claims. Security teams should treat the report as a reminder to harden perimeter devices, monitor for unusual driver loads and look for signs of endpoint tampering before encryption begins.
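The "monitor for unusual driver loads" advice above, and the BYOVD discussion earlier on the page, can be turned into a concrete baseline check. The script below is an added example written for this page, not code from the article or from any vendor; it models records on Sysmon Event ID 6 (DriverLoad) fields `ImageLoaded`, `Hashes`, `Signed` and `SignatureStatus`, and the events, the baseline and the blocklist hashes are constructed placeholders. It flags a driver load when the hash is on a known-vulnerable list, the signature is missing or invalid, the image sits outside the normal driver directories, or the (path, hash) pair is not in the gold-image baseline; a signed but vulnerable driver dropped into a user-writable path, the typical BYOVD pattern, trips the first, third and fourth checks at once.

```python
"""Baseline check for Windows driver-load telemetry.

Added example, not code from the article or from any vendor. Assumption: the
records are modelled on Sysmon Event ID 6 (DriverLoad) fields ImageLoaded,
Hashes, Signed and SignatureStatus; the events, the baseline and the blocklist
hashes below are constructed placeholders, not real values.
"""
import ntpath

# Constructed telemetry: a normal OS driver, a validly signed driver dropped
# into a user-writable path, and an unsigned driver in a temp directory.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Hashes": "SHA256=AAAA0001,MD5=B1", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\Libraries\helper.sys",
     "Hashes": "SHA256=BADD0002,MD5=B2", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\Temp\x.sys",
     "Hashes": "SHA256=CCCC0003,MD5=B3", "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Constructed baseline of expected (lowercase path, SHA256) pairs, as one would
# collect from a clean gold image.
BASELINE = {(r"c:\windows\system32\drivers\ndis.sys", "AAAA0001")}

# Placeholder blocklist; in practice populate it from a maintained
# known-vulnerable driver list such as the community LOLDrivers project.
KNOWN_VULNERABLE_SHA256 = {"BADD0002"}

# Directories from which driver loads are expected on a stock Windows host.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def parse_hashes(field):
    """'SHA256=..,MD5=..' -> {'SHA256': '..', 'MD5': '..'}"""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def assess_driver_load(event, baseline=BASELINE, blocklist=KNOWN_VULNERABLE_SHA256):
    """Return the reasons an event deserves attention (empty list means benign)."""
    path = event["ImageLoaded"].lower()
    sha256 = parse_hashes(event["Hashes"]).get("SHA256", "").upper()
    reasons = []
    if sha256 in blocklist:
        reasons.append("known_vulnerable_hash")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned_or_invalid_signature")
    if not any(path.startswith(d + "\\") for d in EXPECTED_DRIVER_DIRS):
        reasons.append("unusual_path")
    if (path, sha256) not in baseline:
        reasons.append("not_in_baseline")
    return reasons


def triage_driver_loads(events, **kw):
    """Map the file name of every flagged driver to its list of reasons."""
    out = {}
    for e in events:
        reasons = assess_driver_load(e, **kw)
        if reasons:
            out[ntpath.basename(e["ImageLoaded"])] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in triage_driver_loads(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(reasons)}")
```

The baseline check is the one that catches what a signature check alone cannot: a BYOVD driver is, by definition, validly signed, so "Signed=true, Valid" is not reassuring on its own. A driver that is signed, new to the host and loaded from somewhere other than the system driver directories is worth an analyst's attention even if its hash is not yet on any public list.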