Low Unverified

ITD System Ransomware Claim by thegentlemen (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Claim Summary

On May 18, 2026, the ransomware group known as “thegentlemen” posted an unverified claim on their dark web leak site alleging they have compromised Internet Technologies Designs (ITD System), a French IT solutions integrator. The group claims to have exfiltrated data from the company’s domain, itd-system.com, though the volume and nature of the stolen data remain undisclosed. The victim, ITD System, is a technology firm founded in 1994, specializing in customized software, VoIP telephony, CRM integration, and secure infrastructure services for small and medium enterprises (SMEs). The group’s post includes a reference to the company’s ZoomInfo profile, suggesting they may have scraped or accessed business intelligence data. This claim has not been independently verified by Yazoul Security.

Threat Actor Profile

The group “thegentlemen” is a relatively obscure ransomware operation with a limited public track record. Their total number of known victims is unknown, and no public research or attribution reports are currently available. However, based on their disclosed toolset, they appear to employ a sophisticated post-exploitation and data exfiltration methodology. Their known tools include:

  • DumpBrowserSecrets: For extracting stored credentials from web browsers.
  • Hydra: A network login cracker, likely used for brute-force attacks.
  • KslDump: A memory dump tool for credential harvesting.
  • EDRStartupHinder: A tool designed to disable or evade endpoint detection and response (EDR) systems.
  • GFreeze: Likely a ransomware encryption binary.
  • GLinker: Possibly a lateral movement or persistence tool.
  • ADFind: For Active Directory reconnaissance.
  • BloodHound: For mapping Active Directory attack paths.

This toolset indicates a methodical approach: initial access via credential theft or brute force, followed by network reconnaissance, privilege escalation, and finally data exfiltration and encryption. The group’s use of EDR evasion tools suggests they target organizations with mature security postures. However, without a verified victim history, their operational success rate and credibility remain unproven.

Alleged Data Exposure

The group claims to have accessed data from ITD System, but the specifics are vague. The leak site post includes the victim’s domain (itd-system.com) and a ZoomInfo profile link, which is publicly available business intelligence. This could indicate the group is exaggerating their access by conflating public data with stolen internal data. No samples, file lists, or evidence of data exfiltration have been provided. The data volume is listed as “Undisclosed,” which is atypical for groups seeking to pressure victims into payment. This lack of detail raises questions about the veracity of the claim.

Potential Impact

If the claim is valid, ITD System faces significant risks:

  • Operational Disruption: Ransomware encryption could cripple their managed IT services, VoIP systems, and CRM platforms, affecting SME clients who rely on their infrastructure.
  • Data Breach: Exfiltration of client data, internal configurations, or intellectual property could lead to regulatory penalties under GDPR, given the company’s French operations.
  • Reputational Damage: As an IT integrator, trust is paramount. A confirmed breach could erode client confidence and lead to contract losses.
  • Supply Chain Risk: ITD System’s clients (SMEs) may face secondary attacks if credentials or network access details were stolen.

What to Watch For

  • Official Confirmation: Monitor ITD System’s website and social media for a public statement. Silence may indicate ongoing negotiations or incident response.
  • Leak Site Updates: Thegentlemen may release data samples or a full dump to pressure the victim. Yazoul Security will track any updates.
  • Indicators of Compromise (IOCs): If the group’s tools (e.g., GFreeze, GLinker) are deployed, network defenders should look for unusual EDR alerts, credential dumping activity, or BloodHound queries. No YARA rules are currently available for thegentlemen, but detection guidance for their toolset can be found in our threat library at /intel/ransomware-tools/.
  • Client Notifications: SMEs using ITD System services should verify their own systems for signs of compromise.
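As an added example (not part of the report or of Yazoul Security's tooling), a small detection pass over constructed Sysmon-style events that flags process launches matching the toolset named above and non-allowlisted access to lsass.exe, the usual footprint of credential dumping. The event field names, the allowlist, and the inclusion of SharpHound as BloodHound's collector binary are assumptions, not details from the report.

```python
import json
import re
from collections import defaultdict

# Tool names taken from the report's toolset list; SharpHound (BloodHound's usual
# collector binary) is added from general knowledge, not from the report.
TOOL_PATTERNS = {
    "credential_theft": [r"dumpbrowsersecrets", r"ksldump"],
    "brute_force": [r"\bhydra\b"],
    "edr_evasion": [r"edrstartuphinder"],
    "encryption_or_lateral": [r"gfreeze", r"glinker"],
    "ad_recon": [r"\badfind\b", r"sharphound", r"bloodhound"],
}
# Constructed allowlist of processes that legitimately open lsass.exe; tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

def classify(event):
    """Return detection labels for one Sysmon-style event (constructed field names)."""
    hits = []
    if event.get("EventID") == 1:  # Sysmon process creation
        text = f"{event.get('Image', '')} {event.get('CommandLine', '')}".lower()
        for label, patterns in TOOL_PATTERNS.items():
            if any(re.search(p, text) for p in patterns):
                hits.append(f"tool:{label}")
    elif event.get("EventID") == 10:  # Sysmon process access
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower().rsplit("\\", 1)[-1]
        if target.endswith("lsass.exe") and source not in LSASS_ALLOWLIST:
            hits.append("credential_dumping:lsass_access")
    return hits

def scan(lines):
    """Scan newline-delimited JSON events; return {host: [labels]} for hosts with hits."""
    findings = defaultdict(list)
    for line in lines:
        if line.strip():
            event = json.loads(line)
            for hit in classify(event):
                findings[event.get("Computer", "?")].append(hit)
    return dict(findings)

# Constructed sample events (not from the report or any real incident).
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Tools\\ADFind.exe", "CommandLine": "ADFind.exe -f objectcategory=computer"}
{"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Users\\Public\\KslDump.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe"}
{"EventID": 10, "Computer": "WS02", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```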

Disclaimer

This report is based on an unverified claim posted by the ransomware group “thegentlemen” on their dark web leak site. Yazoul Security has not independently confirmed the breach, data exfiltration, or any other details provided by the threat actor. Ransomware groups frequently exaggerate or fabricate claims to coerce victims into payment. All information should be treated as preliminary and subject to change upon official confirmation from ITD System or a trusted third-party investigation. No PII, download links, or access credentials are included in this report.
