Meet The Gentlemen: The Ransomware Gang Offering Hackers A 90% Cut


In the shadowy world of cybercrime, a new player has been making waves with a surprisingly simple promise: Keep 90 per cent of the money. The group calls itself ‘The Gentlemen’, but there is little gentlemanly about its business. In less than a year, the ransomware operation has become one of the world’s fastest-growing cybercriminal enterprises, rapidly climbing the ranks of ransomware gangs and leaving hundreds of victims in its wake.

A report by Check Point says the group’s secret weapon is not a revolutionary piece of malware or a groundbreaking hacking technique. Instead, it is a business model that resembles Silicon Valley more than traditional organised crime.

The pitch is straightforward: If an affiliate hacker successfully extorts a company, they get to keep 90 per cent of the ransom. The operators behind ‘The Gentlemen’ take only 10 per cent.

That may sound like a minor accounting detail. In the ransomware economy, however, it is a game-changing incentive.

The Uber Model of Cybercrime

To understand ‘The Gentlemen’, it helps to understand how modern ransomware works. Gone are the days when a single hacker wrote malware and attacked victims alone. Today’s major ransomware operations function like franchises.

A core team develops the ransomware, maintains the infrastructure, hosts leak websites and negotiates payments. Independent hackers, known as affiliates, do the dirty work, breaking into corporate networks, stealing data and deploying the ransomware.

This model is called Ransomware-as-a-Service (RaaS), an infamous version of Software-as-a-Service or SaaS.

Think of it as a criminal version of a food-delivery platform. The company owns the app, while drivers make the deliveries. In the ransomware world, the operators provide the tools, while affiliates carry out the attacks.

Traditionally, affiliates receive around 70 per cent to 80 per cent of any ransom collected. ‘The Gentlemen’ pushed that number to 90 per cent, instantly making itself one of the most attractive employers in the cybercrime underground. Researchers believe this aggressive revenue-sharing model helped lure experienced hackers away from rival ransomware groups.

A New Gang With Familiar Faces

‘The Gentlemen’ emerged around mid-2025 before formally launching its RaaS programme later that year. Researchers believe the operation was created by experienced cybercriminals who had previously worked with other ransomware ecosystems.

Like many modern ransomware groups, ‘The Gentlemen’ did not emerge from nowhere. The cybercrime world is surprisingly fluid. Developers, negotiators and affiliates often move between different gangs, carrying their expertise and contacts with them.

This means that even a “new” ransomware brand can possess years of collective experience from day one.

By 2026, ‘The Gentlemen’ had already become one of the most active ransomware operations globally, claiming hundreds of victims across multiple continents and industries. Victims have reportedly included organizations in healthcare, education, transportation, manufacturing and financial services.

How The Attack Unfolds

The Gentlemen’s attacks typically begin long before any files are encrypted.

The first stage is infiltration, in which affiliates gain access to a company’s network through stolen passwords, vulnerable internet-facing systems, compromised VPN accounts or security flaws in network appliances. Investigations suggest the group has relied heavily on credentials harvested by so-called “infostealer” malware, which quietly steals usernames and passwords from infected computers.

Once inside, the attackers do not immediately announce their presence. Instead, they spend days or even weeks exploring the network. They identify critical systems, locate backups, escalate privileges and search for valuable information.

Then comes the second stage: Data theft.

Before encrypting anything, attackers copy sensitive corporate information. This gives them leverage even if the victim can restore systems from backups.

Finally, the ransomware is deployed. Files are encrypted, systems become inaccessible and the victim receives a ransom demand.

The Double-Extortion Playbook

‘The Gentlemen’ follows a tactic now common among major ransomware groups: Double extortion.

In the early days of ransomware, criminals simply locked files and demanded payment for a decryption key.

Companies eventually became better at backups, making recovery possible without paying criminals.

Ransomware gangs responded by adding a second threat. Now they steal sensitive data before encryption. If the victim refuses to pay, the stolen information may be published online or sold to other criminals.

For many companies, the threat of exposing confidential customer records, financial documents or trade secrets can be more damaging than the encryption itself.

Built For Scale

One reason security experts are paying close attention to The Gentlemen is its apparent focus on efficiency.

The ransomware has been observed targeting multiple operating systems, including Windows and Linux environments. Researchers have also documented sophisticated techniques for moving laterally across corporate networks and spreading rapidly once an initial foothold is gained. Some analyses even describe worm-like propagation capabilities that can accelerate infections within an organization.

The group reportedly uses tools such as SystemBC, a malware framework often employed to maintain stealthy access and route malicious traffic through compromised systems.

The result is a ransomware operation designed not merely to breach organisations, but to compromise as much of a network as possible before defenders can react.

When Criminals Run Like Startups

Perhaps the most fascinating aspect of ‘The Gentlemen’ is what it reveals about the evolution of cybercrime.

Researchers who gained access to leaked internal information discovered a surprisingly organised operation complete with affiliate management, recruitment campaigns, technical support and revenue-sharing arrangements. Some reports even suggest extensive use of artificial intelligence tools during malware development and operational activities.

The image of a lone hacker working from a dark basement is increasingly outdated.

Modern ransomware groups operate more like multinational businesses. They recruit talent, offer incentives, provide customer support to affiliates and compete aggressively for market share.

One Of The Most Alarming Developments

The rise of ‘The Gentlemen’ highlights a troubling trend in cybersecurity. The greatest threat is no longer necessarily the malware itself; it is the professionalisation of cybercrime.

As ransomware groups adopt business tactics borrowed from legitimate companies, they become easier to scale, easier to recruit for and harder to disrupt.



