The Gentlemen Ransomware: 483 Victims, 90% Cut [2026]


A ransomware crew that did not exist eighteen months ago has become one of the most active extortion brands on the planet — and it got there by handing affiliates a 90% cut. The Gentlemen ransomware group, first observed in mid-2025, scaled from a handful of postings to a leak site listing 483 victims across 66 countries by mid-June 2026, according to threat-intelligence tracking. Along the way it tied the highest payout rate in the ransomware-as-a-service (RaaS) economy, got hacked itself, and had its alleged operator unmasked by name.

The story matters beyond one gang. The Gentlemen’s 90/10 affiliate split — versus the 80/20 that has anchored the market for years — is reshaping how criminal labor flows between RaaS programs, and it lands in a year when ransomware already features in nearly half of all data breaches. This analysis breaks down the numbers, the May 2026 backend leak that exposed the operation’s books, the attribution that put a Russian name to the brand, and what an arms race over affiliate economics means for defenders heading into the second half of 2026.


What Is The Gentlemen Ransomware?

The Gentlemen is a ransomware-as-a-service operation: a core team builds and maintains the encryptor, leak site, and negotiation infrastructure, then rents that toolkit to outside “affiliates” who carry out intrusions and split the ransom. The brand surfaced in mid-2025 and, within roughly five months, had clawed into the top tier of the ecosystem. Kaspersky’s Securelist team — researchers Fatih Şensoy and Maher Yamout — documented the group’s variants and tooling, placing it among the ten most prolific RaaS actors of the first half of 2026.

Check Point Research, whose tally is cited in Krebs on Security’s attribution report, ranks The Gentlemen as the second most active ransomware gang of 2026 by victim count, with 332-plus total claims and more than 240 of them logged in 2026 alone. Independent threat-intel firm Halcyon, in its threat assessment of The Gentlemen ransomware, counted nearly 300 organizations across 66 countries and 20 industry verticals — second-highest volume in the January–March window, trailing only Qilin and sitting ahead of Cl0p, RansomHub, and LockBit.

What separates The Gentlemen from the dozens of forgettable RaaS launches each year is not novel malware — it is a business model. The group bought its way to scale, and the receipts are now public.

The 90% Affiliate Cut That Rewired RaaS Economics

For most of the modern ransomware era, the standard arrangement gave affiliates 70% to 80% of a paid ransom, with the operator keeping the rest to cover infrastructure, malware development, and negotiation support. The Gentlemen broke that convention with a 90/10 split — 90% to the affiliate, 10% to the core team. Per multiple analyses, only RansomHub had previously matched that generosity. Every source that examined the operation — from Krebs to Kaspersky to Halcyon to Hackread’s reporting on the leak — flags the 90% cut as the single biggest growth driver.

The logic is brutal and simple. Skilled intrusion operators are mobile; they follow money. A 10-percentage-point bump on a seven-figure ransom is life-changing, so experienced affiliates migrate from incumbent programs and bring their access, tooling, and target lists with them. Halcyon’s assessment notes that most infections observed in 2026 were carried out by affiliates rather than the core team — the clearest possible sign that the recruitment strategy worked. The Gentlemen did not need a better encryptor; it needed a better paycheck.

That wedge is already rippling through the market. When a new entrant dangles 90%, incumbents face a choice: match it and compress their own margins, or watch their best operators leave. It is the criminal-economy version of a labor bidding war, and The Gentlemen lit the fuse.

By the Numbers: 483 Victims Across 66 Countries

The headline figures tell a story of compounding velocity. The table below consolidates the most-cited metrics for The Gentlemen ransomware, each attributed to its source and snapshot date, because leak-site claims are self-reported and shift weekly.

Metric                         | Figure                           | Source / snapshot
First observed                 | Mid-2025                         | Securelist, Halcyon, Krebs
Affiliate revenue split        | 90% / 10% (vs. 80/20 standard)   | Krebs, Securelist, Halcyon
Victims claimed, Q4 2025       | 40                               | Forum-tracking (GBHackers)
Victims claimed, Q1 2026       | 166 (+315% QoQ)                  | Forum-tracking (GBHackers)
Attacks, January 2026          | 48                               | Halcyon
Attacks, February 2026         | 91                               | Halcyon
Total claims by mid-June 2026  | 483 victims / 66 countries       | Leak-site tracking
2026 ranking by victim count   | #2 most active                   | Check Point (via Krebs)
True scale (leaked C2 data)    | 1,570+ victims                   | Check Point Research

The Gentlemen ransomware: key metrics, 2025–2026. Leak-site counts are the group’s own claims and may exceed confirmed encryptions.

Two numbers deserve emphasis. First, the quarter-over-quarter jump from 40 victims in Q4 2025 to 166 in Q1 2026 — a 315% increase — is the kind of curve that pulls affiliates in on momentum alone. Second, when Check Point Research gained access to leaked backend infrastructure, it found more than 1,570 likely corporate victims, well above the public leak-site tally. In other words, the visible 483 understates the operation’s real reach.

Scaling Faster Than LockBit: The Growth Trajectory

Speed is the part that alarms analysts most. Halcyon’s assessment frames it bluntly: The Gentlemen reached in roughly five months a scale that took Akira twelve months and Qilin eighteen months to achieve, with a trajectory comparable to the early rise of LockBit 3.0 — long the benchmark for how fast a RaaS brand can grow. Monthly attack volume nearly doubled from 48 in January to 91 in February 2026, and the group cleared 200 victim claims across the first quarter.

Group          | Time to ~300 victims / scale milestone | Affiliate cut        | Note
The Gentlemen  | ~5 months                              | 90%                  | Mid-2025 launch; #2 active in 2026
Akira          | ~12 months                             | ~70–80% (typical)    | Halcyon comparison baseline
Qilin          | ~18 months                             | ~80–85% (reported)   | Q1 2026 volume leader
LockBit 3.0    | Comparable early curve                 | ~80% (historical)    | Long-standing scaling benchmark
RansomHub      | Rapid (2024–25)                        | Up to 90%            | Only prior program to match 90/10

How The Gentlemen’s scaling and affiliate economics compare to other RaaS brands. Cuts for rivals are reported ranges, not fixed figures.

Context tightens the picture: of the 483 victims The Gentlemen (launched September 2025) had claimed by June 2026, 380 were posted in 2026 alone, which means the group reached 483 victims across 66 countries in under a year. The Gentlemen did not expand the pie; it ate someone else’s slice — and it did so during a year when overall ransomware volume is climbing, not flat.

When the Ransomware Gang Got Hacked: The May 2026 Backend Leak

In a twist that handed defenders a rare window, the gang itself was compromised. In May 2026, Check Point Research documented an internal breach that exposed The Gentlemen’s backend infrastructure: affiliate activity records, operational tools, victim-management systems, internal chat logs, and backend databases. It was the criminal equivalent of a competitor obtaining your CRM, your Slack, and your accounting ledger all at once.

The leaked chats read like an intrusion playbook. Affiliates discussed attack methods, credential abuse, EDR-killer tools, and access to enterprise systems, including conversations about Fortinet appliances, Cisco-related access, and NTLM relay techniques. The backend confirmed the headline economics — the 90% affiliate share, described by researchers as an unusually generous split — and revealed the 1,570-plus victim records that dwarf the public leak site. The breach also tied the operation to SystemBC, a long-running malware used for persistence and remote access.

Tellingly, exposure did not slow the brand. Within days, on May 16, 2026, The Gentlemen became an official BreachForums partner, displaying the forum’s banner on its dark-web site — a defiant signal that, in the RaaS economy, reputation and recruitment matter more than operational secrecy. The dynamic echoes the brazen, parallel-extortion posture seen in the ShinyHunters Oracle breach wave that defined the first half of 2026.

Inside the Attack Chain: BYOVD, EDR Killers, and Hybrid Encryption

Technically, The Gentlemen is competent rather than exotic — which is precisely what makes it dangerous at scale. Per Securelist, the group runs multiple encryptor variants: a Go-based locker that emerged in mid-2025 and is the most widely deployed, a Windows-only C-based variant still in development, and a cross-platform ESXi/Linux locker. The malware encrypts Windows, Linux, NAS, and ESXi environments, letting affiliates hit everything from file servers to virtualization hosts in a single intrusion.

Initial Access and Lateral Movement

Entry typically comes through internet-facing infrastructure — VPNs, firewalls, and remote-access gateways — plus stolen or weak credentials and, in some cases, purchased access from initial-access brokers. Once inside, affiliates use reconnaissance tools such as SharpADWS, NetScan, and Advanced IP Scanner, then move laterally via NETLOGON share distribution, a deploy_gpo.ps1 script, and PsExec. Krebs reports the crews can achieve network-wide encryption within hours of gaining a foothold.

Disabling Defenses

To blind endpoint protection, operators lean on the bring-your-own-vulnerable-driver (BYOVD) technique, loading signed-but-flawed kernel drivers to terminate security processes — one reported toolkit disables hundreds of endpoint-detection processes outright. The Go variant pairs Curve25519 key exchange with XChaCha20 encryption; the C variant uses AES-256-GCM with RSA. The defensive takeaway is that signature-based antivirus alone will not stop this chain. The indicators below, drawn from Securelist’s analysis, are a starting point for detection engineering.

# The Gentlemen — selected behavioral indicators (source: Kaspersky GReAT / Securelist)
# Hunt for these patterns; do not treat as a complete IOC set.

BYOVD drivers (loaded to kill EDR):
  ProcessMonitorDriver.sys, wamsdk.sys, gamedriverx64.sys,
  biontdrv.sys, inpoutx64.sys, wsftprm.sys, Havoc.sys

Defender-tampering registry key:
  HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
    "DisableAntiSpyware" = dword:00000001

Recon / lateral-movement tooling:
  SharpADWS  |  NetScan  |  Advanced IP Scanner  |  PsExec
  deploy_gpo.ps1 (GPO-based payload distribution via NETLOGON)

Persistence / C2:
  SystemBC proxy malware

Who Runs The Gentlemen? The Krebs Attribution

The May leak did more than embarrass the gang — it cracked open its anonymity. Drawing on the exposed infrastructure and corroborating data from Check Point Software, Intel 471, PRODAFT, Constella Intelligence, and Epieos, Krebs on Security identified the alleged primary operator as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia, who used online aliases including “Hastalamuerte” and “SantaMuerte.” Investigators correlated forum-registration patterns, a reused phone number, and email handles to link the persona to the brand.

Halcyon estimates a core team of roughly 20 members with prior experience in the ransomware ecosystem — not amateurs, but veterans who understood that affiliate economics, not malware sophistication, would determine who won market share. Attribution rarely ends an operation by itself, but naming an operator raises the personal stakes considerably: it opens the door to indictments, sanctions, and the kind of pressure that has historically pushed Russian-speaking crews to rebrand rather than retire.

Who Gets Hit: Sectors and Geography

The Gentlemen’s victimology is unusual in one respect that should worry compliance teams outside the United States. Where most ransomware ecosystems skew heavily toward US targets, Halcyon found only about 7% of The Gentlemen’s victims were US-based — an anomaly that suggests the affiliates are deliberately spreading risk across jurisdictions, or simply following exposed, vulnerable infrastructure wherever it sits.

Top targeted sectors   | Top targeted countries
IT services            | Thailand (≈27 victims)
Construction           | United States
Manufacturing          | France
Financial services     | Brazil
Healthcare (growing)   | China, Indonesia, Taiwan

The Gentlemen ransomware targeting profile, 2025–2026 (sources: Halcyon, Securelist).

Manufacturing, IT services, and construction dominate the victim list, with healthcare a fast-growing third — a sign the group does not observe the informal “no hospitals” limits that some operators claim. Geographically, Thailand leads with roughly 27 victims, followed by the US, France, and Brazil, with additional clusters in China, Indonesia, and Taiwan. For multinationals, the lesson is that perimeter exposure anywhere is exposure everywhere.

Market Impact: What a 90/10 Split Does to the Ransomware Economy

The Gentlemen’s real legacy may be economic rather than technical. By proving that a 90% affiliate cut can buy top-three market share in under six months, the group has handed every aspiring RaaS operator a template — and pressured incumbents to respond. Forum tracking already shows the pressure: when a rival launched in May 2026, it advertised an 80–85% sliding-scale cut that grew more affiliate-friendly after the first job, an explicit attempt to compete on “aggressive affiliate economics.”

That dynamic has three consequences for defenders. First, more generous splits draw more skilled operators into ransomware overall, raising the baseline quality of intrusions. Second, thinner operator margins push core teams toward higher victim volume to stay profitable — meaning more attacks, not fewer. Third, it accelerates affiliate churn between brands, which fragments attribution and complicates law-enforcement targeting. The arms race is no longer just about exploits; it is about payroll.

The Bigger Picture: Ransomware Across 2026

The Gentlemen did not emerge in a vacuum. Check Point Research reported that ransomware attacks surged 48% in May 2026 even as overall cyberattack volume eased, with education and other under-resourced sectors bearing the brunt. The structural picture is corroborated by Verizon’s 2026 Data Breach Investigations Report, whose headline findings include system intrusions rising to roughly 61% of breaches, ransomware now featuring in about 48% of breaches, a majority of victims (around 69%) declining to pay, and a sharp rise in incidents involving third parties.

Those two data points — surging volume and falling payment rates — explain the affiliate-economics gold rush. If a smaller share of victims pay, operators need either bigger ransoms or far more victims to hit the same revenue. The Gentlemen chose volume, and the 90% cut is how it recruited the labor to generate it. The model is a rational, if grim, response to a market where defenders are slowly winning the “should we pay?” argument.

Industry Data and Expert Analysis

Because The Gentlemen is a live, evolving operation, the most reliable read comes from primary threat-intelligence reporting rather than secondhand summaries. The following sources anchor the figures in this analysis:

Where individual figures differ between sources — for example, “nearly 300” versus “332-plus” versus “483” victims — the gap reflects different snapshot dates and counting methods (confirmed encryptions versus leak-site listings), not contradiction. The trajectory is consistent across all of them: up and to the right.

What Comes Next: 5 Predictions for The Gentlemen and RaaS

Forecasting cybercrime is inexact, but the incentives point in clear directions. Five predictions for the second half of 2026:

  1. An affiliate “wage war” intensifies. Expect more programs to advertise 85–90% splits and sign-on perks, compressing operator margins and pushing core teams toward higher attack volume to compensate.
  2. Law-enforcement pressure escalates. With an alleged operator now named, indictments, sanctions, or infrastructure takedowns become plausible — and, as with LockBit, may trigger a rebrand rather than a shutdown.
  3. The leak fuels detection wins. The exposed tooling, drivers, and TTPs will feed EDR signatures and threat-hunting rules, raising the cost of using the current Gentlemen toolkit.
  4. Targeting tilts further from the US. The 7%-US-victim pattern likely persists or deepens as affiliates route around the jurisdiction with the most aggressive FBI and Treasury response.
  5. BYOVD becomes a board-level issue. Repeated EDR-killer abuse accelerates adoption of Microsoft’s vulnerable-driver blocklist, kernel-level tamper protection, and driver allow-listing across enterprises.

How to Defend Against The Gentlemen Ransomware

Because The Gentlemen leans on exposed infrastructure and BYOVD rather than zero-days, the defensive playbook is well understood — the challenge is execution. Priorities, mapped to the group’s documented attack chain:

  • Close the front door. Patch and harden internet-facing VPNs, firewalls, and remote-access gateways; enforce phishing-resistant MFA everywhere; retire orphaned accounts and exposed RDP.
  • Block vulnerable drivers. Deploy Microsoft’s vulnerable-driver blocklist and enable EDR tamper protection so BYOVD attempts fail. A well-tuned SIEM such as the one in our free Wazuh SIEM tutorial can surface driver-load and Defender-tampering events.
  • Throttle brute force and credential abuse. Rate-limit and lock down exposed services; our Fail2ban setup guide covers SSH and service hardening.
  • Detect lateral movement. Alert on PsExec, anomalous GPO changes, NETLOGON script drops, and SystemBC beaconing — the chokepoints between foothold and full encryption.
  • Assume encryption will be attempted. Keep immutable, offline backups; segment networks; and rehearse recovery so paying is never the only option. Layered endpoint defense — see our Bitdefender vs Norton vs McAfee comparison — remains a baseline.

Frequently Asked Questions

What is The Gentlemen ransomware?

The Gentlemen is a ransomware-as-a-service (RaaS) operation first observed in mid-2025. A core team supplies the encryptor and infrastructure while outside affiliates conduct intrusions, splitting the ransom. By 2026 it ranked among the most active ransomware brands worldwide.

Why is the 90% affiliate cut significant?

Most RaaS programs pay affiliates 70–80% of a ransom. The Gentlemen offers 90% — tying RansomHub for the highest rate on record. That premium draws experienced operators away from rival programs, which is the primary reason the group scaled so quickly.

How many victims has The Gentlemen claimed?

Counts vary by source and date: Halcyon logged nearly 300 organizations, Krebs cited 332-plus claims, and leak-site tracking showed 483 victims across 66 countries by mid-June 2026. Check Point’s access to leaked backend data revealed more than 1,570 likely victims.

Who is behind The Gentlemen ransomware?

Krebs on Security, using leaked data and corroboration from Check Point, Intel 471, PRODAFT, Constella, and Epieos, identified the alleged operator as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia, who used aliases including “Hastalamuerte.” Halcyon estimates a core team of roughly 20.

What systems does The Gentlemen ransomware target?

The group encrypts Windows, Linux, NAS, and ESXi environments using multiple variants — a widely deployed Go-based locker (Curve25519 + XChaCha20) and a developing C-based Windows variant (AES-256-GCM + RSA). It uses BYOVD techniques to disable endpoint protection.

How did The Gentlemen ransomware get hacked?

In May 2026, Check Point Research documented an internal breach that exposed the group’s backend databases, affiliate chats, and victim-management systems. The leak confirmed the 90% revenue share and revealed far more victims than the public leak site showed. The group nonetheless became a BreachForums partner days later.

Which industries and countries does it hit most?

IT services, construction, manufacturing, financial services, and healthcare top the sector list. Thailand leads by victim count, followed by the US, France, and Brazil. Notably, only about 7% of victims are US-based — unusual for a major ransomware operation.


Analysis and figures current as of June 30, 2026. Victim counts for active ransomware operations are self-reported on leak sites and change frequently; figures are attributed to their sources and snapshot dates throughout.

Marcus Chen

Senior Tech Reporter

Marcus Chen is a Senior Tech Reporter at Tech Insider covering cloud computing, enterprise software, and the business of technology. Before joining TI, he spent five years at ZDNet covering digital transformation across European enterprises and three years at The Register reporting on cloud infrastructure. Marcus is known for his deep dives into cloud cost optimization and multi-cloud strategy. He holds a degree in Computer Science from Imperial College London and speaks regularly at KubeCon and CloudNative events.
