The Gentlemen Ransomware Group: Who Runs the #2 Active Gang


Krebs on Security has published an investigation into the administrator behind The Gentlemen ransomware group, which has climbed to second most active ransomware gang by victim count. The group recruits affiliates at a 90 percent revenue share, well above the 70-80 percent that most ransomware-as-a-service (RaaS) operations pay their affiliates. That above-market rate has drawn experienced operators away from competing groups, and the pace of those defections is increasing.

What makes The Gentlemen ransomware group operationally significant

Check Point Software researchers have tracked The Gentlemen ransomware group closely. The 90 percent affiliate payout is a deliberate growth strategy: the core team keeps less of each ransom, but the rate pulls the most capable operators away from competing groups. The result is a technically sophisticated affiliate pool and a victim count that has risen faster than most new RaaS entrants manage.

Krebs’s investigation examines evidence pointing to a real-world identity for the group’s administrator. Named attribution matters operationally: once law enforcement has an identity, extradition and asset-seizure tools become available, the same investigative pattern that preceded the LockBit and ALPHV/BlackCat takedowns. Attribution is the beginning of a law-enforcement sequence, not the end, and it does not by itself disrupt the affiliates who actually carry out intrusions.

Why The Gentlemen’s affiliate pool raises the risk ceiling

For enterprise threat-intelligence and incident-response teams, the 90 percent payout is the signal that matters. Because it pulls top-tier operators away from competing groups, The Gentlemen’s affiliate pool skews more capable than average, and victims should expect more aggressive double-extortion (encryption plus threatened publication of stolen data) and faster exfiltration than lower-tier groups produce.

How to adjust defenses for The Gentlemen’s high-payout affiliate model

Prioritize the detection and incident-response changes now; treat attribution as a slower signal that may shorten the group’s lifespan over time but will not stop the next intrusion.

Refresh threat-actor profiles and detection signatures for The Gentlemen’s TTPs. Check Point’s research is the current primary source for indicators, so update profiles now rather than reconstructing them mid-incident. One caveat for any RaaS group: the encryptor and leak site are shared, but initial access, lateral movement and exfiltration tooling vary by affiliate, so profiles should track affiliate behavior as well as the payload.

Re-baseline incident-response plans for a higher-capability affiliate pool. A 90 percent payout buys experienced operators, so assume shorter dwell time before exfiltration, larger data theft before encryption, and more aggressive double-extortion than lower-tier groups produce, and test that playbooks hold up against that timeline.

Track the attribution-to-takedown sequence. Krebs’s identification of the administrator follows the pattern that preceded the LockBit and ALPHV/BlackCat takedowns, so a named operator can change the group’s lifespan and belongs in longer-term risk planning. Note that affiliates frequently migrate to other RaaS brands after a takedown, so the capability they represent does not disappear with the group.

The Gentlemen climbed to the second most active gang by paying affiliates more per incident; teams that adjust for that affiliate quality now will not be the ones modeling it after a breach.
