The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
Summary
hastalamuerte exposed the internal workings of The Gentlemen ransomware group, revealing a Qilin-related RaaS split that shows how affiliate-driven ecosystems can rapidly spawn new brands and expand extortion reach. The group’s structure and tactics point to a more professionalized ransomware market built around rented infrastructure and shared tooling. That instability matters because affiliate leaks can surface operational details, dispute dynamics, and defensive weak points across the criminal network.
Related Happenings
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Timeline
19.03.2026 18:00 2 articles · 2mo ago
The Gentlemen RaaS split exposed by hastalamuerte
Initial Disclosure
On March 19, 2026, Group-IB disclosed that a ransomware affiliate known as hastalamuerte revealed operational details about The Gentlemen ransomware group, including internal disputes, affiliate relationships, and the group’s RaaS structure. The research says The Gentlemen emerged from a dispute within an existing RaaS ecosystem with Qilin, targets Windows, Linux and ESXi environments, and relies on exposed FortiGate VPN devices, brute forcing or vulnerabilities, lateral movement, credential harvesting, backup disruption, PowerShell, Windows Management Instrumentation, BYOVD, and aggressive log deletion.
Sources
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00