The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
Summary
Hide ▲
Show ▼
hastalamuerte exposed the internal workings of The Gentlemen ransomware group, revealing a Qilin-related RaaS split that shows how affiliate-driven ecosystems can rapidly spawn new brands and expand extortion reach. The group’s structure and tactics point to a more professionalized ransomware market built around rented infrastructure and shared tooling. That instability matters because affiliate leaks can surface operational details, dispute dynamics, and defensive weak points across the criminal network.
Related Happenings
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor Meta
H score39
First: 03.07.2026 16:00
Last: 03.07.2026 16:00
Sources 1
About this happening:
**Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor MetaAbout this happening: **Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor Meta
H score45
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
**INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor MetaAbout this happening: **INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
About this happening:
**The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
H score31
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect 2.0 ransomware wiper-flaw activity
Malware ActivityAbout this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
H score4
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical AnalysisAbout this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Timeline
-
19.03.2026 18:00 2 articles · 3mo ago
The Gentlemen RaaS split exposed by hastalamuerte
Initial DisclosureOn March 19, 2026, Group-IB disclosed that a ransomware affiliate known as hastalamuerte revealed operational details about The Gentlemen ransomware group, including internal disputes, affiliate relationships, and the group’s RaaS structure. The research says The Gentlemen emerged from a dispute within an existing RaaS ecosystem with Qilin, targets Windows, Linux and ESXi environments, and relies on exposed FortiGate VPN devices, brute forcing or vulnerabilities, lateral movement, credential harvesting, backup disruption, PowerShell, Windows Management Instrumentation, BYOVD, and aggressive log deletion.
Show sources
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00
- Ransomware Affiliate Exposes Details of 'The Gentlemen' Operation — www.infosecurity-magazine.com — 19.03.2026 18:00