Find notable cyber news and cases, enriched with sources, timelines, and signals.

The Gentlemen RaaS split exposed by hastalamuerte

Threat Actor Meta
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

hastalamuerte exposed the internal workings of The Gentlemen ransomware group, revealing a Qilin-related RaaS split that shows how affiliate-driven ecosystems can rapidly spawn new brands and expand extortion reach. The group’s structure and tactics point to a more professionalized ransomware market built around rented infrastructure and shared tooling. That instability matters because affiliate leaks can surface operational details, dispute dynamics, and defensive weak points across the criminal network.

Related Happenings

Qilin consolidates into dominant RaaS position as ransomware market reconcentrates

Threat Actor Meta
H score39 First: 03.07.2026 16:00 Last: 03.07.2026 16:00 Sources 1

About this happening: **Qilin** is consolidating into a dominant **RaaS** position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...

INC ransomware group’s RaaS expansion and victim growth in 2026

Threat Actor Meta
H score45 First: 18.06.2026 17:12 Last: 18.06.2026 17:12 Sources 1

About this happening: **INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...

The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth

Threat Actor Meta
H score26 First: 10.06.2026 17:03 Last: 10.06.2026 17:03 Sources 1

About this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...

Vect 2.0 ransomware wiper-flaw activity

Malware Activity
H score31 First: 29.04.2026 18:23 Last: 29.04.2026 18:23 Sources 1

About this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
H score4 First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

Timeline

  1. 19.03.2026 18:00 2 articles · 3mo ago

    The Gentlemen RaaS split exposed by hastalamuerte

    Initial Disclosure

    On March 19, 2026, Group-IB disclosed that a ransomware affiliate known as hastalamuerte revealed operational details about The Gentlemen ransomware group, including internal disputes, affiliate relationships, and the group’s RaaS structure. The research says The Gentlemen emerged from a dispute within an existing RaaS ecosystem with Qilin, targets Windows, Linux and ESXi environments, and relies on exposed FortiGate VPN devices, brute forcing or vulnerabilities, lateral movement, credential harvesting, backup disruption, PowerShell, Windows Management Instrumentation, BYOVD, and aggressive log deletion.

    Show sources