The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Gentlemen ransomware group has become a high-volume RaaS operation, using a 90/10 affiliate split to attract operators and expand its reach. The group now ranks as the second most active ransomware gang by victim count, with 332 published victims since mid-2025 and more than 240 in 2026. Its operators focus on Internet-facing VPNs and firewalls and can encrypt whole networks within hours. Identity work also links the administrator to the Zeta88/Hastalamuerte handles, reinforcing the picture of a centralized ransomware business built for scale.
Related Happenings
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
H score15
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score15
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
H score35
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
**DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor Meta
H score16
First: 03.02.2026 16:00
Last: 03.02.2026 16:00
Sources 1
About this happening:
**Vect** has moved into **affiliate recruitment**, marking an early-stage **ransomware-as-a-service** buildout that could expand its reach and victim volume. The group has already...
Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor MetaAbout this happening: **Vect** has moved into **affiliate recruitment**, marking an early-stage **ransomware-as-a-service** buildout that could expand its reach and victim volume. The group has already...
Gentlemen ransomware operation using compromised credentials and exposed services
Malware Activity
H score44
First: 29.12.2025 16:26
Last: 29.12.2025 16:26
Sources 1
How related:
Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.
About this happening:
**Gentlemen ransomware** is actively extorting victims by using **compromised credentials** and **Internet-exposed services** to enter networks. It encrypts files, drops **README-...
Gentlemen ransomware operation using compromised credentials and exposed services
Malware ActivityHow related: Experts at the security firm Check Point Software have been closely covering exploits of The Gentlemen, a so-called “ransomware-as-a-service” (RaaS) offering that pays affiliates handsomely to help spread the group’s malware.
About this happening: **Gentlemen ransomware** is actively extorting victims by using **compromised credentials** and **Internet-exposed services** to enter networks. It encrypts files, drops **README-...
Timeline
-
10.06.2026 17:03 2 articles · 1h ago
The Gentlemen ransomware group scales with a 90/10 affiliate split
Campaign Scope UpdateThe Gentlemen ransomware group has become the second most active ransomware gang by victim count, with at least 332 published victims since its mid-2025 inception and more than 240 in 2026 alone. Check Point says the group uses a 90/10 RaaS affiliate split, targets Internet-facing VPNs and firewalls, can encrypt entire networks within hours, and that backend access tied the administrator to the Zeta88 and Hastalamuerte handles.
Show sources
- Who Runs the Ransomware Group ‘The Gentlemen?’ — krebsonsecurity.com — 10.06.2026 17:03
- Who Runs the Ransomware Group ‘The Gentlemen?’ — krebsonsecurity.com — 10.06.2026 17:03