The Gentlemen ransomware gang's affiliate-driven rise to most-active RaaS operator
Threat Actor Meta
Summary
Hide ▲
Show ▼
The Gentlemen ransomware gang became the most-active ransomware-as-a-service operator over a three-month period, overtaking Qilin with 300 incidents. Its rise is linked to aggressive affiliate recruitment and a pre-packaged intrusion kit that lowers operator skill requirements. The shift increases competitive pressure across the ransomware market and may pull affiliates away from rival crews.
Related Happenings
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor Meta
H score39
First: 03.07.2026 16:00
Last: 03.07.2026 16:00
Sources 1
About this happening:
Qilin is consolidating into a dominant RaaS position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
Qilin consolidates into dominant RaaS position as ransomware market reconcentrates
Threat Actor MetaAbout this happening: Qilin is consolidating into a dominant RaaS position as the ransomware ecosystem shifts back from fragmentation to concentration, increasing affiliate scale and victim vol...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor Meta
H score26
First: 18.06.2026 16:30
Last: 18.06.2026 16:30
Sources 1
About this happening:
Hackledorb has pivoted DragonForce from a conventional ransomware-as-a-service (RaaS) model into a formalized cartel structure, signaling a more organized and dura...
DragonForce / Hackledorb pivots from RaaS to a formalized cartel structure
Threat Actor MetaAbout this happening: Hackledorb has pivoted DragonForce from a conventional ransomware-as-a-service (RaaS) model into a formalized cartel structure, signaling a more organized and dura...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
About this happening:
The Gentlemen ransomware group has become a high-volume RaaS operation, using a 90/10 affiliate split to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaAbout this happening: The Gentlemen ransomware group has become a high-volume RaaS operation, using a 90/10 affiliate split to attract operators and expand its reach. The group now ranks as...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score25
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
How related:
The Gentlemen ransomware gang was responsible for the most attacks during the three-month period, accounting for 300 incidents.
About this happening:
hastalamuerte exposed the internal workings of The Gentlemen ransomware group, revealing a Qilin-related RaaS split that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaHow related: The Gentlemen ransomware gang was responsible for the most attacks during the three-month period, accounting for 300 incidents.
About this happening: hastalamuerte exposed the internal workings of The Gentlemen ransomware group, revealing a Qilin-related RaaS split that shows how affiliate-driven ecosystems can rapi...
Latest development: 17.07.2026 12:00
ReliaQuest reported that The Gentlemen ransomware gang became the most active ransomware group over a three-month period, with 300 incidents and 1,368 victim claims tracked across 11 ransomware groups. The analysis said The Gentlemen overtook Qilin, which had 289 incidents, and linked the rise to aggressive affiliate recruitment, a pre-packaged intrusion kit, and AI-accelerated development.
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
H score38
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
DragonForce has shifted into a cartel-style ransomware-as-a-service model, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: DragonForce has shifted into a cartel-style ransomware-as-a-service model, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
Timeline
-
16.07.2026 12:00 2 articles · 1d ago
The Gentlemen becomes the most-active ransomware group
Campaign Scope UpdateReliaQuest reported that The Gentlemen ransomware became the most-active group over a three-month period, with 300 incidents, overtaking Qilin at 289. The analysis tracked 1,368 victim claims from 11 ransomware groups across 99 countries and linked The Gentlemen’s rise to aggressive affiliate recruitment, a pre-packaged intrusion kit, and AI-accelerated development that shortens ramp-up for new operators.
Show sources
- The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat — www.infosecurity-magazine.com — 17.07.2026 12:00
- The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat — www.infosecurity-magazine.com — 17.07.2026 12:00