You might think you know the biggest names in ransomware, but the most prolific group you haven’t heard of is rapidly compromising networks through VPNs and firewalls. The Gentlemen ransomware group has emerged as the second most active ransomware gang by victim count, claiming more than 240 victims in 2026 alone. This ransomware-as-a-service operation specializes in perimeter security breaches, targeting Internet-facing devices like VPNs and firewalls to gain initial access. Once inside, they move quickly to encrypt entire networks, making cyber extortion their primary business model. Understanding how this group operates is the first step toward protecting your own systems from becoming their next target.
The Gentlemen’s Rise: How a New RaaS Disrupted the Ransomware Landscape
Consider the pace at which The Gentlemen have expanded. From mid-2025 to 2026, this ransomware group accumulated over 330 victims (at least 332 published victims since its inception), making it the second most active ransomware gang. In 2026 alone, they accounted for more than 240 of those attacks. Such numbers highlight a swift ascent in the cybercrime world and underscore why this group demands your attention.

From Mid-2025 to 2026
The group’s rapid growth is fueled by its structure. The Gentlemen operates as a ransomware-as-a-service (RaaS) offering. This affiliate model allows the group to scale up quickly without needing a large internal team. Affiliates, or partners, use the ransomware code to launch attacks and then share the ransom payments with the core group. This setup turns a single operation into a distributed network, a common tactic among top cybercrime syndicates. Check Point Software has been covering exploits of The Gentlemen, noting how the RaaS model enables swift victim accumulation. For you, understanding this model is key: it means a small group can cause widespread damage by leveraging many attackers.
Second Most Active Gang
By victim count, The Gentlemen have risen to the second spot among ransomware groups. This threat actor escalation shows how quickly a new player can disrupt the landscape. As a result, your security focus should adapt to the most active threats. The Gentlemen’s rise is a clear signal that the ransomware threat is not static—new groups can emerge and dominate quickly. Staying informed about their methods, particularly their RaaS approach, is a practical step toward safer browsing and stronger defenses.
The Admin Behind the Mask: Zeta88 and the Backend Breach
Awareness of the RaaS business model helps you understand how these groups operate financially. But digging one layer deeper—into the people running the show—can give you an even better sense of how the threat evolves. A breach of the Gentlemen ransomware group’s backend infrastructure exposed the administrator’s role and nickname, pulling back the curtain on a key figure in the operation.

Who is Hastalamuerte/Zeta88?
The administrator of the Gentlemen ransomware group uses the nickname Zeta88 on Russian-language cybercrime forums. Before picking up that handle, the same person operated under the moniker Hastalamuerte. Name changes like this are not unusual among threat actors; they help shake off scrutiny or start fresh after a leak or public exposure. In this case, researchers tracking forum activity connected the dots, linking Hastalamuerte and Zeta88 to the same individual.
What the Backend Breach Exposed
The backend leak did more than reveal a username swap. It exposed the internal structure of the group in unexpected detail. According to the compromised data, Hastalamuerte—now known as Zeta88—is the one who assembles the locker and the RaaS panel, manages payment processing, and receives a flat 10 percent of all ransoms collected. That makes the administrator the central operator, not a distant figurehead. This kind of backend leak is rare, and it offers a direct look at a criminal enterprise that usually operates in the dark. For you as someone keeping an eye on ransomware trends, understanding who holds the reins—and how groups like this are structured—adds another practical piece to your overall awareness.
Targeting the Perimeter: Why VPNs and Firewalls Are Prime Entry Points
Knowing how the Gentlemen ransomware group operates helps you see where your own defenses might need reinforcement. This group doesn’t waste time trying to sneak through complex internal networks. Instead, they go straight for the front door—specifically, the internet-facing devices that connect your network to the outside world.
Their primary targets are VPNs and firewalls. These devices act as your network’s gatekeepers, but an exploitable vulnerability in a VPN or firewall turns it into an open invitation for attackers. The group scans for these weak spots, often finding unpatched software, default credentials, or misconfigured access controls. Once they get in, they don’t linger. They act fast.
The Speed of Compromise
What makes this approach especially dangerous is how quickly the group encrypts a network. Within hours of gaining initial access, they deploy their ransomware across your entire system. You might not notice anything unusual until your files suddenly become inaccessible, and by then, it’s too late. That rapid timeline is why perimeter defense matters more than ever. A single overlooked update or an exposed remote access port can be all they need.
Common Vulnerabilities Exploited
To protect yourself, focus on the devices that face the internet directly. Keep your VPN software and firewall firmware updated as soon as patches become available. Disable any unnecessary remote access features, and use strong, unique passwords or multi-factor authentication for every login. These steps won’t guarantee total safety, but they close the most common entry points the Gentlemen ransomware group relies on. Your perimeter is only as strong as its weakest link—so make sure that link isn’t left unguarded.
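The login hardening described above can also be checked from the detection side. The following Python sketch is an added example, not code from the original article or from any vendor: it scans a constructed VPN authentication log (the line format, account names and thresholds are assumptions) and flags a successful login that follows a burst of failures from the same source, or one that completes without MFA.

```python
from datetime import datetime, timedelta

# Constructed sample VPN gateway auth log (hypothetical format):
# timestamp user src_ip result mfa
SAMPLE_LOG = """\
2026-03-02T01:10:05 admin 203.0.113.7 FAIL -
2026-03-02T01:10:09 admin 203.0.113.7 FAIL -
2026-03-02T01:10:14 admin 203.0.113.7 FAIL -
2026-03-02T01:10:20 admin 203.0.113.7 OK none
2026-03-02T08:30:00 jsmith 198.51.100.20 FAIL -
2026-03-02T08:30:40 jsmith 198.51.100.20 OK totp
2026-03-02T09:15:00 svc_backup 192.0.2.44 OK none
"""

WINDOW = timedelta(minutes=10)  # look-back window for failures (assumed)
FAIL_THRESHOLD = 3              # failures before a success looks like guessing (assumed)

def parse(log):
    """Yield (timestamp, user, ip, result, mfa) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of failing the whole scan
        ts, user, ip, result, mfa = parts
        yield datetime.fromisoformat(ts), user, ip, result, mfa

def find_suspicious_logins(log):
    """Return alerts for successes after repeated failures or without MFA."""
    failures = {}  # (user, ip) -> timestamps of failed attempts
    alerts = []
    for ts, user, ip, result, mfa in parse(log):
        key = (user, ip)
        if result == "FAIL":
            failures.setdefault(key, []).append(ts)
            continue
        if result != "OK":
            continue
        recent = [t for t in failures.get(key, []) if ts - t <= WINDOW]
        reasons = []
        if len(recent) >= FAIL_THRESHOLD:
            reasons.append("success_after_%d_failures" % len(recent))
        if mfa == "none":
            reasons.append("no_mfa")
        if reasons:
            alerts.append((ts.isoformat(), user, ip, reasons))
        failures.pop(key, None)  # a success resets the failure history
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

Failures are counted per user and source address, so guessing spread across many accounts from one address needs a separate per-address count.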
The 90/10 Split: Disrupting the RaaS Market
That perimeter you just tightened is your first line of defense. But to understand why groups like the Gentlemen ransomware group are so aggressive, you need to look at the business model fueling them. The group has flipped the standard cybercrime marketplace on its head with a simple financial incentive: they promise affiliates 90 percent of any ransom paid by victims.

To put that in perspective, the industry-standard affiliate revenue split is 80/20, while the group offers 90/10. That extra 10 percent might not sound like much, but in a world where a single ransom payment can reach six or seven figures, it represents a massive difference in take-home pay for the people actually deploying the malware.
How the Split Attracts Affiliates
This aggressive affiliate program is a deliberate strategy. By offering a better deal than almost any competitor, the Gentlemen ransomware group makes itself the obvious choice for cybercriminals looking to maximize their return on effort. For an affiliate, choosing a group with a 90/10 split over an 80/20 split is a no-brainer—it’s like getting a 12.5 percent raise on every successful job. This flood of new affiliates means more attacks, faster, and with a wider variety of targets.
Impact on RaaS Competition
The ripple effect on the broader RaaS competition is significant. Other groups are now under pressure to match or beat this offer, which squeezes their own profit margins. This kind of price war in the cybercrime marketplace forces everyone to either innovate their attack methods or offer even more lucrative terms to keep their affiliates loyal. For you, the end user, this means the threat landscape is becoming more crowded and more competitive—and that rarely leads to safer browsing conditions. Understanding this economic pressure helps explain why these attacks aren’t slowing down.
Recruiting on Russian Forums: The Affiliate Network
That economic pressure is precisely why the Gentlemen ransomware group has turned to a tried-and-true model: the affiliate network. The group’s administrator, using the nickname Zeta88, is active on multiple Russian-language cybercrime forums. These platforms function as a central hub for dark web recruitment, where threat actors vet potential partners and build their operations.
From Hastalamuerte to Zeta88
Before Zeta88 entered the scene, this same individual was known by the moniker Hastalamuerte. That earlier handle suggests a long-standing presence on these forums, which lends credibility during affiliate vetting. For the Gentlemen ransomware group, not just anyone can join. Prospective affiliates must demonstrate their technical skills and a level of trustworthiness among Russian-language threat actors. This process helps ensure that the group’s tools and operations remain secure from rivals and law enforcement.
Building the RaaS Network
The recruiting process on these cybercrime forums is surprisingly structured. Administrators like Zeta88 post clear listings that outline profit splits, technical requirements, and operational rules. Interested parties then communicate through private messages to prove their capability. This approach allows the Gentlemen ransomware group to scale its attacks without building a large internal team. By outsourcing the infection and encryption work to affiliates, the group can focus on refining its ransomware and managing the broader affiliate network.
For you, this means the threat is not just from a single group but from a network of recruited partners using the same tools. The affiliate model lowers the barrier to entry for less experienced criminals, increasing the number of potential attackers you face. Understanding this dark web recruitment pipeline helps you recognize why browsing safely requires constant vigilance—especially as groups like this continue to expand their reach through these forums.
Frequently Asked Questions
How did the Gentlemen ransomware group grow so quickly to become a major threat?
The group expanded rapidly by aggressively recruiting affiliates on Russian-language cybercrime forums. They offered a highly competitive 90/10 affiliate split, which lured experienced attackers away from rival ransomware-as-a-service operations. This strategy allowed the Gentlemen ransomware group to scale its attacks in a short time.
How does the Gentlemen ransomware group’s affiliate model differ from other ransomware-as-a-service operations?
Most ransomware groups offer affiliates a 70/30 or 80/20 split in favor of the affiliate, but the Gentlemen ransomware group pushed that to 90/10. This disrupts the market by giving affiliates an unusually large share, making the group more attractive to top-tier attackers. The model also reduces the group’s own cut, which suggests they prioritize volume and rapid growth over immediate profit per attack.
What did the backend breach reveal about the Gentlemen ransomware group’s operations?
The breach exposed the group’s internal dashboard, affiliate communications, and the administrator’s operational habits. This gave security researchers a rare look into how the Gentlemen ransomware group manages its affiliates, tracks payments, and handles disputes. It also revealed the administrator’s preference for using specific nicknames and forums, though their real identity remains unconfirmed.






