Who Runs the Ransomware Group ‘The Gentlemen?’
The Gentlemen is a ransomware-as-a-service (RaaS) group that has rapidly become the second most active ransomware gang by victim count since mid-2025. It uses an aggressive affiliate recruitment strategy offering a 90/10 revenue split to attract skilled hackers. The group targets internet-facing devices such as VPNs and firewalls to gain initial access and quickly encrypts entire networks. The administrator, known by the aliases Hastalamuerte and Zeta88, has been linked through cyber intelligence to a real individual in Russia. The group operates primarily from Russia and benefits from a permissive local environment that tolerates cybercriminal activity targeting foreign victims. The threat is ongoing and active but no specific software vulnerabilities or patches are identified.
AI Analysis
Technical Summary
The Gentlemen ransomware group operates as a ransomware-as-a-service platform, paying affiliates 90% of ransom proceeds to attract skilled operators and grow quickly. Since mid-2025 it has claimed over 330 victims. Affiliates gain initial access by exploiting internet-facing devices such as VPNs and firewalls, then move to encrypt the network as fast as possible. Cyber intelligence links the group's administrator, known as Hastalamuerte or Zeta88, to a Russian individual from Izhevsk, with multiple forum registrations and online identities tied to this person. A breach of the group's backend infrastructure confirmed the administrator's role in assembling the ransomware builds and managing payments. The group benefits from a local environment in which Russian authorities generally tolerate cybercriminals who avoid attacking domestic targets. No specific software vulnerabilities or patches are described in the available information.
Potential Impact
The Gentlemen ransomware group has victimized at least 332 organizations since mid-2025, encrypting entire networks and demanding ransom payments. The aggressive affiliate revenue model has accelerated the group's growth and operational scale. The attacks disrupt business operations and lead to financial losses from downtime, ransom payments, and recovery costs. Because no specific vulnerability or exploit details are provided, the impact assessment here is limited to the operational consequences of a successful intrusion rather than any particular product weakness.
Mitigation Recommendations
No patch applies to this threat itself: The Gentlemen is an operator, not a vulnerability, and the reporting names no specific CVE or product. Because affiliates gain initial access through internet-facing VPN and firewall appliances, organizations should concentrate on that edge: enforce multi-factor authentication on every remote-access login, keep edge appliances on current firmware and remove their management interfaces from the internet, and segment the network so that a compromised edge device cannot reach file servers and domain controllers directly. Maintain offline, regularly tested backups, and monitor for the signature of rapid network-wide encryption (bursts of file writes and renames across many shares from a single host), since speed of encryption is the behaviour the reporting highlights. There is no vendor advisory specific to this group, so check vendor advisories and threat intelligence updates for current guidance on which edge products are being exploited.
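The "quickly encrypts entire networks" behaviour described above is something a defender can watch for on a file server. The following is an added example, not code from the original article or from any tool attributed to The Gentlemen: a small detector that reads file-audit events in an assumed `timestamp host=... action=... path=...` line format and flags a host that touches many files across many directories within a short window. The thresholds, the log format, and the sample events are all constructed assumptions; tune them to your own audit source.

```python
"""Burst-encryption detector over file audit events (added example).

Assumptions (not from the article): events arrive in timestamp order per
host, and each line looks like
    2026-06-10T14:00:00Z host=fs01 action=rename path=/srv/share/x.docx.locked
Thresholds are illustrative defaults, not published indicators.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed audit-line format; adjust the pattern for your own log source.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+action=(?P<action>\S+)\s+path=(?P<path>\S+)$"
)
INTERESTING_ACTIONS = {"rename", "write"}


def parse_event(line):
    """Return (timestamp, host, action, path) or None for an unparseable line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["action"], m["path"]


def detect_bursts(lines, window_seconds=60, min_files=100, min_dirs=5):
    """Flag hosts whose write/rename activity in any sliding window exceeds
    min_files events spread over at least min_dirs distinct directories.

    Returns {host: {"files": n, "dirs": n, "window_end": datetime}} with the
    peak window observed for each flagged host.
    """
    windows = {}  # host -> deque of (timestamp, directory)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, action, path = ev
        if action not in INTERESTING_ACTIONS:
            continue
        q = windows.setdefault(host, deque())
        q.append((ts, path.rsplit("/", 1)[0]))
        # Drop events that fell out of the sliding window.
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= min_files and len(dirs) >= min_dirs:
            current = alerts.get(host)
            if current is None or len(q) > current["files"]:
                alerts[host] = {"files": len(q), "dirs": len(dirs), "window_end": ts}
    return alerts


def build_sample_events():
    """Constructed sample input: one simulated encryption burst, one benign host."""
    base = datetime(2026, 6, 10, 14, 0, 0)
    lines = []
    # fs01: 120 renames across 8 directories in 30 seconds (simulated burst).
    dirs = [f"/srv/share/dept{i}" for i in range(8)]
    for n in range(120):
        ts = base + timedelta(seconds=n // 4)
        lines.append(
            f"{ts:%Y-%m-%dT%H:%M:%SZ} host=fs01 action=rename "
            f"path={dirs[n % 8]}/doc{n}.docx.locked"
        )
    # ws07: 20 writes to a single directory over 10 minutes (benign editing).
    for n in range(20):
        ts = base + timedelta(seconds=30 * n)
        lines.append(
            f"{ts:%Y-%m-%dT%H:%M:%SZ} host=ws07 action=write "
            f"path=/home/alice/notes/note{n}.txt"
        )
    return lines


if __name__ == "__main__":
    for host, info in detect_bursts(build_sample_events()).items():
        print(f"ALERT {host}: {info['files']} files in {info['dirs']} dirs "
              f"ending {info['window_end']:%H:%M:%S}")
```

The detector keys on breadth (many directories) as well as volume, which separates an encryptor walking a share tree from a backup job or a user saving work in one folder. In production, feed it from your file-server audit log rather than constructed lines, and treat an alert as a trigger to isolate the host, not as proof of attribution.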
Technical Details
- Article Source: https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/ (fetched 2026-06-10T14:22:36Z, 1,148 words)
- Threat ID: 6a29732cc9170919df296ec7
- Added to database: 6/10/2026, 2:22:36 PM
- Last enriched: 6/10/2026, 2:22:41 PM
- Last updated: 6/10/2026, 4:12:23 PM