Who Runs the Ransomware Group 'The Gentlemen'?
The Gentlemen ransomware gang has rapidly ascended to become the second most active cybercriminal enterprise by victim count, claiming at least 332 confirmed targets since its establishment in mid-2025, with more than 240 victims recorded throughout 2026 alone. The group's administrator, operating under the nicknames Hastalamuerte and Zeta88, has constructed one of the most aggressive and lucrative ransomware-as-a-service platforms in the contemporary threat landscape, fundamentally reshaping how criminal enterprises recruit and compensate their operational partners. Check Point Software researchers identified this individual as the architect of The Gentlemen's entire infrastructure, responsible for assembling the encryption locker, managing the RaaS payment panel, overseeing affiliate payments, and retaining a ten percent commission on every ransom successfully extracted from victims. Intelligence firms have traced digital breadcrumbs connecting these pseudonymous identities to registrations across multiple cybercrime forums originating from the Russian city of Izhevsk, establishing a geographical anchor for this otherwise shadowy operation and demonstrating the operational security gaps that increasingly characterize even sophisticated criminal enterprises.
The emergence of The Gentlemen reflects a critical inflection point in ransomware economics and criminal specialization that demands immediate attention from enterprise security leaders and policy makers. The ransomware landscape has matured substantially over the past five years, evolving from opportunistic malware distribution into highly organized criminal enterprises mimicking legitimate technology companies complete with customer service, marketing strategies, and standardized revenue sharing models. Previous iterations of ransomware campaigns operated under more opaque and unstable arrangements, with victims and researchers struggling to identify consistent patterns or responsible parties. The establishment of the RaaS model transformed this equation, allowing cybercriminals to function as platform operators who provide infrastructure while contracting specialized attackers to handle reconnaissance, infiltration, and negotiation tasks. The Gentlemen's decision to offer a ninety-ten affiliate split rather than the industry-standard eighty-twenty arrangement signals a deliberate competitive strategy designed to poach experienced operators from established programs, a tactic that mirrors legitimate technology sector recruitment practices and suggests the criminal enterprise has developed genuine institutional awareness of labor market economics.
The operational and identifying details uncovered by security researchers reveal both The Gentlemen's scope and critical gaps in its operational security. Check Point identified that The Gentlemen initially targets internet-facing infrastructure, including virtual private networks and firewalls, as its primary entry vectors, then rapidly deploys encryption across entire networks within hours of gaining internal access. The backend infrastructure breach that exposed the administrator's activities gave researchers definitive proof that Hastalamuerte functions as the sole authority managing the technical platform, payment processing, and affiliate compensation system, centralizing control in a single individual rather than distributing administrative responsibilities across a larger team. Intel 471's investigation established that Hastalamuerte registered accounts across approximately a dozen distinct cybercrime forums between 2019 and the present, spanning platforms including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled. Multiple forum registrations occurred from internet addresses located in Izhevsk, capital of Russia's Udmurt Republic, with the Breachforums registration dating to January 2025 and the Breached forum registration under the Zeta88 alias occurring in August 2022. Email forensics revealed that accounts across these platforms used [email protected], with the numeric suffix suggesting ideological associations with white supremacist movements, while open source intelligence queries connected this email address to an Apple account and an associated phone number.
For cybersecurity professionals and enterprise risk managers, The Gentlemen's explosive growth trajectory presents immediate practical implications requiring urgent operational response. The group's ninety-ten revenue model directly undermines the recruitment strategies and profitability claims of competing ransomware operations, creating genuine economic incentive for experienced attackers to defect from established programs and join The Gentlemen's affiliate network. This competitive dynamic means organizations cannot rely on the relative stability of existing threat actor groups but must instead anticipate accelerating recruitment of sophisticated operators into what researchers have identified as the second most active ransomware enterprise. The targeting methodology focusing on internet-facing devices represents a straightforward attack surface that organizations may have already hardened through standard defensive practices, yet The Gentlemen's demonstrated ability to encrypt entire networks within hours suggests the group possesses either automated deployment capabilities or exceptionally skilled technical teams capable of rapid lateral movement and network-wide encryption deployment. Enterprise security teams must recognize that competing against economically motivated criminal enterprises requires not merely technical defensive measures but sustained attention to threat actor recruitment patterns, affiliate retention strategies, and the economic incentives driving professional mobility within criminal labor markets.
The Gentlemen's rapid rise to become the second most prolific ransomware gang illuminates a broader pattern of industrialization, professionalization, and economic sophistication within organized cybercrime that extends well beyond any single threat actor group. The transition from individual opportunistic cybercriminals to organized enterprises with formal business structures, standardized pricing, affiliate networks, and customer service functions represents a fundamental maturation of the threat landscape that security practitioners underestimated for years. The fact that criminal enterprises now actively compete for talent through competitive compensation packages suggests that ransomware operations have achieved sufficient operational stability and revenue generation to function as genuine businesses rather than temporary criminal ventures. This professionalization creates both opportunities and challenges for defenders: organized enterprises typically require greater operational security to maintain business relationships and infrastructure, yet they also demonstrate the institutional resilience to survive law enforcement actions against individual operators or infrastructure components. The Gentlemen's administrator choosing to base operations in Izhevsk, a mid-sized Russian city outside Moscow's major cybercriminal hubs, suggests tactical thinking about law enforcement attention and operational concealment rather than random geographic selection.
Security organizations and policy makers must prioritize tracking several specific developments within The Gentlemen's operational footprint and the broader ransomware landscape through 2026 and beyond. Check Point Software's continued monitoring of The Gentlemen's victim claims through its dark web tracking capabilities provides the most reliable indicator of whether the group's growth trajectory continues accelerating or stabilizes as competing groups adapt to the affiliate compensation challenge. Organizations should monitor statements from the FBI's Cyber Division and international law enforcement task forces, including Europol's Joint Investigation Teams, regarding potential attribution efforts or investigative progress toward identifying Hastalamuerte's real-world identity, as previous cases involving extradition and prosecution may provide operational models. Intel 471 and similar cyber intelligence firms will likely continue pursuing connections between the [email protected] email address, the associated Apple account, and the GitHub account registered under SantaMuerte, potentially yielding additional identifying information. The degree to which other established ransomware programs respond to The Gentlemen's affiliate compensation advantage through their own recruitment and compensation adjustments will substantially shape the overall distribution of attack activity across threat actor groups. Enterprise defenders should anticipate that The Gentlemen's growth pattern may catalyze consolidation or closure of smaller competing ransomware operations, paradoxically concentrating attack activity under fewer, more administratively efficient groups.