The Gentlemen ransomware gang has risen to become the second most active ransomware operation by victim count, with 332 organisations compromised since the group emerged in mid‑2025, according to KrebsOnSecurity.
The gang’s affiliate programme offers participants a staggering 90% share of any ransom paid, a lure that has drawn in experienced hackers and accelerated its growth. Their primary intrusion vector consists of exposed internet‑facing devices such as VPN appliances and perimeter firewalls, which are abused to gain initial access before ransomware is deployed across the entire network within hours.
No CVEs have been publicly linked to the group’s tactics, highlighting their reliance on legitimate credentials and weak remote‑access configurations rather than software vulnerabilities. The operation is overseen by a figure known as Zeta88, also referred to as Hastalamuerte, who handles recruitment and day‑to‑day management of the affiliate network.
Investigative clues point to a possible real‑life identity tied to Alexander Yapaev from Izhevsk, reflecting a broader trend where Russian‑based cybercriminals often operate openly due to domestic authorities generally overlooking attacks that do not target local victims. The Gentlemen’s rapid ascent underscores how lucrative affiliate models can reshape the ransomware threat landscape.
Defenders should prioritise securing VPN and firewall interfaces by enforcing strict access controls, disabling unused services, and ensuring all remote‑access solutions are patched and monitored for anomalous login attempts. Multi‑factor authentication must be mandatory for any administrative portal, and network segmentation should limit lateral movement once an attacker gains a foothold.
Maintaining offline, immutable backups and testing restoration procedures regularly remains essential, while continuous threat‑hunting and employee phishing awareness training can reduce the likelihood of initial compromise. Organisations that adopt these measures will be better positioned to detect and halt the Gentlemen’s encryption attempts before they cause widespread damage.
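The recommendation above to monitor remote-access and administrative portals for anomalous login attempts can be turned into a concrete detection. The script below is an added example written for this article, not code from KrebsOnSecurity or from any vendor; the log line format, the constructed sample lines, the `ADMIN_NETWORKS` allow-list and the thresholds are all assumptions chosen for illustration. It flags three patterns that fit the credential-abuse pattern the article describes: a burst of failed logins from one source address, a successful login from a source that had just failed repeatedly, and an administrative-portal login from outside the expected management network.

```python
"""Flag anomalous VPN / firewall portal logins from authentication logs (example, assumptions noted)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, vendor-neutral log line format (an assumption for this example):
#   <ISO-8601 timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip> portal=<vpn|admin>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) portal=(?P<portal>\S+)$"
)

# Constructed sample log: a failure burst followed by a success from the same
# address, one admin login from the management network, one admin login from
# an unexpected external address, and a benign single typo by another user.
SAMPLE_LOG = """\
2025-11-03T02:10:01Z LOGIN_FAIL user=jsmith src=203.0.113.45 portal=vpn
2025-11-03T02:10:04Z LOGIN_FAIL user=jsmith src=203.0.113.45 portal=vpn
2025-11-03T02:10:07Z LOGIN_FAIL user=jsmith src=203.0.113.45 portal=vpn
2025-11-03T02:10:09Z LOGIN_FAIL user=jsmith src=203.0.113.45 portal=vpn
2025-11-03T02:10:12Z LOGIN_FAIL user=jsmith src=203.0.113.45 portal=vpn
2025-11-03T02:10:40Z LOGIN_OK user=jsmith src=203.0.113.45 portal=vpn
2025-11-03T08:15:22Z LOGIN_OK user=admin src=10.20.0.5 portal=admin
2025-11-03T23:41:09Z LOGIN_OK user=admin src=198.51.100.7 portal=admin
2025-11-03T09:00:00Z LOGIN_FAIL user=alee src=192.0.2.10 portal=vpn
2025-11-03T09:00:30Z LOGIN_OK user=alee src=192.0.2.10 portal=vpn
"""

# Networks from which administrative-portal logins are expected (assumed value).
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        yield ev


def detect_anomalies(events, fail_threshold=5, window=timedelta(minutes=5),
                     admin_networks=ADMIN_NETWORKS):
    """Return findings for failure bursts, success-after-failures, and
    admin-portal logins from outside the allowed management networks."""
    findings = []
    recent_fails = defaultdict(deque)  # src ip -> failure timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        dq = recent_fails[src]
        while dq and ts - dq[0] > window:   # drop failures older than the window
            dq.popleft()
        if ev["result"] == "LOGIN_FAIL":
            dq.append(ts)
            if len(dq) == fail_threshold:   # fire once when the threshold is crossed
                findings.append({"type": "auth_failure_burst", "src": src,
                                 "count": len(dq), "at": ts.isoformat()})
            continue
        # A success preceded by several recent failures from the same source is
        # the classic password-guessing-then-hit shape worth a human look.
        if len(dq) >= 3:
            findings.append({"type": "success_after_failures", "src": src,
                             "user": ev["user"], "prior_failures": len(dq),
                             "at": ts.isoformat()})
        if ev["portal"] == "admin":
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in admin_networks):
                findings.append({"type": "admin_login_unexpected_source", "src": src,
                                 "user": ev["user"], "at": ts.isoformat()})
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Events are sorted by timestamp before evaluation so out-of-order log delivery does not hide a burst, and the sliding window is kept per source address so a slow, distributed guessing campaign across many addresses would need an additional per-user view; that extension is left out here to keep the example focused.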