
Inside The Gentlemen: Who Runs the Ransomware-as-a-Service Gang

The Gentlemen ransomware group has claimed 332 victims, using a 90/10 affiliate split. Discover who runs it, their recruitment tactics, and what it means for developers.

The Gentlemen have logged 332 published victims since mid‑2025, making them the second most active ransomware gang by victim count this year. That raw figure alone tells you why everyone’s watching the group’s rapid rise.

Key Takeaways

  • Check Point reports a 90/10 affiliate revenue split, far above the industry‑standard 80/20.
  • The group’s administrator uses the nicknames Zeta88 and Hastalamuerte, both tied to Izhevsk, Russia.
  • Intel 471 links the Hastalamuerte email to an Apple account and a GitHub profile named SantaMuerte.
  • Targeting focuses on internet‑facing devices like VPNs and firewalls, with encryption of whole networks in hours.
  • Affiliates earn 90% of ransom payments, fueling aggressive recruitment from competing RaaS programs.

Ransomware as a Service: The Gentlemen’s 90/10 Model Explained

Check Point’s researchers wrote that “a 90/10 affiliate revenue split — compared to the industry standard 80/20 — is accelerating the group’s growth by attracting experienced operators from competing programs,” and they’re not exaggerating. By handing 90% of any paid ransom to affiliates, the group gives seasoned operators a strong reason to move their business over from rival programs, which in turn inflates the victim count.

Historical Context: The Evolution of Ransomware‑as‑a‑Service

Ransomware‑as‑a‑Service didn’t appear overnight. Early operators realized that packaging malware for rent lowered the barrier to entry for less‑skilled actors. Over time, the business model settled around a revenue‑share arrangement, typically 80% to the affiliate and 20% to the platform operator. That split became the de facto baseline, shaping expectations across underground markets.

When a new group offers a more generous cut, the market reacts quickly. The Gentlemen’s 90/10 proposition is a direct challenge to the long‑standing norm. It forces other RaaS outfits to reassess their own economics, because affiliates naturally gravitate toward the highest guaranteed payout. The shift isn’t just about money; it reshapes the talent pool, the speed of attacks, and ultimately the number of victims each campaign can reach.

Because the affiliate share is so large, the platform can afford to invest in better infrastructure, faster encryption modules, and more polished affiliate portals. Those improvements translate into a smoother onboarding experience for new partners, which in turn fuels the cycle of rapid expansion.

Who Is Behind the Alias Zeta88?

The administrator behind The Gentlemen goes by Zeta88 on Russian‑language cybercrime forums, but he previously operated under the moniker Hastalamuerte. A breach of the group’s backend revealed that this individual assembles the locker, runs the RaaS panel, and manages payments, pocketing a 10% cut of every ransom.

Intel 471’s Profile

Intel 471’s research shows that Hastalamuerte is a bilingual Russian‑English speaker who signed up on nearly a dozen forums between 2019 and now. He first appeared on Breachforums in January 2025 from an IP address in Izhevsk, the capital of Russia’s Udmurt Republic. The same city shows up again when Zeta88 registered on the English‑language forum Breached in August 2022, albeit from a different IP.

His 2020 registration on Raidforums used the email hastalamuerte1488@protonmail.com – a handle that blends the notorious 1488 numeric symbol with the name of the Mexican deity. Open‑source intelligence from Epieos links that ProtonMail address to an Apple account and a phone number ending in 04, and it also ties the address to a GitHub user called SantaMuerte.

Recruitment Tactics That Defy the Industry Norm

The Gentlemen’s aggressive recruitment is a direct response to the lucrative 90/10 split. By promising affiliates a near‑full share of ransoms, they’re pulling talent away from other RaaS outfits that cling to the traditional 80/20 model. That’s why Check Point sees a sharp uptick in the group’s activity after the split was publicized.

  • Affiliates receive 90% of ransom payments.
  • Standard industry split remains 80/20.
  • The group’s published victim count has climbed steadily since mid‑2025, with over 240 victims logged in 2026 alone.
  • Recruitment messages appear on Breachforums, Ramp_V2, BHF, and other platforms.

Because the pay‑out model is so generous, the group can afford to bring in operators who already know how to bypass modern defenses. That’s why the ransomware spreads faster than many of its peers.

Recruiters typically post screenshots of recent payouts, outline the steps to join the affiliate portal, and emphasize the low barrier to entry. They also highlight the group’s focus on high‑value targets, which appeals to operators looking for quick, lucrative strikes. The messaging is crafted to appear both professional and welcoming, a combination that reduces hesitation among potential affiliates.

Competitive Landscape

Within the RaaS ecosystem, most platforms cling to the 80/20 split because it has proven sustainable for years. The Gentlemen’s deviation forces competitors to reconsider their own pricing structures. Some groups have begun experimenting with tiered payouts, offering higher percentages to affiliates who meet certain performance thresholds. Others double down on the traditional model, betting that a larger operator cut funds stronger development and support.

When a new entrant offers a 90/10 split, the ripple effect is immediate. Affiliates weigh the guaranteed earnings against the perceived quality of the ransomware. The Gentlemen’s focus on internet‑facing devices and rapid network encryption gives them a technical edge that complements the financial incentive. As a result, the group not only attracts more affiliates but also draws attention from security vendors that monitor emerging threats.

Market observers note that the shift in revenue sharing could lead to a bifurcated ecosystem: one side with high‑cut, high‑speed operators; another with lower‑cut, more mature platforms. The balance between those forces will shape the volume and sophistication of ransomware campaigns over the next few years.

Operational Footprint: How the Group Breaches Networks

Check Point says The Gentlemen target internet‑facing devices – VPNs, firewalls, and the like – as their entry point. Once they get in, they move quickly, encrypting entire networks within hours. The speed of encryption suggests they’ve refined their locker code to run with minimal manual intervention.

Target Vectors and Encryption Speed

In the breach data, you can see a pattern: the group first compromises a VPN gateway, then pivots laterally to spread across the internal network. The encryption routine then triggers across all reachable endpoints, which is why victims report entire data centers going dark in under a day.

That rapid rollout is a nightmare for incident responders. It means that even if you spot the initial intrusion, you might not have enough time to isolate the infection before the ransomware locks everything down.

What This Means For You

If you’re a developer building SaaS platforms, you need to audit any internet‑exposed services for weak VPN configurations or outdated firewall rules. The Gentlemen’s playbook shows that a single exposed port can open the door to a network‑wide encryption spree.

For security teams, the takeaway is to enforce strict segmentation and to monitor for the tell‑tale signs of a RaaS affiliate payload – especially the kind of encryption routines that hit whole subnets in under an hour. Deploying honeypots on VPN endpoints could also give you early warning before the ransomware gains a foothold.
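The “tell‑tale sign” above, many files across many hosts being renamed to one new extension inside a short window, is something a SOC can encode directly. The following detector is an added example written for this article; it is not tooling from Check Point, Intel 471 or the group’s own code. It assumes a file‑server or EDR event stream in the constructed format `<iso-timestamp> host=<name> rename src=<path> dst=<path>`, delivered in time order, and it raises one alert per suspicious extension when both a file‑count and a distinct‑host threshold are crossed within a sliding window. The sample log it runs on is constructed inline.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class FileEvent(NamedTuple):
    ts: datetime
    host: str
    old_ext: str
    new_ext: str


# Assumed event format, constructed for this example:
#   "<iso-timestamp> host=<name> rename src=<path> dst=<path>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) rename src=(\S+) dst=(\S+)$")


def file_ext(path: str) -> str:
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event(line: str) -> Optional[FileEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown line shape: skip it rather than crash the pipeline
    ts, host, src, dst = m.groups()
    return FileEvent(datetime.fromisoformat(ts), host, file_ext(src), file_ext(dst))


def detect_encryption_bursts(lines, window=timedelta(seconds=60), min_files=20, min_hosts=3):
    """Return one alert per extension whose renames cross both thresholds inside the window."""
    recent = deque()  # events inside the sliding window, oldest first
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.new_ext == ev.old_ext:
            continue  # only renames that change the extension matter
        recent.append(ev)
        while recent and ev.ts - recent[0].ts > window:
            recent.popleft()  # drop events that fell out of the window
        same_ext = [e for e in recent if e.new_ext == ev.new_ext]
        hosts = {e.host for e in same_ext}
        # Many files on ONE host is normal (backups, log rotation); many files on
        # MANY hosts converging on one new extension is the encryption signature.
        if len(same_ext) >= min_files and len(hosts) >= min_hosts and ev.new_ext not in alerted:
            alerted.add(ev.new_ext)
            alerts.append({
                "extension": ev.new_ext,
                "files": len(same_ext),
                "hosts": sorted(hosts),
                "first_seen": same_ext[0].ts.isoformat(),
                "last_seen": ev.ts.isoformat(),
            })
    return alerts


def constructed_log():
    """Constructed sample: a benign log-rotation job, then a cross-host rename burst."""
    base = datetime(2025, 9, 1, 2, 0, 0)
    lines = []
    # Benign: one host compresses 30 log files in 30 seconds (many files, single host).
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} host=backup01 rename src=/var/log/app.{i}.log dst=/var/log/app.{i}.log.gz")
    # Suspicious: three file servers rename .docx files to .locked within 24 seconds.
    for i in range(24):
        t = (base + timedelta(minutes=5, seconds=i)).isoformat()
        host = ("fs01", "fs02", "fs03")[i % 3]
        lines.append(f"{t} host={host} rename src=/share/finance/report{i}.docx "
                     f"dst=/share/finance/report{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_encryption_bursts(constructed_log()):
        print(alert)
```

The host threshold is what separates a ransomware run from a backup or log‑rotation job that also touches hundreds of files; tune `window`, `min_files` and `min_hosts` against a few days of your own file‑server telemetry before putting this on a paging channel. The example alerts once per extension for the life of the run; a production version would re‑arm after the window expires.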

And if you’re considering a partnership with any RaaS provider, remember that the 90/10 split isn’t just a marketing gimmick – it’s a lever that reshapes the threat landscape. The more generous the affiliate cut, the more skilled operators you’ll see targeting your sector.

Three concrete scenarios illustrate how the model translates into everyday risk:

  • Scenario 1 – SaaS startup: Your product relies on a public API that terminates TLS sessions on a single VPN appliance. An attacker discovers a default credential, breaches the appliance, and then uses the affiliate’s encryption module to lock every customer database in under 45 minutes. The downtime erodes trust and triggers costly breach notifications.
  • Scenario 2 – Enterprise IT department: Your organization segments finance and HR on separate VLANs, but shares a firewall management console that is exposed to the internet. A malicious affiliate gains access, pivots to the console, and launches a network‑wide encryptor that simultaneously cripples payroll and invoicing systems. The rapid spread forces you to choose between paying the ransom or rebuilding critical services from backups.
  • Scenario 3 – Managed security service provider (MSSP): You host monitoring agents for dozens of clients on a cloud‑based bastion host. An affiliate exploits a misconfigured firewall rule, installs the ransomware, and encrypts all agent logs across the tenant pool. Clients lose visibility into their own environments, and you scramble to restore monitoring while negotiating with the attackers.

Each example underscores a common thread: a single vulnerable internet‑facing component can become the launchpad for a cascade of encryption events. Mitigation therefore starts with hardening that first point of entry, and ends with a layered response plan that anticipates rapid lateral movement.
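“Hardening that first point of entry” starts with knowing which ports on each internet‑facing appliance are meant to be public and which are management planes that should only ever be reachable from a jump‑host range. The script below is an added example written for this article, not code from Check Point, Intel 471 or any firewall vendor; it assumes a constructed rule format (`allow|deny <src_cidr> <dst_ip> <port|any>`), a constructed asset inventory, and documentation‑range addresses. It audits a weak rule set of the kind the three scenarios describe (VPN admin UI and firewall console open to the world) and then the corrected rule set, which passes clean.

```python
import ipaddress
from typing import Dict, List

# Constructed inventory: which ports each exposed asset is *meant* to serve publicly.
ASSETS: Dict[str, dict] = {
    "203.0.113.10": {"role": "vpn-gateway",   "public_ports": {443}},
    "203.0.113.20": {"role": "firewall-mgmt", "public_ports": set()},
    "203.0.113.30": {"role": "web-frontend",  "public_ports": {80, 443}},
}
# Constructed: the only range allowed to reach management interfaces (a jump-host subnet).
TRUSTED_MGMT = [ipaddress.ip_network("198.51.100.0/24")]


def parse_rules(text: str) -> List[dict]:
    """Parse 'allow|deny <src_cidr> <dst_ip> <port|any>' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        rules.append({
            "action": action,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_address(dst),
            "port": None if port == "any" else int(port),
        })
    return rules


def is_trusted(src: ipaddress.IPv4Network) -> bool:
    """True when the whole source range sits inside an approved management range."""
    return any(src.subnet_of(t) for t in TRUSTED_MGMT)


def audit(rules: List[dict]) -> List[dict]:
    """Flag allow rules that expose non-public ports (or every port) to untrusted sources."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or is_trusted(r["src"]):
            continue
        asset = ASSETS.get(str(r["dst"]))
        port = "any" if r["port"] is None else r["port"]
        if asset is None:
            reason = "destination not in inventory; remove the rule or document the asset"
        elif port == "any":
            reason = f"every port on {asset['role']} reachable from {r['src']}"
        elif port not in asset["public_ports"]:
            reason = (f"port {port} on {asset['role']} is not a public service; "
                      f"limit the source to {TRUSTED_MGMT[0]}")
        else:
            continue  # a public service on its intended port
        findings.append({"dst": str(r["dst"]), "port": port, "src": str(r["src"]), "reason": reason})
    return findings


# Constructed weak rule set: the management planes are open to the whole internet.
WEAK_RULES = """
allow 0.0.0.0/0        203.0.113.10 443    # VPN portal: intended to be public
allow 0.0.0.0/0        203.0.113.10 8443   # VPN admin UI left open to the internet
allow 0.0.0.0/0        203.0.113.20 any    # "temporary" rule for the firewall console
allow 0.0.0.0/0        203.0.113.30 80
allow 0.0.0.0/0        203.0.113.30 443
deny  0.0.0.0/0        203.0.113.20 any
"""

# Constructed corrected rule set: management ports only from the jump-host range.
HARDENED_RULES = """
allow 0.0.0.0/0        203.0.113.10 443
allow 198.51.100.0/24  203.0.113.10 8443   # admin UI only from the jump-host range
allow 198.51.100.0/24  203.0.113.20 443    # console only from the jump-host range
allow 0.0.0.0/0        203.0.113.30 80
allow 0.0.0.0/0        203.0.113.30 443
deny  0.0.0.0/0        203.0.113.20 any
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(parse_rules(text)))
```

Run this on every change to the perimeter rule set, not once a year: both findings in the weak set are the kind of “temporary” exception that an affiliate scanning for exposed VPN and firewall consoles is looking for, and the inventory check catches the rule nobody remembers adding.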

In the end, the story of The Gentlemen is a reminder that ransomware economics matter as much as the technical exploits themselves. As the affiliate model evolves, defenders will have to adapt their threat‑intel pipelines to track not just the malware, but the money flow that fuels it.

Key Questions Remaining

Analysts are still debating how sustainable the 90/10 split will be over the long term. Will affiliates eventually demand a larger share, or will the model attract enough new participants to keep the balance stable? How will rival RaaS platforms respond—by lowering their own cuts, improving technical capabilities, or both? Finally, what impact will the growing profitability of affiliate programs have on the overall frequency of ransomware incidents across different industry sectors?

Sources: Krebs on Security, Check Point Research

About the Author

Halil Kale, AI & Technology Reporter

Halil Kale is an AI and technology reporter at AI Post Daily, where he covers artificial intelligence, machine learning, cybersecurity, and the business of tech. With a background in computer science and over five years of experience tracking the AI industry, Halil specializes in translating complex technical developments into clear, actionable insights for developers, founders, and technology professionals. He has reported on breakthroughs from Anthropic, OpenAI, Google DeepMind, and NVIDIA, as well as critical cybersecurity incidents and emerging robotics applications. Halil believes that understanding AI is no longer optional — it's essential for anyone working in or around technology. At AI Post Daily, he applies rigorous editorial standards to ensure every story is accurate, sourced, and genuinely useful to readers.
