Ransomware, Cybercrime

The Gentlemen Ransomware Group Shows How Affiliate Economics Drive Risk

KrebsOnSecurity reported on The Gentlemen, a fast-growing ransomware-as-a-service group using aggressive affiliate payouts and edge-device access to scale attacks.

Author: Evolving Cyber
Published: Jun 10, 2026
Reading Time: 6 min read
[Image: faceless cybercriminal using a tablet in red and blue light]
Supporting image: cyberextortion concept, Adobe Stock file #203954864.

On June 10, 2026, KrebsOnSecurity published an investigation into The Gentlemen, a ransomware-as-a-service group that researchers described as one of the most active ransomware operations by victim count. Krebs reported that the group was attracting affiliates with a 90/10 revenue split in the affiliate's favor, more generous than the 80/20 split common among ransomware programs.

That detail matters. Ransomware is not only malware. It is a business model built around recruitment, access, specialization, and incentives. Krebs cited Check Point research that placed The Gentlemen as the second most active ransomware group by victim count at the time, claiming hundreds of published victims since mid-2025 and more than 240 in 2026 alone.

Why affiliate economics matter

When a ransomware group offers better payouts, it can attract operators who already know how to obtain access, move laterally, steal data, and pressure victims. The result is not just more attacks. It can be faster attacks, because affiliates bring playbooks and infrastructure with them.

Krebs also noted reporting that The Gentlemen often targets internet-facing devices such as VPNs and firewalls, then moves quickly once inside. That matches a broader trend: edge devices are becoming both entry points and credential sources for ransomware crews.

The 90/10 model is not a small detail. It is a recruitment strategy. A skilled affiliate deciding between ransomware programs will look at payout, support, tooling reliability, leak-site pressure, and whether the group can help turn initial access into payment. A better split can pull operators away from other programs, increasing the new group's operational capacity.

What the operating model suggests

The Gentlemen story also illustrates how ransomware-as-a-service separates roles:

  • Initial access brokers or affiliates find footholds, often through exposed VPNs, firewalls, weak credentials, or bought access.
  • Core operators maintain the locker, payment panel, leak site, and affiliate infrastructure.
  • Negotiation and pressure teams manage victim communication and public shaming.
  • Data theft and encryption are used together to increase payment pressure.

That structure means defenders are not facing one monolithic group. They are facing a marketplace. Even if one operator disappears, the affiliates, access sources, and methods can move elsewhere.

What defenders should do

  • Treat VPNs, firewalls, and remote access systems as high-risk assets.
  • Patch edge devices faster than ordinary internal systems.
  • Restrict management access to trusted networks.
  • Rotate credentials after edge-device compromise or suspected exposure.
  • Monitor for unusual VPN logins, new admin accounts, and configuration changes.
  • Segment critical systems so perimeter compromise does not become full network encryption.
  • Test ransomware containment scenarios, not just backup restoration.
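The monitoring items in the list above (unusual VPN logins, new admin accounts, configuration changes on edge devices) can be turned into a small detector. The following is an added example written for this post; it is not code from KrebsOnSecurity, Check Point, or the post's author, and it does not describe The Gentlemen's tooling. The key=value log format, device names, usernames, IP addresses, geo baseline and trusted management prefix are all constructed assumptions; a real deployment would read these from the VPN or firewall's actual syslog format.

```python
"""Added example: flag edge-device signals a ransomware affiliate's early
activity tends to produce, over constructed VPN/firewall log lines.
All field names, hosts, users and addresses are assumptions."""
from datetime import datetime

# Constructed sample events (not real logs). Format is an assumed key=value syslog.
SAMPLE_LOG = """\
ts=2026-06-08T09:12:05Z dev=vpn-01 event=login user=alice src=198.51.100.7 geo=US result=success
ts=2026-06-08T09:40:11Z dev=vpn-01 event=login user=bob src=198.51.100.9 geo=US result=success
ts=2026-06-09T03:02:44Z dev=vpn-01 event=login user=alice src=203.0.113.55 geo=RO result=success
ts=2026-06-09T03:05:10Z dev=fw-edge-1 event=admin_add user=alice new_admin=svc_backup2
ts=2026-06-09T03:07:31Z dev=fw-edge-1 event=config_change user=svc_backup2 src=203.0.113.55 section=nat
ts=2026-06-09T03:09:00Z dev=vpn-01 event=login user=carol src=203.0.113.55 geo=RO result=failed
"""

# Assumed baseline of countries each user normally logs in from.
BASELINE_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
# Assumed trusted management network (simplified prefix match, documentation range).
MGMT_NETS = ("198.51.100.",)
# Assumed business hours window, UTC: 07:00 to 19:59.
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """Split one 'k=v k=v ...' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def detect(log_text, baseline_geo=BASELINE_GEO):
    """Return a list of (rule, subject, timestamp) findings in log order.

    Rules implemented:
      new_geo_login              successful VPN login from a country not in the user's baseline
      off_hours_login            successful VPN login outside BUSINESS_HOURS
      new_admin_account          an admin account was created on an edge device
      config_change_untrusted_src config change from outside the management network
      config_change_by_new_admin config change made by an account created earlier in this log
    """
    findings = []
    seen_geo = {u: set(g) for u, g in baseline_geo.items()}
    new_admins = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        user = ev.get("user", "")
        if ev["event"] == "login" and ev.get("result") == "success":
            geo = ev.get("geo", "?")
            if geo not in seen_geo.setdefault(user, set()):
                findings.append(("new_geo_login", user, ev["ts"]))
                seen_geo[user].add(geo)  # remember so one new country alerts once
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", user, ev["ts"]))
        elif ev["event"] == "admin_add":
            new_admins.add(ev["new_admin"])
            findings.append(("new_admin_account", ev["new_admin"], ev["ts"]))
        elif ev["event"] == "config_change":
            if not ev.get("src", "").startswith(MGMT_NETS):
                findings.append(("config_change_untrusted_src", user, ev["ts"]))
            if user in new_admins:
                findings.append(("config_change_by_new_admin", user, ev["ts"]))
    return findings


def summarize(findings):
    """Count findings per rule, which is what an alert dashboard would show."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts} {rule:28s} {subject}")
    print(summarize(detect(SAMPLE_LOG)))
```

The point of the last two rules is the correlation: a config change from an untrusted source is noisy on its own, but a config change made by an admin account that did not exist an hour ago, right after a login from a new country, is the sequence worth paging on. The failed login from carol is ignored here on purpose; failed-login volume is a separate signal and would need its own threshold.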

The takeaway

Ransomware groups grow when the business model works. Defenders need to disrupt the economics by making access harder to buy, harder to reuse, and less valuable once obtained.

Sources