The Gentlemen ransomware gang ranks second in victim volume among active extortion groups, operating a model that pays affiliates 90 percent of ransom proceeds. This unusually high cut incentivizes recruitment and explains the group's rapid expansion across the cybercrime underground.
The gang uses a tiered affiliate structure where recruited hackers conduct initial breaches while the core leadership handles negotiations and infrastructure. This separation of labor reduces individual risk and enables scale. The Gentlemen operates a leak site showcasing victim data, pressuring organizations to pay before sensitive information appears publicly.
A Krebs on Security investigation traced clues suggesting real-world identity connections for the group's administrator. Technical artifacts, operational patterns, and communication metadata point toward individuals with prior involvement in earlier ransomware operations. The analysis examined forum accounts, infrastructure registration details, and timeline overlaps with previous threat actors.
The group targets sectors beyond typical ransomware victims, demonstrating operational flexibility. Victims span healthcare, finance, manufacturing, and retail. Payment demands range from hundreds of thousands to millions of dollars depending on target size and data sensitivity.
Security researchers note The Gentlemen employs standard double-extortion tactics. The gang encrypts systems while simultaneously stealing data, creating dual pressure for payment. Victims face both operational disruption and breach disclosure threats.
The 90 percent affiliate payout structure distinguishes The Gentlemen from competitors offering 60-70 percent splits. These aggressive economics reflect competition for skilled operators in an oversaturated ransomware market. Higher payouts attract experienced actors previously affiliated with rival groups.
Organizations targeted by The Gentlemen face significant exposure. The group demonstrates technical competence in lateral movement, persistence mechanisms, and data exfiltration. Incidents typically involve custom tooling and living-off-the-land techniques using legitimate Windows utilities to avoid detection.
Law enforcement agencies track The Gentlemen's infrastructure and
