"The Gentlemen" Ransomware Claims 478 Victims and Spreads Like a Worm

A ransomware group that spreads like a worm and counts 478 claimed victims, and the Krebs investigation that now puts a name to the person allegedly running it.

[Illustration: The Gentlemen ransomware]

Key Takeaways

  • The ransomware-as-a-service (RaaS) operation known as The Gentlemen has claimed 478 victims and has emerged as one of the most active ransomware brands of 2026, drawing affiliates with an unusually generous 90/10 revenue split.
  • Microsoft, which tracks the group as Storm-2697, found the Go-based encryptor includes a worm-like self-propagation mode that can spread the locker to every reachable system on a network — a capability most contemporary RaaS lockers do not have.
  • In an investigation published on June 10, 2026, Brian Krebs identified the group's administrator as a 36-year-old man in Izhevsk, Russia — a finding reported here as Krebs's attributed conclusion, not as established fact.

Worm-like spread, 478 claimed victims, and a Krebs investigation that puts a real-world name to the person allegedly running the program.

IZHEVSK, RUSSIA — The ransomware-as-a-service (RaaS) operation known as The Gentlemen has claimed 478 victims and ships an encryptor with a worm-like spreading mode that sets it apart from most contemporary RaaS programs. On June 10, 2026, cybersecurity journalist Brian Krebs published a deep-dive identifying the person he says runs the group, capping a months-long investigation into one of the year's fastest-growing extortion brands.

The Gentlemen first surfaced in 2025 and has since climbed to become, by several researchers' counts, one of the most active ransomware groups of the year. Its rise mirrors a broader shift in the ransomware economy, where aggressive affiliate recruitment and self-spreading malware are pushing victim counts higher even as law enforcement scores high-profile wins — from the takedown documented in Operation Endgame 2.0 to the recent sentencing of a Karakurt extortion negotiator.

At a Glance
Group: The Gentlemen (Microsoft: Storm-2697)
Claimed victims: 478 (group's claim, per Ransomware.Live)
Model: Ransomware-as-a-service (RaaS), 90/10 affiliate split
Notable capability: Worm-like self-propagation (--spread mode)
Encryptor: Go-based; X25519 + XChaCha20 hybrid scheme
Initial access: Edge devices such as VPNs and firewalls (per reporting)
Krebs's finding: Operator named as a 36-year-old in Izhevsk, Russia

The Gentlemen, in Profile

The Gentlemen is a ransomware-as-a-service (RaaS) operation, meaning a core team builds and maintains the malware and the affiliate infrastructure while outside operators — affiliates — carry out the actual intrusions and share the proceeds. According to The Hacker News, the group has claimed 478 victims to date, a figure drawn from the tracking service Ransomware.Live. That number reflects what the group has posted to its leak infrastructure; it should be read as the operation's own claim rather than an independently confirmed count of breached organizations.

What distinguishes The Gentlemen from many competitors is its recruitment economics. Where the industry standard affiliate split is roughly 80/20 in the affiliate's favor, security firm Check Point reported that The Gentlemen offers affiliates 90 percent of any ransom paid, leaving 10 percent for the operator. Check Point assessed that this aggressive split has accelerated the group's growth by luring experienced operators away from rival programs.

The group's reach is also notably international. According to reporting compiled by The Hacker News, only about 13 percent of the group's claimed victims are based in the United States, with the largest concentrations in Thailand, the United Kingdom, Brazil, Germany, and India. The Gentlemen has appeared in prior CyberSignal coverage as well, when Microsoft documented the group's Go-based encryptor under the tracking name Storm-2697.

Why Worm-Like Spread Changes the Response Model

The capability drawing the most attention is the malware's ability to spread like a worm. Microsoft, which tracks the cluster as Storm-2697, reported that the encryptor is written in the Go programming language and that, when launched with a specific command-line argument, it changes behavior fundamentally. "When enabled with the --spread argument, it turns the malware from a single-host encryptor into a self-propagating worm that attempts to deploy its encryptor to every reachable system on the network," the company said.

That distinction matters for defenders. Most contemporary ransomware relies on operators to move laterally by hand — stealing credentials, abusing administrative tooling, and manually pushing the locker to additional machines. A worm-like mode automates that lateral movement, allowing a single foothold to cascade across an entire network far faster than a human operator could manage, and compressing the window in which defenders can intervene.

The Hacker News also reported, citing Microsoft, that a separate --wipe argument triggers a post-encryption routine designed to eliminate recoverable artifacts from disk, complicating both recovery and forensic analysis. For incident-response teams, automated propagation and anti-recovery behavior together argue for tighter network segmentation, rapid isolation playbooks, and offline backups — defenses that blunt a self-spreading locker before it can reach every reachable host.
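One way to turn the containment point above into detection logic, added here as an illustration and not taken from Microsoft's, The Hacker News's, or any vendor's writeup: a fan-out detector that flags a source host reaching an unusual number of distinct peers on remote-administration ports within a short window, which is the traffic shape automated lateral movement produces regardless of the specific locker. The log format, the port list, the thresholds, and the sample lines are all constructed for the example and are not indicators tied to The Gentlemen or Storm-2697.

```python
"""Detect worm-like fan-out in network-connection logs.

Added example, not code from the original article or from any vendor
writeup: a generic burst-of-lateral-movement detector. The log format,
thresholds and the sample lines below are constructed for illustration
and are NOT indicators specific to The Gentlemen / Storm-2697.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports commonly used to push a payload to a remote host
# (SMB, RPC endpoint mapper, WinRM, RDP). Assumed list, tune to the estate.
ADMIN_PORTS = {445, 135, 5985, 5986, 3389}

# Constructed sample: 10.0.1.10 fans out to many peers on SMB/RPC within
# about 90 seconds; 10.0.1.20 makes a few ordinary connections. Not real data.
SAMPLE_LOG = """\
2026-06-10T08:00:00Z 10.0.1.10 10.0.1.11 445
2026-06-10T08:00:05Z 10.0.1.10 10.0.1.12 445
2026-06-10T08:00:09Z 10.0.1.20 10.0.1.50 443
2026-06-10T08:00:12Z 10.0.1.10 10.0.1.13 445
2026-06-10T08:00:20Z 10.0.1.10 10.0.1.14 445
2026-06-10T08:00:31Z 10.0.1.10 10.0.1.15 445
2026-06-10T08:00:40Z 10.0.1.20 10.0.1.51 443
2026-06-10T08:00:44Z 10.0.1.10 10.0.1.16 135
2026-06-10T08:00:58Z 10.0.1.10 10.0.1.17 445
2026-06-10T08:01:10Z 10.0.1.10 10.0.1.18 445
2026-06-10T08:01:25Z 10.0.1.10 10.0.1.19 445
2026-06-10T08:01:29Z 10.0.1.10 10.0.1.21 445
2026-06-10T09:30:00Z 10.0.1.20 10.0.1.11 445
"""


def parse_line(line):
    """Parse one 'timestamp src dst dport' record (constructed format)."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def detect_fanout(log_text, threshold=8, window_seconds=120):
    """Return {src: (first_ts, alert_ts, distinct_dsts)} for every source that
    reaches >= threshold distinct hosts on admin ports inside a sliding
    window of window_seconds. Per-source deques keep memory bounded, so the
    same loop can run over a live stream rather than a finished file."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, dport = parse_line(raw)
        if dport not in ADMIN_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], ts, sorted(distinct))
    return alerts


def isolation_targets(alerts):
    """Hosts a rapid-isolation playbook would quarantine: each fanning-out
    source plus every peer it already reached, since any of them may now be
    running the locker. Returns a sorted list of IPs."""
    hosts = set()
    for src, (_, _, dsts) in alerts.items():
        hosts.add(src)
        hosts.update(dsts)
    return sorted(hosts)


if __name__ == "__main__":
    found = detect_fanout(SAMPLE_LOG)
    for src, (start, end, dsts) in found.items():
        print(f"ALERT {src}: {len(dsts)} admin-port peers in "
              f"{int((end - start).total_seconds())}s -> {', '.join(dsts)}")
    print("isolate:", isolation_targets(found))
```

The threshold and window are the operational knobs: set them from a baseline of how many distinct admin-port peers a legitimate host (a patch server, a jump box) contacts per minute, and exempt those sources explicitly rather than raising the threshold for everyone. The point of firing on the eighth peer rather than waiting for a full sweep is exactly the compressed window the article describes: by the time a human notices the leak site or a ransom note, a self-propagating locker has already reached everything it could.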

Krebs's Identification of the Operator

On June 10, 2026, Brian Krebs published an investigation on Krebs on Security titled "Who Runs the Ransomware Group 'The Gentlemen?'" In it, Krebs reported clues that he says point to a real-world identity for the group's administrator. It is important to be precise about attribution here: the identification is Krebs's investigative conclusion, drawn from open-source intelligence and commercial threat-intelligence data, and is reported here as his finding rather than as established or adjudicated fact.

According to Krebs, security firm Check Point assessed that the group's administrator uses the nickname Zeta88 on Russian-language cybercrime forums and was previously known as Hastalamuerte. Krebs wrote that, drawing on records from Intel 471, Constella Intelligence, Epieos, and Flashpoint, those personas trace back to a 36-year-old man named Alexander Andreevich Yapaev from Izhevsk, the capital of Russia's Udmurt Republic. Krebs reported that the man did not respond to multiple requests for comment.

In an update the following day, Krebs noted that the threat-research group PRODAFT released its own writeup on the group, which PRODAFT tracks as Phantom Mantis, and said its findings matched the same persona with "high confidence." PRODAFT also reported that the administrator relies heavily on artificial intelligence to develop and maintain the ransomware and tooling. As with the underlying identification, these are the researchers' assessments; CyberSignal is reporting them as attributed claims.

What This Means for Ransomware-Response Teams

For defenders, the practical takeaways sit at the intersection of the group's economics and its technical capabilities. The 90/10 split signals a well-resourced operation that can attract skilled affiliates, which in turn means a wide and unpredictable range of intrusion tradecraft rather than a single signature playbook. Reporting indicates initial access frequently comes through internet-facing edge devices such as VPN appliances and firewalls — a reminder that perimeter hardening and prompt patching of edge infrastructure remain front-line defenses.

The worm-like spread mode raises the stakes on containment speed. Once an affiliate gains a foothold and invokes self-propagation, the time available to detect and isolate shrinks dramatically. That places a premium on network segmentation, least-privilege administration, and rehearsed isolation procedures — the same fundamentals emphasized in established incident-response practice, but with less margin for delay.

Finally, the anti-recovery --wipe behavior underscores why resilient, offline, and tested backups are not optional. When a locker is built to remove recoverable artifacts after encryption, the difference between a contained incident and a catastrophic one often comes down to whether clean backups exist beyond the malware's reach.

Open Questions

Several material points remain unconfirmed and should not be assumed. The 478 figure is the group's own claim as catalogued by trackers; how many of those listings represent confirmed, breached organizations versus disputed or recycled entries is not established. The specific countries from which the operation is run, beyond the identification Krebs attributes to his sources, are not independently confirmed by CyberSignal.

It is also not known whether law enforcement is moving against the individuals Krebs and other researchers have named, nor have the group's initial-access vectors, cryptocurrency wallets, or total revenue been comprehensively documented in public reporting. Suggestions in some quarters that The Gentlemen overlaps with other extortion brands via shared affiliates remain unproven. What is firmly established is narrower but significant: a fast-growing RaaS operation with a self-spreading locker, hundreds of claimed victims, and a detailed Krebs investigation that — by its author's account — puts a name to the person running it.

Sources

Primary: Krebs on Security — Who Runs the Ransomware Group 'The Gentlemen?'
Reporting: The Hacker News — The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
Related: The CyberSignal — The Gentlemen Ransomware: Microsoft Storm-2697 Go Encryptor
Related: The CyberSignal — Operation Endgame 2.0: Europol Takes Down 300 Servers
Related: The CyberSignal — Karakurt Negotiator Deniss Zolotarjovs Sentenced