🇷🇺 The Gentlemen

Threat-actor battle card · maintained from public sources · last updated 2026-06-23

Category: Ransomware-as-a-Service
Attribution: Qilin splinter (founded by ex-affiliate "hastalamuerte" / "zeta88"; Krebs Jun 2026 identifies admin as Alexander Andreevich Yapaev, 36, Izhevsk, Russia, corroborated by Check Point backend-leak analysis)
First seen: Mid-2025
Status: Active
Rank: #4
Recent victims (last ~9d): 13
All-time victims: 517
Primary targets: Manufacturing, Critical infrastructure, Professional services, Healthcare

Overview

The Gentlemen is a Qilin splinter that surfaced mid-2025 after a payment dispute, founded by a disgruntled former Qilin affiliate ("hastalamuerte" / "zeta88"). It is the fastest-scaling ransomware group on record — 504 claimed victims across 66+ countries and 20+ verticals as of June 23, 2026, with 200+ of its claims landing in Jan–Mar 2026 alone, putting it second only to Qilin. Currently #2 globally with worm-like LAN propagation confirmed. (Note: YTD figure from DLS; official monthly report pending.)

Tradecraft

  • Go-based locker targeting Windows, Linux, NAS and BSD, with a dedicated C locker for ESXi.
  • Aggressive 90% affiliate payout to attract operators; official BreachForums partnership announced May 2026.
  • Worm-like self-propagation: can autonomously spread laterally across LAN segments within minutes from a single initial access; AI-assisted RaaS operations.
  • Actively exploiting Fortinet FortiGate vulnerabilities for initial access.
  • GentleKiller — an in-house, centrally maintained BYOVD EDR-killer suite (≥8 variants, each abusing a different vulnerable/malicious driver) that targets 400+ processes across 48 security products (CrowdStrike, SentinelOne, Defender, ESET, Palo Alto, Sophos, etc.). Can operationalise newly public BYOVD PoCs within days.
  • SystemBC C2 infrastructure implicated in 1,570+ infections.

Notable recent victims

  • Mackay Sugar (Australia) — agri-industrial; mills shut, harvest disrupted (first OT-disrupting named victim)

Assessment

A tier-1 capability threat: if it is in your sector, assume EDR bypass is the default pre-encryption step. Watch for continued multi-OS expansion and affiliate poaching from Qilin. A May 2026 internal backend leak exposed the operator's identity: Krebs on Security (Jun 10, 2026) identifies admin "hastalamuerte"/"zeta88" as Alexander Andreevich Yapaev, 36, of Izhevsk, Republic of Udmurtia, Russia — a marketing professional by day; attribution corroborated by Constella Intelligence phone-number pivot and Check Point's analysis of the leaked Rocket backend. No arrest or indictment has been publicly reported.

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

Jun 23 · (Jun 22-23 DLS batch: 15 new victims claimed past 24h incl. healthcare×3, hospitality, manufacturing, transportation; individual org names not yet enumerated in public feeds; to be split as sources firm up) · 🟩 Corroborated · disclosed 2d ago · Sources: PurpleOps
Jun 23 · Canada Wide Media · media · publishing/Canada · 🟥 Claimed (leak-site) · disclosed 2d ago · Sources: ransomware.live DLS / breachsense
Jun 23 · GIA Partners LLC · IT services · US · 🟥 Claimed (leak-site) · disclosed 2d ago · Sources: ransomware.live DLS / breachsense
Jun 20 · hiddenn · unknown · — · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Vera Chimie Management · unknown · France · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Alexander Buch Bilanzbuchhalter · unknown · Germany · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · SGS Malaysia · unknown · Malaysia · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · TERRIO Therapy Fitness · unknown · Mexico · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Ty Thac Co · unknown · Vietnam · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Amigest · unknown · France · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Yudu Technology · unknown · Singapore · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Burris MacOmber · unknown · United States · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Sertrans · unknown · Spain · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Cofaq · unknown · France · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Al Khaja Holding · unknown · United Arab Emirates · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Athens Orthopedic Clinic · unknown · United States · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 10 · Mackay Sugar · agri-industrial · Australia · 🟩 Corroborated · disclosed 15d ago · mills shut, harvest disrupted; ransomware confirmed (The Gentlemen attribution) · Sources: SecurityWeek / The Record