A new report identifies a suspected real-world operator behind The Gentlemen, one of 2026's most active ransomware groups. KrebsOnSecurity, drawing on Check Point, Intel 471, Flashpoint, and Constella data, says the ransomware-as-a-service group has claimed at least 332 victims since mid-2025 and more than 240 in 2026, recruits affiliates with a 90/10 ransom split, and commonly gains entry through internet-facing VPN and firewall devices before rapidly encrypting networks.
Why it matters: This is a major ransomware actor by victim volume, so the attribution and tradecraft details help defenders prioritize monitoring of exposed remote-access and edge devices. Organizations should review exposure of VPNs and firewalls, harden remote access, and watch for intrusion patterns associated with fast-moving affiliate-led ransomware attacks.
BrianKrebs
2026.06.10