# Rogue ‘Gentlemen’ Ransomware Crew Offers 90% Cut, Puts Enterprises Under New Pressure

*Thursday, June 11, 2026 at 6:07 PM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-06-11T18:07:09.927Z
**Category**: cyber | **Region**: Global
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/7035.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: A group calling itself The Gentlemen has broken away from major ransomware brands to run its own service, claiming 478 victims, using AI to refine tools, and luring affiliates with an unprecedented 90% profit share. For hospitals, manufacturers, and local governments, that business model means more attackers, faster. This piece breaks down how the crew operates, what makes its offer different, and how defenders should recalibrate.

Ransomware is evolving from a criminal tactic into a full‑fledged industry, and one new player is pushing the business model to a fresh level of aggression. The result is more pressure on already stretched defenders.

A group calling itself “The Gentlemen” has shifted from acting as an affiliate of established ransomware operations — including LockBit, Qilin, and Medusa — to running its own ransomware‑as‑a‑service (RaaS) program. The crew claims to have hit 478 victims so far. What sets it apart is not only that victim count, but how it recruits and rewards other criminals: it offers affiliates a striking 90% share of ransom payments, retaining just 10% for itself.

Behind those numbers are real organizations and people. Victims of RaaS operations range from city governments and school districts to hospitals, manufacturing plants, and small businesses with limited IT staff. When such an entity is hit, the immediate effects can include cancelled surgeries, disrupted water and power services, or shut‑down assembly lines. Employees find themselves locked out of critical systems with no way to access records or process payments; patients and residents experience delayed care and lost services; and local officials must explain why their systems went dark.

Strategically, The Gentlemen’s model points toward even greater fragmentation and professionalization of the ransomware ecosystem. By taking a comparatively small cut and giving affiliates 90%, the group lowers the barrier for technically capable but less organized criminals to join a branded operation rather than building their own from scratch. That could expand the pool of active attackers willing to take on higher‑risk targets, knowing they will keep most of any payout. The group’s reliance on AI to maintain and adapt its tooling further accelerates this dynamic, making it easier to update malware, tailor phishing lures, and evade static defenses.

For enterprises, this development shifts the threat calculus. Instead of tracking a handful of large, semi‑centralized ransomware brands, defenders face a growing number of semi‑independent crews all drawing on shared infrastructure and playbooks. Even if law‑enforcement action or sanctions disable one brand, affiliates can re‑flag under another without losing their core capabilities. The Gentlemen’s emergence from the affiliate ranks of other RaaS families illustrates how quickly operators can pivot when pressure mounts.

The group’s tactics appear consistent with broader ransomware trends: initial access through phishing, credential theft, or exploitation of exposed services; lateral movement across networks; exfiltration of sensitive data; and then encryption to raise the stakes. The data‑theft component means that even organizations with good backups face extortion threats, as attackers threaten to leak personal, medical, or proprietary information. A group that advertises both technical sophistication and a generous affiliate cut is well‑positioned to attract partners skilled at each stage of that process.

What to watch now is how quickly The Gentlemen’s footprint expands and whether it begins to specialize in particular sectors or regions. A crew that targets healthcare, for example, can generate intense pressure to pay quickly, while one focused on small municipalities might expect weaker defenses and slower law‑enforcement response. The AI component is a wildcard: if used mainly to automate testing and minor code changes, it raises defenders’ workloads; if used to meaningfully innovate on evasion and social engineering, it could erode the effectiveness of current security awareness training and email filters.

For defenders, the answer is not panic but prioritization. Multi‑factor authentication for remote access, rapid patching of public‑facing systems, segmentation to limit lateral movement, and routine offline backups remain essential. But as RaaS groups scale, organizations may need to invest more heavily in detection and response — from 24/7 monitoring to rehearsed incident‑response plans that define who does what in the first hours of an attack. Cyber insurers, facing higher loss potential from fast‑moving affiliates, are also likely to tighten requirements and premiums, which may in turn force better baseline hygiene.

## Key Takeaways

- The Gentlemen ransomware group has moved from being an affiliate user of other ransomware brands to operating its own ransomware‑as‑a‑service platform.
- The group claims 478 victims and offers affiliates a 90% share of ransom payments, an unusually high cut in the criminal ecosystem.
- It uses AI to maintain and refine its tools, aiming to keep ahead of static defenses and speed up operations.
- The model incentivizes more actors to join, potentially increasing the volume and diversity of ransomware attacks.
- Critical services such as healthcare, local government, and manufacturing remain especially vulnerable to such scalable, service‑based ransomware operations.

## Outlook & Way Forward

The Gentlemen’s emergence signals that the ransomware landscape is likely to become more fragmented and competitive, with multiple RaaS brands vying to offer the best terms to affiliates. That competition can translate into more aggressive targeting, faster time‑to‑breach, and higher demands as criminals race to maximize returns before defenses and law‑enforcement cooperation catch up.

To keep pace, governments and industry will have to lean harder on coordinated action: from information‑sharing on indicators of compromise and affiliate infrastructure to cross‑border efforts to seize servers and arrest operators. At the organizational level, the expectation must shift from “we might be targeted” to “we will be tested” — and planning, budgets, and board‑level oversight need to reflect that new baseline reality.
