A ransomware group grew from 35 victims to 182 in a single quarter. They did it by offering affiliates 90% of every ransom paid.

That’s not a cyber story. That’s a business model.

The Gentlemen launched in August 2025. By Q1 2026 they were the second most active ransomware group globally, claiming 300+ victims publicly — but Check Point Research gained access to a live command-and-control server that shows 1,570+ likely corporate victims. The public leak site is less than 20% of the actual operation.

The mechanics: a Go-based locker for Windows, Linux, NAS, and BSD, plus a separate C-based encryptor for ESXi. 90% affiliate revenue share — matching RansomHub as the highest payout in the ransomware underground. At 70–80%, operators consider other options. At 90%, they stay.

The real issue isn’t the malware. It’s the talent acquisition. When you offer the best economics in a market of skilled operators, you attract the most capable ones. The result is better reconnaissance, more persistent access, and higher ransom demands.

Manufacturing and technology are the primary targets. Healthcare is third and growing, with no ethical limits observed on critical services.

What to do next:
– Review your incident response plan: does it cover encryptionless extortion as well as encryption events?
– Validate offline backup integrity — The Gentlemen target NAS and ESXi specifically
– Check the exposure of ESXi hypervisors and their network segmentation: they are the highest-value single target in any estate

For DACH manufacturing companies: this group has documented victims across 70+ countries including Germany. They are not targeting around you.

Links for a deeper technical dive are in the comments.

For those who want a deeper dive into this topic: