News Ababil.

Inside The Gentlemen ransomware: Who Is Steering the Fast‑Growing RaaS Outfit?

DECRYPTED BY: Kaelen Frost | TIMESTAMP: 2026-06-18T08:46:26Z | [ 2 MIN READ ]

The Gentlemen ransomware has vaulted to the second‑largest RaaS operation by victim count, luring seasoned hackers with a 90% affiliate cut. Security firm Check Point reports 332 disclosed victims since mid‑2025, more than 240 of them in 2026 alone. The group exploits internet‑facing assets, hijacks VPNs and firewalls, and encrypts whole networks within hours. According to the same researchers, the mastermind behind the operation hides behind the monikers Zeta88 and Hastalamuerte and runs the locker, the payment flow and the RaaS panel.

The Gentlemen ransomware: Operational Blueprint

Check Point notes the gang targets exposed VPN gateways, often brute‑forcing Fortinet SSL‑VPN credentials to gain a foothold before deploying the encryptor. Once inside, the operators move laterally and push the locker to every reachable host, encrypting entire file systems across the network within hours.
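The credential brute force that opens these intrusions is visible at the gateway long before the locker runs. The following is an added example for this article, not code from Check Point or from the ransomware crew: it runs a sliding‑window detector over a handful of hand‑constructed log lines written in the FortiGate key=value event style. The field names (action="ssl-login-fail", remip, user) and especially the action="tunnel-up" success marker are assumptions to check against the schema of your own FortiOS version.

```python
"""Detect SSL-VPN credential brute force and password spraying in FortiGate-style logs.

Added example for the article; not code from Check Point or the ransomware crew.
The SAMPLE_LOG lines are constructed by hand to mimic FortiGate key=value events.
Field names, and the action="tunnel-up" success marker in particular, are
assumptions: verify them against the log schema of your own FortiOS version.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One key=value token; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (not real telemetry): one source sprays five accounts and
# then brings a tunnel up as "helpdesk"; a second user mistypes a password once.
SAMPLE_LOG = """\
date=2026-06-17 time=02:14:01 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.45 user="admin" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2026-06-17 time=02:14:03 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.45 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=02:14:05 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.45 user="svc_backup" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=02:14:08 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.45 user="mwilson" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=02:14:11 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=203.0.113.45 user="helpdesk" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=02:14:40 logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" remip=203.0.113.45 user="helpdesk" msg="SSL tunnel established"
date=2026-06-17 time=02:20:00 logid="0101039426" type="event" subtype="vpn" level="alert" vd="root" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" remip=198.51.100.7 user="bob" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=02:20:09 logid="0101039947" type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" remip=198.51.100.7 user="bob" msg="SSL tunnel established"
"""


def parse_fortigate_line(line: str) -> dict:
    """Split a key=value line into a dict; strip quotes and add a datetime under "ts"."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.fromisoformat(f'{fields["date"]} {fields["time"]}')
    return fields


def detect_vpn_bruteforce(log_text: str, window=timedelta(minutes=10),
                          fail_threshold=5, spray_threshold=3) -> list:
    """Sliding-window credential-attack detection, one finding per offending source IP.

    Tags:
      brute_force             >= fail_threshold failed logins from one IP inside `window`
      password_spray          failures spread over >= spray_threshold distinct usernames
      success_after_failures  a tunnel comes up from an IP that is already tagged above
    A lone typo (one failure followed by a success) produces no finding at all.
    """
    events = [parse_fortigate_line(l) for l in log_text.splitlines() if l.strip()]
    events = sorted((e for e in events if "ts" in e and "remip" in e), key=lambda e: e["ts"])
    recent = defaultdict(list)   # remip -> [(ts, user)] still inside the window
    findings = {}
    for ev in events:
        ip, now = ev["remip"], ev["ts"]
        # Age out failures that have slid past the window.
        recent[ip] = [(t, u) for t, u in recent[ip] if now - t <= window]
        if ev.get("action") == "ssl-login-fail":
            recent[ip].append((now, ev.get("user", "")))
            f = findings.setdefault(ip, {"remip": ip, "tags": set(),
                                         "peak_failures": 0, "users": set()})
            f["peak_failures"] = max(f["peak_failures"], len(recent[ip]))
            f["users"].update(u for _, u in recent[ip])
            if len(recent[ip]) >= fail_threshold:
                f["tags"].add("brute_force")
            if len({u for _, u in recent[ip]}) >= spray_threshold:
                f["tags"].add("password_spray")
        elif ev.get("action") == "tunnel-up":   # assumed success marker
            f = findings.get(ip)
            if f and f["tags"]:
                f["tags"].add("success_after_failures")
                f["compromised_user"] = ev.get("user", "")
    return [f for f in findings.values() if f["tags"]]


if __name__ == "__main__":
    for f in detect_vpn_bruteforce(SAMPLE_LOG):
        print(f["remip"], sorted(f["tags"]), f["peak_failures"],
              sorted(f["users"]), f.get("compromised_user"))
```

The spray check matters more than the raw failure count here: an affiliate working a list of harvested usernames may stay under any per‑account lockout threshold while still touching many accounts from one address, and the "success_after_failures" tag is what turns a noisy brute‑force alert into an incident worth paging on.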

“Their 90/10 revenue split is a magnet for operators abandoning rival RaaS schemes,” a Check Point analyst told Reuters.

Identifying the Administrator

Open‑source intelligence traced the alias Hastalamuerte to a Russian‑ and English‑speaking user who registered on Breachforums from Izhevsk in January 2025. The same individual appeared as Zeta88 on the English‑language forum Breached in August 2022, using the same IP block. Email traces (hastalamuerte1488@protonmail.com) link to an Apple‑associated account and a phone number ending in 04, which Constella Intelligence matched to Alexander Andreevich Yapaev, a 36‑year‑old marketing director at Uralenergo Udmurtia.

Further digging revealed the ProtonMail address is tied to a private GitHub profile, “SantaMuerte,” whose owner follows malware‑tool repositories. On Telegram, the handle @hastalamuerte18 carries the unique numeric ID 30907522, tying the accounts to a single person across platforms.

The administrator supplies affiliates with initial‑access bundles, predominantly harvested Fortinet credentials, and uses AI to refine the ransomware payload and post‑exploitation scripts, as detailed in a recent Bloomberg briefing. The same report highlighted the group’s tolerance for sloppy OPSEC among newcomers, which explains why early forum posts expose rudimentary attempts to learn the trade, a pattern mirrored across many Russian cybercrime outfits, especially during the pandemic era.


Intel provided by Kaelen Frost (Lead Cybersecurity Analyst).
