Ransomware Group The Gentlemen Linked to Russian National Yapaev
Severity: High (Score: 70.5)
Sources: Scworld, Feeds.Feedburner
Keywords: group, gentlemen, ransomware, linked, russian, national, rapidly
Severity indicators: ransomware, ransomware group
Summary
The ransomware group known as The Gentlemen has been linked to Alexander Andreevich Yapaev, a 36-year-old Russian national. The group has rapidly become the second most active ransomware gang by victim count, with at least 332 victims reported since mid-2025. It runs a ransomware-as-a-service model that offers affiliates a 90% share of ransom payments. Affiliates primarily break in through internet-facing devices such as VPNs and firewalls and encrypt entire networks within hours. Investigations by Check Point and Intel 471 connected Yapaev to the group through digital footprints including email addresses and social media profiles. Russian cybercriminals often operate with minimal repercussions provided they avoid domestic targets. The group's aggressive affiliate recruitment has driven its rapid growth in activity and impact.
Key Points:
- The Gentlemen ransomware group is linked to Russian national Alexander Andreevich Yapaev.
- The group has claimed at least 332 victims since mid-2025, making it the second most active ransomware gang by victim count.
- It runs a ransomware-as-a-service model with a 90% revenue share for affiliates, who target VPNs and firewalls for initial access.
Detailed Analysis
**Impact**
The Gentlemen ransomware group has claimed at least 332 victims since mid-2025, making it the second most active ransomware gang by victim count. Initial access runs through internet-facing devices such as VPN concentrators and firewalls, and the group reportedly encrypts entire networks within hours of entry. The source articles do not break victims down by sector or geography, but the volume implies broad, opportunistic targeting. Because encryption is network-wide and fast, any data reachable from the compromised segment should be treated as at risk.
**Technical Details**
The group runs a ransomware-as-a-service model with a 90/10 affiliate revenue split, intended to attract experienced affiliates. Initial access is gained by exploiting internet-facing VPN and firewall appliances (MITRE ATT&CK T1133, External Remote Services); the articles name no specific CVEs or malware variants. Network-wide encryption within hours (T1486, Data Encrypted for Impact) points to rapid lateral movement and a short dwell time between entry and impact. Check Point and Intel 471 link the group's administrator to Alexander Andreevich Yapaev, who uses the handles Zeta88 and Hastalamuerte. No indicators of compromise are provided in the source articles.
**Recommended Response**
Inventory every internet-facing VPN and firewall appliance, apply vendor patches and firmware updates promptly, and enforce multi-factor authentication on remote access; keep management interfaces off the internet where possible. Segment the network and restrict lateral-movement paths (administrative protocols, SMB) so an affiliate cannot reach the whole estate from one foothold. Because no IOCs are available, detection has to be behavioural rather than signature-based: alert on bursts of file modification or renaming by a single process and on common ransomware precursors such as mass deletion of volume shadow copies. Maintain offline, tested backups so recovery does not depend on paying.
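The behavioural detection called for in the Recommended Response (a burst of file modifications by one process) can be implemented as a sliding-window rate check over file-activity events. The block below is an added example written for this page, not code from the source articles or from any vendor or the group itself; the JSON-lines event format, the host and process names, the `.locked` suffix, the 60-second window and the 50-file threshold are all assumptions, and the sample events are constructed.

```python
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp (a trailing 'Z' is accepted as UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_events(host, proc, start, count, spacing_s, suffix):
    """Build a constructed run of file-write events in a generic JSON-lines
    audit format (sample data for this example, not real telemetry)."""
    return [
        {
            "ts": (start + timedelta(seconds=i * spacing_s)).isoformat(),
            "host": host,
            "proc": proc,
            "op": "write",
            "path": f"/shares/finance/report_{i:04d}{suffix}",
        }
        for i in range(count)
    ]


T0 = datetime(2026, 6, 10, 3, 0, tzinfo=timezone.utc)

# Constructed sample: a benign backup job touching 30 files over 30 minutes,
# then a hypothetical process rewriting 120 files in 30 seconds with a uniform
# new extension. Process names and the ".locked" suffix are illustrative only
# and are not attributed to any real ransomware family.
SAMPLE_EVENTS = (
    make_events("fs01", "backup.exe", T0, 30, 60, ".docx")
    + make_events("fs01", "update_svc.exe", T0 + timedelta(minutes=5), 120, 0.25, ".docx.locked")
)
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def detect_mass_modification(lines, window_s=60, threshold=50):
    """Alert when one process on one host writes/renames at least `threshold`
    distinct files within any `window_s`-second window (assumed defaults; tune
    per environment). One alert per (host, process) to avoid alert floods."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: parse_ts(e["ts"]))
    recent = defaultdict(deque)   # (host, proc) -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    for ev in events:
        if ev.get("op") not in ("write", "rename", "create"):
            continue
        key = (ev["host"], ev["proc"])
        ts = parse_ts(ev["ts"])
        window = recent[key]
        window.append((ts, ev["path"]))
        # Evict events that have fallen out of the sliding window.
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = {path for _, path in window}
        if len(distinct) >= threshold and key not in alerted:
            # Analyst context: one dominant extension across the burst is more
            # typical of encryption-in-place than of a backup or sync job.
            ext_counts = Counter(PurePosixPath(p).suffix for p in distinct)
            top_ext, top_n = ext_counts.most_common(1)[0]
            alerts.append({
                "host": ev["host"],
                "proc": ev["proc"],
                "files_in_window": len(distinct),
                "window_s": window_s,
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "dominant_ext": top_ext,
                "ext_ratio": round(top_n / len(distinct), 2),
            })
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(SAMPLE_LINES):
        print(json.dumps(alert))
```

Run against the constructed sample, the backup job never exceeds two files per minute and stays silent, while the burst process trips the alert on its 50th distinct file about 12 seconds in, with every file sharing one new extension. In production the same logic sits on EDR or file-server audit events; the threshold should be set from a baseline of legitimate bulk writers (backup agents, indexers, build servers) so those are allow-listed by process rather than by raising the limit for everyone.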
Source articles (2)
- Who Runs the Ransomware Group ‘The Gentlemen?’ — Feeds.Feedburner · 2026-06-10
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strateg…
- Ransomware group The Gentlemen linked to Russian national | brief — Scworld · 2026-06-10
Krebs on Security reports that the rapidly growing ransomware-as-a-service operation known as The Gentlemen has been linked to a Russian national identified as Alexander Andreevich Yapaev. The group h…
Timeline
- 2025-06-01 — The Gentlemen ransomware group becomes active: The group quickly rises to prominence, becoming the second most active ransomware gang by victim count.
- 2025-06-10 — Yapaev identified as group administrator: Investigations link Alexander Yapaev to The Gentlemen through digital evidence including email and social media.
- 2026-06-10 — Group's recruitment strategy detailed: The Gentlemen's aggressive affiliate recruitment offers a 90% revenue split, attracting skilled hackers.
Related entities
- Ransomware (Attack Type)
- Russia (Country)
- T1133 - External Remote Services (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- The Gentlemen (Ransomware Group)