LIVE · cybersecurity feed
ransomware

Who Runs the Ransomware Group ‘The Gentlemen?’

zeroday.news·28d ago

A rapidly growing ransomware-as-a-service operation known as The Gentlemen has become the second most active ransomware group by victim count, according to security firm Check Point Software. The group has attracted skilled hackers by offering affiliates a generous 90 percent share of ransom payments, a higher split than the industry standard. Since its inception in mid-2025, The Gentlemen has claimed at least 332 victims, with over 240 occurring in 2026 alone.

The Gentlemen's operational model focuses on exploiting internet-facing devices, such as VPNs and firewalls, as initial entry points. Once inside a network, the group is known to move quickly, encrypting entire systems within hours. Check Point researchers have identified the administrator of The Gentlemen, who operates under the nickname Zeta88 on Russian-language cybercrime forums, as the same individual previously known as Hastalamuerte. This person is responsible for assembling the ransomware and its management panel, handling payments, and ultimately receives the 10 percent commission from all ransoms.

Cyber intelligence firm Intel 471 has tracked the user Hastalamuerte across numerous cybercrime forums since 2019, noting registration on platforms including Exploit, Breachforums, Ramp_V2, BHF, Raidforums, and Nulled. In January 2025, Hastalamuerte registered on Breachforums from an internet address located in Izhevsk, Russia. Separately, the username Zeta88 signed up for the English-language forum Breached in August 2022, also originating from Izhevsk.

Further investigation by Intel 471 revealed that Hastalamuerte registered on Raidforums in 2020 using the email address hastalamuerte1488@protonmail.com. The inclusion of "1488" in the email address is noted as a combination of symbols often associated with white supremacy. An analysis of this email address by the open-source intelligence service Epieos linked it to an Apple account and a phone number ending in 04. Epieos also found that the Protonmail address was connected to a private GitHub account under the username SantaMuerte, which, despite being private, showed activity related to the development of malware and exploits.

In April 2020, Hastalamuerte indicated on the Nulled forum that they could be reached via Telegram at the username @hastalamuerte18. Threat intelligence company Flashpoint identified this username as corresponding to a unique Telegram ID number. The breach tracking service Constella Intelligence reported that Hastalamuerte's Telegram ID is also linked to another username, bu4vs, and a Russian phone number.

Cross-referencing this phone number in Constella's data revealed multiple records from compromised Russian government databases. These records assigned the number to Alexander Andreevich Yapaev, a 36-year-old individual from Izhevsk. Constella's findings indicate that this phone number was used to create an account on the Russian social media platform Pikabu under the name 4apai18. Additionally, Mr. Yapaev has reportedly used variations of the surname Ivanov or Chapaev when signing up for various websites.

Intel 471's search for cybercrime forum members using the nickname SantaMuerte uncovered an account created in 2020 on the Russian hacking forum Codeby. This user initially registered on Codeby with the username Alexandr 4apaev. Constella Intelligence found that Mr. Yapaev frequently used the email address bu4vs@mail.ru. Epieos connected this email address to a LinkedIn profile for Alexander Yapaev, who lists his position as head of B2B marketing at Uralenergo Udmurtia, a significant supplier of electrotechnical and lighting products in Russia. Mr. Yapaev did not respond to requests for comment.

The article suggests that the relative lack of anonymity among some Russian cybercriminals may stem from a gradual immersion into the scene, a general tendency for the Russian government to either co-opt or ignore cybercriminal activity within its borders as long as it does not target Russian entities, and early-career operational security mistakes. Early posts by Hastalamuerte from 2019-2020 indicate a less experienced hacker learning the trade.

An update from threat research group PRODAFT corroborates these findings, stating with high confidence that the administrator (Zeta88/Hastalamuerte) directly supplies affiliates with initial access, primarily through Fortinet SSL-VPN credentials obtained via brute-force attacks or from the group's own leak database. PRODAFT also reported that the administrator is employing artificial intelligence for developing and maintaining ransomware and associated tools, as well as for post-exploitation activities.

ransomware
← Back to latest

More News

view all →
zeroday.news · 3h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 3h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 4h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 4h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 4h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.

zeroday.news · 4h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.