Who Runs The Gentlemen Ransomware Group?
OSINT tradecraft and threat intelligence takeaways from Krebs's attribution investigation into The Gentlemen ransomware group—now second by victim count.
Brian Krebs published an attribution investigation this month into a ransomware operation called The Gentlemen — a group that has already climbed to second place by active victim count (KrebsOnSecurity, June 2026). The methodology is classic Krebs: forum handle correlation, cryptocurrency address clustering, timezone-consistent posting patterns, and the specific opsec mistake that cracked the administrator’s identity open years after the artifact was created.
This isn’t a summary of what he found. It’s an analysis of what the investigation illustrates — about RaaS economics, OSINT methodology, and what defenders and red teamers should actually do with it.
The 90-Percent Split Is a Strategic Signal, Not Generosity
The RaaS market has historically settled at 70/30 or 80/20 in favor of affiliates. The Gentlemen advertise 90/10. That spread means one of two things: the operators believe their tooling and targeting intelligence are strong enough to profit at thin margins on volume, or they’re in a deliberate land-grab, buying affiliate loyalty from skilled intrusion operators who have their own negotiating leverage.
Either way, the economics force a volume strategy. Volume means broader targeting criteria and a lower floor on which organizations are worth hitting. This is not a group sitting on a shortlist of Fortune 500 targets. The incentive structure pushes affiliates toward mid-market manufacturers, regional healthcare systems, municipal governments, and law firms — organizations that have historically written themselves off as too small to be interesting. That assessment needs to go.
RAND’s research on cybercriminal labor markets makes this structural point directly: affiliate-split competition among RaaS operators correlates with increased attack frequency across SMB and mid-market sectors, not enterprise targets (RAND Corporation, “The Ransomware Threat Landscape,” 2023).
Attribution Journalism as a Primary OSINT Resource
A lot of security teams treat investigative journalism as awareness content — background reading, not operational input. The Krebs investigation into The Gentlemen is a published OSINT case study. The methodology is the same one threat intelligence analysts use professionally; Krebs just publishes his output.
Three things the investigation demonstrates:
- Pseudonym correlation across platforms: Criminal handles migrate across forums, Telegram channels, and paste sites. Each migration leaves artifacts — posting style, activity windows, recurring vocabulary, infrastructure reuse. Collectively, these narrow an identity space over time.
- Cryptocurrency address clustering: Blockchain forensics chained with forum payment records and escrow disputes can connect wallets across operations an actor treats as siloed. This is the same methodology Chainalysis and TRM Labs package for law enforcement referrals.
- Opsec failures as the primary attack surface: The most actionable detail in any Krebs attribution piece is never the conclusion — it’s the specific mistake that opened the case. The Gentlemen’s administrator left linkable artifacts years before the group became prominent enough to attract scrutiny. That’s a pattern. Threat actors build operational habits before they have a reason to care about attribution, and those habits persist.
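The first of those three techniques, posting-time profiling, is easy to show concretely. The script below is an added illustration, not code from Krebs or from the original piece: it builds a 24-bin UTC hour-of-day histogram per handle from constructed post timestamps, scores handle pairs by cosine similarity, and lists the UTC offsets under which a handle's posts fall inside plausible waking hours. The handles, platforms, timestamps, the 08:00 waking-hours cutoff and the 0.8 similarity threshold are all assumptions made for the example.

```python
"""Added example: correlating pseudonymous handles by posting-time profile.

Builds a 24-bin UTC hour-of-day histogram for each handle, scores handle
pairs with cosine similarity, and lists the UTC offsets under which a
handle's posts fall inside plausible waking hours. All handles, platforms
and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import math

WAKING_START = 8            # assumed local hour at which activity becomes plausible
MIN_WAKING_FRACTION = 0.95  # share of posts that must fall in waking hours


def _posts(handle, platform, hours):
    """Build constructed post records at the given UTC hours on one day."""
    return [(handle, platform, f"2025-11-03T{h:02d}:15:00+00:00") for h in hours]


# Constructed sample data: (handle, platform, ISO-8601 UTC timestamp)
POSTS = (
    _posts("gent_admin", "forum",    [6, 7, 8, 9, 10, 11, 12, 13, 14, 15])
    + _posts("g3ntl3",   "telegram", [6, 7, 7, 8, 9, 10, 11, 12, 13, 14])
    + _posts("nightowl", "paste",    [22, 23, 0, 1, 2, 3, 4, 5])
)


def hour_histograms(posts):
    """Return {handle: 24-element list of post counts per UTC hour}."""
    hists = defaultdict(lambda: [0] * 24)
    for handle, _platform, ts in posts:
        hour = datetime.fromisoformat(ts).hour
        hists[handle][hour] += 1
    return dict(hists)


def cosine(a, b):
    """Cosine similarity of two equal-length count vectors (0.0 if either is empty)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def correlate(hists, threshold=0.8):
    """Return [(handle1, handle2, score)] for pairs at or above the threshold, best first."""
    handles = sorted(hists)
    pairs = []
    for i, h1 in enumerate(handles):
        for h2 in handles[i + 1:]:
            score = cosine(hists[h1], hists[h2])
            if score >= threshold:
                pairs.append((h1, h2, round(score, 3)))
    return sorted(pairs, key=lambda p: -p[2])


def candidate_offsets(hist):
    """UTC offsets (hours) under which >=95% of posts land at or after 08:00 local.

    Returns a band, not a point: a posting profile narrows the timezone,
    it does not pin it down.
    """
    total = sum(hist)
    out = []
    for off in range(-12, 15):
        in_waking = sum(n for h, n in enumerate(hist) if (h + off) % 24 >= WAKING_START)
        if total and in_waking / total >= MIN_WAKING_FRACTION:
            out.append(off)
    return out


if __name__ == "__main__":
    hists = hour_histograms(POSTS)
    for h1, h2, score in correlate(hists):
        print(f"{h1} ~ {h2}: cosine {score}")
    for handle, hist in hists.items():
        print(f"{handle}: consistent UTC offsets {candidate_offsets(hist)}")
```

On the constructed data the forum and Telegram handles score above 0.9 while the night-time paste handle scores 0.0 against both, and the forum handle's profile is consistent with any offset from UTC+2 to UTC+8. That band is the honest output: a single signal narrows the identity space, and it is the accumulation of such signals across platforms, vocabulary and infrastructure reuse that the investigation relies on.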
For red teamers: the same methodology Krebs applies to criminal actors applies directly to adversary emulation profiling. How a group communicates, recruits, and handles affiliate disputes gives you behavioral signal that IOC lists don’t.
What Defenders Should Actually Do With This
Model the Affiliate, Not the Operator
When a RaaS operator offers 90 percent to affiliates, the affiliate is the primary threat actor in your threat model. The operator provides tooling and infrastructure. The affiliate provides initial access, lateral movement, and exfiltration — and the affiliate’s tradecraft is what your detection engineering has to catch.
The Gentlemen’s encryptor can be swapped, obfuscated, or replaced. The affiliate’s preference for exposed RDP as an entry point, their living-off-the-land binary choices during lateral movement, their consistent C2 framework — these are harder to change and more detectable across engagements.
CISA’s StopRansomware guidance makes this explicit: affiliate-based operations require detection of precursor activity — credential theft, discovery commands, internal reconnaissance — not encryption events, which by definition occur after the meaningful damage window has closed (CISA, “#StopRansomware Guide,” updated 2023).
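What "detect the precursor activity" looks like in practice is shown below. This is an added example, not the page's, CISA's or any vendor's rule set: it runs a small set of command-line rules over constructed process-creation log lines, alerts immediately on credential-access and backup-tampering hits, and raises a discovery burst only when several distinct discovery commands run on one host within a short window, because any single discovery command is too noisy to page on. The log format, rule names, the 10-minute window and the three-rule burst threshold are assumptions made for the example.

```python
"""Added example: flagging ransomware-affiliate precursor activity in
process-creation logs instead of waiting for an encryption event.

Rule names, log format, thresholds and all log lines below are constructed
for illustration; they are not a vendor's or CISA's rule set.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per (tactic, name, regex on the command line). Discovery hits are
# individually noisy, so they only alert as a burst; the other two alert alone.
RULES = [
    ("discovery", "whoami",     re.compile(r"\bwhoami\b", re.I)),
    ("discovery", "nltest",     re.compile(r"\bnltest\b", re.I)),
    ("discovery", "net_domain", re.compile(r"\bnet1?\s+(group|user)\b.*\s/domain\b", re.I)),
    ("discovery", "quser",      re.compile(r"\bquser\b", re.I)),
    ("discovery", "systeminfo", re.compile(r"\bsysteminfo\b", re.I)),
    ("credential_access", "lsass_access",  re.compile(r"\blsass\b", re.I)),
    ("credential_access", "ntdsutil",      re.compile(r"\bntdsutil\b", re.I)),
    ("backup_tampering",  "vss_delete",    re.compile(r"\bvssadmin\b.*\bdelete\b", re.I)),
    ("backup_tampering",  "wbadmin_delete", re.compile(r"\bwbadmin\b.*\bdelete\b", re.I)),
]
DISCOVERY_WINDOW = timedelta(minutes=10)   # assumed burst window
DISCOVERY_MIN_DISTINCT = 3                 # distinct discovery rules needed to alert

# Simplified Sysmon-like line: timestamp host=... user=... cmd="..."
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Constructed process-creation log lines.
SAMPLE_LOG = r"""
2025-11-03T08:10:00Z host=WS-003 user=CORP\asmith cmd="whoami"
2025-11-03T09:41:02Z host=WS-017 user=CORP\jdoe cmd="whoami /all"
2025-11-03T09:42:10Z host=WS-017 user=CORP\jdoe cmd="nltest /dclist:corp"
2025-11-03T09:44:31Z host=WS-017 user=CORP\jdoe cmd="net group "Domain Admins" /domain"
2025-11-03T09:46:05Z host=WS-017 user=CORP\jdoe cmd="quser"
2025-11-03T09:50:00Z host=WS-017 user=CORP\jdoe cmd="notepad.exe C:\Users\jdoe\notes.txt"
2025-11-03T10:05:44Z host=SRV-BK01 user=CORP\svc_backup cmd="vssadmin delete shadows /all /quiet"
2025-11-03T11:30:00Z host=WS-003 user=CORP\asmith cmd="systeminfo"
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def match_rules(cmd):
    """Return [(tactic, rule_name)] for every rule whose regex hits the command line."""
    return [(tactic, name) for tactic, name, rx in RULES if rx.search(cmd)]


def detect(log_text):
    """Return alert dicts: high-severity single hits, then per-host discovery bursts."""
    events = [e for e in (parse_line(l) for l in log_text.strip().splitlines()) if e]
    alerts = []
    discovery = defaultdict(list)   # host -> [(ts, rule_name)] in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tactic, name in match_rules(ev["cmd"]):
            if tactic == "discovery":
                discovery[ev["host"]].append((ev["ts"], name))
            else:
                alerts.append({"severity": "high", "host": ev["host"], "user": ev["user"],
                               "rule": name, "at": ev["ts"].isoformat()})
    for host, hits in discovery.items():
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= DISCOVERY_WINDOW}
            if len(names) >= DISCOVERY_MIN_DISTINCT:
                alerts.append({"severity": "medium", "host": host, "rule": "discovery_burst",
                               "rules": sorted(names), "at": t0.isoformat()})
                break   # one burst alert per host is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, WS-017 produces one medium discovery-burst alert (four distinct discovery commands inside five minutes), SRV-BK01 produces one high alert for shadow-copy deletion, and WS-003, whose two discovery commands are hours apart, produces nothing. That last case is the point of the window: the same command that is benign on a help-desk workstation is a precursor when it appears as part of a tight sequence.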
RaaS Recruitment Posts Are Intelligence
The Gentlemen are advertising — on dark web forums, in private Telegram channels, through criminal referral networks. Those advertisements describe required skill sets, preferred targets, and prohibited sectors (most RaaS groups exclude CIS-region victims by written policy).
Threat intelligence teams should be collecting and analyzing RaaS recruitment posts the same way competitive intelligence analysts read job postings. A group advertising for affiliates with “experience in large enterprise Active Directory environments” is telling you something specific about targeting ambitions. A group that shifts its prohibited-sector language is giving you an early indicator of targeting expansion before the incident reports start coming in.
What Red Teamers Should Do Now
The Gentlemen’s rise to second place by victim count happened fast. Either the tooling is exceptional, the recruitment network is pulling in experienced operators, or both. Until technical detail surfaces from researchers or IR engagements, emulate the structural characteristics of high-velocity RaaS affiliates: short dwell time, aggressive use of legitimate remote management tools for persistence, systematic targeting of backup infrastructure before encryption. Don’t wait for a specific malware sample.
The attribution methodology Krebs uses is also directly applicable to internal purple team exercises. Run OSINT sweeps against your own organization’s external footprint (forum-style handle correlation, credential leak searches, infrastructure enumeration) with the same approach a threat actor’s reconnaissance team would apply; they will surface exposed credentials, leaked internal documents, and infrastructure details that vulnerability management programs miss. Your vuln scanner doesn’t check paste sites.
The Attribution Question Has Compliance Weight
The question Krebs poses — who actually runs The Gentlemen — carries practical weight beyond its journalistic interest. Public attribution, even partial attribution that identifies a nationality or criminal network affiliation, shapes how law enforcement prioritizes takedown operations and how sanctions exposure applies to ransom payment decisions.
For organizations with cyber insurance weighing payment in an active incident, the operator’s identity and jurisdiction are a compliance question. OFAC’s ransomware advisory is unambiguous that payments to sanctioned entities carry legal exposure regardless of whether the victim knew at the time of payment (U.S. Department of Treasury, OFAC, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” 2021). An investigation that narrows the operator’s potential jurisdiction is operationally material for incident response counsel and insurance carriers — not just interesting.
Takeaway
The Gentlemen are worth sustained analytical attention for three reasons: their velocity, their affiliate economics, and the specific opsec failure their administrator made early enough that it’s now documentable by a journalist. That third factor is the most instructive. Digital artifacts generated before a threat actor becomes prominent don’t disappear — they accumulate, get indexed, get correlated, and eventually get published.
The same permanence applies to your organization’s external footprint. The credentials leaked in 2019, the misconfigured bucket from a decommissioned product, the forum post a current employee made on a hacker forum five years ago — all durable, all in the same OSINT environment Krebs uses to find ransomware operators.
Read the original investigation. Then run the same methodology against your own organization before an affiliate does.