The Gentlemen Ransomware June 2026: NC SMB Defense Plan

The Gentlemen ransomware became #2 RaaS with 483 victims via 90/10 affiliate split. NC SMB backup + EDR action plan. (336) 886-3282.

TL;DR: In June 2026, security researchers tracked The Gentlemen ransomware to the #2 spot among active ransomware-as-a-service groups by victim count - per Security Affairs, 483 victims on their leak site as of June 13, 2026, with 380 of them in 2026 alone. Brian Krebs traced the operator to a Russian-language forum handle "Zeta88" (previously "Hastalamuerte") and a Halcyon assessment ranks The Gentlemen as the fastest-scaling RaaS on record, driven by an aggressive 90/10 affiliate revenue split versus the industry-standard 80/20. For NC SMBs - manufacturers, distributors, professional services, healthcare practices - the Gentlemen surge confirms 2026 as the year every SMB needs a tested ransomware recovery plan, not just a tape backup.

Key takeaway: A 90/10 affiliate split is an economic lever. It attracts the more capable affiliates away from competing RaaS programs, which means more sophisticated initial-access tradecraft, faster lateral movement, and more aggressive double-extortion. The defense is the same as it was last quarter - EDR, MFA, immutable backups, tested IRP - but the time-to-impact has compressed.

Need a ransomware-readiness review while The Gentlemen is scaling? Preferred Data Corporation has run managed cybersecurity for NC small businesses since 1987 from High Point. Call (336) 886-3282 or book a ransomware readiness review.

Who is The Gentlemen and why is the affiliate split the story?

The Gentlemen surfaced in September 2025. By June 13, 2026, the group had listed 483 victims on their dark-web leak site, 380 of them in 2026 alone. Per Krebs on Security's investigation, the lead operator uses the handle Zeta88 (previously Hastalamuerte) on Russian-language cybercrime forums.

Three facts an NC SMB owner should write down:

  • 90/10 affiliate revenue split. Per Security Affairs, affiliates keep 90 cents of every ransom dollar. Most RaaS programs offer 70-80% to affiliates; only RansomHub previously matched this rate. The economic effect is to pull the most capable affiliates from competing programs.
  • Self-propagating Go encryptor. Per Microsoft Security, the ransomware is written in Go and uses self-propagation features to move laterally on its own once it lands. The implication for SMB defenders is that the lateral-movement clock between initial access and full-environment encryption is shorter than in older ransomware families.
  • BYOVD EDR killer toolkit handed to affiliates. Per the Halcyon assessment, affiliates receive a "Bring Your Own Vulnerable Driver" toolkit designed to disable EDR / XDR before the encryptor runs. An NC SMB whose endpoint defense relies on stock antivirus is in the easiest-victim bucket.

The economic signal matters because it forecasts the rest of 2026. A 90/10 split attracts initial-access brokers, vishing crews, and credential-stuffing operators away from other programs. Expect Gentlemen affiliates to compete on speed and creativity of initial access, not just on encryption performance.

What sectors does The Gentlemen actually hit?

Per the Halcyon threat assessment and ongoing leak-site monitoring, the leak-site target distribution skews toward small and mid-market businesses across manufacturing, professional services, healthcare, construction, and technology - the same set NC SMBs occupy. The group's leak site has named victims in 66 countries, but the United States dominates the victim list.

Sector | NC SMB Exposure 2026 | Gentlemen-Era Defense Priority
--- | --- | ---
Manufacturing | OT/IT flat networks, legacy PLCs | IT/OT segmentation + immutable backups
Professional services | Local-only file shares, M365 only | EDR + cloud backup + IRP
Healthcare | EMR / PMS sprawl, BYOD | EDR + identity + immutable backups
Construction | Mobile workforce, jobsite WiFi | MDM + DNS filter + EDR
Distribution / wholesale | ERP + EDI dependencies | Backup of ERP DB + tabletop
Technology / MSP | Privileged admin accounts | PAM + phishing-resistant MFA

Two observations NC SMB owners should not skip:

  • A small or mid-market victim is the median target, not the exception. The marketing framing "ransomware hits enterprise" understates the SMB reality. The Halcyon and Krebs data show the median Gentlemen victim is mid-market, not Fortune 500.
  • Manufacturing remains the lead target. Manufacturing has been the #1 cyber-target sector for the fifth consecutive year per IBM X-Force. The Gentlemen surge is consistent with that trend, not a deviation from it.

What does the Gentlemen kill chain look like for an NC SMB?

The chain matches the modern ransomware standard, compressed in time. Per the Microsoft Security analysis of the encryptor and the Halcyon assessment of operator tradecraft:

  1. Initial access via phishing, credential reuse, or vendor compromise. Affiliates use whichever path is cheapest. For NC SMBs, that has historically been phishing of office staff (especially finance and HR), reuse of credentials from past breach corpuses, and exploitation of unpatched edge devices (FortiGate, Citrix, Ivanti, RDP).
  2. EDR disable via BYOVD. Affiliates drop a legitimately signed but vulnerable kernel driver, load it, and use it to terminate or blind the EDR / XDR agent before any encryption runs. Stock antivirus rarely survives this step; mature EDR with tamper protection, backed by Microsoft's vulnerable driver blocklist so the driver is refused at load time, often does.
  3. Credential harvesting and lateral movement. Mimikatz, LSASS dumps, or AD discovery via BloodHound. The Go encryptor self-propagates from the first foothold to network shares and remote endpoints.
  4. Data exfiltration before encryption. Double-extortion playbook: exfiltrate 5-50 GB of business-sensitive data first; then encrypt. The exfil typically uses Rclone or MEGA-CMD, sometimes piped through cloud storage providers to look like legitimate traffic.
  5. Encryption + ransom note. Go encryptor runs across the environment; ransom note demands payment in cryptocurrency, threatens publication on the leak site, and provides a 48-72-hour negotiation window.
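
The five stages above, as an added detection example that is not code from this page, from Microsoft, or from Halcyon: it correlates constructed Sysmon-style events (event IDs 1, 6, 10 and 11) per host into stages 2 through 5 and measures the time from the first flagged activity to the encryption burst, which is the "time-to-impact" the TL;DR says has compressed. The event records, the EDR service-name hints, the LSASS source allowlist, the ".locked" extension and the 50-files-per-minute burst threshold are all assumptions to be tuned against a real environment.

```python
"""Correlate endpoint telemetry into the ransomware kill-chain stages above.

Added example. Records are constructed to resemble Sysmon fields
(EventID 1 ProcessCreate, 6 DriverLoad, 10 ProcessAccess, 11 FileCreate);
they are not logs from a real intrusion. Service-name hints, the LSASS
allowlist and the burst threshold are assumptions to tune per environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ntpath

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
EDR_SERVICE_HINTS = ("sense", "csagent", "sentinel", "huntress", "windefend")
EXFIL_TOOLS = {"rclone.exe", "megacmd.exe", "mega-cmd.exe"}
LSASS_ALLOWED_SOURCES = ("msmpeng.exe", "csrss.exe", "wininit.exe")  # assumption
LSASS_READ = 0x0010          # PROCESS_VM_READ bit in Sysmon GrantedAccess
ENCRYPT_BURST = 50           # new-extension file creates per minute (assumption)
BYOVD_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry from two hosts; ".locked" is a placeholder
# extension chosen for the example, not The Gentlemen's.
EVENTS = [
    {"ts": "2026-06-10T02:01:10", "host": "WS-FIN-07", "eid": 6,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.sys", "signed": True},
    {"ts": "2026-06-10T02:01:25", "host": "WS-FIN-07", "eid": 1,
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc.exe stop SenseIR"},
    {"ts": "2026-06-10T02:03:40", "host": "WS-FIN-07", "eid": 10,
     "source": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mm.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "granted": 0x1010},
    {"ts": "2026-06-10T02:20:05", "host": "FS-01", "eid": 1,
     "image": "C:\\ProgramData\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares remote:exfil --transfers 16"},
] + [
    {"ts": f"2026-06-10T02:41:{i:02d}", "host": "FS-01", "eid": 11,
     "target": f"D:\\Shares\\Finance\\invoice_{i}.xlsx.locked"}
    for i in range(60)
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _base(path):
    return ntpath.basename(path).lower()


def correlate(events):
    """Return {host: [(stage, timestamp), ...]} in time order per host."""
    hits = defaultdict(list)
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        driver_loads = []        # timestamps of suspicious driver loads on this host
        creates = Counter()      # (minute, extension) -> file creates in that minute
        for e in evs:
            t, eid = _ts(e), e["eid"]
            if eid == 6 and any(s in e["image"].lower() for s in USER_WRITABLE):
                # Stage 2a: a kernel driver loaded from a user-writable path is the BYOVD tell
                driver_loads.append(t)
                hits[host].append(("byovd_driver_load", t))
            elif eid == 1:
                img, cmd = _base(e["image"]), e.get("cmdline", "").lower()
                stops_edr = (img in ("sc.exe", "net.exe", "taskkill.exe")
                             and any(h in cmd for h in EDR_SERVICE_HINTS))
                if stops_edr:
                    # Stage 2b: EDR service stopped; escalate if a driver load preceded it
                    recent = any(t - d <= BYOVD_WINDOW for d in driver_loads)
                    hits[host].append(("edr_disabled_after_byovd" if recent
                                       else "edr_service_stop", t))
                elif img in EXFIL_TOOLS:
                    hits[host].append(("exfil_tool", t))          # Stage 4
            elif eid == 10 and _base(e["target"]) == "lsass.exe":
                if e["granted"] & LSASS_READ and _base(e["source"]) not in LSASS_ALLOWED_SOURCES:
                    hits[host].append(("lsass_read", t))          # Stage 3
            elif eid == 11:
                ext = ntpath.splitext(e["target"])[1].lower()
                key = (t.replace(second=0, microsecond=0), ext)
                creates[key] += 1
                if creates[key] == ENCRYPT_BURST:
                    hits[host].append(("encryption_burst", t))    # Stage 5
    return dict(hits)


def time_to_impact(events):
    """Minutes from the first flagged stage on any host to the first encryption burst."""
    stages = [s for host_hits in correlate(events).values() for s in host_hits]
    enc = [t for s, t in stages if s == "encryption_burst"]
    if not stages or not enc:
        return None
    return (min(enc) - min(t for _, t in stages)).total_seconds() / 60


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        for stage, t in stages:
            print(f"{t:%H:%M:%S} {host:10} {stage}")
    print(f"time to impact: {time_to_impact(EVENTS):.1f} min")
```

On the constructed data the first flagged event (the driver load at 02:01:10) and the encryption burst (02:41:49) are about 41 minutes apart, which is the number a defender has to beat with detection and response; the "edr_disabled_after_byovd" escalation fires only when a service stop follows a suspicious driver load within ten minutes, so a routine administrative restart of the agent does not trigger it.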

Quotable definition: The Gentlemen ransomware is a self-propagating Go encryptor handed to affiliates under a 90/10 revenue split, with a BYOVD EDR-disable toolkit included. The economic structure is the differentiator, not the encryption math.

What should an NC SMB do this quarter about The Gentlemen?

Run a five-pillar plan inside 90 days. The pillars are the same ones every credible managed cybersecurity provider has recommended for two years; the urgency is what changed with the Gentlemen surge.

  1. Pillar 1 - immutable backups (this month). Move from "backup runs nightly" to "backup is immutable, off-site, off-network, and tested." The 3-2-1-1-0 model (3 copies, 2 media, 1 off-site, 1 immutable / air-gapped, 0 errors in last restore test) is the SMB target. Verify restore time for ERP, file shares, M365, and the line-of-business database. If a quarterly restore test has never happened, schedule it.
  2. Pillar 2 - EDR / MDR with anti-tampering (this month). Replace stock antivirus with EDR that includes tamper protection and managed detection content. Defender for Business with the right configuration, CrowdStrike Falcon Go, SentinelOne Singularity, Huntress MDR, and similar are the realistic options for NC SMBs in 2026. The BYOVD EDR-killer threat makes tamper protection and kernel-level driver control (Windows memory integrity / HVCI with Microsoft's vulnerable driver blocklist enforced) table stakes, not a premium.
  3. Pillar 3 - phishing-resistant MFA + identity hygiene (this month). Every administrative account requires hardware-token or passkey MFA. Every user account requires at least TOTP MFA. Disable legacy authentication (basic auth, IMAP / POP / SMTP basic auth) in M365 and Google Workspace. Remove unused accounts and reduce privileged-account count to the minimum that runs the business.
  4. Pillar 4 - segmentation and edge hygiene (this quarter). Default-deny east-west on the network. Patch FortiGate, Citrix, Ivanti, RDP, and any other edge device exposed to the public internet to current firmware. Restrict admin interfaces to a management VLAN or source-IP allowlist. Remove any path from local admin rights on a workstation to domain admin: shared local administrator passwords (use LAPS), domain admins logging on to workstations, and standing privileged sessions that a single workstation compromise can inherit.
  5. Pillar 5 - Incident Response Plan with a tested tabletop (this quarter). A real IRP names the players (operations, IT, leadership, counsel, communications, insurance carrier), defines the decision tree (pay, do not pay, when to notify, what to disclose), and has been rehearsed in the last six months. The Gentlemen 48-72-hour negotiation window is too short to invent the plan in the moment.
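
A restore-test check for Pillar 1, as an added example that is not tooling from this page or from any backup vendor: it scores a backup inventory against the 3-2-1-1-0 rule and verifies a restore by hashing the restored files against a manifest captured at backup time, which is what turns "the backup ran" into "0 errors in the last restore test". The inventory entries, file names and the simulated restore failures are constructed for the example.

```python
"""Restore-test verification for the 3-2-1-1-0 backup target described above.

Added example, not tooling from the page or from any backup vendor. It
(1) scores a backup inventory against 3-2-1-1-0 and (2) verifies a restore by
hashing restored files against a manifest captured at backup time. The
inventory and the demo files are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool   # object lock / WORM / powered-off tape, not merely a retention policy


# Constructed inventory (assumption): a typical SMB before remediation,
# i.e. a nightly NAS job plus a cloud sync that ransomware can also reach.
SAMPLE_COPIES = [
    BackupCopy("nightly-nas", media="disk", offsite=False, immutable=False),
    BackupCopy("cloud-sync", media="object-storage", offsite=True, immutable=False),
]


def score_3_2_1_1_0(copies, last_restore_errors):
    """Return the list of gaps against 3-2-1-1-0; an empty list means compliant.
    last_restore_errors=None means no restore test is on record at all."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies (need 3)")
    if len({c.media for c in copies}) < 2:
        gaps.append("all copies on one media type (need 2)")
    if not any(c.offsite for c in copies):
        gaps.append("no off-site copy")
    if not any(c.immutable for c in copies):
        gaps.append("no immutable / air-gapped copy")
    if last_restore_errors is None:
        gaps.append("no restore test on record")
    elif last_restore_errors:
        gaps.append(f"{last_restore_errors} errors in last restore test")
    return gaps


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> SHA-256, captured at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restore to the manifest; return {'missing': [...], 'corrupt': [...]}."""
    missing, corrupt = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupt.append(rel)
    return {"missing": missing, "corrupt": corrupt}


def demo():
    """Constructed restore test: three files backed up; during the 'restore'
    one comes back truncated and one is missing. Returns (gaps, errors, result)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        originals = {"erp.bak": b"erp dump", "shares/q2.xlsx": b"ledger",
                     "m365/mail.pst": b"mailbox"}
        for rel, data in originals.items():
            p = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        # Simulated restore: erp.bak intact, q2.xlsx truncated, mail.pst never restored.
        restored = {"erp.bak": b"erp dump", "shares/q2.xlsx": b"led"}
        for rel, data in restored.items():
            p = os.path.join(dst, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        result = verify_restore(manifest, dst)
        errors = len(result["missing"]) + len(result["corrupt"])
        return score_3_2_1_1_0(SAMPLE_COPIES, errors), errors, result


if __name__ == "__main__":
    gaps, errors, result = demo()
    print(f"restore errors: {errors} {result}")
    for g in gaps:
        print("gap:", g)
```

The point of the manifest is that "the restore job reported success" is not evidence: only a byte-for-byte comparison against hashes taken before the backup left the source proves the ERP dump or file share is usable, and a restore that silently truncates or drops files still counts as errors against the "0" in 3-2-1-1-0. Adding an immutable tape or object-locked third copy to the constructed inventory is what clears the remaining gaps.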

Key takeaway: No NC SMB will out-spend the Gentlemen affiliate pool. The defense is operational discipline: immutable backups verified by restore tests, EDR with anti-tampering, phishing-resistant MFA, segmentation, and a tested IRP. The cost is meaningful; the avoided ransomware payment is the comparison.

Need a ransomware-readiness review and tabletop scoped to your NC SMB? Call (336) 886-3282 or book a ransomware readiness review.

What about cyber insurance, ransom payment, and reporting?

Three points NC SMB owners and CFOs should treat as non-negotiable.

  • Cyber insurance increasingly excludes or sub-limits ransomware payments. The 2026 underwriting cycle has tightened controls on ransomware coverage, especially for organizations without EDR, MFA on all admin accounts, immutable backups, and a tested IRP. The pre-binding controls questionnaire is now an operational checklist, not a paperwork exercise. Score-card yourself before the carrier does.
  • Paying the ransom is a business decision with legal, ethical, and operational tradeoffs. OFAC sanctions risk applies when payment routes to a sanctioned entity. CISA's reporting expectations under CIRCIA add another layer. The decision must be made with counsel, the insurance carrier, and an experienced IR provider - not by the IT director under pressure at 2 AM.
  • Reporting is faster than recovery. Per CISA's reporting guidance, federal reporting timelines under CIRCIA are tightening through 2026. The right time to know the obligations is before the event, not during it.

For a fuller treatment of payment + reporting calculus, see Conti Plea June 2026: NC SMB Ransomware Reporting Plan.

How does Preferred Data Corporation help NC SMBs prepare for the Gentlemen surge?

PDC has run managed cybersecurity, managed IT, and backup services for NC small businesses since 1987 from High Point. Three concrete service lines align with the Gentlemen-era defense pillars:

  • Managed cybersecurity services: EDR / MDR rollout with anti-tampering (Defender for Business, CrowdStrike Falcon Go, SentinelOne), phishing-resistant MFA across the identity estate, segmentation and edge hardening, and an Incident Response Plan with tabletop exercises and insurance-carrier alignment.
  • Backup services: Immutable, off-site, off-network backups with the 3-2-1-1-0 model, verified by scheduled restore tests against ERP, file shares, M365, and line-of-business databases. The backup is only as valuable as the last successful restore.
  • Managed IT services: Patching cadence, firmware maintenance windows on edge devices, identity and admin-account governance, M365 / Google Workspace baseline hardening, and the operational rhythm that turns the five pillars into a sustained practice instead of a one-quarter project.

For NC manufacturers in High Point, NC professional services firms across the Piedmont Triad, NC healthcare practices in Greensboro and Winston-Salem, NC construction firms in Charlotte and the Research Triangle, and NC distributors and importers - The Gentlemen surge is a forecast, not a one-off news story. The work this quarter decides whether the next 48-hour negotiation window is a controlled drill or a real-life crisis.

Need a 90-day ransomware-readiness program scoped to your NC SMB? Call (336) 886-3282 or book a ransomware readiness review.

Frequently Asked Questions

Who runs The Gentlemen ransomware?

Per Krebs on Security's June 2026 investigation, the primary operator uses the nickname Zeta88 on Russian-language cybercrime forums and was previously known as Hastalamuerte. The group has been linked to a Russian national identified as Alexander Andreevich Yapaev. Attribution is investigative-grade, not law-enforcement-published.

Why is the 90/10 affiliate split a big deal?

Because most RaaS programs offer 70-80% to affiliates. A 90/10 split is an economic incentive to attract experienced affiliates from competing programs - including initial-access brokers, vishing crews, and credential-stuffing operators. Per Security Affairs, the split is the primary driver of The Gentlemen's rapid 483-victim growth since September 2025.

How fast is The Gentlemen scaling?

Per the Halcyon threat assessment, The Gentlemen is scaling faster than any prior RaaS group on record - from launch in September 2025 to 483 listed victims by mid-June 2026, with 380 of those in 2026 alone. The growth is also driven by self-propagation in the encryptor itself, per Microsoft's analysis.

What is BYOVD and why does it matter to NC SMB defenders?

BYOVD = Bring Your Own Vulnerable Driver. Attackers drop a legitimately signed but vulnerable kernel driver onto the target, load it, and use the driver's kernel-level access to disable the EDR / XDR agent before the ransomware runs. Per the Halcyon assessment, The Gentlemen ships a BYOVD toolkit to affiliates. The mitigation is EDR with tamper protection, Microsoft's vulnerable driver blocklist enforced through memory integrity (HVCI) or a WDAC policy so the driver is refused at load time, and managed detection content tuned for BYOVD behaviors such as driver loads from user-writable paths followed by agent service stops.

Should NC SMBs pay the ransom?

It is a business and legal decision, not a technical one. OFAC sanctions risk applies when payment routes to a sanctioned entity. CISA reporting expectations under CIRCIA continue to tighten. The right NC SMB process is: contact your insurance carrier within hours of detection, engage an experienced IR provider, involve counsel, and run the decision through your tested IRP. Never have the IT director make the call alone at 2 AM. See Conti Plea June 2026: NC SMB Ransomware Reporting Plan for a fuller treatment.

What is the minimum credible ransomware defense for an NC SMB?

Five non-negotiables in 2026: EDR / MDR with anti-tampering on every endpoint; phishing-resistant MFA on every administrative account; immutable, off-network backups with quarterly restore tests; segmented network with default-deny east-west and patched edge devices; and a written, rehearsed Incident Response Plan with the insurance carrier, counsel, and an IR provider on retainer. The pillars are well-known; the Gentlemen surge is the reminder that the discipline has to actually be in place, not on the roadmap.
