Ransomware has been franchised
The second most active ransomware crew on earth runs like a franchise: 90% commission for the contractors, and a boss who lists "head of B2B marketing" as his day job.
A cybercrime crew called The Gentlemen just became the second most active ransomware group on the planet, measured by how many victims they have publicly named. They got there the same way a fast-food chain expands: by offering a better cut to the people doing the work. Researchers at the security firm Check Point have tracked the group since it appeared in mid-2025, and the numbers are steep. At least 332 published victims, more than 240 of them in the first few months of 2026.
The secret sauce was their recruitment. Most ransomware operations pay the hackers they hire 80% of whatever a victim pays and keep 20% for the house. The Gentlemen offered 90%. Experienced criminals jumped at the opportunity to switch teams.
Then last week, security journalist Brian Krebs published his findings on who runs "The Gentlemen." The person who appears to run the operation is, most likely, a 36-year-old man in Izhevsk, Russia, who lists "head of B2B marketing" as his day job.
How the franchise works
Modern ransomware has very little to do with a hacker in a hoodie. These days it runs as a gig economy with a clear division of labor, and the industry even has a name for the arrangement: ransomware-as-a-service, or RaaS. One person (the administrator) writes the malware, runs the leak site where stolen files get published, and handles the cryptocurrency. The actual break-ins are outsourced to independent contractors called affiliates, who get paid a percentage of every successful ransom.

It is a franchise. The administrator builds and maintains the product. The affiliates go out and use it. The house takes a cut of the revenue. The only real difference from a legitimate franchise is the product. Instead of slinging burgers, it encrypts a dentist's office or a county water district and demands a payout to give the files back.
That structure is why a single crew can rack up hundreds of victims in a year. The administrator never has to break into anything personally. He just has to keep enough skilled affiliates happy, and the way you keep affiliates happy is paying up.
The 90% hustle
The standard split across the ransomware underground has been 80/20 for years, 80% to the affiliate and 20% to the operator. The Gentlemen showed up offering 90/10.
This poaching strategy attracts top-tier criminals who can reliably break into corporate networks. They are free agents, and ten extra points of every payout is a real raise. Check Point's researchers put it plainly back in April: the better split is pulling experienced operators away from competing programs. The victim count followed. They are now the second most active group in the world, in well under a year, on a business built almost entirely on commission.
The professionalism goes past the payroll split. Analysts who went through the leaked chats found the crew looking companies up to estimate revenue, then sizing the ransom to the ceiling of the victim's cyber-insurance policy. In one case they knew the target carried $10 million in coverage and asked for exactly $10 million. The insurance meant to cover the disaster sets the price of it.
How they break in
The methods are not exotic, which is what makes this scary. The Gentlemen's affiliates get their initial foothold mostly through internet-facing equipment: VPN appliances and firewalls, the boxes that sit at the edge of a network and face the open internet. Think Fortinet and Cisco gear. They brute-force login pages, they exploit known holes in equipment that has not been updated, and they buy access from other criminals who specialize in finding open doors. Once inside, Check Point says they move fast enough to encrypt an entire network within hours.
None of that requires a genius hacker. What it takes is a list of internet addresses and a scanner that checks each one for a firewall nobody has patched since 2023. The work is closer to telemarketing than espionage. You dial enough numbers, you get enough yeses. It's a numbers game. This is the same shift I wrote about in "patching is the new password": the unlocked door now matters more than the stolen key.
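The brute-forcing of VPN login pages described above shows up in the appliance's own logs long before anything gets encrypted, and it is one of the cheapest things to alert on. The following is an added example, not code from the article or from Check Point: a small detector that runs over a handful of constructed, syslog-style login events (the line format, hostnames and IP addresses are invented for the example and are not any vendor's real format), raises an alert when one source address piles up failed logins inside a short window, and raises a second, louder alert if that same source then logs in successfully, which is the moment the guessing paid off.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a generic syslog-like shape (not a real vendor format).
# One source (203.0.113.7) guesses five accounts in six seconds and then gets in as "support";
# a second source (198.51.100.4) is a normal user who mistypes once.
SAMPLE_LOGS = """\
2026-03-02T08:00:01Z vpn-edge sslvpn: login failed user=admin src=203.0.113.7 reason=bad_password
2026-03-02T08:00:03Z vpn-edge sslvpn: login failed user=jsmith src=203.0.113.7 reason=bad_password
2026-03-02T08:00:04Z vpn-edge sslvpn: login failed user=backup src=203.0.113.7 reason=bad_password
2026-03-02T08:00:06Z vpn-edge sslvpn: login failed user=test src=203.0.113.7 reason=bad_password
2026-03-02T08:00:07Z vpn-edge sslvpn: login failed user=support src=203.0.113.7 reason=bad_password
2026-03-02T08:00:09Z vpn-edge sslvpn: login ok user=support src=203.0.113.7
2026-03-02T08:05:10Z vpn-edge sslvpn: login failed user=mlee src=198.51.100.4 reason=bad_password
2026-03-02T08:09:30Z vpn-edge sslvpn: login ok user=mlee src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse(lines):
    """Yield one dict per authentication event; lines that are not auth events are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        }


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Return a list of alerts in the order they fire.

    A "bruteforce" alert fires once per source when it accumulates `threshold`
    failed logins inside `window` (sliding window, oldest failures expire).
    A "success_after_bruteforce" alert fires for every successful login from a
    source that has already tripped the first alert: that is the event worth
    waking someone up for.
    """
    failures = defaultdict(deque)  # src -> (timestamp, username) of recent failures
    alerted = set()
    alerts = []
    for ev in parse(lines):
        q = failures[ev["src"]]
        if ev["result"] == "failed":
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append({
                    "kind": "bruteforce",
                    "src": ev["src"],
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),  # breadth hints at password spraying
                    "at": ev["ts"],
                })
        elif ev["src"] in alerted:
            alerts.append({
                "kind": "success_after_bruteforce",
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The threshold and window are deliberately low so the example is readable; on a real appliance you would tune them against a day of normal traffic, and you would feed the second alert type straight to whoever can disable the account and the session.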
The boss is not a supervillain
The unmasking is my favorite part. It is also useful for understanding the threat.
After someone leaked the group's own backend database in May, Check Point, the intelligence firm Intel 471, and the breach-tracking service Constella Intelligence pieced together a trail from the administrator's forum handles ("Hastalamuerte," later "Zeta88"). They traced a Telegram ID, a phone number, and an email address. The trail led to a name: Alexander Yapaev, 36, of Izhevsk.
The same email is tied to a LinkedIn profile listing him as head of B2B marketing at a Russian electrical-supply company. Krebs is careful to call this a likely identity built from breadcrumbs, not a courtroom-proven fact, and Yapaev did not respond to requests for comment. Russian authorities tend to leave cybercriminals alone as long as they do not hit Russian targets, which is part of why so many of them barely hide.
Digging back through this person's forum posts from 2019 and 2020, you'll find an unsophisticated amateur asking beginner questions, fumbling with penetration-testing tools in a training channel, trying to build a reputation. This was not a state-sponsored mastermind. The forum history shows a guy who was bad at this, stuck with it, got better, and eventually turned it into a profitable software business with a recruiting funnel.
Now with more AI
In the leaked chats, the administrator says he built his admin control panel in three days using AI coding assistants. He was candid enough to state that you still have to understand the code well enough to fix what the AI gets wrong. The crew trades tips on which models work best for them, leaning on Chinese ones, and at one point recommends a version stripped of its safety limits so it will answer anything. This is the same uncomfortable pattern I covered in "the AI hard drive hostage crisis": the tools that make a small business more productive make a small criminal operation more productive too, and the criminals are not waiting for permission.
What it all means
Nobody studied you or your company and singled you out. You became a target because an automated scanner found a device on your network that answers to the open internet and has a known weakness. Then an affiliate working on commission followed up because there was money to be made. The algorithm found a door that was not locked, and a contractor walked through it for his 90% cut.
That is why "we're too small to bother with" is not a valid defense. Verizon's 2025 Data Breach Investigations Report found ransomware involved in 88% of breaches at small and midsize businesses, against 39% at large companies. The 2026 edition is blunter about why: these attacks are opportunistic, and the most common ways in were a stolen password or an unpatched device sitting on the edge of the network. Small operations get hit more, not less. This is because they run the same internet-facing gear as everyone else but patch it less often. The attack is a volume play where small and large look identical to a scanner.
What to do
- Patch your edge devices first. The firewall, the VPN box, anything that faces the internet. These are the front door, and they are exactly what the scanners look for. If a vendor pushes a security update for one of these, it is not a "this weekend" job.
- Put multi-factor authentication on every remote login. Brute-forcing a VPN password is a core part of how these crews get in, and a second factor stops that. It is a minor daily annoyance, and it is the cheapest thing on this list that can stop a real attack.
- Find out what you are actually exposing. Most small businesses do not know which of their devices are reachable from the open internet. If you have an IT person or a managed provider, ask them for the short list. If a piece of gear does not need to be internet-facing, take it off.
- Keep backups you can actually restore. The whole point of ransomware is that you cannot get your files back. Real backups, tested and kept offline, turn a catastrophe into a bad afternoon.
- Assume a scanner will reach you, because one will. A criminal did not single you out; your address is just one more line in a list the script runs against everyone. The defenses above are the difference between being on that list and being a casualty.
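The first three items on that list (patch the edge, put MFA on remote logins, know what you expose) boil down to one question: of the gear reachable from the internet, which boxes are below the vendor's fixed version, which accept logins without a second factor, and which have no business being exposed at all? This is an added example, not code from the article: a small triage script over a constructed asset inventory. The vendor name "examplecorp", the product names, the firmware versions and the "fixed version" table are all placeholders invented for the example, not real advisories; in practice the fixed-version table comes from the vendor's security bulletins.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str
    internet_facing: bool     # reachable from the open internet
    exposure_justified: bool  # someone signed off on it being exposed
    remote_login: bool        # offers an interactive login (VPN portal, admin UI)
    mfa_enabled: bool


# Constructed advisory table: (vendor, product) -> first firmware version that carries the fix.
# Placeholder values; a real table is filled from the vendor's security bulletins.
FIXED_VERSIONS = {
    ("examplecorp", "edge-fw"): "7.2.10",
    ("examplecorp", "ssl-vpn"): "4.1.3",
}

# Constructed inventory of the kind a managed provider would hand a small business.
INVENTORY = [
    Asset("fw-hq", "examplecorp", "edge-fw", "7.2.8", True, True, True, False),
    Asset("vpn-hq", "examplecorp", "ssl-vpn", "4.1.3", True, True, True, True),
    Asset("printer-lobby", "acme-print", "mfp", "2.0", True, False, False, False),
    Asset("fw-lab", "examplecorp", "edge-fw", "7.2.8", False, False, True, True),
]


def version_tuple(v):
    """Turn '7.2.10' into (7, 2, 10) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def triage(assets, fixed_versions):
    """Return (priority, asset name, action) tuples, lowest priority number first.

    Priority 1: internet-facing and below the fixed version, or internet-facing
                remote login without MFA. Both are exactly what a scanner hunts for.
    Priority 2: internet-facing with no sign-off on why. Take it off the internet.
    Priority 3: below the fixed version but not exposed. Schedule it.
    """
    findings = []
    for a in assets:
        fixed = fixed_versions.get((a.vendor, a.product))
        outdated = fixed is not None and version_tuple(a.firmware) < version_tuple(fixed)
        if outdated and a.internet_facing:
            findings.append((1, a.name, f"internet-facing and below fixed version {fixed}: patch now"))
        elif outdated:
            findings.append((3, a.name, f"below fixed version {fixed}; not exposed, schedule the patch"))
        if a.internet_facing and a.remote_login and not a.mfa_enabled:
            findings.append((1, a.name, "remote login reachable from the internet without MFA"))
        if a.internet_facing and not a.exposure_justified:
            findings.append((2, a.name, "exposed to the internet with no documented need: remove it"))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for priority, name, action in triage(INVENTORY, FIXED_VERSIONS):
        print(f"P{priority} {name}: {action}")
```

The numeric version comparison matters more than it looks: comparing "7.2.10" to "7.2.9" as strings puts the patched box below the unpatched one, which is the kind of quiet mistake that leaves a front door open while the report says green.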
There is no shadowy genius picking you out of a crowd. There is a product, a commission plan, and a few hundred contractors running the same handful of plays against everyone with an exposed firewall. That should not feel reassuring. The franchise version is more dangerous than the Hollywood one, because it scales. The only thing standing between your network and a financially motivated franchisee is whether you patched the box at the edge of it.
Sources: Krebs on Security on the administrator's likely identity; Check Point Research on the group's structure, growth, and the leaked internal chats; Verizon 2025 Data Breach Investigations Report on small-business ransomware rates.