How The Gentlemen Ransomware Group Changes Cyber Defense Strategies

Cybercriminals are rewriting the rules of corporate extortion. For years, the underground economy relied on a predictable business model. A central ransomware gang built the malicious software, maintained the payment portals, and handled negotiation. Independent hackers, known as affiliates, did the dirty work of breaking into corporate networks to deploy the payload. The standard financial split was predictable, usually giving the affiliate 70% or 80% of the extorted funds while the core creators took the rest.

That baseline just shattered. A new player operating under the moniker The Gentlemen is turning the cybercrime market upside down by offering an unprecedented 90% cut to its affiliates.

This is not a minor shift in the threat environment. It is an aggressive, corporate-style poaching strategy designed to drain talent away from established syndicates like LockBit or BlackCat. When a criminal enterprise slashes its own corporate tax from 30% down to 10%, it changes who security teams are fighting. It means highly skilled network intruders who used to operate independently or work for legacy syndicates are flocking to a new banner. The result is a massive influx of aggressive, highly motivated threat actors targeting mid-market enterprises and critical infrastructure.

Understanding the mechanics of this shift reveals why traditional corporate defense models are failing. If you think ransomware is just a software problem, you are missing the point entirely. It is an economic problem.

The Economic Reality of Ransomware as a Service

To see why a 90% split matters, look at how Ransomware as a Service operates. The software itself is a commodity. Anyone with access to underground forums can rent a fully functional encryption suite. The real bottleneck in the cybercrime ecosystem has always been the initial access. Breaking into a well-defended corporate network requires specialized skill, patience, and time.

The people who possess those skills are the elite affiliates. They purchase zero-day exploits, compromise corporate Virtual Private Network appliances, or buy footholds from specialized initial access brokers. They bear almost all the operational risk. If an affiliate gets caught inside a network, the core ransomware developers lose nothing. The developers simply recruit another hacker.

Because the affiliate bears the real risk of law enforcement tracing their infrastructure, a 70% cut started feeling like a bad deal to top-tier hackers. The Gentlemen capitalized on this growing resentment. By shrinking their own platform fee to a bare-minimum 10%, they basically turned their operation into a low-margin, high-volume clearinghouse.

Think about the math behind a typical five-million-dollar corporate extortion demand. Under an old-school 70% split, the affiliate took home three and a half million dollars. With the new model, that same hack yields four and a half million dollars to the intruder. That extra million dollars is a massive incentive. It allows hackers to invest more cash into purchasing high-grade corporate access, buying custom defensive bypass tools, and renting faster command-and-control infrastructure.

Behind the Soft Corporate Branding

The name chosen by this group is not an accident. Cybercrime syndicates have long adopted pseudo-corporate structures, complete with human resource departments, public relations representatives, and technical support desks for victims. The Gentlemen take this corporate mimicry a step further by emphasizing a professional, predictable approach to extortion.

They promise victims rapid decryption upon payment. They offer clean documentation showing exactly how they breached the network, mimicking a legitimate cybersecurity penetration test. They keep their word because bad reviews on darknet forums ruin their business model. If a ransomware group takes the money and runs without providing the decryption keys, future victims will refuse to pay, and top affiliates will abandon the platform.

For corporate defense teams, this professionalization makes containment harder. These attackers do not stumble around a network setting off alarms. They move with absolute precision. They study corporate financial documents, insurance policies, and legal disclosures before making a demand. They know exactly how much cash a company has on hand, and they price their extortion demands to sit just below the threshold where a company would choose bankruptcy over payment.

Why Legacy Defensive Playbooks Fail

Most corporate defense strategies were built for an era where hackers used automated scanners to find unpatched servers. Security teams relied on firewalls and basic antivirus software to block known threats. That approach is completely useless against the wave of talent driven by hyper-profitable affiliate programs.

When an intruder is motivated by a 90% payout, they do not use loud, generic tools. They use living-off-the-land techniques. This means they abuse legitimate administrative tools already installed on your systems, such as PowerShell, Windows Management Instrumentation, and the Remote Desktop Protocol. To a standard monitoring tool, an affiliate moving laterally through a network looks exactly like a network administrator doing routine maintenance.

Traditional Attacks:   Broad Scans -> Automated Exploits -> Loud Encryption
Modern RaaS Attacks:   Targeted Access -> Living-off-the-Land -> Data Exfiltration -> Silent Encryption

The encryption of files is no longer the first step. It is the final blow. Before a single file is locked, affiliates spend days or weeks quietly exfiltrating sensitive data. They steal employee records, intellectual property, customer databases, and proprietary source code. If a company has excellent backups and can restore its systems without a decryption key, the attackers switch to double extortion. They threaten to leak the stolen data onto public mirrors or sell it to direct competitors unless the ransom is met.

How Defenders Must Pivot

Surviving this aggressive shift in the threat market requires moving past simple perimeter security. You have to assume an attacker driven by these massive financial payouts will eventually find a way past your outer walls. The goal is to make the internal network so hostile and difficult to navigate that the attacker runs out of time before they can steal data or deploy encryption.

First, implement a radical approach to credential management. Affiliates thrive on harvesting compromised administrative passwords from memory. Implement local administrator password solutions to ensure every single workstation in your enterprise has a unique, rotating password. If an attacker compromises a single receptionist laptop, that access should not grant them the keys to the entire corporate data center.

Second, aggressively monitor internal lateral movement. Watch for unusual internal remote desktop connections, especially those occurring outside normal business hours or originating from unexpected segments of the network. Block all outbound traffic to unapproved cloud storage providers. If a malicious actor cannot exfiltrate hundreds of gigabytes of corporate data, their leverage drops significantly.

Third, enforce strict application control. Do not allow unknown executables or unapproved administrative scripts to run on production endpoints. If the affiliate cannot execute their custom credential dumpers or discovery tools, their attack chain breaks completely.
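One way to operationalise the lateral-movement watch in the second step, as an added example that is not the article's own material: a small triage routine over constructed Windows Security 4624 logon records that flags RemoteInteractive (RDP) sessions outside business hours, on weekends, or from a subnet that is not the assumed jump-host segment. The business-hours window, the approved 10.10.50.0/24 segment and the compact record format are assumptions made for the example.

```python
# Added example (not from the article): triage Windows Security 4624 logons for
# RDP sessions outside business hours or from segments that should not RDP into servers.
# Event lines are constructed samples in a compact 'ts|target|account|src_ip|logon_type'
# form; real telemetry would come from the event log or a SIEM export.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

REMOTE_INTERACTIVE = 10           # 4624 LogonType 10 = RDP / RemoteInteractive
BUSINESS_HOURS = (time(7, 0), time(19, 0))            # assumption: local working day
APPROVED_RDP_SOURCES = [ip_network("10.10.50.0/24")]   # assumption: jump-host subnet

def parse_event(line):
    """Split one constructed 4624 record into a dict of typed fields."""
    ts, target, account, src, ltype = line.strip().split("|")
    return {"when": datetime.fromisoformat(ts), "target": target,
            "account": account, "src": ip_address(src), "type": int(ltype)}

def suspicious_rdp(ev):
    """Return the reasons an RDP logon needs analyst attention; [] means benign."""
    if ev["type"] != REMOTE_INTERACTIVE:   # network/service logons are out of scope here
        return []
    reasons = []
    if not BUSINESS_HOURS[0] <= ev["when"].time() <= BUSINESS_HOURS[1]:
        reasons.append("outside business hours")
    if ev["when"].weekday() >= 5:
        reasons.append("weekend")
    if not any(ev["src"] in net for net in APPROVED_RDP_SOURCES):
        reasons.append(f"source {ev['src']} outside approved RDP segments")
    return reasons

def triage(lines):
    """Return (summary, reasons) for every logon that deserves a look, in log order."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_rdp(ev)
        if reasons:
            flagged.append((f"{ev['when']:%Y-%m-%d %H:%M} {ev['account']}@{ev['target']} "
                            f"from {ev['src']}", reasons))
    return flagged

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "2024-03-12T10:15:00|FS01|CORP\\jsmith|10.10.50.12|10",     # jump host, daytime
    "2024-03-12T02:40:00|DC01|CORP\\admin|10.10.50.12|10",      # approved host, 02:40
    "2024-03-13T14:05:00|DC01|CORP\\reception|10.20.7.33|10",   # reception VLAN -> DC
    "2024-03-16T09:00:00|FS01|CORP\\jsmith|10.10.50.12|10",     # Saturday
    "2024-03-12T11:00:00|FS01|CORP\\svc_backup|10.20.7.33|3",   # network logon, not RDP
]
```

Feeding the sample set through `triage` flags the 02:40 domain-controller session, the reception-segment session, and the Saturday session, while the daytime jump-host session and the non-RDP network logon pass.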

The financial reality of the underground market means the threat will get worse before it gets better. Groups like The Gentlemen are proving that cybercrime follows the same economic laws as any legal industry. When payouts climb, talent follows. The only way to protect your organization is to raise the operational cost for the attacker until the 90% cut is no longer worth the effort. Eliminate the easy visibility, lock down the internal pathways, and force the intruders to work for every single inch of your network.

Jordan Patel

Jordan Patel is known for uncovering stories others miss, combining investigative skills with a knack for accessible, compelling writing.