In a significant escalation of cybercriminal activity, threat actors affiliated with The Gentlemen ransomware-as-a-service (RaaS) operation have been observed deploying SystemBC, a sophisticated proxy malware, as part of their expanding attack repertoire. This development, detailed in recent research by Check Point, has led to the discovery of a vast botnet comprising more than 1,570 compromised systems linked to SystemBC’s command-and-control (C2) infrastructure, indicating a far broader reach for the group than previously understood.
The Rise of The Gentlemen: A Prolific RaaS Operator
Emerging in July 2025, The Gentlemen ransomware group has rapidly ascended to prominence within the cyber underworld, distinguishing itself as one of the most active and successful RaaS operations. The group operates under the notorious double-extortion model, a tactic in which victims’ data is not only encrypted but also exfiltrated, with a threat to leak it publicly if the ransom is not paid. This dual pressure significantly increases the likelihood of payment, making it a highly effective strategy for cybercriminals.
The Gentlemen’s operational sophistication is matched by its versatility, demonstrating the capability to target a wide array of systems, including Windows, Linux, network-attached storage (NAS) devices, and BSD environments. Their toolkit includes a custom Go-based locker for encryption, alongside the cunning deployment of legitimate drivers and bespoke malicious tools designed to bypass and subvert established security defenses. This multi-platform approach highlights a strategic intent to maximize potential victim pools and exploit vulnerabilities across diverse IT infrastructures.
According to data compiled by ZeroFox, The Gentlemen accounted for 192 incidents in Q1 2026 alone, placing them among the top five most active ransomware groups globally, alongside Qilin (338 incidents), Akira (197 incidents), INC Ransom, and Cl0p. Notably, the group’s geographical targeting deviates from typical ransomware trends. While North America-based victims usually represent over 50 percent for many ransomware and digital extortion (R&DE) collectives, The Gentlemen’s attacks against North American entities stood at approximately 20 percent in Q3 2025, a mere 2 percent in Q4 2025, and 13 percent in Q1 2026, suggesting a more diversified global targeting strategy.
SystemBC: The Enabler of Stealth and Scale

The recent Check Point research sheds light on a critical component of The Gentlemen’s operations: the deployment of SystemBC. This proxy malware is designed to establish SOCKS5 network tunnels within a victim’s environment, creating a covert channel for communication with its C2 server using a custom RC4-encrypted protocol. This tunneling capability allows threat actors to route malicious traffic, obscure their origins, and bypass network security measures, making it challenging for defenders to detect and block their activities. Beyond its proxy functions, SystemBC is also capable of downloading and executing additional malware payloads, either by writing them to disk or injecting them directly into memory, serving as a versatile tool for further compromise.
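To make the detection problem concrete, here is an added Python illustration (written for this page; it is not Check Point’s research code and not SystemBC’s own protocol, whose framing and key handling the article does not describe). A textbook RC4 routine turns a constructed plaintext HTTP request into an opaque sample, a Shannon-entropy function shows why such a stream gives a payload inspector nothing to match on, and a small flow assessor combines entropy with connection behaviour rather than alerting on entropy alone. The port, key, durations and thresholds are constructed assumptions.

```python
"""Why RC4-wrapped proxy traffic defeats payload matching, and what to pair it with.

Added illustration; not Check Point's or SystemBC's code. Thresholds, the
sample key, the destination port and the flow records are constructed.
"""
import math
from collections import Counter

HIGH_ENTROPY_BITS = 7.0      # assumed: close to 8.0 means "looks like random bytes"
MIN_SAMPLE_BYTES = 256       # entropy estimates on tiny samples are noise
LONG_LIVED_SECONDS = 3600    # assumed: a proxy tunnel stays up for hours


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), used only to produce an opaque sample.
    This is the generic cipher, not SystemBC's framing or key schedule."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_flow(flow: dict) -> list:
    """Return the reasons an outbound flow deserves a look. One reason alone is
    weak (TLS is also high-entropy); several together are the useful signal."""
    reasons = []
    sample = flow["payload_sample"]
    if len(sample) >= MIN_SAMPLE_BYTES and shannon_entropy(sample) >= HIGH_ENTROPY_BITS:
        reasons.append("opaque-payload")
    if flow["duration_s"] >= LONG_LIVED_SECONDS:
        reasons.append("long-lived")
    if flow["dst_port"] not in (80, 443):
        reasons.append("unusual-port")
    return reasons


# Constructed plaintext: an ordinary HTTP request repeated to a realistic size.
PLAINTEXT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
) * 30
SAMPLE_KEY = b"constructed-example-key"   # not a key from any real sample

CONSTRUCTED_FLOWS = [
    {"id": "web", "dst_port": 80, "duration_s": 2,
     "payload_sample": PLAINTEXT_REQUEST},
    {"id": "tunnel", "dst_port": 4001, "duration_s": 7200,   # port is constructed
     "payload_sample": rc4_xor(SAMPLE_KEY, PLAINTEXT_REQUEST)},
]


def suspicious_flows(flows=CONSTRUCTED_FLOWS, min_reasons: int = 2) -> dict:
    """Flows with at least `min_reasons` independent indicators, keyed by id."""
    result = {}
    for flow in flows:
        reasons = assess_flow(flow)
        if len(reasons) >= min_reasons:
            result[flow["id"]] = reasons
    return result


if __name__ == "__main__":
    for flow in CONSTRUCTED_FLOWS:
        print(flow["id"], round(shannon_entropy(flow["payload_sample"]), 2), assess_flow(flow))
    print(suspicious_flows())
```

Entropy by itself cannot tell RC4 from TLS, which is why `assess_flow` returns reasons rather than a verdict: the practical signal is an opaque stream that has no TLS handshake, stays up for hours, and talks to an unfamiliar destination, and a production rule would add destination reputation and handshake presence to the same list.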
While SystemBC has been a known entity in ransomware operations since at least 2020, the specific nature of its role in The Gentlemen’s e-crime scheme remained ambiguous. Security researchers are still investigating whether it is a standard part of the group’s core attack playbook or whether specific affiliates deploy it selectively for tasks such as data exfiltration and maintaining remote access. Regardless of the exact operational directive, its presence indicates a concerted effort to establish persistent access and facilitate subsequent stages of an attack. The C2 server associated with SystemBC has been found to be commandeering hundreds of victims across the globe, with identified compromised networks spanning major economies including the U.S., the U.K., Germany, Australia, and Romania. This geographical spread underscores the truly international nature of this cyber threat.
Intricate Attack Chains and Evasion Tactics
The initial access vector for The Gentlemen remains somewhat opaque, though evidence strongly suggests the exploitation of internet-facing services or the abuse of compromised credentials to gain an initial foothold. Once inside a target network, the threat actors engage in a methodical progression of activities:
- Discovery: Mapping the network, identifying critical assets, and understanding the environment.
- Lateral Movement: Spreading across the network, often using legitimate tools or stolen credentials.
- Payload Staging: Preparing and delivering subsequent malicious tools, including Cobalt Strike for command and control, SystemBC for persistent access, and ultimately, the encryptor.
- Defense Evasion: A critical phase where the group employs highly sophisticated tactics to neutralize security solutions.
A particularly alarming aspect of The Gentlemen’s tradecraft is their abuse of Group Policy Objects (GPOs) to achieve domain-wide compromise. GPOs are powerful features in Windows Server environments used to manage user and computer settings across an entire domain. By manipulating GPOs, the attackers can push malicious configurations or execute commands across all connected systems, rapidly facilitating lateral movement and ransomware deployment.
Furthermore, The Gentlemen have demonstrated a pronounced capability to blind security software. During lateral movement, the ransomware deploys a PowerShell script designed to disable Windows Defender’s real-time monitoring, add broad exclusions for its own processes and staging shares, shut down firewalls, re-enable older, less secure protocols like SMB1, and loosen Local Security Authority (LSA) anonymous access controls. These actions are all executed strategically before the ransomware binary is deployed, effectively crippling the victim’s defenses and ensuring the encryption process proceeds unhindered.
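As an added example of the defender-side view of that script (written for this page; it is not Check Point’s detection content or any vendor’s rule set), the Python below runs a handful of tamper rules over constructed PowerShell script-block log records (Event ID 4104) and, rather than alerting on any single hit, scores each host by how many distinct tamper categories appear within a short window: one exclusion added by an administrator is routine, while five categories in a few seconds is the pre-encryption pattern the article describes. The host names, timestamps, paths, window and threshold are constructed.

```python
"""Score hosts for security-tampering bursts in PowerShell script-block logs.

Added illustration; not Check Point's or any vendor's rule set. Event records,
host names, paths and the window/threshold values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule names one tamper category from the article; the patterns target the
# documented cmdlets/commands that perform that change.
TAMPER_RULES = [
    ("defender-realtime-off",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender-exclusion-added",
     re.compile(r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("firewall-off",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
                r"|Set-NetFirewallProfile\b.*-Enabled\s+False", re.I)),
    ("smb1-enabled",
     re.compile(r"Set-SmbServerConfiguration\b.*-EnableSMB1Protocol\s+\$?true"
                r"|Enable-WindowsOptionalFeature\b.*SMB1Protocol", re.I)),
    ("lsa-anonymous-loosened",
     re.compile(r"Control\\Lsa\b.*\b(?:RestrictAnonymous(?:SAM)?|EveryoneIncludesAnonymous)\b", re.I)),
]


def match_rules(script_text: str) -> set:
    """Categories triggered by one script block (empty set for benign text)."""
    return {name for name, pattern in TAMPER_RULES if pattern.search(script_text)}


def _parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def score_hosts(events, window=timedelta(minutes=10), min_categories: int = 3) -> dict:
    """For each host, the largest set of distinct tamper categories seen inside
    any `window`; hosts reaching `min_categories` are returned as alerts."""
    hits = defaultdict(list)
    for event in events:
        if event["event_id"] != 4104:          # only script-block logging records
            continue
        categories = match_rules(event["script"])
        if categories:
            hits[event["host"]].append((_parse_time(event["time"]), categories))
    alerts = {}
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda hit: hit[0])
        best = set()
        for start, (t0, _) in enumerate(host_hits):   # slide a window from each hit
            seen = set()
            for t, categories in host_hits[start:]:
                if t - t0 > window:
                    break
                seen |= categories
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_categories:
            alerts[host] = sorted(best)
    return alerts


# Constructed records: FS01 shows the burst the article describes; WS17 shows
# routine administration that must not page anyone.
CONSTRUCTED_EVENTS = [
    {"time": "2026-04-01T02:13:05Z", "host": "FS01", "event_id": 4104,
     "script": 'Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"time": "2026-04-01T02:13:06Z", "host": "FS01", "event_id": 4104,
     "script": 'Add-MpPreference -ExclusionPath "C:\\staging"'},
    {"time": "2026-04-01T02:13:07Z", "host": "FS01", "event_id": 4104,
     "script": 'netsh advfirewall set allprofiles state off'},
    {"time": "2026-04-01T02:13:08Z", "host": "FS01", "event_id": 4104,
     "script": 'Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force'},
    {"time": "2026-04-01T02:13:09Z", "host": "FS01", "event_id": 4104,
     "script": 'Set-ItemProperty -Path "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa" '
               '-Name RestrictAnonymous -Value 0'},
    {"time": "2026-04-01T09:41:00Z", "host": "WS17", "event_id": 4104,
     "script": 'Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor\\App"'},
    {"time": "2026-04-01T09:45:00Z", "host": "WS17", "event_id": 4104,
     "script": 'Get-MpPreference | Select-Object DisableRealtimeMonitoring'},
]


if __name__ == "__main__":
    for event in CONSTRUCTED_EVENTS:
        print(event["host"], event["time"], sorted(match_rules(event["script"])))
    print(score_hosts(CONSTRUCTED_EVENTS))
```

The windowed count is what keeps this usable: each rule on its own fires on legitimate administration, but the article’s sequence (real-time protection off, exclusions added, firewall down, SMB1 back on, LSA loosened) produces several categories on one host in seconds, and that burst, reported before any encryption starts, is the moment a responder can still act. The same scoring can be fed from EDR telemetry or Sysmon process-creation events when script-block logging is not enabled.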
Eli Smadja, group manager at Check Point Research, emphasized the group’s distinct operational model. "Most ransomware groups make noise when they launch and then disappear. The Gentlemen are different," Smadja stated. "They’ve cracked the affiliate recruitment problem by offering a better deal than anyone else in the criminal ecosystem. When we got inside one of their operator’s servers, we found over 1,570 compromised corporate networks that hadn’t even made the news yet. The real scale of this operation is significantly larger than what’s publicly known, and it’s still growing." This statement underscores the business-like efficiency and competitive edge The Gentlemen possess in attracting and retaining skilled affiliates, a cornerstone of the RaaS model’s success.

Multi-Platform Attack Capabilities: Targeting ESXi and Beyond
The Gentlemen’s adaptability extends to targeting virtualized environments. Their ESXi variant, specifically designed for VMware infrastructures, incorporates functionalities to shut down virtual machines, enhancing the effectiveness of the attack by ensuring files are not in use during encryption. It also adds persistence via crontab – a task scheduler in Unix-like operating systems – and actively inhibits recovery mechanisms before the ransomware binary is deployed. This specialized approach to virtual environments highlights a deep understanding of enterprise IT infrastructure and a commitment to maximizing disruptive impact.
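The crontab persistence is the piece of this a defender can audit mechanically. The Python below is an added illustration (not VMware tooling and not code from the research): it parses a root crontab in the five-field format ESXi’s crond uses (the real file lives at /var/spool/cron/crontabs/root), compares each entry against a known-good snapshot, and flags jobs that execute from datastore or temporary paths. Both crontab texts are constructed stand-ins, and the list of suspicious path prefixes is an assumption to tune per environment.

```python
"""Audit an ESXi-style root crontab against a known-good snapshot.

Added illustration, not VMware code. On ESXi the real file is
/var/spool/cron/crontabs/root; both texts below are constructed samples.
"""
import re

# Assumed: a scheduled job on a hypervisor should not execute from a datastore
# or a temporary directory; adjust the list to your environment.
SUSPICIOUS_PREFIXES = ("/vmfs/volumes/", "/tmp/", "/var/tmp/", "/scratch/")

# Five schedule fields, then the command (a per-user crontab has no user column).
CRON_LINE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")


def _normalize(line: str) -> str:
    return " ".join(line.split())


def parse_crontab(text: str) -> list:
    """Return (line_number, schedule_or_None, command) for each active entry;
    comments and blank lines are skipped, unparseable lines keep schedule=None."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = _normalize(raw)
        if not line or line.startswith("#"):
            continue
        match = CRON_LINE.match(line)
        if match:
            entries.append((number, match.group(1), match.group(2)))
        else:
            entries.append((number, None, line))
    return entries


def audit_crontab(current: str, baseline: str) -> list:
    """Findings for entries that differ from the baseline or run from an
    unexpected location. Each finding lists every reason that applied."""
    known = {f"{sched} {cmd}" for _, sched, cmd in parse_crontab(baseline) if sched}
    findings = []
    for number, schedule, command in parse_crontab(current):
        reasons = []
        if schedule is None:
            reasons.append("unparseable")
        elif f"{schedule} {command}" not in known:
            reasons.append("not-in-baseline")
        if any(tok.startswith(SUSPICIOUS_PREFIXES) for tok in command.split()):
            reasons.append("executes-from-writable-path")
        if reasons:
            findings.append({"line": number,
                             "entry": f"{schedule or ''} {command}".strip(),
                             "reasons": reasons})
    return findings


# Constructed known-good snapshot (not VMware's shipped crontab).
CONSTRUCTED_BASELINE = "\n".join([
    "# constructed known-good snapshot, not a real ESXi file",
    "1 1 * * * /sbin/tmpwatch.py",
    "1 * * * * /sbin/auto-backup.sh",
    "0 * * * * /usr/lib/vmware/vmksummary/log-heartbeat.py",
])

# Constructed "current" file: the baseline plus two entries an auditor should see.
CONSTRUCTED_CURRENT = CONSTRUCTED_BASELINE + "\n" + "\n".join([
    "*/5 * * * * /vmfs/volumes/datastore1/.hidden/placeholder.sh >/dev/null 2>&1",
    "*/10 * * * * /tmp/.placeholder/run",
])


if __name__ == "__main__":
    for finding in audit_crontab(CONSTRUCTED_CURRENT, CONSTRUCTED_BASELINE):
        print(f"line {finding['line']}: {finding['entry']}  <- {', '.join(finding['reasons'])}")
```

A baseline diff catches the addition regardless of what the job is called, and the path check catches a job whose name was chosen to blend in with the vendor’s own entries; running both against a snapshot captured at build time, and alerting on any finding, turns an otherwise silent persistence step into a signal that precedes the encryption.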
This specialization reflects a broader trend within the ransomware landscape. For instance, Rapid7 recently highlighted the inner workings of Kyber, another relatively new ransomware family that surfaced in September 2025. Kyber targets both Windows and VMware ESXi infrastructures, employing encryptors developed in Rust and C++ respectively. The ESXi variant of Kyber, like The Gentlemen’s, is built for VMware environments, featuring datastore encryption, optional virtual machine termination, and defacement of management interfaces. Its Windows variant, written in Rust, even includes an "experimental" feature for targeting Hyper-V. Rapid7 noted that "Kyber ransomware isn’t a masterpiece of complex code, but it is highly effective at causing destruction. It reflects a shift toward specialization over sophistication." This sentiment echoes the overall evolution of ransomware towards highly targeted and efficient, rather than overtly complex, attacks.
The Shifting Velocity of Ransomware Attacks: An Industrialized Ecosystem
The cybersecurity company Halcyon, in its 2025 Ransomware Evolution Report, characterized the modern ransomware threat as a "disciplined and business-driven criminal enterprise." The report highlighted several significant trends shaping the landscape:
- Impairing EDR Tools: A concerted effort by attackers to neutralize Endpoint Detection and Response (EDR) solutions, which are critical for early threat detection.
- Bring Your Own Vulnerable Driver (BYOVD): The abuse of legitimate but vulnerable drivers to escalate privileges and disable security solutions; Halcyon counted 54 EDR-killer tools abusing 34 distinct drivers.
- Blurring Lines: The increasing overlap between nation-state and criminal ransomware campaigns, making attribution and response more complex.
- Expanded Targets: A growing focus on small and mid-sized organizations (SMEs) and operational technology (OT) environments, which often have fewer resources for robust cybersecurity defenses.
- Sector-Specific Attacks: Ransomware attacks targeting the automotive industry, for example, more than doubled in 2025, accounting for 44% of all cyber incidents in that sector.
Halcyon further elaborated that "Ransomware continued to grow as a durable, industrialized ecosystem built on specialization, shared infrastructure, and rapid regeneration rather than any single brand." Despite law enforcement pressures and infrastructure seizures disrupting major operations, these actions often lead to fragmentation, rebranding, and intensified competition, resulting in a more fluid and resilient threat landscape.
Perhaps one of the most alarming trends is the collapsing dwell time of ransomware attacks. What once took days now often takes mere hours. Approximately 69% of observed attack attempts are deliberately staged during nights and weekends, when IT staff are likely to be less vigilant, in order to outpace defender response capabilities. The Akira ransomware group serves as a stark example, demonstrating an unusual swiftness, escalating from initial foothold to full encryption within an hour in some cases, often without detection. Halcyon warned that "Akira’s combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators. Defenders should treat Akira not as an opportunistic threat, but as a capable, persistent adversary that will exploit every available weakness to reach its objective."

Implications and Future Outlook
The revelations surrounding The Gentlemen’s operations, particularly their deployment of SystemBC and the sheer scale of their botnet, underscore the urgent need for robust and adaptive cybersecurity strategies. The sophisticated evasion techniques, multi-platform targeting, and the business-driven model of modern ransomware groups like The Gentlemen present formidable challenges for organizations globally.
For businesses, the implications are profound. The potential for rapid, widespread compromise, coupled with the double-extortion model, means that a successful ransomware attack can lead to significant financial losses from ransom payments, operational disruption, data recovery costs, reputational damage, and potential regulatory fines. The targeting of critical infrastructure sectors and virtualized environments also raises concerns about broader economic and societal impacts.
To counter these evolving threats, organizations must move beyond reactive defenses. Proactive measures, including comprehensive endpoint detection and response (EDR) solutions, robust identity and access management (IAM), regular security awareness training for employees, diligent patching and vulnerability management, and immutable backup strategies, are more critical than ever. Furthermore, the ability to detect and respond to threats outside of normal business hours is becoming a necessity, given the observed shift in attack timing.
The ongoing cat-and-mouse game between cybercriminals and cybersecurity professionals continues to intensify. The Gentlemen’s success in affiliate recruitment and their sophisticated operational tactics serve as a stark reminder that the ransomware ecosystem is highly dynamic, constantly adapting to counter defenses and exploit new opportunities. As these groups become more specialized and efficient, the imperative for organizations to fortify their digital defenses and foster a culture of cybersecurity vigilance grows exponentially.
