
The Gentlemen and SystemBC: Inside the Proxy-Driven Ransomware Operation

Last updated: 2026-05-06 22:37:29 · Science & Space

The ransomware landscape is witnessing a new wave of sophisticated operations, and The Gentlemen ransomware-as-a-service (RaaS) program stands out as a rapidly expanding threat. With over 320 publicly claimed victims, 240 of which were recorded in early 2026, the group has attracted a growing number of affiliates. Its arsenal includes multi-platform lockers written in Go and a dedicated ESXi locker written in C, enabling attacks across diverse corporate environments. During a recent incident response, an affiliate deployed SystemBC, a proxy malware that adds covert tunneling capabilities to the attack chain. Telemetry from Check Point Research further reveals a botnet of over 1,570 victims, underscoring the program's scale and corporate focus.

The Rise of The Gentlemen RaaS

Emerging around mid-2025, The Gentlemen RaaS quickly gained traction on underground forums. The operators actively recruit affiliates—often described as penetration testers or technically skilled actors—by promoting their platform and offering lucrative terms. This affiliate model allows the group to scale attacks rapidly while maintaining a decentralized structure. As noted in the SystemBC deployment case, affiliates have significant autonomy in choosing their tools and tactics.

[Figure: The Gentlemen and SystemBC: Inside the Proxy-Driven Ransomware Operation. Source: research.checkpoint.com]

Multi-Platform Locker Portfolio

A key feature of The Gentlemen RaaS is its broad locker support. The primary lockers are written in Go and target Windows, Linux, NAS, and BSD. In addition, a separate locker written in C targets ESXi hypervisors. This coverage enables affiliates to compromise the full range of systems commonly found in enterprise networks—from endpoints to virtualized servers and storage appliances. The cross-platform capability is a significant differentiator and likely contributes to the program’s popularity.

Leak Site and Communication Channels

The Gentlemen operates an onion-based leak site where data from non-paying victims is published. However, negotiations occur not on the portal but through the affiliate’s Tox ID. Tox is a decentralized, encrypted messaging protocol, providing a degree of anonymity for both parties. Additionally, the group maintains a Twitter/X account referenced in the ransomware note, publicly shaming victims to pressure them into payment. This combination of leak site and social media exposure amplifies the impact of attacks.

Attack Statistics and Victim Profile

According to public claims, The Gentlemen has listed over 320 victims since its inception. The majority—approximately 240—were recorded in the first months of 2026, indicating a sharp acceleration in affiliate activity. The victims span multiple industries, with a clear emphasis on corporate and organizational targets. Check Point’s telemetry from a related SystemBC command-and-control server confirms this: the botnet of 1,570 infections was heavily skewed toward enterprise environments rather than opportunistic consumer targets.


SystemBC: The Proxy Malware in Action

During a forensic investigation of the activity of one of The Gentlemen's affiliates, analysts discovered SystemBC deployed on the compromised host. This proxy malware establishes SOCKS5 tunnels within the victim's network, allowing the attacker to route traffic through infected systems. SystemBC is commonly used in human-operated ransomware operations for covert command-and-control, data exfiltration, and deployment of additional payloads. Its integration into The Gentlemen's toolkit highlights the sophistication of the affiliates involved.

Check Point Telemetry and Botnet Size

Check Point Research monitored the relevant SystemBC command-and-control server and observed over 1,570 unique victims. The infection pattern strongly suggests that the affiliates are systematically targeting corporate networks rather than random home users. This aligns with the overall victim profile of The Gentlemen and reinforces the need for robust defense strategies in enterprise environments. The coupling of a versatile RaaS locker with a proven proxy malware like SystemBC creates a dangerous combination that demands attention.

Implications for Defenders

The rapid growth of The Gentlemen RaaS and its use of SystemBC underscore several trends: the shift toward multi-platform ransomware, the role of proxy malware in lateral movement, and the importance of early detection of tunneling activity. Security teams should monitor for unusual SOCKS proxy traffic, employ endpoint detection rules for Go-based binaries, and prioritize patching of ESXi systems. Understanding the affiliate model and tools like SystemBC can help organizations tailor their defenses against this emerging threat.
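The SOCKS5 tunnels described in the SystemBC section are the concrete thing the "monitor for unusual SOCKS proxy traffic" advice above refers to. Below is an added example, not code from the article, from Check Point Research, or from any malware sample, that shows what such monitoring can look like at the packet-payload level: it parses the RFC 1928 client greeting and the CONNECT/BIND/UDP-ASSOCIATE request from the client-to-server bytes of a TCP flow and flags any flow that negotiates SOCKS5, whatever destination port it uses. The `Flow` records, the `SAMPLE_FLOWS` data and the internal hostnames are constructed for illustration; the assumption is that a pcap or sensor export gives you the client-direction payload per flow. The parser is generic SOCKS5, so it does not depend on how a particular proxy malware wraps its transport.

```python
"""Flag TCP flows that carry a SOCKS5 negotiation (RFC 1928 framing).

Added example for this article; not Check Point's or SystemBC's code.
Assumes each Flow holds the concatenated client-to-server payload.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    dst_host: str
    dst_port: int


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    client_bytes: bytes  # client-to-server payload, in order


def parse_greeting(payload: bytes) -> Optional[int]:
    """Return the greeting length if payload starts with a valid SOCKS5
    greeting (VER=5, NMETHODS>0, NMETHODS method bytes), else None."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return 2 + nmethods


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; None if malformed."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in COMMANDS:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        if len(payload) < addr_end + 2:
            return None
        host = str(ipaddress.IPv4Address(payload[4:addr_end]))
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        if len(payload) < addr_end + 2:
            return None
        host = str(ipaddress.IPv6Address(payload[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5:
            return None
        name_len = payload[4]
        addr_end = 5 + name_len
        if name_len == 0 or len(payload) < addr_end + 2:
            return None
        host = payload[5:addr_end].decode("ascii", errors="replace")
    else:
        return None
    port = struct.unpack("!H", payload[addr_end:addr_end + 2])[0]
    return Socks5Request(COMMANDS[cmd], host, port)


def detect_socks5(flow: Flow) -> Optional[Socks5Request]:
    """A flow is SOCKS5 if the client stream opens with a greeting that is
    directly followed by a well-formed request."""
    greeting_len = parse_greeting(flow.client_bytes)
    if greeting_len is None:
        return None
    return parse_request(flow.client_bytes[greeting_len:])


def scan_flows(flows: List[Flow]) -> List[dict]:
    """Return one finding per flow that negotiates SOCKS5, on any port."""
    findings = []
    for flow in flows:
        req = detect_socks5(flow)
        if req is not None:
            findings.append({"src": flow.src, "proxy": f"{flow.dst}:{flow.dst_port}",
                             "command": req.command, "target": f"{req.dst_host}:{req.dst_port}"})
    return findings


# Constructed sample flows: one SOCKS5 CONNECT to an internal host by name on a
# non-standard port, one CONNECT to an internal IPv4 address, one plain HTTP
# request, and one truncated greeting that must not be flagged.
_DOMAIN = b"fileserver.corp.example"
SAMPLE_FLOWS = [
    Flow("10.0.0.21", "10.0.0.80", 4433,
         b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([len(_DOMAIN)]) + _DOMAIN + struct.pack("!H", 445)),
    Flow("10.0.0.21", "10.0.0.80", 1080,
         b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + struct.pack("!H", 3389)),
    Flow("10.0.0.33", "10.0.0.80", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.0.44", "10.0.0.80", 1080, b"\x05\x00"),
]

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(finding)
```

In practice the finding of interest is the first one: an internal workstation negotiating SOCKS5 with another internal host on a port that is not 1080, then asking it to reach an SMB port by name. Alert tuning should start from an allowlist of sanctioned proxies rather than from the port number, since the port is the one thing an operator can change freely.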

This article provides a comprehensive overview based on incident response findings and threat intelligence. For ongoing updates, refer to the Check Point Research blog and DFIR reports.