Inside The Gentlemen RaaS and SystemBC: A Q&A Breakdown

This Q&A explores the rising ransomware-as-a-service operation known as The Gentlemen and its association with the SystemBC proxy malware. Drawing on incident response findings and threat intelligence, we answer key questions about the group's tactics, victim profile, and technical infrastructure.

1. What is The Gentlemen RaaS and when did it emerge?

The Gentlemen is a ransomware-as-a-service (RaaS) program that first appeared around mid-2025. The operation actively recruits affiliates through underground forums, offering a comprehensive locker suite and additional tools to verified partners. Their platform includes multi-OS encryptors for Windows, Linux, NAS, and BSD (developed in Go) plus a dedicated ESXi locker written in C. This broad platform coverage allows affiliates to target diverse corporate environments. The group also provides access to EDR-killing utilities and a custom multi-chain pivot infrastructure (both server and client components). They maintain an onion site to publicize stolen data from non-paying victims, but all negotiations occur directly via the affiliate’s Tox ID—using the decentralized, encrypted Tox messaging protocol. A Twitter/X account is also referenced in ransomware notes, used to post victim details publicly, increasing pressure to pay.

Inside The Gentlemen RaaS and SystemBC: A Q&A Breakdown
Source: research.checkpoint.com

2. How many victims has The Gentlemen claimed and what platforms do its lockers cover?

As of early 2026, The Gentlemen has publicly claimed over 320 victims worldwide. The majority of these infections (approximately 240) occurred in just the first few months of 2026, indicating a rapid acceleration in affiliate activity. The RaaS provides a versatile locker portfolio: Go-based encryptors for Windows, Linux, NAS, and BSD, along with a C-based encryptor specifically for VMware ESXi hypervisors. This cross-platform capability enables affiliates to encrypt a wide range of devices commonly found in enterprise networks—from workstations and servers to storage appliances and virtualized infrastructure. The group's emphasis on diverse platform support is a key factor in its growing popularity among cybercriminals.

3. What additional tools does The Gentlemen offer to its affiliates?

Beyond the ransomware lockers, The Gentlemen provides verified partners with a suite of supplementary tools designed to enhance attack success. This includes EDR (Endpoint Detection and Response) killing utilities that help disable security software on compromised hosts, reducing the likelihood of early detection. The group also offers a custom multi-chain pivot infrastructure, which consists of both server and client components. This infrastructure allows affiliates to establish multi-hop proxy connections that obscure command-and-control traffic and enable stealthier lateral movement within victim networks. These extras, combined with the cross-platform lockers, make The Gentlemen an attractive proposition for penetration testers and other technically skilled actors looking to monetize access through ransomware deployment.

4. How does The Gentlemen communicate with victims and handle data leaks?

The Gentlemen operates an onion (Tor hidden service) site where it publishes data stolen from victims who refuse to pay the ransom. However, negotiations are not conducted through this leak portal. Instead, each affiliate is assigned a unique Tox ID—Tox is a free, decentralized, peer-to-peer messaging protocol with end-to-end encryption for voice, video, and text—which they include in the ransom note. This forces victims to contact the affiliate directly for payment discussions. Additionally, the group maintains a Twitter/X account that is referenced in the ransom note. Through this public social media channel, they post about new victims, likely to amplify reputational pressure and encourage compliance. This two-channel approach (leak site for shaming, direct encrypted chat for negotiation) is a common tactic in modern RaaS operations.

5. What role does SystemBC play in The Gentlemen attacks?

During an incident response engagement, an affiliate associated with The Gentlemen deployed SystemBC—a well-known proxy malware frequently used in human-operated ransomware campaigns—on compromised hosts. SystemBC establishes SOCKS5 network tunnels within the victim’s environment, creating covert communication channels that bypass traditional network defenses. These tunnels allow attackers to relay traffic, exfiltrate data, and deliver additional payloads while remaining hidden behind the proxy. In the context of The Gentlemen attacks, SystemBC serves as a stealthy pivot point, enabling the affiliate to move laterally, deploy the ransomware locker, and maintain persistent access without triggering alarms. This technique is especially effective in corporate networks where egress filtering may not catch traffic routed through legitimate-looking SOCKS connections.

6. What did Check Point Research discover about SystemBC infections?

Check Point Research analyzed telemetry from a SystemBC command-and-control server that was used by The Gentlemen affiliate. They observed an active botnet comprising over 1,570 victims. The infection profile strongly indicates a focus on corporate and organizational environments rather than random consumer machines. This aligns with the typical targeting strategy of ransomware affiliates, who prioritize high-value networks where the potential ransom payout is larger. The sheer size of this botnet underscores the scale of SystemBC’s deployment and its integration into the ransomware affiliate ecosystem. Check Point’s findings also highlight the importance of monitoring proxy malware activity as an early indicator of potential ransomware attacks, given that SystemBC often precedes locker deployment.
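Questions 5 and 6 both turn on SystemBC's SOCKS5 tunnelling and on spotting proxy malware before a locker is deployed. The following is an added example, not code from Check Point Research or from the article: it parses the SOCKS5 client greeting and request (RFC 1928 framing) out of captured payload bytes and flags internal hosts whose first bytes on a connection are a SOCKS5 request, which is one practical egress-monitoring hook for this class of malware. The flow tuples and addresses are constructed sample data.

```python
import ipaddress
import socket
import struct

SOCKS5_VER = 0x05
SOCKS5_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
# Assumed internal ranges for this example; adjust to the monitored network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_socks5_greeting(payload: bytes):
    """Return the offered auth methods if payload is a SOCKS5 client greeting, else None."""
    if len(payload) < 2 or payload[0] != SOCKS5_VER:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:])


def parse_socks5_request(payload: bytes):
    """Return (command, destination, port) if payload is a SOCKS5 request, else None."""
    if len(payload) < 4 or payload[0] != SOCKS5_VER or payload[2] != 0x00:  # RSV must be 0
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in SOCKS5_CMDS:
        return None
    if atyp == 0x01 and len(payload) == 10:                   # IPv4 address
        dst = socket.inet_ntoa(payload[4:8])
    elif atyp == 0x03 and len(payload) == 7 + payload[4]:     # length-prefixed domain name
        dst = payload[5:5 + payload[4]].decode("ascii", "replace")
    elif atyp == 0x04 and len(payload) == 22:                 # IPv6 address
        dst = socket.inet_ntop(socket.AF_INET6, payload[4:20])
    else:
        return None
    port = struct.unpack("!H", payload[-2:])[0]
    return SOCKS5_CMDS[cmd], dst, port


def find_socks5_tunnels(flows):
    """Report (src, proxy, cmd, dst, port) for flows where an internal host sends a SOCKS5 request."""
    alerts = []
    for src, proxy, payload in flows:
        req = parse_socks5_request(payload)
        if req and any(ipaddress.ip_address(src) in net for net in INTERNAL):
            alerts.append((src, proxy, *req))
    return alerts


# Constructed sample flows: (source host, peer, first payload bytes of the connection).
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.7", bytes([0x05, 0x01, 0x00, 0x01]) + socket.inet_aton("203.0.113.10") + struct.pack("!H", 443)),
    ("10.1.2.4", "198.51.100.7", bytes([0x05, 0x01, 0x00, 0x03, 11]) + b"example.com" + struct.pack("!H", 22)),
    ("10.1.2.5", "10.9.9.9", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]
```

In a real deployment the payload bytes would come from a packet capture or an IDS that exports the first bytes of each session; a match is only a lead, since legitimate SOCKS proxies exist, so correlate the source host with the asset inventory before escalating.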

7. How does The Gentlemen attract affiliates and maintain operations?

The Gentlemen actively advertises its RaaS program across multiple underground forums, specifically targeting penetration testers and technically skilled actors. The operators promote their versatile locker portfolio and supplementary tools as key selling points. By granting verified partners access to EDR-killing tools and a custom multi-chain pivot infrastructure, they lower the technical barrier for affiliates while increasing the odds of successful encryption. The group’s recent growth—over 320 claimed victims, most in early 2026—suggests they have successfully recruited a significant number of affiliates. Additionally, maintaining a leak site and a social media presence (Twitter/X) for victim shaming helps sustain operational pressure and credibility. Their use of a decentralized communication protocol (Tox) for negotiations provides both anonymity and resilience against takedown attempts.
