The Gentlemen Ransomware Operation: Proxy Malware Deployment and Corporate Targeting
The Gentlemen ransomware-as-a-service (RaaS) operation has rapidly emerged as a significant threat, attracting numerous affiliates and claiming over 320 victims since its inception in mid-2025. A recent incident response engagement revealed that affiliates are leveraging SystemBC, a proxy malware used for covert tunneling and payload delivery, to enhance their capabilities. This article explores the operation's features, its growing victim base, and the role of SystemBC in its attack chain.
The Gentlemen RaaS Operation
Features and Tooling
The Gentlemen provides affiliates with a comprehensive locker portfolio targeting multiple platforms critical to corporate environments. Lockers are implemented in Go for Windows, Linux, NAS, and BSD, while an additional locker written in C targets ESXi hypervisors. This multi-platform approach enables attackers to encrypt data across vast networks, including virtualization infrastructure.

Beyond encryption tools, the RaaS grants verified partners access to EDR-killing tools and a proprietary multi-chain pivot infrastructure comprising server and client components. These capabilities help affiliates evade detection and move laterally within compromised networks.
Victim Leak and Negotiation
The group operates a Tor-based leak site where it publishes data stolen from victims who refuse to pay. However, negotiations are not conducted through this portal; instead, each affiliate uses a unique Tox ID. Tox is a decentralized, peer-to-peer instant messaging protocol that provides end-to-end encrypted communication, making it difficult for law enforcement to monitor discussions.
The Gentlemen also maintains a Twitter/X account, referenced in ransom notes. Publicly posting victim details likely increases pressure to settle, as brand reputation damage can exceed the financial impact of the ransom itself.
Growth and Statistics
Since mid-2025, The Gentlemen has publicly claimed over 320 victims, with the majority—about 240—occurring in the first months of 2026. This acceleration indicates a rapidly expanding affiliate network and successful recruitment campaigns on underground forums. The group actively advertises to penetration testers and technically skilled actors, promising a robust platform and support.
SystemBC: The Proxy Malware in Action
Incident Response Case
During a recent incident response engagement, analysts observed an affiliate of The Gentlemen deploying SystemBC on a compromised host. SystemBC is a proxy malware that establishes SOCKS5 network tunnels within the victim's environment. These tunnels allow attackers to route traffic covertly, bypassing network security controls and delivering additional payloads such as ransomware.

The use of SystemBC in conjunction with The Gentlemen's locker suite demonstrates a sophisticated attack chain where initial access leads to persistent tunneling, then file encryption and data exfiltration. The proxy component not only masks the attacker's identity but also enables command-and-control (C2) communication even after some defenses are triggered.
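As an added example (not code from the article or from Check Point Research), the following Python recognizes the SOCKS5 client greeting and CONNECT request defined in RFC 1928 in the client-to-server bytes of a captured session, which is the kind of protocol check a network sensor can apply to surface hosts taking part in SOCKS5 tunnelling. It assumes the proxy protocol is visible in plaintext (SystemBC's own C2 encapsulation is not modelled), so it is a generic protocol parser, not a SystemBC signature; the sample bytes are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    methods: tuple   # auth methods offered in the greeting
    dest: str        # requested destination host or address
    port: int        # requested destination port


def parse_client_greeting(data: bytes):
    """Return (offered methods, remaining bytes), or None if not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return tuple(data[2:2 + n]), data[2 + n:]


def parse_connect_request(data: bytes):
    """Parse a SOCKS5 CONNECT request; return (dest, port) or None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        return None
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) >= 10:
        dest, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(data) >= 5 and len(data) >= 7 + data[4]:
        ln = data[4]
        dest, off = data[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == ATYP_IPV6 and len(data) >= 22:
        dest, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    return dest, struct.unpack("!H", data[off:off + 2])[0]


def classify_session(client_bytes: bytes):
    """Return a Socks5Request when the client stream opens with greeting + CONNECT."""
    greeting = parse_client_greeting(client_bytes)
    if greeting is None:
        return None
    methods, rest = greeting
    req = parse_connect_request(rest)
    return None if req is None else Socks5Request(methods, req[0], req[1])


# Constructed sample: no-auth greeting, then CONNECT to example.com:443 by domain name.
SAMPLE = b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"
```

Feeding `classify_session` the client-side payload of each outbound session lets a sensor list internal hosts that initiate SOCKS5 handshakes, which is one of the behaviours to review when hunting for proxy tunnels like the one described above.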
Botnet Scale and Targeting
Check Point Research monitored telemetry from the specific SystemBC C2 server used by the affiliate. The server revealed a botnet of over 1,570 victims, with infection patterns strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targets. This aligns with The Gentlemen's emphasis on high-value enterprises that can afford substantial ransoms.
The scale of the botnet underscores the affiliate's reach and the effectiveness of SystemBC as a distribution mechanism. By maintaining a persistent proxy on many systems, the attacker can stage future attacks or sell access to other cybercriminal groups.
Conclusion
The combination of The Gentlemen RaaS and SystemBC represents a formidable threat to organizations. The operation's multi-platform lockers, EDR-bypass tools, and proxy tunneling capabilities provide affiliates with a complete toolkit for ransomware attacks. With a rapidly growing victim count and a botnet of over 1,500 systems, defenders must prioritize monitoring for signs of SystemBC deployment and prepare for targeted attention from The Gentlemen affiliates.