    ‘The Gentlemen’ Rapidly Rises to Ransomware Prominence

By admin, April 23, 2026

    A ransomware gang known as “The Gentlemen” has made a name for itself, claiming hundreds of victims in a matter of months.

    The Gentlemen is a ransomware-as-a-service (RaaS) outfit that first popped up in mid-2025. While it operates fairly typical double extortion attacks (using both encryption and data leaking as extortion levers), The Gentlemen is known for sophisticated tactics, techniques, and procedures (TTPs), such as antivirus killers and complex infection chains.

    Check Point Research this week published its latest findings concerning the gang, noting that it has claimed hundreds of victims and uses malware including something called SystemBC, which researchers described as “a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.”

Check Point observed victim telemetry connected to SystemBC’s command-and-control (C2) server, revealing a botnet of more than 1,570 victims. According to researchers, the infection profile strongly suggests “a focus on corporate and organizational environments rather than opportunistic consumer targeting.” Check Point Research’s report focuses primarily on this one incident.


    For such a new gang, The Gentlemen has been nothing short of prolific. Comparitech researchers said the group claimed 202 attacks last quarter, second only to Qilin’s 353 claims. Meanwhile NCC Group found The Gentlemen was responsible for 34 attacks in January and 67 in February; while not quite first place, it tracked comfortably alongside more established actors like Cl0p and Akira.

    In The Gentlemen there are echoes of DragonForce, a RaaS gang that landed on the scene in 2023 and quickly made a name for itself, in this case for its cartel setup and ransomware “white labeling” business model.

    Dillon Ashmore, cyber threat intelligence analyst at NCC Group, tells Dark Reading that The Gentlemen shows “all the hallmarks of cementing itself as a mainstay in the ransomware ecosystem, comparable to DragonForce, but emerging at a much greater scale and sophistication than DragonForce demonstrated at that same stage.”

    “DragonForce took almost two years to surpass 150 victims. In comparison, The Gentlemen passed that milestone in nine months,” Ashmore says. “That gap speaks not just to a difference in pace and volume, but to the group’s ability to sustain a high level of activity without experiencing the typical disruptions to a ransomware group’s trajectory: affiliate defections, infrastructure seizures, or internal disputes.”


    How The Gentlemen Breaks In

In the attack Check Point analyzed, a Gentlemen affiliate gained initial access (Check Point could not determine the exact vector) and then deployed the SystemBC proxy malware on the compromised host. SystemBC established SOCKS5 network tunnels within the victim environment and connected to C2 servers, positioning itself to download and execute additional malware payloads.

    The C2 server used in the attack, as mentioned, leverages a botnet of more than 1,500 victims, though Check Point was unable to say whether these 1,500 victims are affiliate-specific victims or just part of a botnet the affiliate is leveraging.

    The earliest confirmed activity showed attacker presence on a domain controller with admin privileges. They used this foothold to validate access and conduct network reconnaissance, deployed various payloads to facilitate lateral movement, dropped a PowerShell command to disable Windows, and ultimately used SystemBC and Cobalt Strike as C2 to stage the ransomware. 

    The domain controller piece is due to The Gentlemen’s capability of leveraging Active Directory’s own Group Policy infrastructure to “detonate the ransomware simultaneously on every computer in the domain.” Researchers called this the most powerful and far-reaching deployment method in the binary.


The Gentlemen ransomware is written in Go and is under continuous development. In addition to encryption and data exfiltration, and remote-access mechanisms such as RDP and AnyDesk, the ransomware uses multiple commands to maintain persistence, such as disabling Windows Defender, Windows Firewall, and C-drive scanning and monitoring.
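The behaviours described above (Defender and firewall disabling, Group Policy-based mass deployment) are the kind of thing a defender can hunt for in process-creation telemetry. The following detection script is an added example, not code from the article or from Check Point; the command-line patterns and the sample records are assumptions constructed for illustration, since the article names the behaviours but not the exact commands the affiliate used.

```python
"""Constructed detection example: flag process-creation records that match
the defense-evasion and GPO mass-deployment behaviours the article describes."""
import re
from dataclasses import dataclass

# Patterns are assumptions about what such command lines commonly look like.
RULES = {
    "defender_disabled": re.compile(
        r"Set-MpPreference\b.*-Disable\w+\s+\$?true|"
        r"Add-MpPreference\b.*-ExclusionPath", re.IGNORECASE),
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.IGNORECASE),
    # Writes into a GPO's Machine\Scripts or scheduled-task folder in SYSVOL
    # are the footprint of domain-wide deployment through Group Policy.
    "gpo_mass_deploy": re.compile(
        r"\\\\[^\\]+\\SYSVOL\\.*\\Policies\\\{[0-9A-F-]+\}\\Machine\\"
        r"(Scripts|Preferences\\ScheduledTasks)", re.IGNORECASE),
}

@dataclass
class Hit:
    host: str
    rule: str
    cmdline: str

def scan(records):
    """records: iterable of (host, user, command_line) tuples; returns Hits."""
    hits = []
    for host, user, cmd in records:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append(Hit(host, name, cmd))
    return hits

def summarize(records):
    """Roll hits up per host and rule, the view an analyst triages first."""
    hits = scan(records)
    return {"hits": len(hits),
            "hosts": sorted({h.host for h in hits}),
            "rules": sorted({h.rule for h in hits})}

# Constructed sample records (not real telemetry); GUID is a placeholder.
SAMPLE = [
    ("DC01", "CORP\\admin", 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("DC01", "CORP\\admin", "netsh advfirewall set allprofiles state off"),
    ("WS17", "CORP\\alice", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("DC01", "CORP\\admin", "copy staged.exe \\\\corp.local\\SYSVOL\\corp.local\\Policies\\{12345678-ABCD-EF01-2345-6789ABCDEF01}\\Machine\\Scripts\\Startup\\"),
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.host}\t{h.rule}\t{h.cmdline}")
```

Three of the four constructed records fire, all on the domain controller, which mirrors the article's point that the affiliate's earliest confirmed presence was on a domain controller with admin rights.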

Check Point’s writeup also includes a technical analysis of a variant of The Gentlemen ransomware intended specifically for VMware ESXi hosts, a variant that “remains undetected by the majority of the antivirus systems as seen in VirusTotal.” This appears to be partially due to certain staging actions, such as the locker performing a controlled shutdown of all ESXi virtual machines and disabling automatic VM recovery.

While The Gentlemen is largely sophisticated in its ability to compromise large organizations, Jason Baker, managing security consultant of threat intelligence at GuidePoint Security, says there are some hallmarks of a ransomware organization with staying power that The Gentlemen currently lacks.

“The Gentlemen’s affiliates or negotiators continue to engage with victims over qTox or Session applications rather than a dedicated chat site, and their presence on Twitter/X is the kind of behavior we typically ascribe to less mature operators as an unnecessary OPSEC risk,” he says. “Some excellent reporting from Check Point also suggests that in at least some cases, the group’s affiliates continue to use Cobalt Strike, an offensive security tool that we have seen largely fade into irrelevance over the past one to two years as detection mechanisms have become widely available.”

While it does have some hallmarks of a mainstay, such as continued quarterly growth, Baker adds that a rapid fall from prominence is always possible, whether because of law enforcement disruption, infighting, or external conflicts with other cybercrime outfits.

    Attack of The Gentlemen

Potential for demise aside, what’s most concerning about The Gentlemen is that this new entity has managed to spin up the capacity to compromise hundreds of large organizations in a matter of months.

    “The activity surrounding The Gentlemen RaaS underscores how quickly a well‑designed affiliate program can evolve from newcomer to a high‑impact ecosystem player,” Check Point’s blog read. “By combining a versatile, multi‑platform locker set with built‑in lateral movement, group policy–based mass deployment, and strong defense‑evasion capabilities, the operation enables even moderately skilled affiliates to execute enterprise‑scale intrusions with ransomware detonation as the final stage.”

    Rebecca Moody, head of data research at Comparitech, tells Dark Reading that The Gentlemen “is one of the biggest groups to watch out for this year.” She says that based on the group’s victimology, it’s “a key threat to government entities, educational providers, healthcare companies, and manufacturers globally.”

Eli Smadja, group manager, products R&D at Check Point Software, says in an email that The Gentlemen pays 90% of extortion proceeds to affiliates, a payout that leaves affiliates little incentive to move to other RaaS providers. “The Gentlemen is likely to remain one of the more attractive ransomware options for affiliates,” Smadja says.

    For defenders, Smadja notes that one observed attack involved exploiting an Internet-facing device followed by rapid access to the domain controller.

    “Closely monitoring Internet-facing assets and enforcing strong network segmentation are key measures to help prevent such attacks,” he says. “In addition, standard best practices remain critical, including keeping operating systems and software up to date, maintaining strong security awareness programs, and ensuring continuous network monitoring.”

    Check Point’s blog post also contains indicators of compromise.
