
Inside The Gentlemen RaaS: 10 Key Insights from the SystemBC Proxy Attack

2026-05-09 01:08:50

When it comes to modern cyber threats, few are as fast-growing and technically sophisticated as The Gentlemen ransomware‑as‑a‑service (RaaS) program. This operation has quickly attracted a swarm of affiliates, claiming over 320 victims since mid‑2025, with the bulk of infections occurring in early 2026. But what makes it truly dangerous is its use of complementary malware like SystemBC—a proxy tool that enables stealthy tunneling and payload delivery. In this article, we break down ten critical takeaways from the DFIR analysis of a real‑world incident in which an affiliate of The Gentlemen deployed SystemBC. From multi‑platform lockers to underground recruiting methods, here’s what defenders need to know.

1. The Gentlemen RaaS: A Rising Star on Underground Forums

Launched around mid‑2025, The Gentlemen RaaS quickly gained traction by advertising on multiple underground forums. The operators actively recruit penetration testers and skilled hackers as affiliates, offering a lucrative revenue‑sharing model. This aggressive recruitment strategy has fueled the group's rapid expansion, with over 240 victims reported in just the first few months of 2026. The public posting of victim data on their onion site serves as both a negotiation tactic and a credibility booster, pressuring targeted organizations to pay the ransom. For defenders, recognizing the group’s forum presence is key to early threat intelligence.

[Image: Inside The Gentlemen RaaS, source: research.checkpoint.com]

2. Multi‑Platform Lockers Built in Go and C

One of the most distinctive features of The Gentlemen RaaS is its broad locker portfolio. Affiliates receive encryptors written in Go for Windows, Linux, NAS, and BSD systems, plus a dedicated locker in C for VMware ESXi hypervisors. This multi‑OS coverage ensures the ransomware can cripple nearly any corporate environment—from workstation endpoints to virtualized servers. The choice of Go also makes cross‑platform compilation easier, reducing development overhead. Such versatility is a hallmark of professional RaaS operations and complicates defense strategies that rely on OS‑specific protections.

3. EDR‑Killing Tools and Custom Pivot Infrastructure

Beyond the encryptors, The Gentlemen provides verified partners with a suite of EDR‑killing tools designed to disable endpoint detection and response systems before encryption begins. Additionally, the group supplies its own multi‑chain pivot infrastructure—both server and client components—allowing affiliates to move laterally across networks while avoiding detection. This turnkey approach lowers the barrier for less sophisticated actors, enabling them to execute complex intrusions that would otherwise require advanced skills. For incident responders, understanding these ancillary tools is critical to containment.

4. Negotiation Exclusively via Tox ID

While The Gentlemen maintain a public onion site for leaking stolen data, ransom negotiations never take place on that platform. Instead, each affiliate uses a unique Tox ID—a peer‑to‑peer, end‑to‑end encrypted messaging protocol. This decentralized approach makes it extremely difficult for law enforcement to intercept or monitor communications. Victims are directed to contact the affiliate directly through Tox, which also helps the RaaS operator maintain plausible deniability. The use of Tox highlights how ransomware groups are adopting privacy‑focused tools to evade tracking.

5. Public Shaming via Twitter/X

The group operates a verified Twitter/X account that is referenced in the ransomware note. Through this channel, the operators publicly announce victims and sometimes post screenshots of stolen data. The goal is to increase psychological pressure on the target organization to pay quickly, fearing reputational damage and disclosure of sensitive information. This dual‑layer extortion—encryption plus public shaming—has become a standard tactic in modern ransomware operations. Monitoring these social media accounts can provide early warning of an impending leak.

6. Victim Count and Rapid Growth in 2026

As of the latest public claims, The Gentlemen has listed over 320 victims on its leak site, with approximately 240 occurring in just the first few months of 2026. This rapid uptick suggests the program has successfully attracted a significant number of affiliates, each conducting their own campaigns. The growth trajectory is concerning: if it continues at this pace, The Gentlemen could soon rival established RaaS operations. Security teams should treat any indicator of The Gentlemen as a high‑priority alert.


7. SystemBC: The Proxy Malware of Choice

During an incident response case, an affiliate of The Gentlemen deployed SystemBC on a compromised host. This proxy malware establishes SOCKS5 tunnels within the victim’s environment, allowing the attacker to route traffic covertly through infected machines. SystemBC is a known tool in human‑operated ransomware operations, providing a stable command‑and‑control channel that evades network‑based detection. Its use by this affiliate underscores the trend of RaaS operators integrating commodity malware into their toolkits for maximum stealth.

8. SOCKS5 Tunneling and C2 Communication

SystemBC operates by creating a SOCKS5 proxy on the compromised system, then connecting back to the attacker’s command‑and‑control (C2) server. This tunnel can be used to relay commands, exfiltrate data, or download additional payloads such as the ransomware locker. Because SOCKS5 traffic often blends with normal web traffic, it is notoriously hard to detect without deep packet inspection. Affiliates leverage this to maintain persistent access while preparing for the final encryption phase. Firewall rules and anomaly detection are essential to spotting such tunnels.
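The paragraph says SOCKS5 tunnels are hard to spot without deep packet inspection. As an added example (not code from the original article or from Check Point Research), the Python below does that inspection at its simplest: it parses the SOCKS5 client greeting and request formats defined in RFC 1928 from the opening bytes of captured TCP payloads, extracts the requested destination (IPv4, domain name or IPv6) and port, and raises an alert whenever a handshake is seen toward any host/port pair that is not an approved proxy. The flow records, payloads, addresses and the approved-proxy list are constructed placeholders, not data from the incident.

```python
"""SOCKS5 handshake detector for DPI-style inspection of captured TCP payloads.

Added example; the flows and payloads below are constructed, not from the incident.
"""
import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(payload: bytes) -> Optional[dict]:
    """Parse a SOCKS5 client greeting: VER | NMETHODS | METHODS (RFC 1928 section 3)."""
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    # A real greeting carries exactly NMETHODS method bytes and nothing else.
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return {"type": "greeting", "methods": list(payload[2:])}


def parse_request(payload: bytes) -> Optional[dict]:
    """Parse a SOCKS5 request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (section 4)."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        if len(payload) < addr_end:
            return None
        host = str(ipaddress.IPv4Address(payload[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5:
            return None
        addr_end = 5 + payload[4]  # one length byte, then the name itself
        if len(payload) < addr_end:
            return None
        host = payload[5:addr_end].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        if len(payload) < addr_end:
            return None
        host = str(ipaddress.IPv6Address(payload[4:addr_end]))
    else:
        return None
    # Exactly two port bytes (network order) must follow the address.
    if len(payload) != addr_end + 2:
        return None
    (port,) = struct.unpack("!H", payload[addr_end:addr_end + 2])
    return {"type": "request", "cmd": CMD_NAMES[cmd], "host": host, "port": port}


def classify_payload(payload: bytes) -> Optional[dict]:
    """Return a SOCKS5 finding for the opening bytes of a TCP stream, or None."""
    # The strict length checks make greeting and request mutually exclusive.
    return parse_greeting(payload) or parse_request(payload)


def scan_flows(flows, approved_proxies=frozenset()):
    """Alert on SOCKS5 handshakes sent to anything but an approved (ip, port) proxy."""
    alerts = []
    for flow in flows:
        finding = classify_payload(flow["payload"])
        if finding is None or (flow["dst"], flow["dport"]) in approved_proxies:
            continue
        alerts.append({"src": flow["src"], "dst": flow["dst"],
                       "dport": flow["dport"], **finding})
    return alerts


# Constructed sample flows; addresses come from documentation ranges.
APPROVED_PROXIES = frozenset({("10.0.0.50", 1080)})  # placeholder allowlist
SAMPLE_FLOWS = [
    # Outbound SOCKS5 greeting on 443, where only TLS is expected.
    {"src": "10.0.0.21", "dst": "198.51.100.7", "dport": 443,
     "payload": b"\x05\x01\x00"},
    # CONNECT through the sanctioned corporate proxy: suppressed by the allowlist.
    {"src": "10.0.0.21", "dst": "10.0.0.50", "dport": 1080,
     "payload": b"\x05\x01\x00\x03\x11files.example.com\x01\xbb"},
    # A workstation answering SOCKS5 requests toward SMB on another host.
    {"src": "10.0.0.33", "dst": "10.0.0.21", "dport": 8443,
     "payload": b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbd"},
    # Ordinary HTTP: no finding.
    {"src": "10.0.0.21", "dst": "203.0.113.9", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\n"},
]


def demo():
    """Run the detector over the constructed flows and return the alerts."""
    return scan_flows(SAMPLE_FLOWS, APPROVED_PROXIES)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run as a script it prints two alerts: the greeting sent to an external host on 443 and the CONNECT request that turns a workstation into a proxy toward port 445; the request through the approved proxy and the plain HTTP flow produce nothing. The strict length checks are what keep the false-positive rate down on a byte pattern as short as `05 01 00`; in practice the same parser would be fed the first segment of each TCP stream from a sensor such as Zeek or a packet capture, with the allowlist populated from the organisation's actual proxy inventory.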

9. Botnet Statistics: Over 1,570 Victims Globally

Check Point Research analyzed telemetry from the SystemBC C2 server linked to this affiliate, revealing a botnet of more than 1,570 victims. The infection profile shows a clear preference for corporate and organizational environments rather than opportunistic consumer targeting. This suggests the affiliate is systematically compromising business networks, likely using initial access brokers or purchased credentials. The scale of the botnet demonstrates how one affiliate can cause widespread damage, and why tracking C2 infrastructure is vital for disrupting campaigns.

10. Corporate Targeting: A Deliberate Strategy

The victim profile from SystemBC telemetry confirms that corporate and organizational environments are the primary targets. This contrasts with some ransomware operations that spray and pray across consumer systems. Instead, The Gentlemen affiliates appear to conduct reconnaissance to identify high‑value organizations—those with deep pockets and critical data. By focusing on enterprises, they maximize ransom potential and increase the likelihood of payment. For defenders, this means hardening network segments, implementing least privilege, and conducting regular red‑team exercises to identify weaknesses before attackers do.

The combination of a versatile RaaS platform, ancillary tools like SystemBC, and aggressive recruitment has turned The Gentlemen into a formidable threat. This case study reinforces the importance of multi‑layer defense, thorough logging, and timely threat intelligence sharing. For organizations of all sizes, staying ahead of groups like The Gentlemen means not only patching technical vulnerabilities but also understanding the human and operational aspects of the attackers. Stay vigilant, and consider this analysis a blueprint for hardening your defenses against the next wave of ransomware.
