The Gentlemen RaaS and SystemBC: New Proxy Malware Botnet Exposes 1,570 Corporate Victims

2026-05-04 14:32:48

A rapidly expanding ransomware-as-a-service (RaaS) program known as The Gentlemen has claimed more than 320 victims since mid-2025, with 240 attacks recorded in the first months of 2026, according to new incident response findings. During a recent compromise, an affiliate of the group deployed SystemBC, a proxy malware that creates covert SOCKS5 tunnels, enabling persistent remote access and data exfiltration.

Check Point Research observed telemetry from the SystemBC command-and-control server, revealing a botnet of over 1,570 victims. The infection profile strongly suggests a focus on corporate and organizational environments rather than opportunistic consumer targeting.

“The combination of a versatile RaaS platform with a dedicated proxy tool like SystemBC marks a dangerous escalation in human-operated ransomware tactics,” said a senior threat intelligence analyst at Check Point. “Affiliates now have a stealthy, multi-platform arsenal to breach and pivot within enterprise networks.”

The Gentlemen RaaS provides affiliates with a broad locker portfolio implemented in Go for Windows, Linux, NAS, and BSD, plus an additional locker written in C for ESXi. This coverage spans the multiple platforms commonly found in corporate environments.

Background

The Gentlemen emerged around mid-2025, advertising their ransomware platform on underground forums and inviting penetration testers and technically skilled actors to join as affiliates. The group grants verified partners access to EDR-killing tools and its own multi-chain pivot infrastructure, including server and client components.

Source: research.checkpoint.com

The operators maintain an onion site for publishing stolen data from non-paying victims, but negotiations occur directly via the affiliate’s Tox ID — a decentralized, peer-to-peer encrypted messaging protocol. The group also uses a Twitter/X account, referenced in the ransom note, to publicly name victims and increase pressure to pay.

“The explicit use of social media to shame victims is a coercive tactic we’re seeing more frequently,” noted an incident response lead at a major cybersecurity firm. “It adds a public relations dimension to the ransom negotiation.”

What This Means

The growing popularity of The Gentlemen RaaS and its integration with SystemBC signals a shift toward more organized, multi-stage ransomware campaigns. Affiliates can now leverage a modular proxy malware to establish persistent tunnels, bypass network defenses, and exfiltrate data before triggering the locker.

Security teams should prioritize network segmentation, monitor for unusual SOCKS5 traffic, and deploy endpoint detection rules specific to SystemBC’s tunneling behavior. Regular threat intelligence feeds from sources like Check Point can help identify emerging command-and-control infrastructure.
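One way to hunt for the unusual SOCKS5 traffic mentioned above, as an added example that is not from Check Point or the original article: it matches the generic RFC 1928 method negotiation in the first payload bytes of each flow and reports any negotiation with a peer that is not an approved proxy. The flow record layout, the addresses and the allowlist are constructed assumptions, and the check does not model SystemBC's own C2 framing, which the article does not describe.

```python
import ipaddress

# Assumptions (constructed): internal address space and the sanctioned SOCKS proxy.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
APPROVED_PROXIES = {"10.0.5.10"}
KNOWN_METHODS = {0x00, 0x01, 0x02}  # RFC 1928: no-auth, GSSAPI, username/password

def is_socks5_greeting(payload: bytes) -> bool:
    """Client greeting is exactly VER(0x05) | NMETHODS | METHODS[NMETHODS]."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return False  # length must agree with NMETHODS, which cuts false positives
    return any(m in KNOWN_METHODS for m in payload[2:])

def is_socks5_reply(payload: bytes) -> bool:
    """Server method selection is VER(0x05) | METHOD; 0xFF means negotiation refused."""
    return len(payload) == 2 and payload[0] == 0x05 and payload[1] != 0xFF

def hunt(flows):
    """Return (src, dst, dport, scope) for completed negotiations with unapproved peers."""
    hits = []
    for f in flows:
        if f["dst"] in APPROVED_PROXIES:
            continue
        if is_socks5_greeting(f["c2s"]) and is_socks5_reply(f["s2c"]):
            inside = ipaddress.ip_address(f["dst"]) in INTERNAL_NET
            hits.append((f["src"], f["dst"], f["dport"],
                         "internal" if inside else "external"))
    return hits

# Constructed sample flows: first client-to-server and server-to-client payloads.
SAMPLE_FLOWS = [
    {"src": "10.0.2.15", "dst": "10.0.5.10", "dport": 1080,   # sanctioned proxy
     "c2s": bytes.fromhex("050100"), "s2c": bytes.fromhex("0500")},
    {"src": "10.0.3.44", "dst": "203.0.113.7", "dport": 4001,  # SOCKS5 to outside host
     "c2s": bytes.fromhex("05020002"), "s2c": bytes.fromhex("0500")},
    {"src": "10.0.3.50", "dst": "198.51.100.9", "dport": 443,  # TLS, not SOCKS5
     "c2s": bytes.fromhex("160301"), "s2c": bytes.fromhex("160303")},
    {"src": "10.0.4.8", "dst": "10.0.9.20", "dport": 8080,     # internal pivot candidate
     "c2s": bytes.fromhex("050100"), "s2c": bytes.fromhex("0500")},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print("unapproved SOCKS5 negotiation:", hit)
```

Internal-to-internal hits matter as much as external ones, since a host answering SOCKS5 on an unexpected port inside the network may be acting as a pivot.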

“This is not a matter of if but when an organization will encounter these tools,” the Check Point analyst added. “Proactive threat hunting and rapid incident response are no longer optional — they are essential.”
