Rising Threat: The Operations of The Gentlemen Ransomware Group
A concerning trend in cybercrime has emerged with the rise of a ransomware-as-a-service (RaaS) operation known as "The Gentlemen," which has reportedly claimed more than 320 victims. Most of those attacks occurred in early 2026, a significant escalation in the operation's tempo. Check Point researchers have published a detailed analysis of the operation, describing a model that combines technical capability with targeted victim selection.
The Gentlemen, first identified in mid-2025, have established a presence on underground forums, where they advertise the service and recruit technically skilled affiliates. The group has gained traction by supplying affiliates with a family of ransomware variants written in Go, with builds for Windows, Linux, NAS appliances, and BSD systems. Affiliates also receive a dedicated ESXi encryptor written in C, so that a single intrusion can reach endpoints, file servers, and virtualization hosts alike.
Multi-Platform Tooling Amplifies Impact on Enterprises
One of the most striking features of The Gentlemen's toolkit is how much of a large-scale intrusion it automates. The toolset provides built-in lateral movement, reuse of harvested credentials, and Group Policy-based deployment, so that an affiliate who controls a domain can push the encryptor to every domain-joined machine at once. Simultaneous encryption across an entire domain is what has brought many organizations to a standstill.
In one incident observed by security experts, the attackers gained access to a domain controller and used it to deploy payloads across multiple systems, combining credential harvesting, remote execution through administrative shares, and extensive reconnaissance. Once a domain controller is in attacker hands, every domain-joined host is reachable with the same credentials, which is why the remainder of the intrusion moves so quickly and why this pattern matters for enterprise security.
The attackers have also shown considerable skill at evading defenses, using several methods to disable endpoint protection. To maintain long-term access to compromised systems they modified scheduled tasks, altered services, and changed registry entries. Key capabilities observed in these attacks include:
- Cross-platform encryption: The ransomware can encrypt endpoints, servers, and virtualized environments, reducing the victim's chance of recovery.
- Automated lateral movement: Using stolen domain credentials, attackers move through networks with ease.
- Group Policy deployment: Allows rapid execution of the payload across entire domains.
- Defense evasion tactics: The attackers disable antivirus and firewall protections to create a more favorable environment for their operations.
In addition to these techniques, the ransomware systematically terminates processes belonging to databases, backup tools, and virtual machines before encrypting, which releases locked files and stops backups from running. It also deletes volume shadow copies and logs, which hampers both recovery and forensic investigation.
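The behaviours listed above (shadow-copy deletion, log clearing, stopping or killing database/backup/VM processes, disabling AV and firewall, and scheduled-task persistence) all leave command lines in process-creation telemetry, and that is where a defender can catch the intrusion minutes before encryption starts. The following hunt is an added example, not code from the Check Point report or from the ransomware; the event format (`user|parent|commandline`) and the sample lines are constructed, and the rule patterns are generic ransomware tradecraft rather than indicators specific to The Gentlemen.

```python
"""Hunt for pre-encryption ransomware behaviours in process-creation telemetry.

Added example, not from the Check Point report or the ransomware itself.
Event format and sample lines are constructed; rules are generic techniques."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events in a simplified "user|parent|commandline" format
# (assumption; adapt parse_event() to your EDR or Sysmon export).
SAMPLE_EVENTS = """\
CORP\\svc_backup|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
CORP\\admin|cmd.exe|vssadmin.exe delete shadows /all /quiet
CORP\\admin|cmd.exe|wmic shadowcopy delete
CORP\\admin|cmd.exe|wevtutil.exe cl Security
CORP\\admin|cmd.exe|net stop "SQL Server (MSSQLSERVER)" /y
CORP\\admin|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true
CORP\\admin|cmd.exe|netsh advfirewall set allprofiles state off
CORP\\admin|cmd.exe|taskkill /F /IM vmms.exe
CORP\\alice|explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
CORP\\admin|cmd.exe|schtasks /create /tn Updater /tr C:\\ProgramData\\up.exe /sc onlogon /ru SYSTEM
"""

# Generic technique signatures; tune the process-name lists to the software you run.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|Win32_ShadowCopy", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog", re.I),
    "db_backup_vm_service_stop": re.compile(
        r"(net\s+stop|sc(\.exe)?\s+stop|Stop-Service).*(sql|backup|veeam|vmms|vss)", re.I),
    "db_backup_vm_process_kill": re.compile(
        r"taskkill.*(sql|veeam|backup|vmms|vmware)", re.I),
    "av_firewall_disable": re.compile(
        r"DisableRealtimeMonitoring|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks\s+/create.*/ru\s+system", re.I),
}


@dataclass(frozen=True)
class Hit:
    rule: str
    user: str
    parent: str
    commandline: str


def parse_event(line: str) -> tuple[str, str, str]:
    """Split one constructed event line into (user, parent process, command line)."""
    user, parent, commandline = line.split("|", 2)
    return user, parent, commandline


def hunt(events: str) -> list[Hit]:
    """Return one Hit per (rule, event) match over the whole feed."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        user, parent, commandline = parse_event(line)
        for rule, pattern in RULES.items():
            if pattern.search(commandline):
                hits.append(Hit(rule, user, parent, commandline))
    return hits


def triage(hits: list[Hit]) -> str:
    """A single hit can be legitimate administration (a backup job may prune old
    shadow copies). Several distinct behaviours from one account in one batch,
    or shadow-copy deletion combined with log clearing, is the sequence
    ransomware runs immediately before encryption, so rank that 'high'."""
    rules_by_user: dict[str, set[str]] = {}
    for h in hits:
        rules_by_user.setdefault(h.user, set()).add(h.rule)
    worst = "none"
    for rules in rules_by_user.values():
        if {"shadow_copy_deletion", "event_log_clearing"} <= rules or len(rules) >= 3:
            return "high"
        worst = "medium"
    return worst


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.rule:28} {h.user:16} {h.commandline}")
    print("rule counts:", dict(Counter(h.rule for h in found)))
    print("triage:", triage(found))
```

On the constructed feed the script reports eight hits, all from the `CORP\admin` account, and triages the batch as high; the `svc_backup` and `alice` lines produce nothing. The point of `triage()` is the one a practitioner will hit in production: almost every individual command here has a benign use, so alert on the combination per account and per short time window rather than on any single line.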
SystemBC: A Component of a Larger Intrusion Ecosystem
During their incident response investigations, Check Point researchers identified the use of SystemBC, a proxy malware commonly associated with human-operated ransomware campaigns. The tool provides covert communication through SOCKS5 tunnels and can load additional payloads directly into memory. Telemetry from a related command-and-control (C2) server indicated over 1,570 infected systems worldwide, concentrated in the United States, the United Kingdom, and Germany. That distribution points to a focused strategy targeting organizations rather than opportunistic consumer infections.
However, the precise relationship between SystemBC and The Gentlemen's ecosystem remains unclear. Some experts suggest that it is not fully integrated into the operation but is brought in by particular affiliates. The presence of SystemBC alongside tools such as Cobalt Strike points to a modular attack framework in which attackers mix and match components into a bespoke toolkit.
Adaptability is another hallmark of this operation. When deployment of SystemBC was blocked, the attackers pivoted to alternative C2 channels and established persistence through RDP and other remote access software.
Check Point researchers have underscored the heightened threat posed by The Gentlemen operation: a scalable affiliate-recruitment model, enterprise-focused tooling, and integration with established post-exploitation frameworks. Together these make a formidable adversary, and organizations should treat the domain-wide deployment pattern described above as the scenario their defenses must withstand.
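The SOCKS5 tunnels mentioned in the SystemBC section above are the standard proxy protocol from RFC 1928, and a defender with full-packet capture can decode a client handshake to see where the proxied connection is really going. The decoder below is an added example, not code from the Check Point report and not SystemBC's own C2 framing (which the page does not describe); it shows only the generic SOCKS5 exchange that any SOCKS5 proxy relays. The sample flows are constructed, and the helper `socks5_request()` exists only to build one of them.

```python
"""Decode a SOCKS5 client handshake (RFC 1928) from the client-to-server bytes
of a captured TCP flow and flag the flows that carry one.

Added example, not from the Check Point report and not SystemBC's own protocol.
Sample flows are constructed."""
import ipaddress
import struct

COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH = {0x00: "no-auth", 0x02: "username/password"}


def parse_socks5_client(stream: bytes):
    """Return a dict describing the greeting and request, or None if `stream`
    does not begin with a well-formed SOCKS5 greeting followed by a request.
    Only the client->server direction is needed: in that direction the greeting
    and the request are back to back (the server's method-selection reply
    travels the other way)."""
    if len(stream) < 2 or stream[0] != 0x05:
        return None
    nmethods = stream[1]
    if nmethods == 0 or len(stream) < 2 + nmethods:
        return None
    methods = [AUTH.get(m, f"0x{m:02x}") for m in stream[2:2 + nmethods]]
    req = stream[2 + nmethods:]
    # Request layout: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT (big-endian)
    if len(req) < 4 or req[0] != 0x05 or req[2] != 0x00:
        return None
    cmd, atyp, body = req[1], req[3], req[4:]
    if atyp == 0x01 and len(body) >= 6:                      # IPv4
        host, end = str(ipaddress.IPv4Address(body[:4])), 4
    elif atyp == 0x03 and len(body) >= 1 and len(body) >= 3 + body[0]:  # domain
        host, end = body[1:1 + body[0]].decode("ascii", "replace"), 1 + body[0]
    elif atyp == 0x04 and len(body) >= 18:                   # IPv6
        host, end = str(ipaddress.IPv6Address(body[:16])), 16
    else:
        return None                                          # unknown type or truncated
    port = struct.unpack("!H", body[end:end + 2])[0]
    return {"methods": methods, "cmd": COMMANDS.get(cmd, f"0x{cmd:02x}"),
            "host": host, "port": port}


def socks5_request(host: str, port: int, cmd: int = 0x01) -> bytes:
    """Client side of a SOCKS5 request to a domain name, offering no-auth only
    (used here just to construct sample traffic)."""
    name = host.encode("ascii")
    return (b"\x05\x01\x00" + bytes([0x05, cmd, 0x00, 0x03, len(name)])
            + name + struct.pack("!H", port))


# Constructed flows keyed by "src -> dst:port"; values are client->server bytes only.
SAMPLE_FLOWS = {
    "10.0.0.15 -> 203.0.113.7:443": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",  # TLS ClientHello
    "10.0.0.15 -> 203.0.113.9:4001": socks5_request("example.com", 443),
    "10.0.0.22 -> 198.51.100.4:1080": (b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01"
                                       + bytes([10, 0, 0, 5]) + struct.pack("!H", 3389)),
    "10.0.0.31 -> 192.0.2.10:80": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def find_socks5_flows(flows: dict) -> dict:
    """Return the subset of flows whose client bytes decode as a SOCKS5 request."""
    out = {}
    for key, data in flows.items():
        parsed = parse_socks5_client(data)
        if parsed:
            out[key] = parsed
    return out


if __name__ == "__main__":
    for key, info in find_socks5_flows(SAMPLE_FLOWS).items():
        print(f"{key}: {info['cmd']} to {info['host']}:{info['port']} "
              f"(auth offered: {info['methods']})")
```

Two of the four constructed flows decode: a CONNECT to `example.com:443` on a non-standard port 4001, and a CONNECT to the internal address 10.0.0.5 on 3389, which is the shape an attacker tunnelling RDP through a compromised host would produce. The caveat is that the handshake is only visible where the SOCKS5 leg is unencrypted; if the proxy wraps it in its own transport, as a tunnelling implant may, you will need to look at the unwrapped stream or at the resulting internal connections instead.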

