The Gentlemen RaaS Surges with 320+ Victims, New Analysis Reveals Systemic Use of SystemBC Proxy Malware
Breaking: The Gentlemen Ransomware Operation Expands Rapidly, Tied to SystemBC Proxy Botnet
A new report from Check Point Research has uncovered a sharp increase in activity from the The Gentlemen ransomware-as-a-service (RaaS) operation, which has now claimed over 320 victims—with 240 of those attacks occurring in the first months of 2026 alone.
During an incident response engagement, an affiliate of The Gentlemen deployed SystemBC, a proxy malware that enables covert network tunneling and payload delivery, on a compromised host. Check Point’s telemetry from the associated command-and-control server revealed a botnet of over 1,570 victims, with infections strongly concentrated in corporate environments rather than random consumers.
“SystemBC acts as a secure SOCKS5 proxy within the victim’s network, allowing ransomware operators to move laterally and exfiltrate data without detection,” said a Check Point researcher.
The RaaS program, which emerged around mid-2025, now offers a broad locker portfolio written in Go for Windows, Linux, NAS, and BSD, plus an additional C-based locker for ESXi hypervisors. Affiliates also gain access to EDR-killing tools and multi-chain pivot infrastructure.
Background: The Gentlemen RaaS
Advertised on underground forums, The Gentlemen invites penetration testers and skilled actors to join as affiliates. The group operates a Tor leak site for victims who refuse to pay, but negotiations occur via Tox ID, a decentralized encrypted messaging protocol.
The group maintains a public Twitter/X account referenced in ransom notes, where operators post victim details to increase pressure. This tactic has likely contributed to the rapid growth in claimed victims.
What This Means for Enterprise Security
The combination of multi-platform lockers and SystemBC’s proxy capabilities makes The Gentlemen a formidable threat. “Organizations should not overlook the importance of early detection—SystemBC tunnels can allow attackers to dwell for weeks before deploying ransomware,” warned the Check Point researcher.
With over 320 public victims and a growing affiliate network, the operation signals a shift toward more professionalized, data-driven ransomware campaigns. Defenders must prioritize network segmentation, endpoint monitoring, and rapid incident response to counter this emerging threat.
Related Articles
- 10 Groundbreaking Revelations About Organic Remains in Dinosaur Fossils
- Exploring RNA Interactions: A Novel Database for MicroRNA and Messenger RNA Modeling
- From Broad Strokes to Fine Lines: Crafting a Granular Climate Resilience Strategy
- Where Do You Sense Your 'Self'? Exploring Head vs. Heart and the Power of Shifting
- Your Speech Patterns Could Be an Early Warning Sign for Dementia: What the Science Says
- Celestial Embrace: Venus and the Crescent Moon Light Up the Evening Sky
- 10 Surprising Facts About When Your Strength and Fitness Begin to Decline
- SpaceX Falcon Heavy Returns as Soyuz-5 Finally Launches; Pentagon Unveils $3.2B Golden Dome Interceptor Contracts