The Gentlemen RaaS and SystemBC: A Deep Dive into a Growing Ransomware Operation and Its Proxy Malware
The Gentlemen Ransomware-as-a-Service Operation
The cybercrime landscape has seen the rise of a new ransomware-as-a-service (RaaS) program called The Gentlemen. Emerging around mid-2025, this operation has quickly gained traction among threat actors. Its operators actively recruit affiliates through underground forums, specifically targeting penetration testers and other technically proficient individuals. The program's appeal lies in its robust toolkit and multi-platform support, enabling affiliates to target diverse corporate environments.

Emergence and Recruitment
According to intelligence from Check Point Research, The Gentlemen RaaS was first advertised on multiple underground forums (see Figure 1 in the original report). The operators promote a comprehensive ransomware platform that includes not only encryption capabilities but also EDR-killing tools and a multi-chain pivot infrastructure. Affiliates must be verified before gaining access to these resources, a common practice in RaaS operations to ensure a baseline of trust and operational security.
Multi-Platform Locker Capabilities
One of the key selling points of The Gentlemen RaaS is its broad portfolio of lockers. Affiliates receive encryptors written in Go for Windows, Linux, NAS, and BSD systems. Additionally, a dedicated locker for ESXi hypervisors is written in C. This wide coverage allows affiliates to infect virtually any server or workstation commonly found in corporate networks, from file servers to virtualized environments.
Leak Site and Negotiation Tactics
The Gentlemen maintain an onion site on the Tor network where stolen data from non-paying victims is published. However, negotiations are not handled through this portal. Instead, each affiliate uses their own Tox ID. Tox is a decentralized, end-to-end encrypted messaging protocol that supports voice, video, and text. This compartmentalization reduces operational risk for the group. The operators also run a Twitter/X account (linked in the ransomware note) to publicly shame victims and increase pressure to pay.
Victimology and Growth
As of early 2026, The Gentlemen have publicly claimed over 320 victims. Alarmingly, the majority of these—approximately 240—occurred in just the first few months of 2026, indicating rapid growth. This surge likely reflects a successful recruitment drive and the attractiveness of the RaaS offering among affiliates.

SystemBC: The Proxy Malware in Action
During an incident response engagement, researchers observed an affiliate of The Gentlemen deploying a proxy malware called SystemBC on a compromised host. SystemBC is a well-known tool in human-operated ransomware operations, used to establish covert tunnels for remote access and payload delivery.
Incident Response Observation
In this case, the affiliate used SystemBC to set up SOCKS5 network tunnels within the victim's environment. These tunnels allow the attacker to route traffic through the infected machine, enabling stealthy command-and-control (C2) communication and lateral movement. SystemBC's proxy capabilities are particularly valuable for bypassing network defenses and maintaining persistence.
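For defenders hunting internal hosts that relay SOCKS5 traffic as described above, the following added example (not from the Check Point report) parses the SOCKS5 client greeting and request defined in RFC 1928 from reassembled client payloads. The flow IDs, addresses and payload bytes are constructed, and the code assumes the handshake is visible in cleartext at the capture point; SystemBC's own C2 encoding is not modelled.

```python
import ipaddress
import struct

COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}  # RFC 1928 CMD

def is_socks5_greeting(payload: bytes) -> bool:
    """Client greeting is exactly VER(0x05), NMETHODS, then NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    return payload[1] >= 1 and len(payload) == 2 + payload[1]

def parse_socks5_request(payload: bytes):
    """Parse VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT; return None if malformed."""
    if len(payload) < 7 or payload[0] != 0x05 or payload[2] != 0x00:
        return None
    cmd, atyp = COMMANDS.get(payload[1]), payload[3]
    if cmd is None:
        return None
    if atyp == 0x01:                      # IPv4 address
        offset, addr_len = 4, 4
    elif atyp == 0x04:                    # IPv6 address
        offset, addr_len = 4, 16
    elif atyp == 0x03:                    # domain name, length-prefixed
        offset, addr_len = 5, payload[4]
    else:
        return None
    if len(payload) != offset + addr_len + 2:
        return None
    raw = payload[offset:offset + addr_len]
    host = raw.decode("ascii", "replace") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", payload[-2:])
    return {"cmd": cmd, "host": host, "port": port}

def hunt(streams):
    """streams maps flow id -> ordered client payloads; returns flagged (flow, request)."""
    hits = []
    for flow, msgs in streams.items():
        if len(msgs) >= 2 and is_socks5_greeting(msgs[0]):
            req = parse_socks5_request(msgs[1])
            if req:
                hits.append((flow, req))
    return hits

# Constructed sample: one SOCKS5 handshake on an odd internal port, one TLS flow.
SAMPLE_FLOWS = {
    "10.0.0.5:49812->10.0.0.23:4001": [b"\x05\x01\x00",
                                       b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"],
    "10.0.0.7:50100->10.0.0.9:443": [b"\x16\x03\x01\x02\x00", b"\x17\x03\x03\x00\x10"],
}
```

A workstation or server answering these handshakes on an internal port, with no sanctioned proxy role, is worth triaging as a possible relay.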
Scale of the Botnet
Check Point Research analyzed victim telemetry from the SystemBC C2 server used by this affiliate. The data revealed a botnet of over 1,570 victims. The infection profile strongly suggests a focus on corporate and organizational targets rather than opportunistic home users. This aligns with the typical modus operandi of ransomware affiliates, who prioritize high-value networks for maximum financial gain.
In summary, The Gentlemen RaaS is a rapidly expanding threat, offering affiliates a powerful multi-platform locker suite and supporting tools like SystemBC. The combination of a growing affiliate network and proven proxy malware creates a significant risk for enterprises worldwide.