The landscape of ransomware-as-a-service (RaaS) continues to evolve, with new players rapidly gaining traction among cybercriminal affiliates. One such operation, The Gentlemen, emerged in mid-2025 and has since claimed over 320 victims—the bulk of which were compromised in early 2026. This article dissects the RaaS program’s affiliate model, multi-platform locker capabilities, and a specific incident where an affiliate deployed SystemBC, a proxy malware used for covert tunneling. We also examine Check Point Research’s telemetry from a SystemBC command-and-control server, revealing a botnet of more than 1,570 victims with a clear focus on corporate environments.
The Gentlemen RaaS Operation
Recruitment and Affiliate Model
The Gentlemen operators actively recruit on underground forums, inviting penetration testers and technically skilled actors to join as affiliates. The program promotes its ransomware platform and promises access to a suite of tools designed to maximize attack success. Verified partners receive EDR-killing utilities and a proprietary multi-chain pivot infrastructure (server and client components), enabling lateral movement and persistence within victim networks.

Multi-Platform Locker Portfolio
The RaaS provides affiliates with a versatile locker portfolio that covers the heterogeneous environments common in corporate settings. Lockers are written in Go for Windows, Linux, NAS, and BSD systems, while a separate C-based locker targets VMware ESXi hypervisors. This cross-platform support allows affiliates to encrypt a wide range of assets, from workstations and servers to virtual machines and storage appliances.
Leak Site and Communication
The group operates an onion site where it publishes stolen data from non-paying victims. However, negotiations do not occur on this portal. Instead, affiliates communicate with victims using their personal Tox ID. Tox is a decentralized, peer-to-peer instant messaging protocol that provides end-to-end encryption for voice, video, and text. Additionally, The Gentlemen maintain a public Twitter/X account referenced in ransom notes; the operators use this account to post about victims, increasing pressure to pay.
As of early 2026, the group has publicly claimed over 320 victims, approximately 240 of them in the first few months of the year, a rapid acceleration that indicates successful affiliate recruitment and operational maturity.

SystemBC Malware Deployment
Incident Response Findings
During a recent incident response engagement, a Gentlemen RaaS affiliate deployed SystemBC on a compromised host. SystemBC is a proxy malware that establishes SOCKS5 network tunnels within the victim’s environment, allowing attackers to route malicious traffic through the infected system while evading network defenses. This capability is especially valuable in human-operated ransomware operations, where stealthy command-and-control (C2) communication is critical for exfiltration and lateral movement.
Botnet Scale and Victim Profile
Check Point Research monitored telemetry from the relevant SystemBC C2 server and identified a botnet comprising over 1,570 victims. The infection profile strongly suggests that the operators are not opportunistically infecting consumers but are targeting corporate and organizational environments. The prevalence of SystemBC in this ransomware affiliate’s toolkit underscores the shift toward proxy-based C2 as a means to maintain persistent, low-visibility access during multi-stage attacks.
The combination of a rapidly expanding RaaS program and a proxy malware like SystemBC highlights the evolving tactics of cybercriminal groups. Affiliates leverage such tools to increase operational security and complicate incident response efforts, making it imperative for defenders to monitor for indicators of both the ransomware locker and the proxy infrastructure.
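The proxy behaviour described above, an infected host holding an outbound tunnel while traffic is relayed through it into the internal network, can be hunted for in network flow logs. The following is an added example, not code from Check Point Research or the original article: it is a behavioural heuristic rather than a SystemBC signature, and the record layout, the 10.0.0.0/8 internal range, the port list, the thresholds and the flow records themselves are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (start_s, duration_s, src, dst, dst_port)
FLOWS = [
    (0,   7200, "10.0.5.23", "203.0.113.50", 4001),  # long-lived external session
    (600, 30,   "10.0.5.23", "10.0.1.10", 445),
    (660, 45,   "10.0.5.23", "10.0.1.11", 445),
    (700, 20,   "10.0.5.23", "10.0.1.12", 3389),
    (900, 15,   "10.0.5.23", "10.0.2.5", 5985),
    (0,   20,   "10.0.5.40", "198.51.100.7", 443),   # short web request
    (100, 30,   "10.0.5.40", "10.0.1.10", 445),      # ordinary file-share use
    (0,   9000, "10.0.5.77", "192.0.2.9", 443),      # long session, no internal fan-out
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
ADMIN_PORTS = {22, 445, 3389, 5985}                # assumed lateral-movement ports
MIN_TUNNEL_SECONDS = 3600                          # assumed "long-lived" threshold
MIN_INTERNAL_PEERS = 3                             # assumed fan-out threshold


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_proxy_pivots(flows):
    """Flag hosts that fan out to internal admin ports during a long external session."""
    tunnels = defaultdict(list)  # src -> [(start, end, external dst)]
    for start, dur, src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst) and dur >= MIN_TUNNEL_SECONDS:
            tunnels[src].append((start, start + dur, dst))

    findings = []
    for src, sessions in tunnels.items():
        for t_start, t_end, ext in sessions:
            # Internal peers contacted on admin ports while the tunnel was open
            peers = {dst for start, _dur, s, dst, port in flows
                     if s == src and is_internal(dst) and port in ADMIN_PORTS
                     and t_start <= start <= t_end}
            if len(peers) >= MIN_INTERNAL_PEERS:
                findings.append({"host": src, "external": ext,
                                 "internal_peers": sorted(peers)})
    return findings


if __name__ == "__main__":
    for finding in find_proxy_pivots(FLOWS):
        print(finding)
```

Hits are leads for triage, since backup agents, jump hosts and management servers can legitimately show the same pattern and should be baselined first.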