
The Gentlemen RaaS Surges with 320+ Victims, New Analysis Reveals Systemic Use of SystemBC Proxy Malware

Last updated: 2026-05-07 20:20:30 · Science & Space

Breaking: The Gentlemen Ransomware Operation Expands Rapidly, Tied to SystemBC Proxy Botnet

A new report from Check Point Research has uncovered a sharp increase in activity from The Gentlemen ransomware-as-a-service (RaaS) operation, which has now claimed over 320 victims, with 240 of those attacks occurring in the first months of 2026 alone.

Source: research.checkpoint.com

During an incident response engagement, an affiliate of The Gentlemen deployed SystemBC, a proxy malware that enables covert network tunneling and payload delivery, on a compromised host. Check Point’s telemetry from the associated command-and-control server revealed a botnet of over 1,570 victims, with infections strongly concentrated in corporate environments rather than random consumers.

“SystemBC acts as a secure SOCKS5 proxy within the victim’s network, allowing ransomware operators to move laterally and exfiltrate data without detection,” said a Check Point researcher.

The RaaS program, which emerged around mid-2025, now offers a broad locker portfolio written in Go for Windows, Linux, NAS, and BSD, plus an additional C-based locker for ESXi hypervisors. Affiliates also gain access to EDR-killing tools and multi-chain pivot infrastructure.

Background: The Gentlemen RaaS

Advertised on underground forums, The Gentlemen invites penetration testers and skilled actors to join as affiliates. The group operates a Tor leak site for victims who refuse to pay, but negotiations occur via a Tox ID, the contact address used on Tox, a decentralized encrypted messaging protocol.

The group maintains a public Twitter/X account referenced in ransom notes, where operators post victim details to increase pressure. This tactic has likely contributed to the rapid growth in claimed victims.

What This Means for Enterprise Security

The combination of multi-platform lockers and SystemBC’s proxy capabilities makes The Gentlemen a formidable threat. “Organizations should not overlook the importance of early detection—SystemBC tunnels can allow attackers to dwell for weeks before deploying ransomware,” warned the Check Point researcher.

With over 320 public victims and a growing affiliate network, the operation signals a shift toward more professionalized, data-driven ransomware campaigns. Defenders must prioritize network segmentation, endpoint monitoring, and rapid incident response to counter this emerging threat.