The Gentlemen RaaS and SystemBC: An Inside Look at a Growing Threat
Introduction
The ransomware landscape continues to evolve, with new players emerging and established tools being repurposed. One such emerging threat is The Gentlemen ransomware-as-a-service (RaaS) program, which has rapidly gained traction since mid-2025. Operating alongside this group, the SystemBC proxy malware has been observed facilitating covert operations. This article explores the characteristics of The Gentlemen RaaS and the role of SystemBC in modern cyberattacks.

The Gentlemen RaaS: A New Power in Ransomware
The Gentlemen RaaS first appeared around mid-2025 and has since become a significant player in the cybercrime ecosystem. The operators actively recruit affiliates through underground forums, offering a comprehensive suite of tools designed for maximum impact.
Multi-Platform Locker Portfolio
One of the key selling points of The Gentlemen RaaS is its versatility. Affiliates gain access to a broad locker portfolio implemented primarily in Go for Windows, Linux, NAS, and BSD platforms. Additionally, a separate locker written in C targets ESXi environments. This multi-platform support allows attackers to compromise the heterogeneous infrastructure common in corporate networks.
Affiliate Incentives and Support
To attract skilled affiliates, the group provides more than just encryption tools. Verified partners receive EDR-killing utilities and a proprietary multi-chain pivot infrastructure with both server and client components. These resources enable affiliates to bypass endpoint defenses and move laterally within victim networks.
Communication and Leak Site
The Gentlemen operates a Tor onion site where stolen data is publicly posted if ransoms are not paid. Interestingly, negotiations are conducted not through the leak portal but via the affiliate's individual Tox ID. Tox is a decentralized, peer-to-peer instant messaging protocol offering encrypted communication. The group also maintains a Twitter/X account, referenced in ransom notes, where it publicly shames victims to increase pressure.
Victim Profile and Growth
As of early 2026, The Gentlemen has publicly claimed over 320 victims, with the majority (approx. 240) claimed in the first months of 2026. This rapid growth suggests the program has successfully recruited a significant number of affiliates. The focus appears to be on corporate and organizational targets rather than individual consumers.

SystemBC: The Proxy Malware Powering The Gentlemen
During an incident response engagement involving The Gentlemen, researchers observed an affiliate deploying SystemBC — a proxy malware commonly used in human-operated ransomware attacks. SystemBC establishes SOCKS5 tunnels within compromised environments, enabling covert communication and payload delivery.
Botnet Observations
Check Point Research monitored telemetry from a SystemBC command-and-control server linked to The Gentlemen affiliate. They identified a botnet comprising over 1,570 victims. The infection profile strongly indicates a focus on corporate networks rather than opportunistic targeting, aligning with The Gentlemen's victimology.
Role in Human-Operated Attacks
SystemBC is a staple in post-exploitation toolkits. It acts as a tunneling proxy, allowing attackers to maintain persistent, encrypted access to internal systems. This malware often precedes ransomware deployment, as it helps adversaries exfiltrate data and deploy additional payloads without detection.
Conclusion
The combination of The Gentlemen RaaS and SystemBC exemplifies the evolving sophistication of ransomware operations. With a multi-platform locker portfolio and a proven proxy tool, the group poses a serious threat to organizations worldwide. Defenders must stay vigilant, monitor for indicators of SystemBC activity, and prepare for ransomware attacks that leverage such proxies. Understanding these tools is the first step in building effective defenses.