
The Gentlemen RaaS Surpasses 320 Victims as SystemBC Botnet Reveals Corporate Focus

The Gentlemen ransomware-as-a-service rapidly claims over 320 victims, with affiliates deploying SystemBC proxy malware in corporate environments, exposing a growing threat.

Casino88 · 2026-05-07 01:35:04 · Science & Space


The Gentlemen ransomware-as-a-service (RaaS) operation has publicly claimed more than 320 victims, with the overwhelming majority—over 240—recorded in the first months of 2026. This explosive growth signals a rapidly expanding affiliate program that is now attracting skilled cybercriminals at an alarming rate.

Source: research.checkpoint.com

Security researchers at Check Point Research have uncovered a SystemBC command-and-control server linked to an affiliate of The Gentlemen. The server has already tracked more than 1,570 victims, and telemetry strongly suggests the malware is being deployed primarily against corporate and organizational targets rather than individual consumers.

“The infection profile points to deliberate targeting of enterprise environments,” said a Check Point Research analyst. “This is not opportunistic—it’s human-operated ransomware with a focus on high-value networks.”

During a recent incident response engagement, an affiliate of The Gentlemen was observed deploying SystemBC on a compromised host. SystemBC is proxy malware that establishes SOCKS5 tunnels, enabling covert command-and-control communication and secure delivery of additional payloads such as ransomware.

Background: The Gentlemen RaaS Operation

The Gentlemen emerged around mid-2025, advertising its ransomware platform on multiple underground forums. The group actively recruits penetration testers and other technically skilled actors as affiliates, offering a comprehensive set of tools to maximize impact.

Affiliates gain access to a broad locker portfolio implemented in Go for Windows, Linux, NAS, and BSD, plus a dedicated C-based locker for ESXi. This multi-platform coverage allows operators to infect nearly every device in a typical corporate data center.

Verified partners also receive EDR-killing tools and a multi-chain pivot infrastructure (server and client components) designed to move laterally across networks without detection. The RaaS maintains an onion leak site where stolen data is published if ransoms are not paid.

Negotiations are handled via each affiliate’s Tox ID—a decentralized, peer-to-peer encrypted messaging protocol—adding a layer of anonymity. The group also runs a Twitter/X account referenced in ransom notes, publicly naming victims to increase pressure.


“The combination of multi-OS support, EDR evasion, and public shaming makes this a formidable RaaS,” commented a senior incident responder who requested anonymity. “We’re seeing a professionalization of the ransomware economy.”

What This Means for Corporate Security

The rapid rise of The Gentlemen RaaS, coupled with the use of SystemBC as a proxy malware, underscores a shift toward more sophisticated, affiliate-driven attacks. Corporate networks—especially those running mixed environments of Windows, Linux, NAS, and ESXi—are prime targets.

Organizations should assume that initial access may be followed by SystemBC deployment for persistent, stealthy tunneling. Traditional perimeter defenses are insufficient; network segmentation, endpoint detection, and monitoring for SOCKS5 traffic are critical.
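One way to act on the SOCKS5 monitoring advice above, as an added example that is not from the Check Point report or the original article: a Python check that recognizes the RFC 1928 client greeting and request in the first payload bytes of a flow and flags handshakes to hosts that are not sanctioned proxies. The flow record layout, field names and addresses are constructed for illustration, and the check assumes the handshake is visible unencrypted in the capture; a tunnel wrapped in its own encryption will not match.

```python
import ipaddress

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}  # RFC 1928 section 4

def parse_greeting(data):
    """VER(5) NMETHODS METHODS...; returns the offered auth methods or None."""
    if len(data) < 3 or data[0] != 5 or data[1] == 0 or len(data) != 2 + data[1]:
        return None
    return list(data[2:])

def parse_request(data):
    """VER(5) CMD RSV(0) ATYP DST.ADDR DST.PORT; returns a dict or None."""
    if len(data) < 7 or data[0] != 5 or data[1] not in CMDS or data[2] != 0:
        return None
    atyp, body = data[3], data[4:]
    if atyp == 1 and len(body) == 6:             # IPv4 address + port
        host = str(ipaddress.IPv4Address(body[:4]))
    elif atyp == 4 and len(body) == 18:          # IPv6 address + port
        host = str(ipaddress.IPv6Address(body[:16]))
    elif atyp == 3 and body[0] > 0 and len(body) == body[0] + 3:  # length-prefixed domain
        host = body[1:-2].decode("ascii", "replace")
    else:
        return None
    return {"cmd": CMDS[data[1]], "host": host, "port": int.from_bytes(body[-2:], "big")}

def hunt(flows, approved_proxies):
    """Flag flows that open with a SOCKS5 handshake toward a non-sanctioned host."""
    findings = []
    for f in flows:
        msgs = f["client_msgs"]
        if f["dst"] in approved_proxies or not msgs or parse_greeting(msgs[0]) is None:
            continue
        # Skip an RFC 1929 username/password message (version byte 0x01) if present.
        rest = [m for m in msgs[1:] if m[:1] != b"\x01"]
        req = parse_request(rest[0]) if rest else None
        if req:
            findings.append((f["src"], f["dst"], f["dport"], req["cmd"], req["host"], req["port"]))
    return findings

# Constructed sample flows (not from any real capture); APPROVED is a hypothetical allowlist.
APPROVED = {"10.0.1.10"}
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "dst": "10.0.9.14", "dport": 4001,   # SOCKS5 on an odd port
     "client_msgs": [b"\x05\x01\x00", b"\x05\x01\x00\x01\x0a\x00\x14\x05\x01\xbd"]},
    {"src": "10.0.5.23", "dst": "10.0.7.2", "dport": 443,     # TLS ClientHello, not SOCKS5
     "client_msgs": [b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"]},
    {"src": "10.0.6.8", "dst": "10.0.1.10", "dport": 1080,    # sanctioned proxy, ignored
     "client_msgs": [b"\x05\x02\x00\x02", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]},
]
```

Calling `hunt(SAMPLE_FLOWS, APPROVED)` returns only the first flow, with the destination the client asked the proxy to reach, which is the detail a responder needs to scope lateral movement.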

“The presence of over 1,570 SystemBC victims from just one C2 server shows the scale of the problem,” the Check Point analyst added. “Security teams need to prioritize threat hunting for proxy malware before ransomware is deployed.”

Given that most infections occurred in early 2026, this trend is accelerating. The Gentlemen’s affiliate program appears to be expanding, and as more affiliates join, the number of attacks will likely increase. Immediate action—such as reviewing remote access controls, patching vulnerabilities, and deploying EDR with behavioral analysis—is essential.
