The Gentlemen RaaS and SystemBC: A Deep Dive into a Growing Cyber Threat


Introduction

The cybersecurity landscape continues to evolve with the emergence of new ransomware-as-a-service (RaaS) operations. Among the recent entrants is The Gentlemen, a RaaS program that gained significant traction in 2026. This article explores the operation's structure, affiliate ecosystem, and its association with the SystemBC proxy malware, based on findings from an incident response engagement and telemetry analysis.

Source: research.checkpoint.com

The Gentlemen Ransomware-as-a-Service

Emergence and Affiliate Recruitment

First observed around mid-2025, The Gentlemen RaaS quickly established itself on underground forums. Its operators actively recruit affiliates—often described as penetration testers or technically skilled actors—by promoting a comprehensive ransomware platform. The program offers not only encryption tools but also supplementary resources such as EDR-killing utilities and a custom multi-chain pivot infrastructure. This infrastructure includes both server and client components, enabling sophisticated lateral movement and persistence within compromised environments.

Multi-Platform Locker Portfolio

A key differentiator for The Gentlemen is its broad locker support. Affiliates gain access to lockers written in Go for Windows, Linux, NAS, and BSD systems, plus a separate locker implemented in C specifically for ESXi hypervisors. This cross-platform coverage allows attackers to target the diverse operating systems commonly found in corporate data centers and virtualized environments.

Leak Site and Negotiation Process

The group operates an onion (Tor) site to publish data stolen from victims who refuse to pay. However, negotiations are not handled through this portal. Instead, each affiliate uses a personal Tox ID (Tox being a decentralized, peer-to-peer encrypted messaging protocol) to communicate with victims directly. Additionally, The Gentlemen maintain a presence on Twitter/X, as referenced in their ransom notes. The account publicly posts about victims, likely as a pressure tactic to compel payment.

Victim Statistics and Growth

As of early 2026, The Gentlemen publicly claims over 320 victims, with the majority (approximately 240) occurring in the first months of that year. This rapid growth indicates a successful affiliate recruitment strategy and an expanding operational footprint. The victimology suggests a focus on mid-to-large enterprises rather than individual consumers.

SystemBC Proxy Malware Deployment

Incident Response Case

During a recent incident response engagement, researchers observed an affiliate of The Gentlemen deploying SystemBC on a compromised host. SystemBC is a proxy malware that establishes SOCKS5 tunnels within the victim's network, allowing the attacker to route traffic covertly and deliver additional payloads. In this case, the affiliate used SystemBC as a persistent backdoor to maintain access and exfiltrate data before encrypting systems.


Check Point Research analyzed telemetry from the SystemBC command-and-control server involved in the incident. They identified a botnet of over 1,570 victims linked to that server, with the infection profile strongly indicating a focus on corporate and organizational environments. The use of SystemBC aligns with the operational patterns of human-operated ransomware groups, where stealth and resilience are critical during the lateral movement and exfiltration phases.

Botnet Scale and Targeting

The scale of the SystemBC botnet—more than 1,500 victims from a single C2 server—illustrates the broader threat landscape. Unlike opportunistic consumer infections, the majority of these victims belong to businesses or institutions, suggesting that affiliates of RaaS programs like The Gentlemen are deliberately targeting high-value networks. The proxy component enables attackers to bypass network defenses, maintain long-term access, and coordinate multi-stage attacks without detection.

Combined Threat Implications

The combination of a rapidly scaling RaaS program like The Gentlemen and a versatile proxy malware like SystemBC represents a significant risk to organizations. The RaaS provides easy access to cross-platform encryption tools, while SystemBC offers the covert communication channel needed to execute complex intrusions. Security teams should prioritize monitoring for SOCKS5 proxy traffic, unusual outbound connections, and the presence of Tox IDs in network communications. Additionally, given the group's public victim shaming on social media, organizations should prepare incident response plans that account for potential reputational damage.
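A defensive sketch of the monitoring recommendation above, added here as an example and not part of the original article or Check Point's tooling: it flags SOCKS5 handshake bytes (per RFC 1928) and Tox-ID-shaped strings in captured client payloads. The flow records are constructed, and the 76-hex-character Tox ID length comes from the Tox specification rather than from the page.

```python
import re
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client-side payload (constructed below)

# A Tox ID is 76 hex characters: 32-byte public key + 4-byte nospam + 2-byte checksum.
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")

def is_socks5_greeting(p: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS=n, followed by exactly n method bytes."""
    return len(p) >= 3 and p[0] == 0x05 and len(p) == 2 + p[1]

def is_socks5_request(p: bytes) -> bool:
    """RFC 1928 request: VER=0x05, CMD in {CONNECT,BIND,UDP ASSOCIATE}, RSV=0x00, ATYP in {IPv4,DOMAIN,IPv6}."""
    return len(p) >= 4 and p[0] == 0x05 and p[1] in (1, 2, 3) and p[2] == 0x00 and p[3] in (1, 3, 4)

def flag_flow(f: Flow) -> list:
    """Return the list of reasons a flow deserves analyst attention (empty if none)."""
    reasons = []
    if is_socks5_greeting(f.payload):
        reasons.append("socks5-greeting")
    elif is_socks5_request(f.payload):
        reasons.append("socks5-request")
    if TOX_ID_RE.search(f.payload.decode("latin-1")):
        reasons.append("tox-id")
    return reasons

def scan(flows):
    """Run flag_flow over a batch of flows and keep only the flagged ones."""
    return [(f.src, f.dst, f.dport, r) for f in flows if (r := flag_flow(f))]

# Constructed sample flows (not real traffic); the 76-character string is made up.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.9", 443, b"\x16\x03\x01\x00\xa5"),                      # TLS ClientHello start
    Flow("10.0.0.5", "203.0.113.7", 4001, b"\x05\x02\x00\x02"),                       # SOCKS5 greeting, 2 auth methods
    Flow("10.0.0.5", "203.0.113.7", 4001, b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),  # SOCKS5 CONNECT example.com:443
    Flow("10.0.0.12", "10.0.0.200", 445, b"Contact us on Tox: " + b"A" * 76),        # Tox-ID-shaped string
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

Exact-length matching on the greeting keeps a four-byte CONNECT request from also being classified as a one-method greeting; on real traffic, pair these byte checks with destination reputation and baseline deviation to keep false positives manageable.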
