The Gentlemen RaaS and SystemBC: A Deep Dive into a Growing Ransomware Threat

Overview

The ransomware landscape continues to evolve, with relatively new players quickly making their mark. One such group is The Gentlemen, a ransomware-as-a-service (RaaS) operation that has rapidly gained traction since its emergence in mid-2025. Alongside its own locker arsenal, affiliates have been observed deploying SystemBC, a proxy malware commonly used for covert communication and tunneling in human-operated attacks. This article explores the capabilities of The Gentlemen RaaS, the role of SystemBC in its operations, and what this means for defenders.

Source: research.checkpoint.com

The Gentlemen RaaS Program: Capabilities and Growth

The Gentlemen operators actively recruit affiliates on underground forums, offering a comprehensive suite of tools and infrastructure. The program boasts an impressive victim count—over 320 publicly claimed victims, with the majority (approximately 240) occurring in the first months of 2026. This surge highlights the program's growing popularity among cybercriminals.

Multi-Platform Locker Portfolio

A standout feature of The Gentlemen RaaS is its broad locker portfolio, covering multiple operating systems commonly found in enterprise environments:

This multi-OS support allows affiliates to target diverse corporate networks, from desktops and servers to virtualized environments and storage appliances. The use of Go and C brings platform-specific performance and evasion advantages.

Affiliate Recruitment and Infrastructure

The group operates through a private onion site where stolen data is published for non-paying victims. However, negotiations occur outside this portal, using the affiliate's individual Tox ID—a decentralized, end-to-end encrypted messaging protocol. This approach enhances anonymity and reduces the risk of law enforcement infiltration.

Verified partners also gain access to EDR-killing tools and a custom multi-chain pivot infrastructure (server and client components), enabling lateral movement and persistence within compromised networks.

Victim Shaming and Negotiation

The Gentlemen maintain a presence on Twitter/X, referenced in their ransom notes. The account is used to publicly name victims, increasing pressure to pay. This dual-pressure tactic—leaking data on the dark web and public shaming on social media—has been effective for other ransomware groups and appears to be part of The Gentlemen's strategy.

SystemBC: The Proxy Malware in Action

During an incident response engagement, researchers observed an affiliate of The Gentlemen deploying SystemBC on a compromised host. SystemBC is proxy malware that establishes SOCKS5 tunnels, allowing attackers to route traffic through the victim's network while evading detection. It is frequently used in ransomware operations for command-and-control (C2) communication and payload delivery.
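SOCKS5 is the standard proxy protocol defined in RFC 1928. The following is an added example, not code from the Check Point report: it parses the cleartext opening of a SOCKS5 session from reassembled client-to-proxy bytes and flags sessions that terminate on hosts outside an approved proxy list. It assumes unencrypted traffic and the no-authentication method, does not model SystemBC's own C2 encoding, and the function names, addresses, and sample flows are constructed for illustration.

```python
import ipaddress
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}  # RFC 1928 CMD values

def parse_socks5_open(data: bytes):
    """Parse client-to-proxy bytes: method greeting followed by a request.

    Returns a dict, or None when the bytes are not a well-formed SOCKS5 opening.
    Assumes the no-authentication method, so no auth sub-negotiation intervenes.
    """
    # Greeting: VER(0x05) | NMETHODS | METHODS...
    if len(data) < 3 or data[0] != 0x05 or data[1] == 0:
        return None
    req = data[2 + data[1]:]
    # Request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT
    if len(req) < 4 or req[0] != 0x05 or req[1] not in CMDS or req[2] != 0:
        return None
    atyp, body = req[3], req[4:]
    if atyp == 0x01:                      # IPv4 address
        alen, decode = 4, lambda b: str(ipaddress.IPv4Address(b))
    elif atyp == 0x04:                    # IPv6 address
        alen, decode = 16, lambda b: str(ipaddress.IPv6Address(b))
    elif atyp == 0x03 and body:           # length-prefixed domain name
        alen, body = body[0], body[1:]
        decode = lambda b: b.decode("ascii", "replace")
    else:
        return None
    if len(body) < alen + 2:              # truncated address or port
        return None
    (port,) = struct.unpack("!H", body[alen:alen + 2])
    return {"command": CMDS[req[1]], "host": decode(body[:alen]), "port": port}

def flag_unexpected_proxies(flows, approved_proxies):
    """Return (client, listener, target) for SOCKS5 sessions to unapproved listeners."""
    hits = []
    for src, dst, payload in flows:
        info = parse_socks5_open(payload)
        if info and dst not in approved_proxies:
            hits.append((src, dst, f"{info['host']}:{info['port']}"))
    return hits

# Constructed sample flows (src, dst, first client bytes), not data from the report.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.9.9", b"\x05\x01\x00\x05\x01\x00\x01\xc0\x00\x02\x0a\x01\xbd"),
    ("10.0.5.21", "10.0.1.1", b"\x05\x01\x00\x05\x01\x00\x03\x0bexample.org\x01\xbb"),
    ("10.0.5.22", "10.0.9.9", b"GET / HTTP/1.1\r\n\r\n"),
]
```

Calling `flag_unexpected_proxies(SAMPLE_FLOWS, {"10.0.1.1"})` reports only the first flow, whose listener is not on the approved list.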

Deployment by The Gentlemen Affiliates

The affiliate used SystemBC to create a covert channel, likely for maintaining persistent access and staging further attacks. This aligns with the typical playbook of human-operated ransomware: initial compromise, privilege escalation, lateral movement, and finally ransomware deployment—all while maintaining stealth through tools like SystemBC.

Botnet Scale and Victim Profile

Check Point Research's analysis of the SystemBC C2 server used by this affiliate revealed a botnet of over 1,570 victims. The infection profile strongly suggests a focus on corporate and organizational environments rather than opportunistic home users. This indicates that The Gentlemen affiliates are deliberately targeting high-value networks where payoffs can be larger.

Implications for Defenders

The combination of a versatile RaaS program and proxy malware like SystemBC poses significant challenges for cybersecurity teams. Organizations should prioritize:

As The Gentlemen continue to grow, understanding their tools and tactics, including the use of SystemBC, is essential for proactive defense.
