The "Gentlemen", a ransomware gang, have established themselves in a relatively short period of time and claim to have impacted hundreds of victims.
The "Gentlemen" is considered a ransomware-as-a-service (RaaS) outlet that started in mid-2025. Although they appear to operate similarly to your average RaaS, using a combination of encryption and data leakage to extort money from victims, the "Gentlemen" use advanced tactics, techniques and procedures (TTPs). The TTPs include things like AV killers and complex infection chains.
Check Point Research recently published its latest findings regarding the "Gentlemen". According to Check Point Research, the "Gentlemen" have claimed hundreds of victims. The "Gentlemen" are reported to have utilised several forms of malicious code during the attacks, including something called SystemBC. As stated in Check Point's blog post, "SystemBC is a proxy malware that is commonly used in human-operated ransomware attacks to create covert channels for payload delivery and tunneling".
According to Check Point Research, when reviewing victim telemetry associated with the SystemBC command and control (C2) server, there were over 1,570 victims that had been infected by the ransomware. Based on the infection profile of the victims, Check Point Research believes that the "Gentlemen" tend to target corporate and organisational victims rather than opportunistic or consumer targets. Check Point Research's analysis primarily focused on this activity.
In terms of output, the "Gentlemen" are very prolific given how briefly they have been active. Comparitech reports that the group conducted 202 attacks in the last quarter, ranking second behind Qilin, which conducted 353. NCC Group also reported that the "Gentlemen" were responsible for 34 attacks in January and 67 in February. Those numbers may not place them first in terms of frequency, but they are clearly on par with older and more experienced gangs such as Cl0p and Akira.
There are similarities between the "Gentlemen" and another RaaS group called DragonForce. DragonForce emerged in 2023 and made headlines for its "cartel" style structure and its white label ransomware business model.
Dillon Ashmore, cyber threat intelligence analyst at NCC Group, told Unsurfaced.com that "the 'Gentlemen' show signs of establishing itself as a staple in the ransomware community similar to DragonForce, but at a larger scope and speed than DragonForce ever achieved at that point in time."
Ashmore added that "DragonForce took nearly two years to reach 150 victims whereas the 'Gentlemen' reached that milestone in approximately nine months." He explained that the difference is not just a result of quantity versus quality, but the "Gentlemen's" ability to keep producing a significant amount of output per month without suffering through common issues affecting many ransomware groups, such as defectors among affiliates, takedowns of infrastructure or infighting among members.
How the "Gentlemen" get inside
As for exactly how the "Gentlemen" gain entry into an organisation, Check Point could not determine what vector was initially used. However, after gaining access, the SystemBC proxy malware was installed on the compromised host. Once SystemBC was installed, it created SOCKS5 network tunnels within the victim's system, allowing it to connect back to C2 servers so it could pull down and run other malicious payloads.
The C2 server used by attackers in the previous example utilises a botnet of more than 1,500 victims, although Check Point was not able to determine whether those 1,500-plus victims belonged to a specific affiliate or affiliates, or whether they are simply part of a larger botnet that the affiliate is utilising.
Check Point's report states that the earliest evidence of attacker activity shows an attacker who had already gained administrative access to a domain controller and was using that access to verify connectivity and perform network discovery. Afterward, the attackers deployed additional payloads on each host, allowing them to move laterally across the network. Prior to deploying the actual ransomware, they disabled Windows Defender via PowerShell. Finally, they utilised SystemBC and Cobalt Strike as their C2 tools to deliver the ransomware.
Because of their ability to utilise Active Directory's Group Policy feature, the Gentlemen can detonate the ransomware simultaneously on every machine in the domain. The researchers described this as the most powerful method of delivering a ransomware payload seen to date.
The Gentlemen ransomware is written in Go and is continuously being updated. Alongside ransomware encryption and exfiltration, they also offer features like RDP and AnyDesk, along with numerous methods for maintaining persistence on hosts such as disabling Windows Defender and Windows Firewall, C-drive scanning and monitoring, and more.
Also included in Check Point's write-up is an analysis of a specific version of the Gentlemen ransomware designed specifically for VMware ESXi hosts. This version remains undetectable by the vast majority of antivirus systems, as shown by VirusTotal. This is believed to be due in part to certain actions taken by the locker prior to executing the encryption process, such as shutting down all virtual machines running on ESXi automatically and preventing automatic recovery.
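As an added illustration of the defensive side of the chain described above (this is not code from Check Point or from the article), the Python below scans constructed PowerShell script-block log lines for the Defender and firewall tampering commands mentioned, and flags a command that appears on several hosts within the same minute, the shape a Group Policy push leaves behind. The log format, hostnames and the specific cmdlets matched are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PowerShell script-block log lines (Event ID 4104 style); these are
# illustrative samples, not telemetry from the incidents Check Point analysed.
SAMPLE_LOGS = [
    "2025-09-01T02:14:03Z host=DC01 cmd=Get-ADComputer -Filter *",
    "2025-09-01T02:31:10Z host=WS-017 cmd=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-09-01T02:31:11Z host=WS-022 cmd=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-09-01T02:31:11Z host=FS-02 cmd=set-mppreference -disablerealtimemonitoring $True",
    "2025-09-01T02:31:12Z host=WS-017 cmd=netsh advfirewall set allprofiles state off",
    "2025-09-01T02:40:00Z host=WS-003 cmd=Get-Process | Where-Object CPU -gt 50",
]

# Commands matching the defence-evasion steps the article describes
# (Defender and firewall disabled ahead of the locker). Case-insensitive.
TAMPER_PATTERNS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "firewall_off": re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")

def find_tampering(lines):
    """Return (timestamp, host, rule) for each script block matching a tamper pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than crash the pipeline
        for rule, pat in TAMPER_PATTERNS.items():
            if pat.search(m["cmd"]):
                ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
                hits.append((ts, m["host"], rule))
    return hits

def mass_rollout(hits, window_s=60, min_hosts=3):
    """Rules seen on >= min_hosts distinct hosts inside window_s seconds: the
    'same command everywhere at once' shape of a Group Policy push."""
    by_rule = defaultdict(list)
    for ts, host, rule in hits:
        by_rule[rule].append((ts, host))
    flagged = {}
    for rule, events in by_rule.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= timedelta(seconds=window_s)}
            if len(hosts) >= min_hosts:
                flagged[rule] = sorted(hosts)
                break
    return flagged
```

A single hit on one host is worth an alert on its own; the rollout check exists to distinguish one compromised workstation from a domain-wide push that needs a domain controller and Group Policy response.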
Although the Gentlemen are highly proficient at compromising large organisations, Jason Baker, Managing Security Consultant for Threat Intelligence at GuidePoint Security, noted that there are some characteristics of a ransomware organisation capable of sustaining itself that the Gentlemen currently lack.
Baker stated that "the Gentlemen's affiliates and negotiators still communicate with victims via qTox and Session apps instead of having their own designated chat application, and they actively participate on X (formerly Twitter), which is usually indicative of less mature operators creating unnecessary operational security risks."
He added that "some excellent reporting from Check Point also indicates that in at least some instances the Gentlemen's affiliates continue to employ Cobalt Strike, an offensive security tool, which has for the most part phased out of relevance for roughly the past 12 to 18 months due to increased detection mechanisms."
Baker did note, however, that although the Gentlemen demonstrate attributes consistent with becoming a fixture in the ransomware ecosystem, rapid decline from prominence is always possible, whether due to law enforcement intervention, internal conflict or external competition from other cybercrime groups.
Attack of the Gentlemen
Perhaps most disturbing about the Gentlemen is their ability to establish enough capacity to impact hundreds of large organisations within a few months.
"The activity surrounding the Gentlemen RaaS exemplifies how rapidly an effectively designed affiliate program can advance from an outsider to an influential contributor in the ecosystem," according to Check Point's blog post. By offering a flexible, platform-based locker with native lateral movement and mass deployment via Group Policy-based detonation, along with effective defence evasion techniques, the Gentlemen allow even moderately skilled affiliates to accomplish enterprise-scale intrusions with ransomware detonation as the final stage.
Rebecca Moody, Head of Data Research at Comparitech, stated that she feels the Gentlemen are "one of the largest groups you should be watching out for this year." She added that based on their victimology, she believes the Gentlemen pose a major threat to government agencies, educational providers, healthcare companies and manufacturers around the world.
Eli Smadja, Group Manager of Products R&D at Check Point Software, wrote in an email that the Gentlemen pay their affiliates 90% of profits generated through extortion efforts, providing strong incentives for affiliates to switch to this RaaS provider. Smadja further stated that he believes the Gentlemen will remain one of the more appealing options for affiliates seeking a reputable RaaS provider.
Smadja provided some recommendations for defenders who wish to avoid being targeted by the Gentlemen. He noted an observed attack in which an internet-facing device was exploited and immediate access to the domain controller was achieved. He recommends defenders monitor their internet-facing devices closely and enforce strong network segregation practices.
Smadja emphasised that standard best practices remain essential, including ensuring that operating systems and software remain current and up to date, promoting robust security awareness programmes within an organisation, and conducting continuous network monitoring.