Full Report

Key Points

The Gentlemen RaaS

The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. The RaaS provides affiliates with multi-OS lockers for Windows, Linux, […]

The post DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy appeared first on Check Point Research.
Analysis Summary
# Threat Actor: The Gentlemen
## Attribution & Identity
- **Actor Name:** The Gentlemen
- **Actor Type:** Ransomware-as-a-Service (RaaS) Provider
- **Known Associations:** Affiliates often leverage **SystemBC** for tunneling and payload delivery.
- **Identity Details:** A relatively new group that emerged in mid-2025. They operate via a decentralized model, utilizing **Tox ID** for negotiations and underground forums for affiliate recruitment.
## Activity Summary
The group transitioned from a developmental phase in mid-2025 to a high-velocity operation in early 2026. As of April 2026, the group has claimed over **320 victims**, with 240 of those occurring in the first few months of 2026. Recent operations involve the use of SystemBC to establish persistent proxies within corporate networks to facilitate the deployment of multi-platform ransomware lockers.
## Tactics, Techniques & Procedures
- **Multi-Platform Support:** Distribution of lockers written in **Go** (for Windows, Linux, NAS, and BSD) and **C** (specifically for ESXi environments).
- **Defense Evasion:** Provision of "EDR-killing" tools to affiliates.
- **Encryption Method:** Uses **XChaCha20**; features high-speed modes (`--fast`, `--superfast`, `--ultrafast`) that encrypt only 1–9% of large files to increase speed.
- **Persistence & Proxying:** Deployment of **SystemBC** for SOCKS5 tunneling and RC4-encrypted C2 communication.
- **Double Extortion:** Pressure is applied via a dedicated Onion leak site and a public X (Twitter) account (`@TheGentlemen25`).
- **Inhibit System Recovery (T1490):** Deletion of shadow copies via `vssadmin` and `wmic`, and clearing of Windows Event Logs and Prefetch files.
- **Service Stop (T1489):** Disabling security and backup services (e.g., `mpssvc`) via `sc config`.
- **Internal Defacement (T1491.001):** Modifying desktop wallpaper to `gentlemen.bmp`.
## Targeting
- **Sectors:** Focus on corporate and organizational environments (Human-Operated Ransomware).
- **Geography:** Global, with primary concentrations in the **United States**, **United Kingdom**, and **Germany**.
- **Victims:** Over 320 claimed victims on their leak site; over 1,570 bots observed on associated SystemBC infrastructure.
## Tools & Infrastructure
- **Malware:**
  - The Gentlemen Locker (Go/C variants)
  - **SystemBC** (Proxy/Backdoor)
- **Communication:**
  - **Tox** (P2P encrypted messaging for negotiations)
  - **X/Twitter:** `TheGentlemen25`
- **Infrastructure:**
  - **Leak Site:** `wp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion`
  - **Persistence:** Multi-chain pivot infrastructure (client/server components).
## Implications
The Gentlemen represent a sophisticated RaaS threat capable of impacting diverse IT environments (Windows, Linux, virtualized infrastructure). Their rapid growth in 2026 and the use of specialized ESXi lockers indicate a mature operation aimed at high-value enterprise environments. Their use of SystemBC suggests they rely on established "human-operated" methods rather than simple automated spreading.
## Mitigations
- **Network Segmentation:** Restrict egress traffic to prevent SystemBC SOCKS5 tunneling to unknown C2 IPs.
- **Service Protection:** Implement Tamper Protection on endpoint security products to prevent the "EDR-killing" tools and `sc stop` commands from disabling defenses.
- **Snapshot Security:** Protect backup integrity and shadow copies by using immutable backups or offline storage, as the actor actively targets `vssadmin`.
- **Command-Line Monitoring:** Monitor for unauthorized use of `wmic` and `vssadmin`, which are key indicators of the group's post-exploitation phase.
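As an added example (not code from the Check Point report), the following Python runs simple detection rules for the `vssadmin`, `wmic` and `sc` command lines listed under Inhibit System Recovery and Service Stop above over constructed process-creation events. The event field names and the sample lines are assumptions; real telemetry (Sysmon Event ID 1, EDR process trees) carries the same command-line field under other names.

```python
import re

# Constructed sample process-creation events (not real telemetry), modeled on the
# TTPs described above: shadow-copy deletion and disabling of security services.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmd": "wmic shadowcopy delete"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "cmd": "sc config mpssvc start= disabled"},
    {"host": "ws03", "user": "CORP\\admin", "cmd": "vssadmin list shadows"},     # benign: read-only
    {"host": "ws04", "user": "CORP\\jsmith", "cmd": "notepad.exe report.txt"},  # benign
]

# (ATT&CK technique, description, pattern applied to the full command line).
# Patterns are anchored on the tool name and its destructive verb so that
# read-only uses such as "vssadmin list shadows" do not alert.
RULES = [
    ("T1490", "shadow copy deletion via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copy deletion via wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1489", "service disabled or stopped via sc",
     re.compile(r"\bsc(\.exe)?\s+(config\s+\S+\s+start=\s*disabled|stop\s+\S+)", re.I)),
]


def detect(events):
    """Return one alert per (event, rule) match, carrying host, user and technique."""
    alerts = []
    for ev in events:
        for technique, desc, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "technique": technique, "desc": desc, "cmd": ev["cmd"]})
    return alerts


def hosts_by_technique(alerts):
    """Group alerting hosts per technique so a responder can see which machines show
    recovery inhibition (T1490) versus service tampering (T1489)."""
    grouped = {}
    for alert in alerts:
        grouped.setdefault(alert["technique"], set()).add(alert["host"])
    return grouped


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["host"]} {alert["user"]} [{alert["technique"]}] {alert["desc"]}: {alert["cmd"]}')
```

Two T1490 hits on one host within a short window, followed by `sc` tampering with defensive services, is the pre-encryption sequence this report describes and is worth a higher severity than either rule alone.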