
Behind the Proxy: What the Gentlemen RaaS and SystemBC Reveal About Modern Ransomware Attacks

Posted by u/Tiobasil · 2026-05-05 11:27:32

This article explores the inner workings of The Gentlemen ransomware-as-a-service (RaaS) operation and the use of SystemBC proxy malware in a recent incident. The Gentlemen, which emerged in mid-2025, has quickly attracted affiliates and claimed over 320 victims, with most attacks occurring in early 2026. During an incident response case, an affiliate deployed SystemBC to establish covert tunnels. Check Point Research later observed a SystemBC botnet with over 1,570 victims, primarily targeting corporate environments. Below, we answer key questions about these threats.

What is The Gentlemen RaaS and when did it emerge?

The Gentlemen is a ransomware-as-a-service (RaaS) operation that first appeared around mid-2025. The group actively recruits affiliates on underground forums, advertising its ransomware platform and seeking penetration testers and other technically skilled actors to join. Once accepted, affiliates gain access to a suite of tools including multi-platform lockers, EDR-killing utilities, and a custom multi-chain pivot infrastructure for stealthy network traversal. The RaaS operates a dedicated onion site to publish stolen data from non-paying victims, but negotiations are handled directly via each affiliate's Tox ID—a decentralized, encrypted communication protocol. The group also maintains a Twitter/X account, referenced in ransom notes, to publicly pressure victims. As of early 2026, The Gentlemen has claimed over 320 victims, with the bulk of infections occurring in the first few months of that year, signaling a rapid rise in affiliate activity.

Source: research.checkpoint.com

What platforms does The Gentlemen RaaS target?

The Gentlemen provides affiliates with a broad locker portfolio designed to cover the diverse operating systems commonly found in corporate networks. For Windows, Linux, NAS devices, and BSD, the ransomware is written in Go, offering cross-platform compatibility and ease of deployment. Additionally, a separate locker written in C targets VMware ESXi hypervisors. This dual-language approach ensures the group can encrypt data across physical servers, virtual machines, and network-attached storage. The inclusion of ESXi is particularly notable as it allows attackers to cripple entire virtualized environments. Affiliates also receive EDR-killing tools to evade detection, along with server and client components for a multi-chain pivot infrastructure that helps them move laterally within compromised networks. This wide platform coverage makes The Gentlemen a versatile threat for organizations with heterogeneous IT environments.

How does The Gentlemen handle victim data leaks and negotiations?

The Gentlemen RaaS operates a dedicated onion site—accessible only via the Tor browser—where it publishes data stolen from victims who refuse to pay the ransom. However, unlike many ransomware groups that conduct negotiations directly on their leak portal, The Gentlemen uses a decentralized approach. Each affiliate is assigned a unique Tox ID, and all ransom discussions occur through Tox, a peer-to-peer instant messaging protocol that offers end-to-end encryption for text, voice, and video. This design helps both the affiliates and the core group maintain anonymity by avoiding centralized chat servers. The group also maintains a public Twitter/X account, which is listed in the ransom notes left on victim systems. Through this account, they post about new victims and apply pressure, potentially increasing the likelihood of payment. The combination of a leak site, private Tox negotiations, and public social media shaming creates a multi-pronged extortion strategy.

How many victims has The Gentlemen claimed to date?

As of the latest reports, The Gentlemen RaaS has publicly claimed a little over 320 victims on its leak site and social media channels. Notably, the majority of these infections—approximately 240—occurred in the first few months of 2026, indicating a significant acceleration in affiliate recruitment and attack tempo. This rapid growth suggests that the group's RaaS model is successfully attracting a substantial number of affiliates who are actively deploying the locker and supporting tools. Compared to older RaaS operations, The Gentlemen has achieved a high victim count in a relatively short time, making it a rising concern for cybersecurity teams. The surge also aligns with the group's aggressive advertising on underground forums and the appeal of its multi-platform locker support and built-in evasion utilities.


What is SystemBC and how was it used in this incident?

SystemBC is a proxy malware commonly used in human-operated ransomware attacks. It establishes SOCKS5 tunnels within a victim's network, allowing the attacker to route traffic through the compromised host and maintain covert communication with command-and-control (C2) servers. In the incident covered by this DFIR report, an affiliate of The Gentlemen RaaS deployed SystemBC on a compromised corporate host. The malware facilitated stealthy tunneling for payload delivery and data exfiltration, helping the attacker bypass network defenses. By using SystemBC, the affiliate could securely relay additional tools, such as the ransomware locker itself, without directly exposing the C2 infrastructure. This technique is typical of sophisticated ransomware operations where persistence and evasion are critical. The deployment of SystemBC alongside The Gentlemen locker underscores the affiliate's focus on blending in with normal traffic and delaying detection.

What did Check Point Research observe about SystemBC's botnet?

Check Point Research analyzed telemetry from a SystemBC command-and-control server associated with The Gentlemen affiliate and discovered a botnet of over 1,570 victims. The infection profile strongly suggested a focus on corporate and organizational environments rather than opportunistic consumer targeting. This means the botnet likely included many enterprise networks, making it a significant threat for data theft and ransomware deployment. The large number of victims indicates that the SystemBC proxy malware is widely distributed, possibly through multiple affiliates or campaigns. The telemetry also revealed how the C2 server managed connections, allowing the researchers to map out the scale of the operation. Such botnets serve as a foundation for ransomware attacks, providing attackers with persistent access and a platform for deploying additional payloads like The Gentlemen locker. The findings highlight the importance of monitoring for SystemBC indicators in corporate networks.