Gentlemen Ransomware Grows Rapidly With New Affiliates

Summary
– The ransomware group “The Gentlemen” has claimed over 320 victims, with most attacks occurring in early 2026.
– It operates as a Ransomware-as-a-Service (RaaS) model, recruiting skilled affiliates and providing them with cross-platform ransomware written in Go and C.
– The group’s toolkit enables large-scale enterprise attacks through features like automated lateral movement, Group Policy deployment, and disabling security defenses.
– Attackers use techniques like credential harvesting and persistence mechanisms, and they terminate processes related to backups and databases to hinder recovery.
– Researchers linked the operation to the SystemBC proxy malware and observed infections concentrated in the US, UK, and Germany, indicating a focus on enterprise organizations rather than consumers.
A new ransomware-as-a-service operation has quickly become a significant threat, claiming over 320 victims with a surge of activity in early 2026. Security analysts at Check Point report that this group, calling itself The Gentlemen, is attracting a growing number of affiliates and focusing its efforts on corporate networks. The operation employs a sophisticated, modular toolkit and cross-platform payloads to maximize its reach and impact.
First appearing in mid-2025, The Gentlemen actively recruits technically proficient partners through underground forums. The core of their service provides affiliates with powerful, Go-based ransomware capable of encrypting systems running Windows, Linux, NAS, and BSD. A separate encryptor, written in C, is designed specifically for VMware ESXi servers, highlighting the group’s intent to disrupt virtualized enterprise infrastructure.
The ransomware-as-a-service model is particularly dangerous due to its built-in features for efficient network-wide attacks. Affiliates are equipped with tools for automated lateral movement, often reusing stolen domain credentials. They can deploy the ransomware via Group Policy Objects, enabling near-simultaneous encryption across an entire Windows domain. In one documented intrusion, attackers first compromised a domain controller, then used administrative shares for remote execution, harvested credentials, and conducted extensive reconnaissance before triggering the encryption event.
To ensure their payloads run unimpeded, the toolkit includes routines to disable endpoint security and firewall protections. The ransomware also aggressively terminates processes associated with databases, backup software, and virtual machines to prevent data recovery. It deletes Volume Shadow Copies and clears event logs, deliberately obstructing both restoration efforts and forensic investigation.
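The recovery-inhibition behaviour described above (deleting Volume Shadow Copies, clearing event logs, killing database and backup processes) is what a detection engineer would look for in process-creation telemetry. The following is an added detection example, not code from the article or from Check Point's research: it parses constructed process-creation records in a hypothetical `timestamp,host,user,parent,command_line` format, tags each command line with a behaviour category using well-known defensive patterns (the `vssadmin`, `wmic`, `wevtutil` and `taskkill` signatures are general knowledge, not indicators taken from the article), and raises a host-level alert only when two or more distinct categories co-occur on the same host, which is the combination the article attributes to this ransomware.

```python
"""Detect recovery-inhibition behaviour in process-creation logs.

Added example; the RULES patterns are generic defensive signatures and the
SAMPLE_LOG records are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Each rule pairs a behaviour label with a regex over the command line.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("event_log_clearing",
     re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I)),
    ("recovery_process_kill",
     re.compile(r"\b(taskkill|net stop|sc stop)\b.*\b(sql|veeam|backup|vmware|vss)\w*", re.I)),
]


class ProcEvent(NamedTuple):
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record; the command line may itself contain commas."""
    parts = line.split(",", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return ProcEvent(*parts)


def classify(cmdline: str) -> Set[str]:
    """Return the set of behaviour labels whose pattern matches the command line."""
    return {label for label, rx in RULES if rx.search(cmdline)}


def detect(log_text: str) -> Dict[str, Set[str]]:
    """Aggregate matched behaviour labels per host across the whole log."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        hits[ev.host] |= classify(ev.cmdline)
    return dict(hits)


def hosts_with_recovery_inhibition(log_text: str, min_categories: int = 2) -> List[str]:
    """Hosts showing at least `min_categories` distinct recovery-inhibition behaviours.

    Requiring more than one category keeps a lone, legitimate log maintenance
    command from firing the alert on its own.
    """
    return sorted(host for host, labels in detect(log_text).items()
                  if len(labels) >= min_categories)


# Constructed sample telemetry: FS01 shows the full pattern, WS22 shows benign
# activity including a wevtutil query that must not be mistaken for a clear.
SAMPLE_LOG = """\
2026-01-14T03:12:07Z,FS01,CORP\\svc_backup,services.exe,"C:\\Program Files\\Backup\\agent.exe" --schedule
2026-01-14T03:14:55Z,FS01,CORP\\admin,cmd.exe,vssadmin.exe delete shadows /all /quiet
2026-01-14T03:15:02Z,FS01,CORP\\admin,cmd.exe,wevtutil.exe cl Security
2026-01-14T03:15:09Z,FS01,CORP\\admin,cmd.exe,taskkill /F /IM sqlservr.exe
2026-01-14T03:20:11Z,WS22,CORP\\jdoe,explorer.exe,notepad.exe C:\\Users\\jdoe\\notes.txt
2026-01-14T03:21:40Z,WS22,CORP\\jdoe,cmd.exe,wevtutil.exe qe Application /c:5
"""

if __name__ == "__main__":
    for host, labels in detect(SAMPLE_LOG).items():
        print(f"{host}: {sorted(labels) or 'no recovery-inhibition behaviour'}")
    print("alert:", hosts_with_recovery_inhibition(SAMPLE_LOG))
```

In a real deployment the same logic would run over Sysmon Event ID 1 or Windows Security 4688 records rather than the constructed CSV, and the per-host aggregation would be bounded by a time window so that a backup administrator's maintenance on Monday does not combine with an unrelated event on Friday.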
Evidence from incident response points to a connection with a broader ecosystem of cybercrime tools. Researchers identified SystemBC malware in attacks linked to The Gentlemen. This proxy tool, common in human-operated ransomware campaigns, establishes SOCKS5 tunnels for stealthy command-and-control communication and can deliver additional payloads directly into a system’s memory. Telemetry from a related C2 server showed infections on more than 1,570 systems worldwide, with a heavy concentration in the United States, United Kingdom, and Germany. This geographic footprint strongly indicates a deliberate targeting of enterprises rather than random consumer attacks.
(Source: Infosecurity Magazine)