The Gentlemen Ransomware Group Linked to Over 1,570 Corporate Victims via SystemBC Botnet

Threat actors associated with The Gentlemen ransomware-as-a-service operation have been linked to a command-and-control server controlling more than 1,570 compromised corporate networks worldwide. The discovery, made by researchers at Check Point, reveals the true scale of an operation that has already claimed over 320 victims on its public data leak site since the group emerged in July 2025. Victims span the United States, the United Kingdom, Germany, Australia, and Romania.

The group operates under a classic double-extortion model and employs a multi-platform encryptor written in Go, capable of targeting Windows, Linux, NAS, and BSD systems. During attacks, they abuse internet-facing services or compromised credentials to gain an initial foothold, then conduct discovery, lateral movement, and payload staging using tools such as Cobalt Strike, SystemBC proxy malware, and their custom encryptor. A notable aspect of their methodology is the abuse of Group Policy Objects to facilitate domain-wide compromise across victim environments.

Check Point found that an affiliate of The Gentlemen deployed SystemBC, a proxy malware that establishes SOCKS5 network tunnels within the victim environment and communicates with its C2 server using a custom RC4-encrypted protocol. The malware can also download and execute additional payloads, either written to disk or injected directly into memory. During lateral movement, the ransomware attempts to blind Windows Defender on each reachable host by deploying a PowerShell script that disables real-time monitoring, adds broad exclusions, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the encryptor. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery mechanisms.

The Gentlemen ransomware group is attributed to the criminal ecosystem rather than a nation-state actor. The group has demonstrated an acute awareness of its targets’ security environments, tailoring tactics against specific security vendors and engaging in in-depth reconnaissance and tool modification throughout operations. According to Eli Smadja of Check Point Research, the real scale of the operation is significantly larger than what is publicly known, and it is still growing.

This case illustrates how ransomware operations have evolved into disciplined, business-driven criminal enterprises. The Gentlemen have effectively solved the affiliate recruitment problem by offering terms superior to competitors in the criminal ecosystem. The abuse of legitimate tools such as Group Policy Objects and the systematic disabling of endpoint defences highlight the importance of robust monitoring, network segmentation, and regular security hygiene, particularly for organisations relying on legacy protocols such as SMB1.

Click here for the original article.