The Gentlemen Ransomware Expands With Rapid Affiliate Growth: What You Need to Know
The Gentlemen ransomware operation is making headlines as a rapidly expanding ransomware-as-a-service (RaaS) group that has already claimed more than 320 victims. According to researchers at Check Point, the bulk of these attacks occurred in early 2026, signaling a sharp escalation in its activity.
First identified in mid-2025, this group has gained significant traction among affiliates by promoting its services on underground forums and recruiting technically skilled partners. But what sets The Gentlemen apart? Its modular tooling and cross-platform payloads are designed specifically for enterprise environments, making it a formidable threat.
How The Gentlemen Ransomware Recruits Affiliates
The success of The Gentlemen ransomware hinges on its affiliate model. The operation provides partners with ransomware variants written in the Go programming language, which support Windows, Linux, NAS, and BSD systems. Additionally, a separate ESXi encryptor developed in C is available for virtualized environments.
Affiliates are drawn to the platform because of its robust toolkit. This includes built-in lateral movement capabilities, reuse of harvested domain credentials, and Group Policy-based deployment. Because a single policy change on a domain controller is applied by every domain-joined host at its next policy refresh, these features let attackers trigger near-simultaneous encryption across an entire domain with minimal effort.
Enterprise Impact: Multi-Platform Tooling in Action
In one observed case, attackers achieved domain controller access before deploying payloads across multiple systems. The activity included credential harvesting, remote execution via administrative shares (such as ADMIN$ and C$), and widespread reconnaissance. The attackers also disabled endpoint protections and used scheduled tasks, services, and registry changes to maintain persistence.
Key capabilities observed in The Gentlemen attacks include:
- Cross-platform encryption covering endpoints, servers, and virtualized environments
- Automated lateral movement using stolen domain credentials
- Group Policy deployment for rapid, domain-wide execution
- Defense evasion through disabling antivirus and firewall protections
Furthermore, the ransomware terminates processes linked to databases, backup tools, and virtual machines, releasing the file locks those processes hold so that open database and VM disk files can be encrypted. It also deletes volume shadow copies and clears event logs to hinder recovery and forensic analysis.
SystemBC Use Suggests Broader Intrusion Ecosystem
During incident response, Check Point researchers identified the use of SystemBC, a proxy malware commonly associated with human-operated ransomware campaigns. This tool enables covert communication via SOCKS5 tunnels and can deliver additional payloads directly into memory.
Telemetry from a related command-and-control (C2) server revealed more than 1,570 infected systems globally. The distribution, heavily concentrated in the US, UK, and Germany, suggests a focus on organizational targets rather than opportunistic consumer infections.
However, it remains unclear whether SystemBC is fully integrated into The Gentlemen ecosystem or simply used by certain affiliates. Its presence alongside tools such as Cobalt Strike suggests a modular attack chain that can adapt to defenses.
When SystemBC deployment was blocked, attackers shifted to alternative C2 channels and established persistence using remote desktop and remote access software. This adaptability underscores the group’s sophistication.
What This Means for Cybersecurity Teams
The combination of scalable affiliate recruitment, enterprise-focused tooling, and integration with established post-exploitation frameworks increases the threat level significantly. Cybersecurity teams should prioritize monitoring for lateral movement indicators (executables written to administrative shares, remote service creation) and Group Policy abuse (unexpected GPO creation or modification on domain controllers), and should treat shadow copy deletion, log clearing, and disabling of antivirus or firewall protections as high-priority signals that encryption may be imminent.
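To make those signals concrete, here is an added example (not code from Check Point or from the article) of a small detection correlator that applies the behaviours described on this page to Windows Security, System and Sysmon events. The event records, field names, rule names and the distinct-rule threshold are all assumptions constructed for the example; in a real deployment the records would come from a SIEM or EDR export, and the thresholds would be tuned against the environment's baseline.

```python
import re
from collections import defaultdict

# Constructed sample telemetry for this example (not real logs); field names
# loosely follow Windows Security / System / Sysmon events exported as JSON.
SAMPLE_EVENTS = [
    # GPO object modified on the domain controller (Security 5136)
    {"host": "DC01", "event_id": 5136, "object_class": "groupPolicyContainer",
     "subject": "CORP\\svc-backup"},
    # Shadow copy deletion on a workstation (Sysmon 1 / Security 4688 style)
    {"host": "WS-042", "event_id": 1,
     "command_line": "vssadmin.exe delete shadows /all /quiet",
     "subject": "CORP\\svc-backup"},
    # Executable written to ADMIN$ on a file server (Security 5145)
    {"host": "FS01", "event_id": 5145, "share_name": "\\\\*\\ADMIN$",
     "relative_target": "svchost_update.exe", "source_ip": "10.0.5.42",
     "subject": "CORP\\svc-backup"},
    # PsExec-style service install on the same server (System 7045)
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # Host firewall switched off (Sysmon 1)
    {"host": "WS-042", "event_id": 1,
     "command_line": "netsh advfirewall set allprofiles state off",
     "subject": "CORP\\svc-backup"},
    # Security log cleared (Security 1102)
    {"host": "WS-042", "event_id": 1102, "subject": "CORP\\svc-backup"},
    # Benign developer activity that must not fire
    {"host": "WS-007", "event_id": 1, "command_line": "git pull origin main",
     "subject": "CORP\\alice"},
    # Scheduled task whose action lives in a user-writable directory (Security 4698)
    {"host": "WS-007", "event_id": 4698, "task_name": "\\OneDriveSync",
     "task_command": "C:\\Users\\alice\\AppData\\Roaming\\sync.exe",
     "subject": "CORP\\alice"},
]

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
DEFENSE_EVASION = re.compile(
    r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
    r"|Set-MpPreference\s+-Disable\w+\s+\$?true"
    r"|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)
ADMIN_SHARE = re.compile(r"\\(ADMIN\$|[A-Z]\$)$", re.I)   # \\host\ADMIN$ or \\host\C$
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def classify(ev):
    """Return the set of detection rule names a single event matches."""
    hits = set()
    eid = ev.get("event_id")
    cmd = ev.get("command_line", "")
    if eid in (1, 4688):                      # process creation
        if SHADOW_DELETE.search(cmd):
            hits.add("shadow_copy_deletion")
        if DEFENSE_EVASION.search(cmd):
            hits.add("defense_evasion")
        if LOG_CLEAR.search(cmd):
            hits.add("log_clearing")
    if eid == 1102:                           # audit log cleared
        hits.add("log_clearing")
    if eid in (5136, 5137) and ev.get("object_class") == "groupPolicyContainer":
        hits.add("gpo_modification")          # GPO created or changed on a DC
    if eid == 5145 and ADMIN_SHARE.search(ev.get("share_name", "")) \
            and ev.get("relative_target", "").lower().endswith(EXEC_SUFFIXES):
        hits.add("admin_share_lateral_movement")
    if eid == 7045:                           # new service installed
        hits.add("service_persistence")
    if eid == 4698 and not ev.get("task_command", "").lower().startswith(TRUSTED_DIRS):
        hits.add("scheduled_task_persistence")
    return hits


def correlate(events, key="host", threshold=3):
    """Union rule hits per host (or per subject account when key="subject")
    and return (hits_per_key, sorted keys reaching the distinct-rule threshold)."""
    per_key = defaultdict(set)
    for ev in events:
        k = ev.get(key)
        if k is None:
            continue
        per_key[k] |= classify(ev)
    flagged = sorted(k for k, rules in per_key.items() if len(rules) >= threshold)
    return dict(per_key), flagged


if __name__ == "__main__":
    for key in ("host", "subject"):
        hits, flagged = correlate(SAMPLE_EVENTS, key=key)
        print(f"by {key}: flagged={flagged}")
        for k, rules in sorted(hits.items()):
            print(f"  {k}: {sorted(rules)}")
```

Correlating by subject account as well as by host is the point of the example: in the constructed data no single host other than WS-042 crosses the threshold, but the one account that touched the GPO on DC01, staged an executable on FS01's ADMIN$ share and deleted shadow copies on WS-042 is exactly the pattern of a domain-wide deployment described above, and it only becomes visible when hits are joined across machines.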
In conclusion, The Gentlemen ransomware represents a new wave of RaaS operations that pair broad affiliate recruitment with tooling built to compromise whole domains at once. Organizations must remain vigilant and invest in the detection and recovery controls that blunt exactly that model: visibility into lateral movement and Group Policy changes, protected backups that survive shadow copy deletion, and log forwarding that outlives local log clearing.