A ransomware-as-a-service (RaaS) operation calling itself ‘The Gentlemen’ has emerged as a significant threat to corporate networks worldwide. Active since around mid-2025, it has grown quickly into an established criminal enterprise, claiming more than 320 victims, 240 of them in early 2026 alone.
Unique Cross-Platform Capabilities
The Gentlemen stands out for maintaining lockers for several platforms rather than a single one: Go-based lockers that target Windows, Linux, NAS and BSD systems, and a C-based locker built specifically for VMware ESXi hypervisors. This lets affiliates encrypt both conventional hosts and virtualized infrastructure in a single intrusion, which is what makes the damage so widespread.
Operational Structure and Tactics
Run like a business, The Gentlemen recruits skilled affiliates through advertisements on underground forums. Affiliates receive tooling intended to bypass endpoint detection and response (EDR) products and use the group's private infrastructure to run their attacks. If the ransom is not paid, stolen data is published on a dark web leak site; negotiations are conducted over Tox, an encrypted messaging platform, and the group also uses social media to put pressure on victims.
Infection Strategy and Global Impact
Check Point Research identified the malware during an incident response engagement in which SystemBC, a proxy malware, had been deployed on a compromised system. Analysis of that SystemBC botnet revealed more than 1,570 victims globally, with the United States, United Kingdom and Germany the most affected. The intrusion chain involves obtaining domain admin privileges, deploying Cobalt Strike payloads and mapping the target environment.
The locker is then pushed across the domain with the stolen credentials and executed on multiple systems through PsExec, WMI and PowerShell. Before the payload runs, Windows Defender is disabled, and firewall settings and shadow copies are tampered with to hinder detection and prevent recovery.
Preventive Measures and Recommendations
Organizations are advised to enforce multi-factor authentication on all admin accounts and remote access points. Network segmentation limits how far an affiliate can spread once inside. Protecting Windows Defender and firewall settings from tampering (Defender's tamper protection feature exists for exactly this) is crucial, as is keeping offline or isolated backups so that deleted shadow copies do not mean lost data. Security teams should monitor for scheduled task creation, lateral movement via PsExec or WMI, and attempts to disable security features, and treat several of these on one host as a single incident rather than separate alerts.
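To make the monitoring advice concrete, the following is an added example (my code, not Check Point's or CSN's) that runs simple detection rules over a handful of constructed Windows event records covering the behaviours described above: a PsExec service install, a WMI-spawned shell, shadow copy deletion, Defender and firewall tampering, and scheduled task creation. The record shape and field names are assumptions; the event IDs are the standard Windows ones (Security 4688 and 4698, System 7045, Windows Defender 5001).

```python
"""Triage rules for the lateral-movement and tampering behaviours above.
Added example, not vendor or CSN code. The event dicts are CONSTRUCTED
samples in a simplified shape; real telemetry (Security log, Sysmon, EDR)
uses different field names, which is an assumption to adapt."""
import re

# Constructed sample events. Channel/event_id pairs follow the standard
# Windows logs: Security 4688 (process creation), Security 4698 (scheduled
# task created), System 7045 (service installed), Defender 5001 (real-time
# protection disabled). Host db01 shows the chain the article describes.
SAMPLE_EVENTS = [
    {"id": 1, "channel": "Security", "event_id": 4688, "host": "ws01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 2, "channel": "System", "event_id": 7045, "host": "fs01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 3, "channel": "Security", "event_id": 4688, "host": "db01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"id": 4, "channel": "Security", "event_id": 4688, "host": "db01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 5, "channel": "Security", "event_id": 4688, "host": "db01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 6, "channel": "Security", "event_id": 4688, "host": "db01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"id": 7, "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "host": "db01"},
    {"id": 8, "channel": "Security", "event_id": 4698, "host": "db01",
     "task_name": r"\Microsoft\Windows\Update\svc",
     "task_content": "<Exec><Command>C:\\ProgramData\\locker.exe</Command></Exec>"},
    {"id": 9, "channel": "Security", "event_id": 4688, "host": "ws01",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def _cmd(ev):
    """Lower-cased command line, empty when the event carries none."""
    return (ev.get("cmdline") or "").lower()


# (tag, predicate) pairs; each tag names one behaviour from the article.
RULES = [
    ("psexec_service_install",
     lambda ev: ev["event_id"] == 7045
     and ev.get("service_name", "").upper() == "PSEXESVC"),
    ("wmi_remote_exec",          # WmiPrvSE.exe spawning a shell = remote WMI exec
     lambda ev: ev["event_id"] == 4688
     and ev.get("parent", "").lower().endswith("\\wmiprvse.exe")
     and ev.get("image", "").lower().endswith(("\\cmd.exe", "\\powershell.exe"))),
    ("shadow_copy_deletion",
     lambda ev: ev["event_id"] == 4688
     and re.search(r"vssadmin.*delete.*shadows", _cmd(ev)) is not None),
    ("defender_disable_cmd",
     lambda ev: ev["event_id"] == 4688
     and "set-mppreference" in _cmd(ev) and "-disable" in _cmd(ev)),
    ("firewall_disable",
     lambda ev: ev["event_id"] == 4688
     and re.search(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", _cmd(ev)) is not None),
    ("defender_rtp_off_event",   # Defender's own log says real-time protection went off
     lambda ev: ev["event_id"] == 5001 and "defender" in ev.get("channel", "").lower()),
    ("scheduled_task_created",
     lambda ev: ev["event_id"] == 4698),
]


def triage(events):
    """Return (event id, tag) for every rule that matches an event."""
    return [(ev["id"], tag) for ev in events for tag, pred in RULES if pred(ev)]


def hosts_with_chain(events, min_tags=3):
    """Hosts on which at least `min_tags` distinct behaviours fired.
    One vssadmin or netsh call can be legitimate; Defender off, firewall off,
    shadows deleted and a new task on the same host is the pre-encryption
    sequence the article describes and deserves an incident, not an alert."""
    by_id = {ev["id"]: ev for ev in events}
    per_host = {}
    for ev_id, tag in triage(events):
        per_host.setdefault(by_id[ev_id]["host"], set()).add(tag)
    return sorted(h for h, tags in per_host.items() if len(tags) >= min_tags)


if __name__ == "__main__":
    for ev_id, tag in triage(SAMPLE_EVENTS):
        print(f"event {ev_id}: {tag}")
    print("hosts with chained tampering:", hosts_with_chain(SAMPLE_EVENTS))
```

The 4688 rules only work if process creation auditing with command-line logging is enabled (or Sysmon/EDR supplies the equivalent); if they never fire in your environment, verify that setting before assuming nothing happened. Correlating distinct behaviours per host, as hosts_with_chain does, is what keeps a single legitimate vssadmin or netsh invocation from paging anyone while still catching the chain.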
