The Gentlemen ransomware group claimed 73 victims in April, making it the second most active ransomware operation for the month. This swift ascent, tracked by firms including NCC Group, rests on a mature ransomware-as-a-service (RaaS) program, aggressive affiliate recruitment, and the deployment of advanced tooling. RaaS ecosystems have matured to the point where a new entrant can scale within months and pose an immediate, significant threat.

What Happened

The Gentlemen ransomware group went from emerging threat to major player in roughly a year and now ranks as the second most prolific RaaS operation by claimed victims. In April the group accounted for 10% of all victim listings, with 73 unique organizations posted to its leak site, according to BleepingComputer, which also reports that the group claims 231 successful attacks since its inception. Check Point puts the figure higher, with the group claiming over 320 victims, 240 of them in the early months of 2026. Neither total has been confirmed by affected organizations; leak-site listings reflect the group's own claims, not verified compromises.

Their operational success stems from a RaaS program that hands a growing network of affiliates advanced capabilities: custom antivirus evasion tools, encrypted exfiltration channels, and Group Policy Object (GPO) manipulation for payload deployment and persistence. At least one affiliate has been observed deploying SystemBC, a multi-platform malware family and remote access trojan (RAT), SecurityWeek reports. SystemBC turns infected machines into SOCKS5 proxies, so the command-and-control (C2) and exfiltration traffic defenders see originates from other compromised hosts rather than from attacker infrastructure, which complicates C2 tracing and attribution. The rapid growth, coupled with shared tooling and repeatable attack methods, indicates a substantial increase in the scale and maturity of the ransomware ecosystem, as NCC Group researchers note.

Why It Matters

The Gentlemen's rapid ascent demonstrates the threat posed by an efficient ransomware-as-a-service program. When a group can onboard affiliates and equip them with tools like SystemBC and custom AV evasion, the potential for widespread damage scales with the affiliate base rather than with the core team's own capacity. This is an ecosystem built on shared tools and consistent methodology, which raises the overall risk considerably. Attribution becomes a real challenge when attackers route traffic through SOCKS5 proxies running on other victims' machines, complicating both incident response and intelligence gathering.

Organizations like BlackFog, GuidePoint Security, BlackPoint Cyber, Cybereason, and AttackIQ have all investigated this RaaS actor, SecurityWeek states, underscoring the broad impact and concern within the security community. The ease with which affiliates can access advanced capabilities lowers the bar for entry into ransomware operations, meaning more frequent and potentially more damaging attacks. This trend shifts the focus from individual vulnerability exploits to a broader defense against a well-oiled, distributed attack machine.

Affected Scope & Remediation

The Gentlemen's attacks leverage common network misconfigurations, unpatched systems, and weak credential hygiene. Organizations are primarily exposed through typical initial access vectors, followed by the group's GPO manipulation and tooling once inside. Perimeter hygiene is necessary but not sufficient. Deploy endpoint detection and response (EDR) solutions, such as CrowdStrike Falcon or SentinelOne, configured to detect and block mass file encryption, GPO changes, and unusual process behavior, not just known malware signatures.

Patch systems proactively, especially those facing the internet. Implement network segmentation to contain lateral movement. Regularly audit and enforce least privilege across all accounts, particularly domain administrators and anyone with write access to Group Policy, since those rights are what GPO manipulation depends on. Deploy multi-factor authentication (MFA) everywhere possible, and specifically on remote access and critical systems. Because the group advertises encrypted exfiltration, payload inspection will not catch the data leaving; monitor outbound traffic for anomalies in volume, destination, and timing instead. Your team should prioritize IR-4 Incident Handling readiness (NIST SP 800-53) and run regular tabletop exercises for ransomware scenarios.

Backup and recovery strategies are your last line of defense. Ensure critical data is backed up offsite and offline, following the 3-2-1 rule. Solutions like Veeam or Acronis can help manage these backups, but recovery testing is what matters. Attackers want to inhibit system recovery, so verify that backups are immutable and isolated from the production network, and that a domain administrator account alone cannot delete them. Continuously monitor for unauthorized changes to Group Policy and enforce CM-6 Configuration Settings (NIST SP 800-53) to block unapproved policy deployment. The goal is hardening the entire attack surface, not any single control.
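The GPO monitoring recommended above, as an added example that is not part of the original article and not tooling from any vendor or from the group described: it audits Windows Security events 5136 (directory service object modified), 5137 (created) and 5141 (deleted) for Group Policy changes, flagging actors outside an approved list and bursts of changes by one account, which is what a mass payload push through GPO looks like. The event records, the approved-admin list, the burst threshold and the GPO GUIDs other than the Default Domain Policy's are all constructed assumptions for the example.

```python
"""Audit Group Policy changes from Windows Security event records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

GPO_CLASS = "groupPolicyContainer"
# A change to any of these means the policy content or its version changed.
GPO_CONTENT_ATTRS = {"versionNumber", "gPCMachineExtensionNames",
                     "gPCUserExtensionNames", "gPCFileSysPath"}
# gPLink/gPOptions live on the OU, domain or site object the GPO is linked to.
LINK_ATTRS = {"gPLink", "gPOptions"}
APPROVED_GPO_ADMINS = {"gpo-admin-svc", "alice.ops"}   # assumption: from change control
BURST_WINDOW = timedelta(minutes=10)                   # assumption: tune per environment
BURST_THRESHOLD = 3                                     # assumption


def classify(event):
    """Map one event record to a GPO change kind, or None if unrelated."""
    eid = event["EventID"]
    cls = event.get("ObjectClass", "")
    attr = event.get("AttributeLDAPDisplayName", "")
    if eid == 5137 and cls == GPO_CLASS:
        return "gpo_created"
    if eid == 5141 and cls == GPO_CLASS:
        return "gpo_deleted"
    if eid == 5136 and cls == GPO_CLASS and attr in GPO_CONTENT_ATTRS:
        return "gpo_modified"
    if eid == 5136 and attr in LINK_ATTRS:
        return "gpo_linked"
    return None


def audit_gpo_events(events):
    """One finding per GPO-related event, in time order. Severity is 'high' when
    the actor is not an approved GPO admin or has made BURST_THRESHOLD or more
    GPO changes inside BURST_WINDOW; otherwise 'info'."""
    findings = []
    per_actor = defaultdict(list)
    minutes = int(BURST_WINDOW.total_seconds() // 60)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        kind = classify(ev)
        if kind is None:
            continue
        actor, ts = ev["SubjectUserName"], ev["TimeCreated"]
        reasons = []
        if actor not in APPROVED_GPO_ADMINS:
            reasons.append("actor not in approved GPO admins")
        per_actor[actor].append(ts)
        recent = [t for t in per_actor[actor] if ts - t <= BURST_WINDOW]
        if len(recent) >= BURST_THRESHOLD:
            reasons.append(f"{len(recent)} GPO changes within {minutes} min")
        findings.append({
            "time": ts.isoformat(), "actor": actor, "kind": kind,
            "object": ev["ObjectDN"],
            "attribute": ev.get("AttributeLDAPDisplayName", ""),
            "severity": "high" if reasons else "info", "reasons": reasons,
        })
    return findings


# Constructed sample events (not real log data). GUIDs other than the Default
# Domain Policy's {31B2F340-...} are placeholders.
T0 = datetime(2026, 4, 14, 2, 10)
POLICIES = "CN=Policies,CN=System,DC=corp,DC=example"
NEW_GPO = "CN={C0FFEE00-0000-4000-8000-000000000001}," + POLICIES
SAMPLE_EVENTS = [
    # Approved admin bumps the Default Domain Policy version: routine.
    {"EventID": 5136, "TimeCreated": T0, "SubjectUserName": "alice.ops",
     "ObjectClass": GPO_CLASS, "AttributeLDAPDisplayName": "versionNumber",
     "AttributeValue": "42",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9}," + POLICIES},
    # Unrelated logon event: ignored.
    {"EventID": 4624, "TimeCreated": T0 + timedelta(minutes=1),
     "SubjectUserName": "svc-backup", "ObjectDN": ""},
    # A backup service account creates a new GPO ...
    {"EventID": 5137, "TimeCreated": T0 + timedelta(minutes=2),
     "SubjectUserName": "svc-backup", "ObjectClass": GPO_CLASS, "ObjectDN": NEW_GPO},
    # ... registers a client-side extension on it (placeholder GUID pair) ...
    {"EventID": 5136, "TimeCreated": T0 + timedelta(minutes=3),
     "SubjectUserName": "svc-backup", "ObjectClass": GPO_CLASS,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{00000000-0000-0000-0000-000000000000}"
                       "{11111111-1111-1111-1111-111111111111}]",
     "ObjectDN": NEW_GPO},
    # ... and links it to the workstation OU: third GPO change in four minutes.
    {"EventID": 5136, "TimeCreated": T0 + timedelta(minutes=4),
     "SubjectUserName": "svc-backup", "ObjectClass": "organizationalUnit",
     "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": "[LDAP://" + NEW_GPO + ";0]",
     "ObjectDN": "OU=Workstations,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in audit_gpo_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["actor"], f["kind"], f["object"], f["reasons"])
```

Two caveats when wiring this to real data: events 5136/5137/5141 are only generated when the "Audit Directory Service Changes" subcategory is enabled and a SACL exists on the Policies container and the OUs you care about, and the events cover the Active Directory side only. The scripts, scheduled-task XML and installers a GPO actually delivers live in SYSVOL, so pair this with file auditing or integrity monitoring of the SYSVOL share.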

Source: bleepingcomputer.com

Technical Breakdown

The Gentlemen operates as a classic ransomware-as-a-service, providing affiliates with a fully developed ransomware payload, exfiltration tools, and C2 infrastructure. Affiliates handle initial compromise, typically through phishing or exploitation of public-facing applications. Once inside, they deploy custom antivirus evasion tools to disable endpoint protection and use stolen credentials (T1078 Valid Accounts) to reach domain administrator rights. With those rights, GPO manipulation lets them push the ransomware payload or establish persistence via T1053 Scheduled Task/Job to every domain-joined host at once, which is why a single GPO change can precede domain-wide encryption.

A key component observed is SystemBC, a remote access trojan (RAT) delivered via T1105 Ingress Tool Transfer. SystemBC's primary function is to turn infected machines into SOCKS5 proxies. The attacker's C2 traffic is routed through compromised hosts that look unrelated to the operation (T1090.003 Multi-hop Proxy), so the true origin and destination of T1041 Exfiltration Over C2 Channel traffic and of subsequent ransomware commands are hard to pin down. This obfuscation hinders attribution and lets the attacker keep remote access to the environment without the C2 address ever appearing in the victim's logs.

The use of proxies, combined with the encrypted exfiltration the group advertises, demonstrates a well-architected attack chain. For defense, consider the SI-3 Malicious Code Protection control (NIST SP 800-53). Your antivirus and EDR should detect not only known malware but also the behaviors that signal proxy deployment: a workstation that starts accepting inbound connections and relaying them outward, or internal hosts speaking SOCKS5 to each other (T1090 Proxy) where no sanctioned proxy exists.
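The network-side check described in the two paragraphs above, as an added example that is not part of the original article and is not code from SystemBC, the group described, or any vendor: a parser for the RFC 1928 SOCKS5 greeting, method-selection reply and CONNECT/BIND request, run over reassembled TCP flows to find hosts that complete a SOCKS5 handshake. The Flow record format and the sample flows are constructed for the example; a real deployment would fill them from Zeek or Suricata stream data or a packet capture. It generalizes past the article's case by decoding all three address types and by treating a sanctioned proxy list as the baseline.

```python
"""Flag hosts that complete a SOCKS5 handshake in reassembled TCP flows (added example)."""
import ipaddress
from dataclasses import dataclass

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Flow:
    """Constructed flow record: first payload bytes in each direction, in order."""
    src: str
    dst: str
    dport: int
    client_stream: bytes  # client -> server
    server_stream: bytes  # server -> client


def parse_greeting(stream: bytes) -> int:
    """RFC 1928 client greeting: VER=5, NMETHODS, METHODS[NMETHODS].
    Returns the number of bytes the greeting occupies, or 0 if it is absent."""
    if len(stream) < 3 or stream[0] != SOCKS_VERSION:
        return 0
    nmethods = stream[1]
    if nmethods == 0 or len(stream) < 2 + nmethods:
        return 0
    return 2 + nmethods


def parse_request(stream: bytes):
    """RFC 1928 request: VER CMD RSV ATYP DST.ADDR DST.PORT; application data may
    follow. Returns (command, host, port) or None if the bytes are not a request."""
    if len(stream) < 4 or stream[0] != SOCKS_VERSION or stream[2] != 0x00:
        return None
    cmd = CMD_NAMES.get(stream[1])
    atyp = stream[3]
    host = None
    if atyp == ATYP_IPV4:
        addr_end = 8
        if len(stream) >= addr_end + 2:
            host = str(ipaddress.IPv4Address(stream[4:8]))
    elif atyp == ATYP_DOMAIN and len(stream) >= 5:
        addr_end = 5 + stream[4]          # one length byte, then the name
        if len(stream) >= addr_end + 2:
            host = stream[5:addr_end].decode("ascii", "replace")
    elif atyp == ATYP_IPV6:
        addr_end = 20
        if len(stream) >= addr_end + 2:
            host = str(ipaddress.IPv6Address(stream[4:20]))
    else:
        return None
    if cmd is None or host is None:
        return None
    port = int.from_bytes(stream[addr_end:addr_end + 2], "big")
    return cmd, host, port


def server_accepted(stream: bytes) -> bool:
    """Method-selection reply VER=5 METHOD; 0xFF means the server refused."""
    return len(stream) >= 2 and stream[0] == SOCKS_VERSION and stream[1] != 0xFF


def detect_socks5_proxies(flows, allowed_proxies):
    """Findings for flows in which dst answered a SOCKS5 greeting and is not a
    sanctioned proxy. A private-range dst doing this is the SystemBC pattern:
    an internal machine relaying someone else's traffic."""
    findings = []
    for f in flows:
        used = parse_greeting(f.client_stream)
        if not used or not server_accepted(f.server_stream):
            continue                       # not SOCKS5, or the server refused
        if (f.dst, f.dport) in allowed_proxies:
            continue                       # approved corporate proxy
        req = parse_request(f.client_stream[used:])
        findings.append({
            "src": f.src, "dst": f.dst, "dport": f.dport,
            "severity": "high" if ipaddress.ip_address(f.dst).is_private else "medium",
            "target": f"{req[0]} {req[1]}:{req[2]}" if req else "no request seen",
        })
    return findings


ALLOWED_PROXIES = {("10.0.1.5", 1080)}      # assumption: the sanctioned proxy
SAMPLE_FLOWS = [                            # constructed, not captured traffic
    # Workstation-to-workstation on 4443: full handshake, CONNECT to an external IP.
    Flow("10.0.5.23", "10.0.5.77", 4443,
         b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([203, 0, 113, 10]) + (443).to_bytes(2, "big"),
         b"\x05\x00" + b"\x05\x00\x00\x01" + bytes(4) + b"\x00\x00"),
    # Sanctioned proxy with username/password auth: expected, no finding.
    Flow("10.0.5.23", "10.0.1.5", 1080, b"\x05\x02\x00\x02", b"\x05\x02"),
    # Plain HTTP on the same odd port: not SOCKS5.
    Flow("10.0.5.23", "10.0.5.77", 4443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    # Another internal host accepting a CONNECT by domain name on 9050.
    Flow("10.0.9.8", "10.0.9.30", 9050,
         b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + (8443).to_bytes(2, "big"),
         b"\x05\x00"),
    # Greeting refused by the server (0xFF): nothing relayed, ignored.
    Flow("10.0.5.40", "10.0.5.41", 1080, b"\x05\x01\x00", b"\x05\xff"),
]

if __name__ == "__main__":
    for finding in detect_socks5_proxies(SAMPLE_FLOWS, ALLOWED_PROXIES):
        print(finding)
```

This catches the visible half of the pattern, the proxy listener on the compromised host. SystemBC's own link back to the attacker is encrypted and does not look like SOCKS5 on the wire, so this check belongs alongside, not instead of, EDR detection of an unexpected process opening a listening socket and relaying connections.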

Historical Context

The Gentlemen's rapid ascent and sophisticated RaaS model echo the operational prowess of groups like LockBit, which dominated the ransomware landscape for several years until a major law enforcement takedown in early 2024. LockBit also operated a highly successful RaaS program, attracting numerous affiliates by offering an effective platform, advanced tools, and a generous revenue share. Both groups relied heavily on a distributed network of attackers to maximize their reach and impact.

Similar to LockBit, The Gentlemen prioritize speed and volume, demonstrating the effectiveness of industrializing ransomware. The difference is The Gentlemen's use of SystemBC to build proxy networks for C2 and exfiltration, which adds a layer of obfuscation that older, larger RaaS groups did not consistently employ. LockBit was certainly adept at avoiding detection, but proxy-based C2 infrastructure from the outset points to a design choice aimed at operational security and at making the operation harder to trace. High attack volume is the shared trait; the specific evasion architecture is what sets the two apart.

Data at a Glance

Metric                                      Value               Source
Victims claimed (April)                     73 organizations    BleepingComputer
Victims claimed (cumulative)                231 organizations   BleepingComputer
Victims claimed (cumulative)                320+ organizations  Check Point
Share of all victim listings (April)        10%                 BleepingComputer
Time from emergence to second most active   about 1 year        SecurityWeek
[Chart: key metrics for The Gentlemen's rise to second most active; data from the sources cited above]

Our Take

We're seeing a clear trajectory in ransomware operations: specialized, distributed, and operationally security-conscious. The Gentlemen epitomize this by baking evasion and C2 obfuscation, like SystemBC proxies, directly into their RaaS offering. It is an optimized business model for cybercrime that lets less sophisticated affiliates execute high-impact attacks. Relying solely on signature-based detection or reactive patching won't cut it. Your focus needs to be on proactive threat hunting, behavioral anomaly detection, and hardening against lateral movement and privilege escalation, because the initial vector is rarely a zero-day.

The CVEDaily Take

The Gentlemen's rapid rise shows RaaS maturity is reducing friction for new attackers. This isn't a group exploiting novel vulnerabilities, but rather expertly weaponizing common attack paths with sophisticated C2. We need to shift our defensive posture to account for highly obfuscated, distributed operations.

Beyond standard perimeter defenses, how frequently are you auditing internal network traffic for unusual proxy usage or unauthorized Group Policy modifications?

FAQ

Q: What is The Gentlemen ransomware group?
A: The Gentlemen is a ransomware-as-a-service (RaaS) operation that has quickly become the second most active ransomware group based on their claims. They provide affiliates with ransomware payloads, custom tools like antivirus evasion, and a sophisticated infrastructure, including the SystemBC malware for C2 obfuscation.

Q: What makes The Gentlemen unique or particularly effective?
A: Their effectiveness comes from a mature RaaS program that quickly recruits affiliates and equips them with advanced, repeatable attack methods. The integration of SystemBC to build SOCKS5 proxy networks for command-and-control traffic and for the encrypted exfiltration the group advertises significantly hinders attribution and makes their operations harder to detect and trace.

Q: How can organizations defend against The Gentlemen's tactics?
A: Defending against The Gentlemen requires a multi-layered approach: strong EDR solutions (SentinelOne, CrowdStrike Falcon) to detect behavioral anomalies, network segmentation, proactive patching, strict least privilege enforcement, MFA across all services, and continuous monitoring of GPO settings and internal network traffic for suspicious proxy activity. Immutable, offline backups (Veeam, Acronis) are also critical for recovery.