The Gentlemen & SystemBC: Inside a Fast-Growing Ransomware Operation Built for Enterprise-Scale Intrusions

By Ash K

The Gentlemen is not yet as famous as some of the older ransomware brands, but that may not last long. According to Check Point Research, the ransomware-as-a-service operation has rapidly expanded its footprint, publicly claiming more than 320 victims, with roughly 240 of those attacks surfacing in the first months of 2026 alone. That kind of acceleration usually means one thing: the affiliate model is working, and it is attracting operators who know how to move fast inside enterprise networks.

What makes the new Check Point DFIR report especially useful is that it does not stop at branding, leak-site drama, or victim counts. It shows how one affiliate actually operated inside a compromised environment, what tools were staged, how access was maintained, and how ransomware deployment was turned into a controlled, domain-wide event. It also adds a more unsettling layer: the affiliate attempted to use SystemBC, and telemetry from the linked command-and-control infrastructure pointed to a much wider victim set of more than 1,570 systems globally. Credit for the underlying research belongs to Check Point Research.

A RaaS Program Growing Fast

Check Point describes The Gentlemen as a relatively new ransomware service that emerged around mid-2025. Its operators advertise on underground forums, recruit technically capable affiliates, and offer a broad locker portfolio covering Windows, Linux, NAS, BSD, and ESXi. The cross-platform design matters because it aligns closely with how modern organizations actually run infrastructure. A threat actor no longer needs separate playbooks for every environment if the ransomware service already gives them one.

That flexibility is one reason the group looks more serious than a short-lived copycat. The report says the main locker family is written in Go for multiple operating systems, while the ESXi encryptor is written in C. The operators also advertise extras for trusted partners, including EDR-killing tools and multi-chain pivot infrastructure. In other words, this is not just an encryptor being rented out. It is a broader intrusion toolkit wrapped in a ransomware business model. Credit: Check Point Research.

Why SystemBC Matters in This Case

The report’s most interesting detail may be the attempted use of SystemBC. Long associated with human-operated ransomware workflows, SystemBC is not the headline-grabbing final payload. It is the kind of quiet enabler operators like because it creates SOCKS5 tunnels, supports covert communication, and can deliver or run follow-on malware. It is the kind of tool that helps attackers stay flexible after initial access and before the final detonation.

In this specific case, the affiliate staged a SystemBC variant named socks.exe, which attempted to communicate with 45.86.230[.]112. Endpoint controls blocked that stage, but the important takeaway is not that one attempt failed. It is that the attacker adapted immediately, shifting to alternative command-and-control infrastructure and continuing the intrusion. Check Point says it could not determine whether SystemBC is formally integrated into The Gentlemen ecosystem or simply used by this affiliate as part of a familiar post-exploitation toolkit. That uncertainty is itself telling. Mature ransomware intrusions are increasingly modular, with affiliates mixing and matching components as needed. Credit: Check Point Research.

A Wider SystemBC Footprint Than the Single Incident Suggests

Check Point’s telemetry goes beyond the one victim environment. The researchers say the SystemBC server involved in the case was linked to more than 1,570 victims globally, with the highest concentrations in the United States, followed by the United Kingdom and Germany. The report notes that the infection profile strongly suggests organizational targeting rather than broad consumer opportunism.

That point deserves attention. When you see proxy malware like SystemBC tied to a large, globally distributed botnet with a likely enterprise skew, you are not looking at random commodity noise. You are looking at infrastructure that can support repeated human-led intrusions, internal pivoting, and follow-on operations at scale. That gives the Gentlemen case a broader meaning. It is not only about one affiliate or one ransomware family. It is a glimpse into a reusable attack ecosystem.

What the Intrusion Looked Like

Check Point says the precise initial access vector could not be conclusively established, but the earliest confirmed stage of the intrusion placed the attacker on a Domain Controller with Domain Admin-level privileges. That is already a dangerous starting point. From there, the operator validated credentials, tested host accessibility, and began expanding outward in a measured way.

The report shows a familiar but effective chain: remote execution through administrative shares and RPC, deployment of Cobalt Strike payloads, reconnaissance commands such as systeminfo and whoami, and use of environment-specific internal documentation. This was not blind automation. The operator appeared to combine standardized tooling with knowledge of the victim environment, which usually makes the intrusion harder to disrupt and easier to scale across many systems.

Once execution spread, the attack moved into a more aggressive phase. PowerShell was used to download the ransomware payload from an internal staging server on the Domain Controller and execute it with a hardcoded password and built-in propagation credentials. That transition matters because it shows the line between staging and detonation had already narrowed. The operator was not just preparing for impact. They were actively laying down the logic for wide internal spread. Credit: Check Point Research.

Adaptation After Security Controls Interfered

One of the clearest signals of operator maturity in this case is how quickly the affiliate adapted when one access method was blocked. After the SystemBC attempt was stopped, the attacker still achieved outbound command-and-control through another path. Check Point observed rundll32.exe communicating with a Cobalt Strike server at 91.107.247[.]163 over ports 443 and later 80, indicating that alternative infrastructure was already available or rapidly introduced.

This kind of redundancy is what makes modern ransomware incidents so difficult to contain once the operator has deep internal access. Blocking one tunnel or one payload does not necessarily remove the adversary. It just forces them to use the next lane they already prepared.
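The two outbound channels described above, SystemBC's socks.exe and the later rundll32.exe beacon, share a detection surface: a process that should not be talking to the internet opening a connection to an address outside the network. The script below is an added example written for this article, not Check Point's tooling or part of the report. It reads Sysmon Event ID 3 (NetworkConnect) records in JSON-lines form and flags (a) destinations matching the two indicators published in the write-up, kept in their defanged form and refanged at load time, and (b) external connections initiated by living-off-the-land binaries such as rundll32.exe. The sample records, hostnames and the non-indicator addresses are constructed.

```python
"""Flag outbound connections that fit the C2 pattern described above.

Input is constructed Sysmon Event ID 3 (NetworkConnect) records in JSON-lines
form; the field names follow Sysmon's schema, the values are made up.
"""
import ipaddress
import json

# Indicators as published in the write-up, kept in defanged form.
DEFANGED_IOCS = {
    "45.86.230[.]112": "SystemBC (socks.exe) C2",
    "91.107.247[.]163": "Cobalt Strike C2",
}

# Signed Windows binaries that rarely need direct outbound connectivity and are
# commonly used as loaders for beacon payloads.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msbuild.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged '1.2.3[.]4' indicator back into a matchable address."""
    return indicator.replace("[.]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


def is_external(ip: str) -> bool:
    """True for routable addresses; RFC1918, loopback and link-local count as internal."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def analyze(event: dict) -> list:
    """Return the reasons one NetworkConnect event is suspicious (empty list if none)."""
    if not event.get("Initiated", True):  # inbound connections are out of scope here
        return []
    reasons = []
    dst = event["DestinationIp"]
    if dst in IOCS:
        reasons.append(f"destination matches known indicator: {IOCS[dst]}")
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image in LOLBINS and is_external(dst):
        reasons.append(f"{image} initiated an external connection to port {event['DestinationPort']}")
    return reasons


def scan(jsonl: str) -> list:
    """Parse JSON-lines Sysmon events; return (host, image, 'dst:port', reasons) per alert."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = analyze(ev)
        if reasons:
            alerts.append((ev["Computer"], ev["Image"],
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}", reasons))
    return alerts


# Constructed sample telemetry. Hostnames are invented; 10.20.0.5 is an internal
# address and 8.8.8.8 stands in for ordinary browser traffic to a public host.
SAMPLE_EVENTS = """\
{"Computer": "DC01", "Image": "C:\\\\Windows\\\\Temp\\\\socks.exe", "DestinationIp": "45.86.230.112", "DestinationPort": 443, "Initiated": true}
{"Computer": "WS-FIN-07", "Image": "C:\\\\Windows\\\\System32\\\\rundll32.exe", "DestinationIp": "91.107.247.163", "DestinationPort": 443, "Initiated": true}
{"Computer": "WS-FIN-07", "Image": "C:\\\\Windows\\\\System32\\\\rundll32.exe", "DestinationIp": "10.20.0.5", "DestinationPort": 445, "Initiated": true}
{"Computer": "WS-FIN-07", "Image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", "DestinationIp": "8.8.8.8", "DestinationPort": 443, "Initiated": true}
"""

if __name__ == "__main__":
    for host, image, dst, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {dst}: {'; '.join(reasons)}")
```

The second rule is the one that survives infrastructure changes: when the affiliate moved from the SystemBC server to the Cobalt Strike server, the indicator list went stale but rundll32.exe reaching a public address over 443 did not. The internal rundll32.exe connection to port 445 is deliberately left alone, since that is normal administrative traffic in many estates.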

Persistence, Defense Evasion, and Practical Control

The report reads like a checklist of what a ransomware affiliate wants before encryption begins. Windows Defender real-time monitoring was disabled. The same payload was pushed under multiple filenames across the environment. Remote Desktop was enabled. AnyDesk was installed and configured with a preset password. Credential material, including Mimikatz-recovered secrets, was harvested. Domain trust relationships and privileged groups were enumerated.

None of those steps is flashy on its own. Together, they tell a more important story. The operator was building durable access, not just rushing to encrypt. If one path failed, another remained. If the affiliate needed to come back later, remote access channels were ready. If incident responders started cleaning up one host, domain knowledge and multiple access mechanisms increased the odds that the operator could stay in control somewhere else.

Group Policy as the Detonation Mechanism

The final impact stage is one of the more striking technical details in Check Point’s write-up. The Gentlemen payload was distributed through Group Policy, with the ransomware binary configured to execute on domain-joined systems during policy refresh. That kind of deployment turns Active Directory itself into the attacker’s distribution channel.

There is a reason this matters so much in enterprise incidents. Group Policy is trusted. It is central. It is designed to push coordinated changes quickly and broadly. When attackers have enough control to weaponize GPO, encryption can become near-simultaneous across the environment. At that point, the incident is no longer a scattered infection problem. It becomes centrally orchestrated business disruption.
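The persistence and defense-evasion steps listed in the previous section and the Group Policy deployment described here each leave a distinct Windows event behind, and the useful signal is their co-occurrence on one host inside a short window. The following correlation script is an added example for this article, not code from Check Point or the report. The event IDs it keys on are real (Windows Defender Operational 5001 for real-time protection disabled; Sysmon 13 for the fDenyTSConnections registry change, Sysmon 1 for process creation, Sysmon 11 for file creation; Security 5136 for a modified groupPolicyContainer object). The AnyDesk --install and --set-password switches are assumed from AnyDesk's command-line interface; the hostnames, the corp.example domain, the GPO GUID placeholder and all timestamps are constructed.

```python
"""Correlate pre-encryption staging steps per host: Defender disabled, RDP
enabled, remote-access tool installed, payload written to SYSVOL, GPO modified.

Events are constructed, simplified records in the shape of Windows Security,
Windows Defender and Sysmon events; only the fields used here are included.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SYSVOL locations a GPO uses to run a file on clients at refresh/startup time.
SYSVOL_DEPLOY_PATHS = ("\\scripts\\", "\\machine\\preferences\\scheduledtasks\\")
PAYLOAD_EXTS = (".exe", ".bat", ".ps1", ".dll")


def classify(ev: dict):
    """Map one event to a staging stage name, or None if it is not of interest."""
    src, eid = ev["Channel"], ev["EventID"]
    # Defender Operational 5001: real-time protection was disabled.
    if src == "Microsoft-Windows-Windows Defender/Operational" and eid == 5001:
        return "defender_realtime_disabled"
    if src == "Microsoft-Windows-Sysmon/Operational":
        if (eid == 13
                and ev["TargetObject"].lower().endswith("\\terminal server\\fdenytsconnections")
                and ev["Details"] == "DWORD (0x00000000)"):
            return "rdp_enabled"
        if eid == 1:
            image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            cmd = ev.get("CommandLine", "").lower()
            # AnyDesk install / preset-password switches (assumed, see lead-in)
            if image == "anydesk.exe" and ("--install" in cmd or "--set-password" in cmd):
                return "remote_access_tool_installed"
        if eid == 11:
            target = ev["TargetFilename"].lower()
            if ("\\sysvol\\" in target and any(p in target for p in SYSVOL_DEPLOY_PATHS)
                    and target.endswith(PAYLOAD_EXTS)):
                return "gpo_payload_staged_in_sysvol"
    # Security 5136 on a DC: a GPO object changed (e.g. versionNumber bump that
    # makes clients apply it at the next refresh).
    if src == "Security" and eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
        return "gpo_modified"
    return None


def correlate(events: list, window_minutes: int = 120, min_stages: int = 2) -> dict:
    """Return {host: sorted stage names} for hosts showing >= min_stages distinct
    stages inside any window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["TimeCreated"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()  # largest distinct-stage set found in any window anchored on a hit
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample events (hostnames, domain, GUID placeholder and times invented).
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-02-03T02:10:00", "Computer": "DC01",
     "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
    {"TimeCreated": "2026-02-03T02:14:30", "Computer": "DC01",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "TargetFilename": "C:\\Windows\\SYSVOL\\sysvol\\corp.example\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Scripts\\Startup\\update.exe"},
    {"TimeCreated": "2026-02-03T02:16:05", "Computer": "DC01", "Channel": "Security",
     "EventID": 5136, "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber"},
    {"TimeCreated": "2026-02-03T01:40:00", "Computer": "WS-FIN-07",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"TimeCreated": "2026-02-03T01:52:00", "Computer": "WS-FIN-07",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Users\\Public\\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install \"C:\\Program Files (x86)\\AnyDesk\" --start-with-win --silent"},
    {"TimeCreated": "2026-02-03T03:05:00", "Computer": "WS-HR-02",
     "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Program Files\\7-Zip\\7z.exe", "CommandLine": "7z.exe x archive.zip"},
    {"TimeCreated": "2026-02-03T08:00:00", "Computer": "WS-HR-02",
     "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Two stages on a workstation (RDP turned on, then AnyDesk installed) is already worth a ticket; three on a Domain Controller, ending with a payload in SYSVOL and a GPO version bump, is the moment before domain-wide detonation and should page someone. A single Defender 5001 on its own, as on WS-HR-02, is left below threshold because administrators do generate those.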

What the Ransomware Itself Reveals

Check Point’s malware analysis shows The Gentlemen is feature-rich and clearly built for affiliate usability. Operators can choose modes for local-only encryption, network share encryption, full two-phase encryption, delayed execution, silent mode, free-space wiping, and several speed settings that encrypt only portions of large files. The binary also supports built-in propagation through the --spread option and domain-wide deployment through --gpo.

That matters because it lowers the technical burden on affiliates. A service that ships with lateral movement, staged execution options, speed tuning, and GPO abuse built in allows affiliates to focus less on building tooling and more on operating the intrusion. That tends to increase the number of actors who can run effective attacks and shortens the time from access to impact.

The ESXi variant adds another layer of enterprise realism. According to Check Point, it can enumerate virtual machines, power them off gracefully or forcefully, increase write buffer settings, disable auto-start, and then encrypt the storage backing those systems. In practical terms, that means the operators are not only targeting endpoints and file shares. They are targeting the virtualization layer that keeps businesses running.
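Because the ESXi encryptor has to power off virtual machines before it can encrypt their backing storage, the hypervisor logs show a burst of power-off tasks across many VMs seconds apart, which almost never happens in normal operations. The script below is an added example for this article, not Check Point's or the ransomware's code. It parses simplified, constructed lines that mimic the `Task Created : haTask-<vmid>-vim.VirtualMachine.<op>-<taskid>` entries hostd writes (the sample is not a capture from a real host) and raises an alert when a configurable number of distinct VMs are powered off inside a short window.

```python
"""Detect a burst of VM power-off tasks in hostd-style log lines.

The log lines below are constructed and simplified; they mimic the
"Task Created : haTask-<vmid>-vim.VirtualMachine.<op>-<taskid>" entries that
hostd writes, but they are not a capture from a real host.
"""
import re
from datetime import datetime, timedelta

TASK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* .*?"
    r"Task Created : haTask-(?P<vm>\d+)-vim\.VirtualMachine\.(?P<op>\w+)-\d+"
)
# Both a hard power-off and a guest shutdown take the VM down before encryption.
POWER_OFF_OPS = {"powerOff", "shutdownGuest"}


def parse_tasks(lines):
    """Yield (timestamp, vm_id, op) for every VM task line; ignore everything else."""
    for line in lines:
        m = TASK_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["vm"], m["op"]


def detect_power_off_burst(lines, window_minutes: int = 5, min_vms: int = 5):
    """Return (start, end, sorted vm ids) for the first window in which at least
    min_vms distinct VMs were powered off, or None if no such burst exists."""
    window = timedelta(minutes=window_minutes)
    offs = sorted((t, vm) for t, vm, op in parse_tasks(lines) if op in POWER_OFF_OPS)
    for i, (t0, _) in enumerate(offs):
        in_window = [(t, vm) for t, vm in offs[i:] if t - t0 <= window]
        vms = {vm for _, vm in in_window}
        if len(vms) >= min_vms:
            return t0, max(t for t, _ in in_window), sorted(vms, key=int)
    return None


# Constructed sample: one routine power-off hours earlier, one power-on, then
# six VMs taken down within four seconds, followed by an unrelated message.
SAMPLE_LOG = """\
2026-02-03T03:40:11.220Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-7-vim.VirtualMachine.powerOff-3101
2026-02-03T05:02:00.004Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-1-vim.VirtualMachine.powerOn-3150
2026-02-03T05:10:01.118Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-1-vim.VirtualMachine.powerOff-3201
2026-02-03T05:10:01.902Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-2-vim.VirtualMachine.shutdownGuest-3202
2026-02-03T05:10:02.510Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-3-vim.VirtualMachine.powerOff-3203
2026-02-03T05:10:03.047Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-4-vim.VirtualMachine.powerOff-3204
2026-02-03T05:10:03.611Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-5-vim.VirtualMachine.powerOff-3205
2026-02-03T05:10:04.290Z info hostd[2099] [Originator@6876 sub=Vimsvc.TaskManager] Task Created : haTask-6-vim.VirtualMachine.powerOff-3206
2026-02-03T05:10:05.000Z info hostd[2099] [Originator@6876 sub=Vimsvc.Other] unrelated housekeeping message
"""

if __name__ == "__main__":
    burst = detect_power_off_burst(SAMPLE_LOG.splitlines())
    if burst:
        start, end, vms = burst
        print(f"power-off burst {start} .. {end}: {len(vms)} VMs ({', '.join(vms)})")
```

The threshold should be tuned to the host: a handful of VMs going down together during a patch window is expected, a whole host's inventory going down in seconds is not. Shipping hostd.log to a central collector matters here, because the same actor that reaches this stage can also wipe local logs.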

Why This Case Matters Beyond One Ransomware Family

The deeper value of the report is that it shows how modular enterprise ransomware has become. The affiliate used familiar post-exploitation building blocks such as Cobalt Strike, credential theft, remote administration, and proxy tooling, then paired them with a ransomware family designed for Windows, Linux, and ESXi. This is less an isolated malware story than a view into a reusable intrusion model.

That model is efficient for attackers. Initial access can vary. Tooling can change. One covert channel can fail. Another can replace it. The encryption stage can be tuned for speed or stealth. Deployment can be local, share-based, or domain-wide through Group Policy. The operators do not need every step to be novel. They need the chain to be reliable, and Check Point’s case study suggests The Gentlemen affiliates are getting closer to that kind of repeatable reliability.

Defender Takeaways

There are a few hard lessons here for enterprise defenders. First, by the time ransomware appears, the real battle was often lost much earlier, at the point where domain-level control, credential harvesting, and management-channel abuse took hold. Second, blocking a single tool such as SystemBC is valuable, but it does not guarantee the intrusion is contained if alternative channels already exist. Third, trust-heavy enterprise mechanisms such as admin shares, scheduled tasks, WinRM, remote services, and Group Policy remain some of the most dangerous assets to lose.

The case also reinforces why organizations should treat remote access tooling, credential stores, and Active Directory administration paths as part of the critical security perimeter. These are not just infrastructure conveniences. In the hands of an affiliate, they are force multipliers.

NeuraCyb's Assessment

The Gentlemen may still be a relatively new name, but Check Point Research’s DFIR report suggests it is growing into something defenders should take seriously. The operation combines a flexible multi-platform locker set with enterprise-grade deployment logic and affiliate-friendly options that make large-scale attacks easier to run. Add in the attempted use of SystemBC and the wider botnet telemetry tied to the same infrastructure, and the picture becomes clearer: this is not just a ransomware brand. It is part of a broader, modular intrusion ecosystem that can be reused, adapted, and scaled.

That is why the most important message from this report is not simply that another ransomware family exists. It is that the path from covert access to wide encryption is getting more operationally streamlined for attackers. And when that streamlining is paired with domain control, proxy malware, Cobalt Strike, AnyDesk, and Group Policy abuse, the difference between intrusion and enterprise-wide impact can become very small, very quickly.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.