
Apr 20, 2026

DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy


Source
Check Point Research
Category
other
Severity
low

Summary

Key Points. The Gentlemen RaaS. The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. The RaaS provides affiliates with multi‑OS lockers for Windows, Linux, […] The post DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy appeared first on Check Point Research.

Published Analysis

Key Points

The Gentlemen ransomware‑as‑a‑service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240) occurring in the first months of 2026.

The service provides a broad locker portfolio implemented in Go for Windows, Linux, NAS, and BSD, plus an additional locker written in C for ESXi, enabling coverage of the multiple platforms commonly found in corporate environments.

During an incident response engagement, an affiliate associated with The Gentlemen attempted to deploy SystemBC, a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.

Check Point Research observed victim telemetry from the relevant SystemBC command‑and‑control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting.

The Gentlemen RaaS

The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates.

Figure 1 — The Gentlemen post on underground forums.

The RaaS provides affiliates with multi‑OS lockers for Windows, Linux, NAS, and BSD implemented in Go, and an additional locker for ESXi implemented in C. The group also grants verified partners access to EDR‑killing tools and its own multi‑chain pivot infrastructure (server and client components). The group maintains an onion site where it publishes data stolen from victims who refuse to pay. Negotiations, however, are not conducted through this leak portal but via the individual affiliate’s Tox ID. Tox is a free, decentralized, peer‑to‑peer (P2P) instant messaging protocol that provides end‑to‑end encrypted voice, video, and text communication.

The group also appears to maintain a Twitter/X account, which is referenced in the ransomware note. Through this account, the operators publicly post about victims, likely to increase pressure on them to pay.

Figure 2 — The Gentlemen RaaS X/Twitter account.

To date, the group has publicly claimed a little over 320 victims, with the majority of infections occurring in 2026. This growth in activity suggests that The Gentlemen RaaS program has managed to attract a significant number of affiliates over the last few months.

SystemBC Infections

During an incident response case, an affiliate of The Gentlemen ransomware‑as‑a‑service (RaaS) deployed SystemBC, a proxy malware, on the compromised host. SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory.

The specific command and control server that was used for the communication had infected a large number of victims across the globe. It is likely that the majority of those victims are companies and organizations, given that SystemBC is typically deployed as part of human‑operated intrusion workflows rather than mass, indiscriminate targeting.

Figure 3 — SystemBC global accesses.

There are over 1,570 victims, with the majority located in the United States, followed by the United Kingdom and Germany.

Figure 4 — Top 15 infected countries.

Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access remains unclear. At this time, Check Point Research has no evidence to determine the exact nature of this relationship.

Figure 5 — SystemBC infections panel.

DFIR Report – Timeline

Figure 6 – A high-level timeline of the attack

Initial Access and Establishment of Domain Control

The precise initial access vector could not be conclusively determined. The earliest stage of adversary activity that can be established with confidence is the attacker’s presence on a Domain Controller with Domain Admin–level privileges. From that position, the attacker appears to have performed systematic credential validation and host accessibility testing across the environment, as reflected in an initial pattern of failed network logons...
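The pattern the timeline describes, one privileged account on the Domain Controller probing many hosts and leaving a trail of failed network logons, can be surfaced from centrally collected Windows Security logs. The following is an added detection example, not code from the Check Point report; it assumes 4625 events have already been parsed into dicts keyed by the event's own field names, and the host names, account name and IP address in the sample are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(t, user, ip, computer, logon_type=3):
    """Build one parsed 4625 (failed logon) record. Field names follow the
    event's own fields; 'Computer' is the host that rejected the logon."""
    return {"time": t, "EventID": 4625, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip, "Computer": computer}

# Constructed sample events, not real telemetry: one account sweeping five hosts
# from one source in about a minute, plus benign noise that must not alert.
SAMPLE_EVENTS = [
    _ev("2026-03-01T02:10:05", "svc_backup", "10.0.0.5", "FS01"),
    _ev("2026-03-01T02:10:09", "svc_backup", "10.0.0.5", "FS02"),
    _ev("2026-03-01T02:10:14", "svc_backup", "10.0.0.5", "DB01"),
    _ev("2026-03-01T02:10:20", "svc_backup", "10.0.0.5", "APP03"),
    _ev("2026-03-01T02:11:02", "svc_backup", "10.0.0.5", "WS17"),
    _ev("2026-03-01T02:12:40", "svc_backup", "10.0.0.5", "FS01"),  # repeat host
    _ev("2026-03-01T02:10:30", "svc_backup", "10.0.0.5", "DC01", 2),  # interactive, ignored
    _ev("2026-03-01T08:00:00", "jdoe", "10.0.0.77", "WS01"),  # user mistyping a password
    _ev("2026-03-01T08:00:04", "jdoe", "10.0.0.77", "WS01"),
]

def find_logon_sweeps(events, window=timedelta(minutes=10), min_hosts=5):
    """Return (source_ip, account, hosts) for every source/account pair whose
    failed *network* logons (4625, LogonType 3) hit at least `min_hosts`
    distinct computers inside one `window`. Input order does not matter."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625 or ev.get("LogonType") != 3:
            continue
        key = (ev["IpAddress"], ev["TargetUserName"].lower())
        failures[key].append((datetime.fromisoformat(ev["time"]), ev["Computer"]))
    hits = []
    for (src, user), rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {computer for _, computer in rows[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits.append((src, user, sorted(hosts)))
                break  # one alert per source/account pair
    return hits

if __name__ == "__main__":
    for src, user, hosts in find_logon_sweeps(SAMPLE_EVENTS):
        print(f"logon sweep: {user} from {src} -> {len(hosts)} hosts: {hosts}")
```

Tune `window` and `min_hosts` to the environment; a backup or monitoring account that legitimately touches many hosts will need an allow-list or a higher threshold.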