'The Gentlemen' Rapidly Rises to Ransomware Prominence
Not nearly as polite as the name suggests, the ransomware gang has impressed researchers with its speed in scaling up operations — and its sophistication.
Alexander Culafi, Senior News Writer, Dark Reading
April 22, 2026
A ransomware gang known as "The Gentlemen" has made a name for itself, claiming hundreds of victims in a matter of months.
The Gentlemen is a ransomware-as-a-service (RaaS) outfit that first popped up in mid-2025. While it operates fairly typical double extortion attacks (using both encryption and data leaking as extortion levers), The Gentlemen is known for sophisticated tactics, techniques, and procedures (TTPs), such as antivirus killers and complex infection chains.
Check Point Research this week published its latest findings on the gang, noting that it has claimed hundreds of victims and uses tooling including SystemBC, which researchers described as "a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery."
Check Point observed victim telemetry connected to SystemBC's command-and-control (C2) server, revealing a botnet of more than 1,570 victims. According to researchers, the infection profile strongly suggests "a focus on corporate and organizational environments rather than opportunistic consumer targeting." Check Point Research's (CPR's) write-up centers on that single intrusion.
For such a new gang, The Gentlemen has been nothing short of prolific. Comparitech researchers said the group claimed 202 attacks last quarter, second only to Qilin's 353 claims. Meanwhile NCC Group found The Gentlemen was responsible for 34 attacks in January and 67 in February; while not quite first place, it tracked comfortably alongside more established actors like Cl0p and Akira.
In The Gentlemen there are echoes of DragonForce, a RaaS gang that landed on the scene in 2023 and quickly made a name for itself, in this case for its cartel setup and ransomware "white labeling" business model.
Dillon Ashmore, cyber threat intelligence analyst at NCC Group, tells Dark Reading that The Gentlemen shows "all the hallmarks of cementing itself as a mainstay in the ransomware ecosystem, comparable to DragonForce, but emerging at a much greater scale and sophistication than DragonForce demonstrated at that same stage."
"DragonForce took almost two years to surpass 150 victims. In comparison, The Gentlemen passed that milestone in nine months," Ashmore says. "That gap speaks not just to a difference in pace and volume, but to the group's ability to sustain a high level of activity without experiencing the typical disruptions to a ransomware group's trajectory: affiliate defections, infrastructure seizures, or internal disputes."
How The Gentlemen Breaks In
In the intrusion Check Point analyzed, a Gentlemen affiliate gained initial access (Check Point could not determine the exact vector) and then deployed the SystemBC proxy malware on the compromised host. SystemBC set up SOCKS5 tunnels inside the victim environment and connected to C2 servers, positioning the attacker to download and execute additional malware payloads.
The C2 server used in the attack, as mentioned, leverages a botnet of more than 1,500 victims, though Check Point was unable to say whether these 1,500 victims are affiliate-specific victims or just part of a botnet the affiliate is leveraging.
The earliest confirmed activity showed the attacker present on a domain controller with admin privileges. They used this foothold to validate access and conduct network reconnaissance, deployed various payloads to facilitate lateral movement, dropped a PowerShell command to disable Windows security features, and ultimately used SystemBC and Cobalt Strike as C2 to stage the ransomware.
The domain controller foothold matters because The Gentlemen's locker can leverage Active Directory's own Group Policy infrastructure to "detonate the ransomware simultaneously on every computer in the domain." Researchers called this the most powerful and far-reaching deployment method built into the binary.
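The Group Policy mass-deployment primitive above is also the thing a defender with domain-controller telemetry can hunt for. The script below is an added example written for this page; it is not from Check Point's report and not the ransomware's own code. It lists GPOs created or modified within a lookback window together with any commands they execute (startup/logon scripts, scheduled or immediate tasks) and where they are linked, then looks for freshly written payload-like files in SYSVOL. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, the account can read SYSVOL, and a 7-day window is appropriate; all three are assumptions to adjust.

```powershell
# Added example, not from Check Point's report or the ransomware itself.
# Hunts for the deployment pattern described above: a recently created or
# modified GPO that executes code (startup/logon scripts, scheduled or
# immediate tasks) on every linked computer, plus fresh payloads in SYSVOL.
# Assumptions: RSAT GroupPolicy/ActiveDirectory modules installed, the
# account can read SYSVOL, and a 7-day lookback is appropriate.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Find-RecentCodeExecutingGpos {
    param([int]$LookbackDays = 7)
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $domain = (Get-ADDomain).DNSRoot

    foreach ($gpo in Get-GPO -All -Domain $domain) {
        if ($gpo.ModificationTime -lt $since -and $gpo.CreationTime -lt $since) { continue }
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain
        # <Command> elements hold the executable for startup/logon scripts and
        # for scheduled/immediate task actions; local-name() sidesteps the
        # per-extension XML namespaces used in the report.
        $commands = Select-Xml -Xml $report -XPath "//*[local-name()='Command']" |
            ForEach-Object { $_.Node.InnerText.Trim() } | Where-Object { $_ }
        [PSCustomObject]@{
            Name     = $gpo.DisplayName
            Id       = $gpo.Id
            Created  = $gpo.CreationTime
            Modified = $gpo.ModificationTime
            Status   = $gpo.GpoStatus
            LinkedTo = @($report.GPO.LinksTo.SOMPath) -join ', '
            Commands = @($commands) -join ' | '
        }
    }
}

function Find-RecentSysvolPayloads {
    param([int]$LookbackDays = 7)
    $since    = (Get-Date).AddDays(-$LookbackDays)
    $domain   = (Get-ADDomain).DNSRoot
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and
                       $_.Extension -in '.exe','.dll','.ps1','.bat','.cmd','.vbs','.xml' } |
        Select-Object FullName, Length, LastWriteTime
}

# A GPO linked at the domain root that now carries a Command it did not have
# before is exactly the "detonate everywhere" primitive described above.
Find-RecentCodeExecutingGpos | Where-Object { $_.Commands } | Format-Table -AutoSize
Find-RecentSysvolPayloads | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation. The GPO listing is the higher-signal half: a GPO modified minutes ago, linked at the domain root, whose only content is a scheduled task running an executable out of SYSVOL is a detonation staging step, not routine administration.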
The Gentlemen ransomware is written in Go and under continuous development. Beyond encryption and exfiltration, and remote-access mechanisms such as RDP and AnyDesk, the binary runs multiple commands for defense evasion and persistence, such as disabling Windows Defender, Windows Firewall, and scanning and monitoring of the C: drive.
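The defense-tampering steps above (and the PowerShell used earlier in the chain to disable Windows security features) leave state and log evidence on the host. The script below is an added example written for this page, not from Check Point's report; it checks a single Windows host's current Defender and firewall posture, flags whole-drive scan exclusions, and pulls the Defender, firewall and PowerShell script-block events that record when the change happened. It assumes an elevated session on the host and a 72-hour lookback.

```powershell
# Added example, not from Check Point's report. Checks one Windows host for
# the defense tampering described above (Defender real-time protection,
# firewall profiles, scan exclusions such as a whole C: drive) and pulls the
# event-log evidence of when it changed. Run in an elevated PowerShell on the
# host (or via Invoke-Command). The 72-hour lookback is an assumption.
function Get-DefenseTamperingFindings {
    param([int]$LookbackHours = 72)
    $since    = (Get-Date).AddHours(-$LookbackHours)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Current state of Defender, as the engine reports it and as configured.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.AMServiceEnabled)          { $findings.Add('Defender AM service is not running') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Defender antivirus is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is OFF') }
    foreach ($p in 'DisableRealtimeMonitoring','DisableBehaviorMonitoring',
                   'DisableIOAVProtection','DisableScriptScanning') {
        if ($pref.$p) { $findings.Add("Set-MpPreference -$p is set") }
    }
    # A whole drive excluded from scanning (the "C: drive scanning" disablement
    # mentioned above) makes the rest of the configuration moot.
    foreach ($x in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($x -match '^[A-Za-z]:\\?$' -or $x -eq '*') { $findings.Add("Whole-drive scan exclusion: $x") }
    }
    foreach ($fw in Get-NetFirewallProfile) {
        if (-not $fw.Enabled) { $findings.Add("Windows Firewall profile '$($fw.Name)' is disabled") }
    }

    # When did it change? Defender 5001 = RTP disabled, 5004 = RTP config changed,
    # 5007 = config changed, 5010/5012 = malware/virus scanning disabled,
    # 5013 = tamper protection blocked a change; firewall 2003 = profile setting changed.
    $defender = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 5001,5004,5007,5010,5012,5013; StartTime = $since } -ErrorAction SilentlyContinue
    $firewall = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id = 2003; StartTime = $since } -ErrorAction SilentlyContinue
    # Script block logging (4104) captures the PowerShell that did it.
    $scripts = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Set-MpPreference|Add-MpPreference|Set-NetFirewallProfile|netsh\s+advfirewall|Stop-Service\s+WinDefend|sc(\.exe)?\s+(stop|config)\s+WinDefend' }

    [PSCustomObject]@{
        Host           = $env:COMPUTERNAME
        Findings       = $findings
        DefenderEvents = @($defender | Select-Object TimeCreated, Id, @{n='Summary';e={ ($_.Message -split "`n")[0] }})
        FirewallEvents = @($firewall | Select-Object TimeCreated, Id)
        SuspectScripts = @($scripts  | Select-Object TimeCreated, @{n='Snippet';e={ $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) }})
    }
}

$result = Get-DefenseTamperingFindings
$result.Findings
$result.DefenderEvents | Format-Table -AutoSize
$result.FirewallEvents | Format-Table -AutoSize
$result.SuspectScripts | Format-List
```

The state checks tell you whether the host is currently exposed; the event queries tell you when and, via 4104, by what command. Script-block logging must already be enabled for the last query to return anything, which is a good reason to turn it on before an incident rather than during one.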
Check Point's write-up also includes a technical analysis of a variant of The Gentlemen ransomware built specifically for VMware ESXi hosts, a variant that "remains undetected by the majority of the antivirus systems as seen in VirusTotal." This appears to be partly due to certain staging actions, such as the locker performing a controlled shutdown of all ESXi virtual machines and disabling automatic VM recovery before encrypting.
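The ESXi staging described above (shut every VM down, make sure nothing restarts automatically) is visible from the hypervisor side before the encryptor finishes. The script below is an added example written for this page using VMware PowerCLI; it is not from Check Point's report and not the locker's code. It reports whether host-level autostart is still enabled, which VMs are set not to start automatically, which are powered off, and which VMs were powered off or shut down from the guest within the lookback window, grouped by the account that did it. It assumes PowerCLI is installed, Connect-VIServer has already been run against the host or its vCenter, and the host name and 24-hour window shown, all of which are placeholders.

```powershell
# Added example, not from Check Point's report and not the locker's code.
# Uses VMware PowerCLI to look for the staging described above on one ESXi
# host: VMs powered off or shut down from the guest in the last hours, and
# autostart settings that would keep them down after a reboot.
# Assumptions: PowerCLI installed, Connect-VIServer already run against the
# host or its vCenter, the host name below, and a 24-hour lookback.
function Get-EsxiStagingIndicators {
    param([string]$HostName = 'esxi01.example.internal', [int]$LookbackHours = 24)
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $vmHost = Get-VMHost -Name $HostName
    $vms    = Get-VM -Location $vmHost

    # Host-level autostart off, or VMs with StartAction 'None', means a
    # rebooted host comes back with nothing running.
    $hostPolicy  = Get-VMHostStartPolicy -VMHost $vmHost
    $noAutoStart = Get-VMStartPolicy -VMHost $vmHost | Where-Object { $_.StartAction -ne 'PowerOn' }

    # Many power-off events in a short window, especially from one account,
    # are the signal; a healthy host rarely stops every VM at once.
    $stopEvents = Get-VIEvent -Entity $vms -Start $since -MaxSamples 5000 |
        Where-Object { $_.GetType().Name -in 'VmPoweredOffEvent','VmGuestShutdownEvent' } |
        Select-Object CreatedTime, UserName, @{n='VM';e={ $_.Vm.Name }}, @{n='Event';e={ $_.GetType().Name }}

    [PSCustomObject]@{
        Host               = $HostName
        HostAutoStart      = $hostPolicy.Enabled
        VMsNotAutoStarting = @($noAutoStart | ForEach-Object { $_.VM.Name })
        PoweredOffVMs      = @($vms | Where-Object { $_.PowerState -eq 'PoweredOff' } | ForEach-Object Name)
        StopEvents         = @($stopEvents)
        StopEventsByUser   = @($stopEvents | Group-Object UserName | Select-Object Name, Count)
    }
}

$r = Get-EsxiStagingIndicators
$r | Select-Object Host, HostAutoStart, VMsNotAutoStarting, PoweredOffVMs | Format-List
$r.StopEventsByUser | Format-Table -AutoSize
$r.StopEvents | Sort-Object CreatedTime | Format-Table -AutoSize
```

A burst of VmPoweredOffEvent or VmGuestShutdownEvent entries across most of a host's VMs from a single account, combined with autostart newly disabled, is the moment to isolate the host's management interface; the encryption of the datastores follows that staging.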
While The Gentlemen is largely sophisticated in its ability to compromise large organizations, Jason Baker, managing security consultant of threat intelligence at GuidePoint Security, says there are some hallmarks of a ransomware organization with staying power that The Gentlemen is currently missing.
"The Gentlemen's affiliates or negotiators continue to engage with victims over qTox or Session applications rather than a dedicated chat site, and their presence on Twitter/X is the kind of behavior we typically ascribe to less mature operators as an unnecessary OPSEC risk," he says. "Some excellent reporting from Check Point also suggests that in at least some cases, the group's affiliates continue to use Cobalt Strike, an offensive security tool that we have seen largely fade into irrelevance over the past one to two years as detection mechanisms have become widely available."
While it does have some hallmarks of a mainstay, such as continued quarterly growth, Baker adds a rapid fall from prominence is always possible, whether because of law enforcement disruption, infighting, or external conflicts with other cybercrime outfits.
Attack of The Gentlemen
Potential for demise aside, what's most concerning about The Gentlemen is that this new entity has managed to spin up the capacity to compromise hundreds of large organizations in a matter of months.
"The activity surrounding The Gentlemen RaaS underscores how quickly a well‑designed affiliate program can evolve from newcomer to a high‑impact ecosystem player," Check Point's blog read. "By combining a versatile, multi‑platform locker set with built‑in lateral movement, group policy–based mass deployment, and strong defense‑evasion capabilities, the operation enables even moderately skilled affiliates to execute enterprise‑scale intrusions with ransomware detonation as the final stage."
Rebecca Moody, head of data research at Comparitech, tells Dark Reading that The Gentlemen "is one of the biggest groups to watch out for this year." She says that based on the group's victimology, it's "a key threat to government entities, educational providers, healthcare companies, and manufacturers globally."
Eli Smadja, group manager, products R&D at Check Point Software, says in an email that The Gentlemen pays 90% of extortion proceeds to affiliates, a split that gives affiliates of other RaaS providers a strong incentive to switch. "The Gentlemen is likely to remain one of the more attractive ransomware options for affiliates," Smadja says.
For defenders, Smadja notes that one observed attack involved exploiting an Internet-facing device followed by rapid access to the domain controller.
"Closely monitoring Internet-facing assets and enforcing strong network segmentation are key measures to help prevent such attacks," he says. "In addition, standard best practices remain critical, including keeping operating systems and software up to date, maintaining strong security awareness programs, and ensuring continuous network monitoring."
Check Point's blog post also contains indicators of compromise.
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.