VYPR
Published Apr 22, 2026 · Updated May 18, 2026 · 1 source

The Gentlemen RaaS Gang Surges to Second Place in Ransomware Claims, Targeting Corporate Networks with SystemBC and Cobalt Strike

The Gentlemen ransomware-as-a-service group has rapidly risen to prominence since mid-2025, claiming 202 attacks in Q1 2026 and deploying sophisticated tools like SystemBC and Cobalt Strike to compromise corporate environments at scale.

A ransomware-as-a-service (RaaS) operation known as "The Gentlemen" has rapidly ascended to become one of the most prolific cybercriminal groups in operation, claiming hundreds of victims in under a year. According to new research from Check Point, the group claimed 202 attacks in the first quarter of 2026 alone, placing it second only to the dominant Qilin ransomware operation. The gang's rapid growth and sophisticated tactics have drawn comparisons to the DragonForce group, but analysts note that The Gentlemen has achieved a scale and pace that took DragonForce years to reach.

The Gentlemen first emerged in mid-2025 and operates a classic double-extortion model, encrypting victim data and threatening to leak stolen files unless a ransom is paid. However, the group distinguishes itself through a complex infection chain that leverages multiple advanced tools. Check Point's analysis reveals that affiliates of The Gentlemen deploy the SystemBC proxy malware to establish covert SOCKS5 tunnels within victim networks, connecting to command-and-control (C2) servers that researchers observed managing a botnet of more than 1,570 compromised hosts. The infection profile strongly suggests a focus on corporate and organizational environments rather than opportunistic consumer targeting.

Once inside a network, The Gentlemen affiliates use Cobalt Strike for C2 communication and lateral movement. In one case detailed by Check Point researchers, the attackers gained administrative privileges on a domain controller, then used Active Directory Group Policy to deploy the ransomware simultaneously across every computer in the domain. This technique, which Check Point described as the most powerful and far-reaching deployment method in the ransomware's arsenal, allows the group to encrypt entire organizations in a single coordinated action. The ransomware itself is written in Go and is under continuous development, with variants targeting both Windows systems and VMware ESXi hypervisors.

The ESXi variant is particularly concerning: Check Point reports that it remains undetected by the majority of antivirus engines on VirusTotal. The locker performs a controlled shutdown of all ESXi virtual machines and disables automatic VM recovery, making it extremely difficult for organizations to restore operations without paying the ransom. The group also employs multiple persistence mechanisms, including disabling Windows Defender, Windows Firewall, and C-drive scanning and monitoring.
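The two behaviours described above (a Group Policy change on a domain controller followed by Defender being switched off across the domain) leave a correlatable trail in Windows event logs. The script below is an added example, written for this article and not taken from Check Point's research or from any vendor tooling; it flags a Group Policy object modification (Security event 5136 on a groupPolicyContainer object, which requires directory-service change auditing to be enabled) that is followed within a short window by Windows Defender real-time protection being disabled (Defender operational event 5001) on several hosts. The event records are constructed for illustration, and the 30-minute window and three-host threshold are assumed tuning values, not figures from the article.

```python
"""Correlate GPO modification events with a burst of Defender-disabled events.

Detection logic for the deployment pattern described in the article:
an attacker edits a Group Policy object on a domain controller, and shortly
afterwards endpoint protection is disabled on many domain members at once.
"""
from datetime import datetime, timedelta

# Real Windows event IDs used as selectors.
DS_OBJECT_MODIFIED = 5136       # Security log: a directory service object was modified
DEFENDER_RTP_DISABLED = 5001    # Microsoft-Windows-Windows Defender/Operational: real-time protection disabled
GPO_OBJECT_CLASS = "groupPolicyContainer"

# Constructed sample records (timestamp, host, event_id, detail). Not real telemetry.
SAMPLE_EVENTS = [
    # Routine GPO edit two days earlier, followed by one isolated Defender change hours later.
    ("2026-02-27T09:00:00", "DC01", 5136, "objectClass=groupPolicyContainer attribute=versionNumber"),
    ("2026-02-27T11:45:00", "WS-007", 5001, "Real-time protection is disabled"),
    # Unrelated directory change: a user object, not a GPO.
    ("2026-03-01T01:58:12", "DC01", 5136, "objectClass=user attribute=description"),
    # Suspicious sequence: GPO edit at night, then Defender disabled on four hosts within minutes.
    ("2026-03-01T02:10:05", "DC01", 5136, "objectClass=groupPolicyContainer attribute=gPCFileSysPath"),
    ("2026-03-01T02:14:30", "WS-014", 5001, "Real-time protection is disabled"),
    ("2026-03-01T02:14:41", "WS-022", 5001, "Real-time protection is disabled"),
    ("2026-03-01T02:15:02", "SRV-FILE01", 5001, "Real-time protection is disabled"),
    ("2026-03-01T02:15:20", "WS-031", 5001, "Real-time protection is disabled"),
]


def parse_event(record):
    """Turn a (timestamp, host, event_id, detail) tuple into a dict with a datetime."""
    ts, host, event_id, detail = record
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": event_id, "detail": detail}


def find_mass_deployment(records, window=timedelta(minutes=30), min_hosts=3):
    """Return one alert per GPO modification that is followed, within `window`,
    by Defender real-time protection being disabled on at least `min_hosts`
    distinct hosts. Thresholds are assumed defaults for illustration."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    gpo_edits = [e for e in events
                 if e["event_id"] == DS_OBJECT_MODIFIED and GPO_OBJECT_CLASS in e["detail"]]
    rtp_disabled = [e for e in events if e["event_id"] == DEFENDER_RTP_DISABLED]

    alerts = []
    for gpo in gpo_edits:
        deadline = gpo["ts"] + window
        hosts = {d["host"] for d in rtp_disabled if gpo["ts"] <= d["ts"] <= deadline}
        if len(hosts) >= min_hosts:
            alerts.append({
                "gpo_host": gpo["host"],
                "gpo_time": gpo["ts"].isoformat(),
                "gpo_detail": gpo["detail"],
                "affected_hosts": sorted(hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_deployment(SAMPLE_EVENTS):
        print(f"ALERT: GPO modified on {alert['gpo_host']} at {alert['gpo_time']} "
              f"({alert['gpo_detail']}); Defender disabled on "
              f"{len(alert['affected_hosts'])} hosts: {', '.join(alert['affected_hosts'])}")
```

Run against the constructed records, the script raises a single alert for the night-time GPO edit and ignores both the routine edit (only one host changed, hours later) and the user-object modification. In a real deployment the same correlation would be fed from a SIEM; the point is that a GPO change followed by a fleet-wide drop in endpoint protection is a high-confidence signal worth alerting on before encryption starts.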

Despite its technical sophistication, security analysts point to several operational weaknesses that could limit the group's longevity. Jason Baker, managing security consultant at GuidePoint Security, notes that The Gentlemen's affiliates continue to use qTox or Session messaging apps for victim negotiations rather than dedicated chat portals, and maintain a presence on Twitter/X — behaviors typically associated with less mature operators. Baker also observes that the group's continued reliance on Cobalt Strike, an offensive security tool that has seen widespread detection improvements over the past two years, represents an unnecessary operational security risk.

NCC Group's Dillon Ashmore, however, argues that The Gentlemen shows all the hallmarks of a ransomware group with staying power. "DragonForce took almost two years to surpass 150 victims. In comparison, The Gentlemen passed that milestone in nine months," Ashmore told Dark Reading. "That gap speaks not just to a difference in pace and volume, but to the group's ability to sustain a high level of activity without experiencing the typical disruptions to a ransomware group's trajectory: affiliate defections, infrastructure seizures, or internal disputes."

The rapid rise of The Gentlemen underscores the evolving threat landscape in which new RaaS operations can scale with alarming speed, leveraging established tools and affiliate networks to achieve significant impact in a short timeframe. Organizations are advised to prioritize robust endpoint detection, network segmentation, and regular backup practices to defend against this emerging threat.

Synthesized by Vypr AI