The Gentlemen ransomware‑as‑a‑service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240) occurring in the first months of 2026.
The service provides a broad locker portfolio implemented in Go for Windows, Linux, NAS, and BSD, plus an additional locker written in C for ESXi, enabling coverage of the multiple platforms commonly found in corporate environments.
During an incident response engagement, an affiliate associated with The Gentlemen attempted to deploy SystemBC, a proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.
Check Point Research observed victim telemetry from the relevant SystemBC command‑and‑control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting.
This is a useful report, and the SystemBC detail is especially notable.
Why it stands out
If Check Point’s telemetry is accurate, this suggests The Gentlemen is not just another small leak-site operation but a growing RaaS ecosystem with active affiliate recruitment.
The cross-platform locker lineup is also important. Support for Windows, Linux, NAS, BSD, and ESXi aligns with how many enterprise environments are actually built, which increases operational flexibility for affiliates.
The attempted use of SystemBC fits a broader pattern seen in human-operated ransomware intrusions, where proxy/tunneling malware is used to maintain access, relay traffic, and stage follow-on payloads more quietly.
A few points of caution
Public victim counts from ransomware groups should always be treated carefully. Leak-site claims can include recycled names, inflated numbers, or victims listed before full verification.
Telemetry from one C2 server can be valuable, but it still represents only part of the picture. It helps show scale and targeting trends, but it should not automatically be taken as a complete map of the botnet or the RaaS operation.
Attribution between a specific affiliate, SystemBC activity, and the broader RaaS brand should be handled carefully unless supported by stronger technical indicators in the full report.
What this likely means in practice
Organizations should pay attention to proxy malware and tunneling activity, not just the final ransomware payload.
Detection opportunities may appear earlier in the intrusion chain, for example:
- unexpected outbound connections,
- suspicious proxy behavior,
- new persistence tied to remote access tooling,
- lateral movement preceding encryption.
Defenders with Linux, NAS, virtualization, and mixed-platform estates should not assume ransomware preparedness is only a Windows problem.
Bottom line
This report appears to reinforce two trends: modern RaaS groups are becoming more operationally flexible across platforms, and support malware such as SystemBC can be just as important to detect as the encryptor itself. The main takeaway is to treat the claimed scale cautiously, but to take the tradecraft seriously.