The Gentlemen is Making Its Mark in the Ransomware World
The Gentlemen first emerged on the cyberthreat scene a year ago with a reputation for running ransomware and extortion campaigns that included highly advanced capabilities like custom antivirus tools, encrypted exfiltration channels, and Group Policy Object (GPO) manipulation.
In the months since Trend Micro called attention to it, the threat group has quickly become a popular ransomware-as-a-service (RaaS) program, with Check Point researchers writing last month that it was bringing in numerous affiliates and claiming more than 320 victims, 240 of them in the first few months of this year.
Other cybersecurity firms are taking notice of the group, with BlackFog noting The Gentlemen’s rapid rise in its first-quarter ransomware report. GuidePoint Security echoed the point in its Q1 report, and analysts with BlackPoint Cyber, Cybereason, and AttackIQ have also investigated the RaaS actor.
The momentum has continued, with NCC Group reporting this week that in April, The Gentlemen was the second most active ransomware operation – behind only the prolific Qilin group – accounting for 10% of victim listings. By claiming 73 victims, The Gentlemen has now racked up 231 conquests in total, according to the threat intelligence firm.
“The Gentlemen has quickly shifted from an emerging group to running frequent, high-paced operations, expanding its affiliate network and reach,” NCC Group researchers wrote. “Despite first observed activity in July 2025, The Gentlemen has demonstrated technical maturity typically associated with more established ransomware groups, leading researchers to assess that the group consists of experienced actors with potential ties to other ransomware ecosystems.”
The group uses a double-extortion model and targets a broad range of platforms, including Windows, Linux, NAS, BSD, and VMware ESXi, with the ransomware itself using XChaCha20 and Curve25519, a combination that enables fast, large-scale encryption and secure key generation. Because of their complexity, these encryption schemes are typically used by more mature, established groups, which the researchers wrote is a further sign of the sophisticated tooling The Gentlemen leverage.
The SystemBC Link
The researchers noted that at least one affiliate is using SystemBC in its operations. The multi-platform malware and remote access trojan (RAT) turns infected computers into proxies, and in this case, infected systems were used as SOCKS5 proxies that let the attackers route their traffic through compromised hosts. This made command-and-control (C2) activity harder to trace, block, and attribute, and it improved the attackers’ lateral movement and ability to pivot.
“The combination of RaaS scale and proxy tooling reflects a shift from one-off attacks to repeatable, industrialized intrusions that affiliates with varying skill levels can execute,” they wrote, adding that the affiliate used a botnet comprising more than 1,500 victims and that its use of SystemBC illustrates the “increasingly interconnected ransomware ecosystem, where threat actors leverage shared tooling, established access mechanisms, and repeatable intrusion methodologies.”
A Troubling Trend
The link between The Gentlemen and SystemBC is troubling, they wrote. It can change the dynamics of an attack by increasing its stealth and resilience, and it raises the chances of deeper compromise, such as credential harvesting, before encryption occurs. It also creates a visibility gap, with enterprise networks compromised but not yet encrypted or still in the staging process, and could mean the proxy activity is part of the affiliate’s post-exploitation work.
In addition, the use of SystemBC by at least one affiliate of The Gentlemen indicates that the risk of ransomware now rises from entire ecosystems that include affiliates, shared tools, and repeatable attack methods rather than simply individual ransomware attacks, the researchers wrote.
The growing popularity of the RaaS model established this, but what has been found with The Gentlemen shows a jump forward in scale and operational maturity, they wrote. The group’s rapid growth in the first quarter of this year and its use of advanced proxy tools should alert security teams that more frequent and faster attacks are on the way, and that the point where they should be stopped comes before encryption starts.
Most of the SystemBC-infected organizations were in the United States, the UK, and Germany.
A Shift for Defenders
The Gentlemen attacks typically start with initial access through vulnerable internet-facing services or stolen credentials, then run through discovery, lateral movement, payload setup, defense evasion, and finally ransomware deployment, often using GPOs to scale the rollout.
The group has also shown the ability to adapt its tactics in the midst of an attack, including manipulating GPOs to speed up attacks, compromising privileged accounts, and using custom methods to bypass endpoint protections.
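Because GPO manipulation is how this group scales deployment, changes to Group Policy objects are one of the pre-encryption steps worth watching in Active Directory audit data. The triage routine below is an added example, not detection content from NCC Group or any vendor; it assumes Directory Service Changes auditing is enabled and uses the standard Windows Security event IDs 5136 (object modified), 5137 (object created) and 5141 (object deleted) with their usual field names. The events, account names and the approved-editor list are constructed.

```python
"""Triage constructed Windows Security events for Group Policy tampering.
Added example; assumes standard 5136/5137/5141 field names and a constructed
allowlist. Not code from the article or any vendor."""
from collections import defaultdict

# Windows Security event IDs for directory-service object auditing
DS_OBJECT_MODIFIED = 5136
DS_OBJECT_CREATED = 5137
DS_OBJECT_DELETED = 5141

# Accounts expected to edit Group Policy (constructed allowlist)
APPROVED_GPO_EDITORS = {"CORP\\gpo-admin"}


def is_gpo_object(ev):
    return ev.get("ObjectClass") == "groupPolicyContainer"


def classify(ev):
    """Return a reason string if the event is a suspicious Group Policy change, else None."""
    eid = ev["EventID"]
    actor = ev["SubjectUserName"]
    approved = actor in APPROVED_GPO_EDITORS
    if eid in (DS_OBJECT_CREATED, DS_OBJECT_DELETED) and is_gpo_object(ev):
        verb = "created" if eid == DS_OBJECT_CREATED else "deleted"
        return None if approved else f"GPO {verb} by unapproved account"
    if eid != DS_OBJECT_MODIFIED:
        return None
    attr = ev.get("AttributeLDAPDisplayName")
    # gPLink on an OU or the domain root decides which computers a GPO applies to,
    # so a new link is the step that turns one policy into a fleet-wide push.
    if attr == "gPLink" and not approved:
        return f"GPO link changed on {ev['ObjectDN']} by unapproved account"
    if is_gpo_object(ev) and not approved:
        return f"GPO attribute {attr} modified by unapproved account"
    return None


def triage(events, burst_window=300, burst_count=3):
    """Return (ts, actor, reason) findings: per-event hits plus bursts of Group
    Policy changes by one account, approved or not, since a stolen admin
    credential produces the same events as the admin."""
    findings = []
    per_actor = defaultdict(list)
    for ev in events:
        reason = classify(ev)
        if reason:
            findings.append((ev["ts"], ev["SubjectUserName"], reason))
        if ev["EventID"] == DS_OBJECT_MODIFIED and (
                is_gpo_object(ev) or ev.get("AttributeLDAPDisplayName") == "gPLink"):
            per_actor[ev["SubjectUserName"]].append(ev["ts"])
    for actor, times in per_actor.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= burst_window:
                j += 1
            if j - i >= burst_count:
                findings.append((times[i], actor,
                                 f"{j - i} Group Policy changes within {burst_window}s"))
                break
    return findings


GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"
# Constructed sample events: one routine edit by the approved admin, then a
# service account creating, editing and linking a GPO inside two minutes.
SAMPLE_EVENTS = [
    {"ts": 100, "EventID": 5136, "SubjectUserName": "CORP\\gpo-admin", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber"},
    {"ts": 1000, "EventID": 5137, "SubjectUserName": "CORP\\svc-backup", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer"},
    {"ts": 1030, "EventID": 5136, "SubjectUserName": "CORP\\svc-backup", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCFileSysPath"},
    {"ts": 1060, "EventID": 5136, "SubjectUserName": "CORP\\svc-backup", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber"},
    {"ts": 1090, "EventID": 5136, "SubjectUserName": "CORP\\svc-backup",
     "ObjectDN": "OU=Workstations,DC=corp,DC=example", "ObjectClass": "organizationalUnit",
     "AttributeLDAPDisplayName": "gPLink"},
    {"ts": 2000, "EventID": 5136, "SubjectUserName": "CORP\\gpo-admin",
     "ObjectDN": "DC=corp,DC=example", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "gPLink"},
]

if __name__ == "__main__":
    for ts, actor, reason in triage(SAMPLE_EVENTS):
        print(f"t={ts} {actor}: {reason}")
```

The per-event rules catch an unapproved account touching policy at all; the burst rule is the one that still fires when the attacker is using a legitimate administrator's credentials, which is why it deliberately ignores the allowlist.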
The tactics and capabilities shown by The Gentlemen and its affiliates change the equation for defenders.
“What’s most notable is not just the technical skills, like GPO abuse, custom evasion, and hidden tunnelling, but also the attackers’ objective to maintain persistence, work quickly and use speed and scale to their advantage,” the researchers wrote. “This shifts the main defensive question from ‘Can we stop ransomware?’ to ‘Can we reliably spot and disrupt the steps that lead to ransomware?’”