A new, highly organized ransomware-as-a-service (RaaS) operation known as “The Gentlemen” is rapidly expanding its reach, targeting corporate networks globally. Appearing around mid-2025, the group has publicly claimed over 320 victims, with a significant surge in attacks—more than 240—recorded in the early months of 2026. This rapid growth suggests effective affiliate recruitment and a sophisticated leadership team leveraging an array of multi-platform ransomware tools.
The Gentlemen’s most notable feature is its comprehensive attack suite, designed to compromise multiple operating systems simultaneously. The operation offers ransomware written in the Go programming language, capable of encrypting data across Windows, Linux, NAS, and BSD environments. Additionally, a separate locker developed in C specifically targets VMware ESXi hypervisors. This cross-platform capability allows affiliates to inflict widespread damage on both traditional endpoints and critical virtualization infrastructure within a single campaign.
The RaaS operation functions much like a legitimate business, with operators actively recruiting technically adept threat actors on underground forums. Verified affiliates gain access to advanced tools, including Endpoint Detection and Response (EDR)-killing capabilities and a private pivot infrastructure. If ransoms are not paid, victim data is published on a dark web leak site, while negotiations are conducted privately via the Tox messaging protocol. The Gentlemen also maintain an active presence on Twitter/X, publicly naming victims in their ransom notes to exert additional pressure for payment.
According to Check Point Research, the malware was identified during an active incident response engagement where an affiliate deployed SystemBC, a proxy malware, on a compromised host. Telemetry data from the SystemBC command-and-control server revealed a botnet comprising over 1,570 victims worldwide. The United States accounted for the largest share of these victims, followed by the United Kingdom and Germany. The profile of these victims indicates a deliberate targeting of organizations rather than individual users.
The Gentlemen RaaS: Infection Mechanism and Lateral Movement
The intrusion methodology observed by Check Point researchers indicates a meticulously planned attack progression. The earliest confirmed activity showed attackers already in possession of Domain Admin privileges on a Domain Controller. From this privileged position, Cobalt Strike payloads were deployed to remote systems using administrative shares and randomly named executables. Initial commands, such as systeminfo and whoami, were executed to methodically map the compromised environment before further lateral movement occurred.
For lateral movement, the ransomware employs a built-in spread argument that utilizes domain credentials previously harvested during the intrusion. Once activated, it enumerates all domain-joined computers via Active Directory. It then pings each host to verify reachability before attempting to deliver the ransomware binary through multiple parallel channels. These channels include PsExec, WMI, remote scheduled tasks, remote services, and various PowerShell-based execution methods.
Before initiating encryption on each target system, the attackers disable Windows Defender, implement broad path exclusions across the entire C: drive, shut down the firewall, and re-enable the SMB1 protocol. Shadow copies are systematically deleted to hinder file recovery attempts, and event logs are wiped to remove forensic evidence of their activities. For final deployment across the network, the group leverages Group Policy Objects (GPOs) to push the ransomware to all domain-joined machines simultaneously.
The specific ESXi locker operates by first shutting down all virtual machines, releasing locks on virtual disk files before commencing the encryption process. For persistence, it copies itself to the /bin/.vmware-authd directory, mimicking a legitimate VMware daemon.
Organizations are strongly advised to enforce multi-factor authentication on all administrative accounts and remote access endpoints. Implementing robust network segmentation is crucial to limit the potential reach of any attacker who gains domain-level access. Windows Defender and firewall policies should be protected through tamper-resistant configurations. Backup systems must remain offline or isolated, as the ransomware is known to actively terminate backup-related services. Security teams should also actively monitor for unusual scheduled task creation, lateral movement through administrative shares, and PowerShell commands that attempt to disable real-time monitoring or modify sensitive LSA registry settings.
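The monitoring advice above, and the pre-encryption steps described earlier (Defender disabled, drive-wide exclusions, shadow copies deleted, event logs cleared, admin-share and scheduled-task lateral movement), translate naturally into a small correlation rule set. The following is an added example, not code from Check Point Research or from the group; the event records, rule names, thresholds and hostnames are constructed for illustration, and the field layout only loosely imitates Windows Security and PowerShell Operational log entries.

```python
"""Correlate individual defence-evasion and lateral-movement indicators per
host. Added example; event formats and rule names are constructed."""
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on Windows Security (4688 process
# creation, 4698 scheduled task created, 5140 share access, 4657 registry value
# modified) and PowerShell Operational (4104 script block) entries. Not real data.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS-07", "user": "CORP\\svc-backup",
     "detail": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 4104, "host": "WS-07", "user": "CORP\\svc-backup",
     "detail": "Add-MpPreference -ExclusionPath 'C:\\'"},
    {"event_id": 4698, "host": "DC-01", "user": "CORP\\admin.t",
     "detail": "Task Name: \\Microsoft\\Windows\\Updater2 Command: C:\\Windows\\Temp\\qz91k.exe"},
    {"event_id": 5140, "host": "FS-02", "user": "CORP\\admin.t",
     "detail": "Share Name: \\\\*\\ADMIN$ Source Address: 10.0.5.17"},
    {"event_id": 4688, "host": "FS-02", "user": "CORP\\admin.t",
     "detail": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 4688, "host": "FS-02", "user": "CORP\\admin.t",
     "detail": "wevtutil.exe cl Security"},
    {"event_id": 4657, "host": "WS-07", "user": "CORP\\svc-backup",
     "detail": "Object: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa RunAsPPL -> 0"},
    {"event_id": 4104, "host": "WS-12", "user": "CORP\\jdoe",
     "detail": "Get-ChildItem C:\\Users\\jdoe\\Documents"},
]

# Each rule: (name, required event_id or None, case-insensitive regex on detail).
# The behaviours are the ones the article lists; the names are ours.
RULES = [
    ("defender_realtime_disabled", 4104,
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true"),
    # An exclusion whose path is a bare drive root (e.g. C:\) is the "broad
    # exclusion across the entire drive" pattern.
    ("defender_broad_exclusion", 4104,
     r"-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?\s*$"),
    ("scheduled_task_from_temp", 4698, r"\\Temp\\|\\Users\\Public\\"),
    ("admin_share_access", 5140, r"\\\\\*\\(ADMIN\$|C\$)"),
    ("shadow_copy_deletion", 4688, r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("event_log_cleared", 4688, r"wevtutil(\.exe)?\s+cl\b"),
    ("lsa_registry_modified", 4657, r"\\Control\\Lsa\b"),
]


def match_rules(event):
    """Return the names of every rule a single event satisfies."""
    hits = []
    for name, event_id, pattern in RULES:
        if event_id is not None and event["event_id"] != event_id:
            continue
        if re.search(pattern, event["detail"], re.IGNORECASE):
            hits.append(name)
    return hits


def scan(events):
    """Map each host to the set of distinct rule names triggered there."""
    per_host = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            per_host[ev["host"]].add(name)
    return dict(per_host)


def flag_hosts(events, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired.

    One hit on its own may be an administrator doing maintenance; several
    distinct evasion or lateral-movement steps on the same host is the
    chained pre-encryption behaviour described in the article.
    """
    return sorted(h for h, names in scan(events).items() if len(names) >= threshold)


if __name__ == "__main__":
    for host, names in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(names))}")
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

The correlation step is the part worth keeping: a single `Set-MpPreference` or `vssadmin` invocation is noisy in most estates, but two or more of these behaviours on one host within the same window, especially under a service account or from a domain controller, matches the sequence described above and should page someone. In a real deployment the regexes would sit in the SIEM's rule language and the per-host grouping would be bounded by a time window.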
The continued evolution and broad targeting capabilities of The Gentlemen RaaS operation underscore the ongoing threat posed by sophisticated cybercriminal groups. The group’s focus on both traditional endpoints and critical virtualization infrastructure signals a strategic shift, demanding enhanced vigilance from organizations across all sectors. Future efforts by law enforcement and cybersecurity firms will likely focus on disrupting the group’s affiliate recruitment and infrastructure, while organizations must prioritize robust defenses to mitigate the impact of such advanced ransomware attacks.