Quick Facts
- Category: Science & Space
- Published: 2026-05-04 00:23:27
In the ever-evolving landscape of ransomware, a new player has emerged with alarming speed. The Gentlemen ransomware-as-a-service (RaaS) program has captured attention by claiming over 320 victims, with the bulk of attacks occurring in early 2026. Beyond its locker portfolio, affiliates have been observed deploying SystemBC, a proxy malware that facilitates covert operations. This listicle unpacks the critical facts you need to understand this emerging threat.
1. The Rapid Rise of The Gentlemen RaaS
First appearing around mid-2025, The Gentlemen RaaS quickly gained traction in underground forums. Its operators actively recruit affiliates—especially penetration testers and technically skilled actors—by marketing a versatile platform. The group’s public victim count exceeds 320, with approximately 240 of those occurring in just the first months of 2026. This exponential growth indicates a well-organized affiliate program and effective monetization strategies.

2. Multi-Platform Locker Portfolio
Unlike many RaaS groups that focus solely on Windows, The Gentlemen offers lockers for Windows, Linux, NAS, and BSD, all written in Go. A separate locker for ESXi hypervisors is written in C. This broad coverage means affiliates can target the diverse environments common in corporate networks, from file servers to virtual machines, and the one-stop shop for different target systems is part of the program's appeal to recruits.
3. Affiliate Tools Beyond Encryption
Successful affiliates receive more than just ransomware executables. The Gentlemen provides EDR-killing tools to disable endpoint detection. They also grant access to a proprietary multi-chain pivot infrastructure, including both server and client components. This infrastructure allows attackers to move laterally and maintain persistence, making compromise harder to detect and remediate.
4. Leak Site and Negotiation via Tox
The group operates a Tor onion site to publish stolen data from non-paying victims. However, negotiations are handled individually through each affiliate’s Tox ID. Tox is a free, decentralized, peer-to-peer instant messaging protocol with end-to-end encryption. This setup decentralizes negotiation responsibility, reducing the risk of law enforcement monitoring centralized communication channels.
5. Public Pressure via Social Media
The Gentlemen maintains a Twitter/X account referenced in their ransom notes. The operators publicly post about new victims, likely to shame companies and increase pressure to pay. This tactic, combined with data leaks, creates a double extortion threat. Public exposure can damage reputation, leading to faster ransom payments.
6. SystemBC Proxy Malware in Attacks
During an incident response case, an affiliate of The Gentlemen deployed SystemBC on a compromised host. SystemBC establishes SOCKS5 tunnels within the victim’s environment, allowing attackers to route traffic through the victim’s network. This proxy capability masks command-and-control (C2) communications and helps exfiltrate data stealthily before encryption.

7. SystemBC Botnet Scale
Check Point Research observed telemetry from a SystemBC C2 server used by a Gentlemen affiliate. The server controlled a botnet of over 1,570 victims. The infection profile suggests a focus on corporate and organizational environments rather than random consumers, which indicates that SystemBC is being deployed as part of targeted, human-operated ransomware campaigns.
8. Corporate Targeting Preference
The victims of SystemBC infections linked to The Gentlemen are predominantly businesses and institutions. Attackers gain footholds through phishing, remote desktop protocol (RDP) brute-forcing, or exploiting vulnerabilities. Once inside, they deploy SystemBC for persistent access, later staging ransomware attacks. The organizational focus means higher potential ransoms and more critical data at risk.
9. Covert Tunneling and Payload Delivery
SystemBC acts as a SOCKS5 proxy, enabling encrypted tunneling of attack traffic through the victim’s network. It can also fetch and execute additional payloads from remote servers. This dual functionality allows affiliates to maintain stealthy C2, deploy tools like Cobalt Strike, and eventually deliver the final ransomware locker without detection by network security appliances.
10. Recommendations for Defense
To defend against The Gentlemen and SystemBC, organizations should prioritize multi-factor authentication, restrict RDP access, and patch vulnerabilities promptly. Endpoint detection and response (EDR) tools should be tuned to flag anomalous process creation and network connections. Regular network segmentation can limit lateral movement. Monitoring for SOCKS5 proxy traffic and outbound connections to known malicious IPs can also help identify SystemBC infections before encryption occurs.
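Sections 9 and 10 describe SystemBC's SOCKS5 tunneling and recommend monitoring for SOCKS5 proxy traffic. The following is an added example, not code from the article or from Check Point Research: a small detector that checks the first client and server bytes of captured TCP flows for a SOCKS5 method-selection handshake (RFC 1928) and decodes the CONNECT request that follows, so an internal host proxying connections on an unexpected port stands out. The flow records are constructed sample data.

```python
# Added example: flag SOCKS5 handshakes in captured flows (RFC 1928 framing).
# Sample flows below are constructed, not real SystemBC traffic.
import ipaddress
from typing import Optional

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def is_socks5_greeting(client: bytes, server: bytes) -> bool:
    """True if client sent VER=5, NMETHODS, METHODS and the server replied
    VER=5 plus one of the offered methods (or 0xFF = none acceptable)."""
    if len(client) < 2 or client[0] != SOCKS_VERSION:
        return False
    nmethods = client[1]
    if nmethods == 0 or len(client) < 2 + nmethods:
        return False
    offered = set(client[2:2 + nmethods]) | {0xFF}
    return len(server) >= 2 and server[0] == SOCKS_VERSION and server[1] in offered


def parse_socks5_request(data: bytes) -> Optional[dict]:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; None if it is not well formed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4 and len(data) >= 10:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN and len(data) >= 5 and len(data) >= 7 + data[4]:
        end = 5 + data[4]
        host = data[5:end].decode("ascii", "replace")
    elif atyp == ATYP_IPV6 and len(data) >= 22:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = int.from_bytes(data[end:end + 2], "big")
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}


def flag_flows(flows: list) -> list:
    """One finding per flow whose opening packets form a SOCKS5 handshake."""
    findings = []
    for f in flows:
        if is_socks5_greeting(f["c2s"][0], f["s2c"][0]):
            req = parse_socks5_request(f["c2s"][1]) if len(f["c2s"]) > 1 else None
            findings.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"], "request": req})
    return findings


# Constructed: a SOCKS5 CONNECT to 10.0.10.5:443 via an internal host on port 4001,
# followed by an ordinary HTTP request that must not be flagged.
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "dst": "10.0.5.40", "dport": 4001,
     "c2s": [b"\x05\x01\x00", b"\x05\x01\x00\x01\x0a\x00\x0a\x05\x01\xbb"], "s2c": [b"\x05\x00"]},
    {"src": "10.0.5.23", "dst": "10.0.5.40", "dport": 80,
     "c2s": [b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"], "s2c": [b"HTTP/1.1 200 OK\r\n"]},
]

if __name__ == "__main__":
    for hit in flag_flows(SAMPLE_FLOWS):
        print(hit)
```

Running this over real flow captures requires feeding it the first client and server payloads of each TCP session; the heuristic is port-agnostic by design, since SystemBC does not use a fixed proxy port.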
Conclusion
The Gentlemen RaaS represents a new wave of sophisticated, affiliate-driven ransomware operations. Its broad platform support, coupled with the use of SystemBC as a proxy, highlights the evolving tactics of cybercriminals. By understanding these 10 key insights, security teams can better prepare for and respond to these targeted attacks.