
Gentlemen RaaS Attacking Windows, Linux With additional locker written in C for ESXi

A new ransomware-as-a-service (RaaS) operation known as “The Gentlemen” has emerged as a serious threat to corporate networks worldwide.

Since appearing around mid-2025, this group has rapidly grown into a well-organized criminal platform, publicly claiming over 320 victims, with most attacks — more than 240 — recorded in the opening months of 2026.

The speed at which this group expanded points to strong affiliate recruitment and a technically capable leadership team.

What makes The Gentlemen stand out is its wide range of ransomware tools built to attack multiple operating systems at once.

The group offers lockers written in the Go programming language that work across Windows, Linux, NAS, and BSD environments, along with a separate locker written in C specifically designed to target VMware ESXi hypervisors.

This cross-platform capability allows affiliates to cause maximum damage in a single campaign, hitting both traditional endpoints and the virtualization infrastructure that many organizations depend on.

The operation runs like a structured business. Operators advertise on underground forums, recruiting technically skilled actors as affiliates.

The Gentlemen post on underground forums (Source – Check Point)

Verified partners receive access to EDR-killing tools and a private pivot infrastructure. Victim data is published on a dark web leak site if the ransom goes unpaid, while negotiations happen privately through Tox, a peer-to-peer encrypted messaging protocol.

The group also runs an active Twitter/X account, referenced in the ransom note, where they name victims publicly to increase payment pressure.

The Gentlemen RaaS X – Twitter account (Source – Check Point)

Check Point Research analysts identified the malware during an active incident response engagement, where an affiliate deployed SystemBC, a proxy malware, on a compromised host.

Top 15 infected countries (Source – Check Point)

Analysts observed telemetry from the SystemBC command-and-control server, uncovering a botnet of over 1,570 victims globally, with the United States accounting for the majority, followed by the United Kingdom and Germany.

The victim profile strongly suggests deliberate targeting of organizations rather than individuals.

Infection Mechanism and Lateral Movement

The intrusion flow observed by Check Point reveals a carefully staged attack. The earliest confirmed activity showed the attacker already on a Domain Controller with Domain Admin privileges.

A high-level timeline of the attack (Source – Check Point)

From there, Cobalt Strike payloads were pushed to remote systems through administrative shares using randomly named executables.

Initial commands including systeminfo, whoami, and directory listings confirmed that the attacker was methodically mapping the environment before expanding further.

To move laterally, the ransomware uses a built-in spread argument that accepts domain credentials harvested during the intrusion.

Once active, it enumerates all domain computers through Active Directory, pings each host to confirm reachability, then delivers the ransomware binary through six parallel channels: PsExec, WMI, remote scheduled tasks, remote services, and PowerShell-based execution methods.

Before running the locker on each target, the attacker disables Windows Defender, adds broad path exclusions for the entire C: drive, shuts down the firewall, and re-enables SMB1.

Shadow copies are deleted to prevent file recovery, and event logs are wiped to remove forensic evidence.

For final deployment, the group abuses Group Policy Objects to push the ransomware to every domain-joined machine at once. The ESXi locker shuts down all virtual machines first, releasing locks on virtual disk files before encryption begins.

It then copies itself to /bin/.vmware-authd to mimic a legitimate VMware daemon for persistence.

Organizations should enforce multi-factor authentication on all administrative accounts and remote access endpoints. Network segmentation should limit the reach of any attacker gaining domain-level access.

Windows Defender and firewall policies must be protected through tamper-resistant configurations. Backup systems should remain offline or isolated, since the ransomware actively terminates backup-related services.

Security teams should also monitor for unusual scheduled task creation, lateral movement through admin shares, and PowerShell commands that attempt to disable real-time monitoring or modify LSA registry settings.
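As an added illustration, not code from the article or from Check Point, the Python rules below flag the pre-encryption steps described above (Defender tampering, a whole-drive exclusion, firewall shutdown, SMB1 re-enablement, shadow copy deletion, log wiping, remote task creation, LSA registry changes) in process command-line telemetry. The rule names, regular expressions and sample events are constructed for this example and do not reproduce the group's actual tooling.

```python
import re

# Constructed detection rules keyed to the pre-encryption steps the article
# describes. Patterns are case-insensitive and deliberately narrow: the
# exclusion rule only fires on a drive root such as C:\, not on a subfolder.
RULES = {
    "defender_realtime_disabled": r"set-mppreference.*-disablerealtimemonitoring\s+\$?true",
    "defender_broad_exclusion": r"add-mppreference.*-exclusionpath\s+['\"]?[a-z]:\\?['\"]?(\s|$)",
    "firewall_disabled": r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off",
    "smb1_enabled": r"(set-smbserverconfiguration.*-enablesmb1protocol\s+\$?true|enable-feature.*smb1protocol)",
    "shadow_copies_deleted": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "event_log_cleared": r"wevtutil(\.exe)?\s+cl\s+",
    "remote_scheduled_task": r"schtasks(\.exe)?\s+/create\b.*\s/s\s+\S+",
    "lsa_registry_modified": r"reg(\.exe)?\s+add\s+.*\\control\\lsa\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def triage(events):
    """events: iterable of (host, cmdline). Returns {host: sorted rule names}.
    A host that trips rules from several stages is the one to escalate first;
    hosts with no hits are omitted."""
    hits = {}
    for host, cmd in events:
        for name in classify(cmd):
            hits.setdefault(host, set()).add(name)
    return {h: sorted(s) for h, s in hits.items()}

# Constructed sample telemetry (host, command line); not from the article.
SAMPLE_EVENTS = [
    ("WS01", 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("WS01", 'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\"'),
    ("WS01", "netsh advfirewall set allprofiles state off"),
    ("WS01", 'powershell -c "Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force"'),
    ("WS01", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "wevtutil.exe cl Security"),
    ("DC01", "schtasks /create /s WS02 /tn Update /tr C:\\Windows\\Temp\\a7f3.exe /sc once /st 00:00"),
    ("WS03", 'powershell.exe -c "Get-Process | Sort-Object CPU"'),  # benign admin activity
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {len(rules)} stage(s) -> {', '.join(rules)}")
```

Feed it real EDR or Sysmon process-creation command lines in place of the constructed sample and treat a host that trips several rules within minutes as a deployment in progress rather than a one-off admin action.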

The post Gentlemen RaaS Attacking Windows, Linux With additional locker written in C for ESXi appeared first on Cyber Security News.

Source: cybersecuritynews.com
