Aliases 

  • No confirmed aliases at this time. The group operates exclusively under “The Gentlemen” branding across underground forums, its dark web leak site, and a public X/Twitter account. 


Profiling 

Threat Actor Type: Ransomware-as-a-Service (RaaS) with a rapidly expanding affiliate network.

Structure: Core operators maintain the RaaS platform, tooling, and affiliate infrastructure. Verified partners are recruited from underground forums (specifically soliciting “penetration testers” and other technically skilled actors) and provided with a full locker portfolio, EDR-killing tools, and proprietary multi-chain pivot infrastructure.  

  • Administrator: The RaaS program is run by zeta88 (aka hastalamuerte), assessed as the core operator responsible for infrastructure, locker development, the RaaS panel, and payout management.
    • Leaked internal discussions indicate a coordinated operational network centered on the administrator zeta88/hastalamuerte, with defined roles for target sourcing, intrusion operations, tooling/EDR kill distribution, and negotiation/payout handling. Check Point identified 8 distinct affiliate TOX IDs across 29 discovered campaigns, and observed the administrator’s TOX ID appearing in multiple infections, suggesting the admin may directly participate in some intrusions rather than operating purely as platform owner.

Zeta88 advertising The Gentlemen’s RaaS.

Expertise: Deliberate, purpose-built cross-platform coverage. The group provides separate encryptors optimized for each target environment: a Go-based locker for Windows, Linux, NAS, and BSD, and a dedicated C-based encryptor purpose-built for VMware ESXi hypervisors.  

  • The ESXi locker is engineered for speed and reliability — it executes a controlled VM shutdown sequence, optionally uses intermittent encryption on large files to accelerate attack timelines, and establishes persistence on the hypervisor by masquerading as a legitimate VMware process.  
  • Internal communications show affiliates actively exchanging techniques related to credential abuse, EDR evasion, and enterprise access pathways, reinforcing the group’s focus on operational execution over novel exploit development. 

The Gentlemen ransom note.

Motivations 

Financial gain via ransomware encryption and data extortion. 

 

Timeline & Victimology 

Mid-2025 – Emergence  

The Gentlemen RaaS launches, advertising across underground forums and recruiting affiliates with promises of cross-platform tooling, EDR-killing capabilities, and proprietary pivot infrastructure. The group targets corporate environments from the outset. 

Late 2025 – Early Victims & Escalation  

Attack cadence accelerates as affiliate recruitment gains traction. Notable confirmed incident: December 2025 — The Gentlemen compromise the Oltenia Energy Complex, one of Romania’s largest energy providers. 

Early 2026 – Explosive Growth  

More than 240 of the group’s 320+ claimed victims are recorded in the first months of 2026, indicating a significant expansion in active affiliates. The group’s dark web leak site, X/Twitter account, and Tox-based negotiation infrastructure are all operational and actively maintained. 

April 2026 – Check Point Research Exposure  

During an active incident response engagement, Check Point Research identifies a Gentlemen affiliate deploying SystemBC proxy malware — a tool commonly associated with human-operated ransomware operations for covert tunneling and payload staging. Analysis of the SystemBC C2 server reveals a botnet of over 1,570 compromised hosts, predominantly corporate and organizational victims across the United States, United Kingdom, and Germany. The Adaptavist Group publicly discloses a breach linked to The Gentlemen in the same period. 

May 2026 – Internal Breach Exposes Operations 

The Gentlemen ransomware group suffered a significant breach of its own internal systems, providing rare visibility into the inner workings of a modern ransomware-as-a-service (RaaS) operation. Researchers from Check Point Research (CPR) gained access to backend infrastructure, affiliate activity, and victim management systems after the group’s internal database was compromised.

The leaked data included internal chats and operational databases, revealing: 

  • Active discussions among affiliates on attack techniques and credential abuse 
  • Use of EDR-killing tools and enterprise access methods 
  • Coordination of victim management and ransomware deployment workflows  

The breach also confirmed that The Gentlemen’s true scale is significantly larger than publicly disclosed, with intelligence pointing to over 1,570 victims, far exceeding counts listed on its leak site. Despite this exposure, the group has remained operational and continues to expand, reportedly forming partnerships with underground platforms such as BreachForums to support ongoing activity.

 

Tactics & Techniques  

Initial Access  

  • Exploitation of internet-facing services or compromised credentials — precise vector unconfirmed in observed incidents (T1190 / T1078) 

Execution & Lateral Movement  

  • Cobalt Strike via admin shares (T1021.002), PsExec / WMI / remote scheduled tasks / PowerShell (T1047 / T1053 / T1059)  
  • Built-in –spread argument for AD-wide propagation (T1570) 
  • Mimikatz credential harvesting (T1003), GPO abuse for domain-wide simultaneous deployment (T1484.001) 

Command & Control  

  • Cobalt Strike C2 over 443/80 (T1071.001) 
  • SystemBC SOCKS5 proxy tunneling (T1090) 

Defense Evasion  

  • Defender disabled via PowerShell (T1562.001) 
  • RaaS-supplied EDR-killing tools (T1562) 
  • Randomized payload filenames (T1036) 
  • ESXi locker masquerades as /bin/.vmware-authd (T1036.005) 

Persistence  

  • AnyDesk with hardcoded password (T1219) 
  • RDP enabled via registry (T1021.001) 
  • ESXi process masquerading (T1036.005) 

Impact  

  • Encryption across Windows / Linux / NAS / BSD / ESXi (T1486) 
  • Shadow Copy deletion and backup service termination — Veeam and others (T1490) 
  • Event log wiping (T1070.001) 
  • Double extortion via leak site and public X/Twitter naming (T1041) 

 

Defensive Recommendations Against The Gentlemen

The Gentlemen’s ESXi locker operates outside the visibility of Windows-centric endpoint tools. Key mitigations specific to the hypervisor: 

  • Monitor for unexpected VM power-off events, especially in bulk — this is the first step of the ESXi encryption chain. 
  • Alert on esxcli being invoked to enumerate or terminate VMs outside of change windows. 
  • Audit ESXi binaries in /bin/ for unexpected or recently modified files; the locker masquerades as /bin/.vmware-authd. 
  • Disable SSH on ESXi hosts when not actively needed, and enforce MFA on all remote ESXi access paths. 
  • Deploy runtime behavioral detection at the hypervisor layer capable of identifying VM enumeration, mass shutdown, and encryption patterns that bypass guest-level agents. 
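The first three recommendations above can be checked against ESXi host logs before a hypervisor-layer product is in place. The following is an added example, not code from the original profile or from Check Point: it runs three detections over constructed sample lines (bulk VM power-off, esxcli/vim-cmd VM enumeration or kill outside an assumed change window, and any reference to the /bin/.vmware-authd masquerade path). The log formats and the change-window hours are assumptions to adapt to your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on ESXi shell.log (command audit) and
# hostd.log (VM state changes); real formats vary by build, so adapt the regexes.
SAMPLE_LOG = """\
2026-04-02T01:10:03Z shell[2231]: [root]: vim-cmd vmsvc/getallvms
2026-04-02T01:10:05Z shell[2231]: [root]: esxcli vm process list
2026-04-02T01:10:07Z shell[2231]: [root]: esxcli vm process kill --type=force --world-id=2100412
2026-04-02T01:10:08Z hostd[2100]: State Transition (VM_STATE_ON -> VM_STATE_OFF) vm=fileserver01
2026-04-02T01:10:09Z hostd[2100]: State Transition (VM_STATE_ON -> VM_STATE_OFF) vm=dc01
2026-04-02T01:10:10Z hostd[2100]: State Transition (VM_STATE_ON -> VM_STATE_OFF) vm=erp-db
2026-04-02T01:10:15Z shell[2231]: [root]: /bin/.vmware-authd
2026-04-02T22:30:00Z shell[3100]: [root]: esxcli vm process list
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
VM_CMD_RE = re.compile(r"\b(esxcli vm process (list|kill)|vim-cmd vmsvc/)")
POWEROFF_RE = re.compile(r"VM_STATE_ON -> VM_STATE_OFF\) vm=(\S+)")
MASQ_RE = re.compile(r"/bin/\.vmware-authd")

def parse(text):
    """Yield (timestamp, message) for each line with a parseable UTC timestamp."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2)

def vm_commands_outside_window(text, change_window=(22, 23)):
    """VM enumeration/kill commands outside the approved hours (assumed window, start inclusive)."""
    start, end = change_window
    return [msg for ts, msg in parse(text)
            if VM_CMD_RE.search(msg) and not (start <= ts.hour < end)]

def bulk_poweroff(text, threshold=3, window=timedelta(seconds=60)):
    """Names of VMs powered off in a burst of at least `threshold` within `window`."""
    events = []
    for ts, msg in parse(text):
        m = POWEROFF_RE.search(msg)
        if m:
            events.append((ts, m.group(1)))
    for i, (t0, _) in enumerate(events):
        burst = [name for ts, name in events[i:] if ts - t0 <= window]
        if len(burst) >= threshold:
            return burst
    return []

def masquerade_hits(text):
    """Lines referencing the path the ESXi locker hides behind."""
    return [msg for _, msg in parse(text) if MASQ_RE.search(msg)]
```

The 22:30 enumeration in the sample falls inside the assumed change window and is not flagged, while the 01:10 burst trips all three checks.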

 

References 

BleepingComputer. The Gentlemen Ransomware Now Uses SystemBC for Bot-Powered Attacks. https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/

Check Point Research. DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy. https://research.checkpoint.com/2026/dfir-report-the-gentlemen/

Cyber Security News. Gentlemen RaaS Attacking Windows, Linux With Additional Locker Written in C for ESXi. https://cybersecuritynews.com/gentlemen-raas-attacking-windows-linux/

Cyberpress. Gentlemen RaaS Adds C-Based ESXi Locker to Cross-Platform Attacks. https://cyberpress.org/gentlemen-adds-esxi-locker/

GBHackers. Gentlemen RaaS Hits Windows, Linux, and ESXi With New C-Based Locker. https://gbhackers.com/gentlemen-raas-hits-windows/

Infosecurity Magazine. The Gentlemen Ransomware Expands With Rapid Affiliate Growth. https://www.infosecurity-magazine.com/news/gentlemen-ransomware-rapid/

Ransomware.live. The Gentlemen. https://www.ransomware.live/group/thegentlemen

SC Media. Ransomware group ‘The Gentlemen’ suffers internal breach, exposing operations. Published May 18, 2026. https://www.scworld.com/brief/ransomware-group-the-gentlemen-suffers-internal-breach-exposing-operations

The Hacker News. SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation. https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html