research.checkpoint.com 4/20/2026, 1:21:05 PM

Gentlemen RaaS adds ESXi locker, infects 320+ victims worldwide

Threat Actor

The DFIR report from Check Point Research outlines how The Gentlemen, a Go-based ransomware-as-a-service, has attracted affiliates with multi-platform lockers for Windows, Linux, NAS, BSD, and an ESXi variant, and has publicly claimed over 320 victims, most of them infected in 2026.

It notes that during an incident response, an affiliate attempted to deploy SystemBC, a proxy malware, for covert tunnelling and payload delivery; telemetry from the relevant SystemBC command-and-control server revealed a botnet of more than 1,570 victims, predominantly corporate environments.

The operation is described as centrally controlled and highly automated: lockers are deployed through Group Policy, executed remotely via PsExec/WMI/RPC, and accompanied by extensive defence evasion such as disabling Defender, altering firewall rules, and purging event logs. The report also highlights the ESXi variant, which runs on Linux/ESXi hosts and appends a footer to each encrypted file containing an ephemeral ("eph") key and a Gentlemens marker.
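The defence-evasion sequence described above (Defender switched off, firewall rules changed, a PsExec-style service installed, logs cleared) is a useful correlation signal for defenders because the steps land on one host within minutes of each other. The script below is an added example and not code from Check Point Research or from The Gentlemen's tooling: the event records are constructed, the Windows event IDs are the standard ones (Defender 5001, firewall rule added 2004, service install 7045, Security log cleared 1102, System log cleared 104), and the 30-minute window, the three-stage threshold and the `PSEXESVC` service-name check are assumptions chosen for illustration.

```python
"""Correlate defence-evasion stages per host across Windows event records.

Added example: flags a host when several distinct evasion stages occur
within a short window, which is the pattern the report attributes to
The Gentlemen affiliates. Records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, channel, event_id, detail)
SAMPLE_EVENTS = [
    ("2026-03-01T02:10:05", "FS01", "Microsoft-Windows-Windows Defender/Operational", 5001,
     "Real-time protection disabled"),
    ("2026-03-01T02:10:40", "FS01", "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", 2004,
     "rule added: allow any inbound"),
    ("2026-03-01T02:11:02", "FS01", "System", 7045, "service installed: PSEXESVC"),
    ("2026-03-01T02:12:30", "FS01", "Security", 1102, "audit log cleared"),
    # Benign noise on another host: a vendor service and a log clear a day apart.
    ("2026-03-01T09:00:00", "WS07", "System", 7045, "service installed: VendorUpdater"),
    ("2026-03-02T14:00:00", "WS07", "Security", 1102, "audit log cleared"),
]

# (channel, event_id) -> evasion stage it evidences (standard Windows event IDs).
STAGES = {
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_disabled",
    ("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", 2004): "firewall_rule_added",
    ("Security", 1102): "security_log_cleared",
    ("System", 104): "system_log_cleared",
}


def classify(channel, event_id, detail):
    """Map one record to a stage name, or None if it is not of interest.

    Service installs (7045) are only counted when the service name looks like
    PsExec's PSEXESVC (assumption: other service installs are treated as noise).
    """
    if (channel, event_id) == ("System", 7045):
        return "psexec_service" if "PSEXESVC" in detail.upper() else None
    return STAGES.get((channel, event_id))


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: sorted stage names} for hosts where at least `min_stages`
    distinct stages occur within `window` of each other."""
    by_host = defaultdict(list)
    for ts, host, channel, event_id, detail in events:
        stage = classify(channel, event_id, detail)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))

    hits = {}
    for host, recs in by_host.items():
        recs.sort()  # chronological; tuples sort on the datetime first
        for i, (t0, _) in enumerate(recs):
            # Distinct stages seen in the window starting at this record.
            seen = {stage for t, stage in recs[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

On the constructed input only `FS01` is flagged, with all four stages; `WS07` is ignored because its service install is not PsExec-like and its single log clear falls short of the threshold. In practice the channel and event-ID mapping would be extended with the organisation's own EDR and GPO-change telemetry, and the window tuned to how quickly the environment's legitimate administration actually moves.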

Overall, according to Check Point Research, The Gentlemen represents a modular, enterprise‑scale intrusion ecosystem that blends initial access, post‑exploitation, and encryption capabilities for rapid, universal reach.


Article by CyberSIXT
