Analysis: 'The Gentlemen' RaaS Operation Climbs to Top of Ransomware Threat Landscape in 2026

'The Gentlemen' Ransomware Group Emerges as a Top-Tier Threat with Advanced TTPs

Severity: HIGH
Published: May 28, 2026
Categories: Ransomware, Threat Actor, Malware

Related Entities

  • Threat Actors: The Gentlemen, Qilin
  • Organizations: NCC Group


Executive Summary

A relatively new ransomware group, The Gentlemen, has rapidly established itself as a major player in the cybercrime ecosystem. Since its emergence in mid-2025, the group has demonstrated significant technical sophistication and operational maturity. By April 2026, NCC Group ranked them as the second most active ransomware operation, responsible for 73 attacks, or 10% of the global total for that month. The group operates a Ransomware-as-a-Service (RaaS) model, providing its affiliates with advanced malware capable of targeting Windows, Linux, and VMware ESXi systems. Their tactics include double extortion and the use of the SystemBC remote access trojan (RAT) to maintain persistence and obfuscate C2 communications. The group's leadership is believed to include experienced actors from other established ransomware ecosystems, contributing to their rapid rise.

Threat Overview

  • Threat Actor: The Gentlemen
  • Leadership / Aliases: Led by 'hastalamuerte' / 'zeta88', a Russian-speaking actor reportedly with past ties to the Qilin ransomware program.
  • Modus Operandi: Ransomware-as-a-Service (RaaS) using a double-extortion model (data encryption + data leak threat).
  • Activity: Over 320 victims claimed in 2026, accounting for 10% of all global ransomware incidents.
  • Victimology: The group targets a wide range of industries, demonstrating a financially motivated, opportunistic approach.

Technical Analysis

The Gentlemen's operation showcases a high degree of technical capability and structured execution.

  • Malware: The core ransomware payload supports multiple operating systems, including Windows, Linux, BSD, and VMware ESXi. It uses a modern and efficient encryption scheme with XChaCha20 and Curve25519 for fast encryption and secure key handling.
  • Initial Access: While not detailed, RaaS affiliates typically use a variety of methods, including phishing (T1566), exploitation of public-facing applications (T1190), and stolen credentials (T1078).
  • Execution & Persistence: Affiliates have been observed deploying SystemBC. This malware functions as a RAT and turns the infected host into a SOCKS5 proxy. This allows the attackers to route their traffic through the compromised machine, effectively hiding their C2 infrastructure (T1090 - Proxy).
  • Lateral Movement: The use of SystemBC facilitates lateral movement within the victim network by allowing attackers to tunnel tools like RDP through the proxy.
  • Impact: The group performs double extortion (T1486 - Data Encrypted for Impact and T1041 - Exfiltration Over C2 Channel). They exfiltrate sensitive data before encrypting files, then threaten to publish the data on their leak site to pressure victims into paying the ransom.

Impact Assessment

The Gentlemen represents a significant threat due to its combination of technical prowess and operational discipline. Their business-like approach, featuring controlled communications and selective targeting, suggests a focus on maximizing financial returns. The attack on a UK software consultancy, followed by an attack on its client, demonstrates a sophisticated understanding of pressure tactics and supply chain dynamics. The group's ability to compromise and extort over 320 organizations in a single year indicates a highly effective and scalable operation. The leak of their own internal communications in May 2026, while embarrassing for the group, provided valuable intelligence to researchers but is unlikely to halt their operations permanently.

IOCs — Directly from Articles

No specific technical indicators of compromise (IPs, domains, hashes) were mentioned in the source articles.

Cyber Observables — Hunting Hints

The following patterns could indicate related activity; security teams may want to hunt for them:

  • Type: process_name
    Value: SystemBC malware executable
    Description: The executable name for SystemBC can vary, but monitoring for new, unsigned executables creating SOCKS5 proxy connections is key.
    Context: EDR / Process Monitoring

  • Type: network_traffic_pattern
    Value: Outbound connections to known Tor nodes
    Description: SystemBC often uses Tor for C2. Monitor for outbound connections to Tor entry nodes from servers and workstations.
    Context: Network Monitoring / Firewall Logs

  • Type: command_line_pattern
    Value: vssadmin.exe delete shadows
    Description: A common ransomware precursor TTP to prevent easy recovery.
    Context: Command Line Auditing

  • Type: file_name
    Value: *.cha (example extension)
    Description: Monitor for widespread, rapid file renaming with a consistent, unknown extension, indicating encryption.
    Context: File Integrity Monitoring

Detection & Response

  • Detecting SystemBC: Monitor for the creation of new services or scheduled tasks for persistence. Analyze network traffic for connections on non-standard ports or traffic patterns consistent with SOCKS proxying. D3FEND's Network Traffic Analysis is critical here.
  • Ransomware Detection: Use EDR and FIM solutions to detect ransomware behavior, such as rapid file modification/encryption and the deletion of volume shadow copies. D3FEND's File Analysis can identify these patterns.
  • Incident Response: If an infection is suspected, immediately isolate the affected hosts from the network to prevent lateral movement. Preserve forensic evidence and activate the incident response plan. Do not reboot encrypted systems, as this may destroy volatile evidence.
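The hunting hints above and the detection guidance in this section can be turned into three concrete checks over EDR, network and file-integrity telemetry. The script below is an added example written for this article, not code from the original page or from NCC Group; all of its log records, host names, process names, IP addresses and the "Tor node" list are constructed placeholders, and the field names (ts, host, pid, image, signed, cmdline, dst, old, new) are assumed export formats rather than any vendor's schema. It flags shadow-copy deletion command lines, bursts of renames to one consistent new extension, and unsigned processes whose outbound connections reach a listed Tor node or fan out to many destinations.

```python
"""Hunting checks for the observables in this report (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime

# --- Constructed sample telemetry; none of these values are real indicators ---
# Process-creation records, as an EDR might export them (assumed field names).
PROCESS_EVENTS = [
    {"ts": "2026-05-20T09:12:01", "host": "WS-014", "pid": 4120,
     "image": r"C:\Windows\System32\vssadmin.exe", "signed": True,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-05-20T09:12:05", "host": "WS-014", "pid": 4188,
     "image": r"C:\Users\Public\svchosts.exe", "signed": False,   # constructed lookalike name
     "cmdline": "svchosts.exe"},
    {"ts": "2026-05-20T09:13:00", "host": "WS-022", "pid": 3011,
     "image": r"C:\Program Files\Backup\agent.exe", "signed": True,
     "cmdline": "agent.exe --sync"},
]

# Outbound connections keyed to the originating process (assumed field names).
NETWORK_EVENTS = [
    {"host": "WS-014", "pid": 4188, "dst": "203.0.113.10", "dport": 9050},
    {"host": "WS-014", "pid": 4188, "dst": "198.51.100.7", "dport": 443},
    {"host": "WS-014", "pid": 4188, "dst": "198.51.100.8", "dport": 443},
    {"host": "WS-022", "pid": 3011, "dst": "192.0.2.50", "dport": 443},
]

# Constructed stand-in for a Tor node feed (documentation-range addresses only).
TOR_NODES = {"203.0.113.10", "203.0.113.11"}

# File rename records from a file-integrity monitor: 30 renames to ".cha" on
# WS-014 within 15 seconds (constructed), plus 3 benign renames on WS-022.
FILE_EVENTS = [
    {"ts": f"2026-05-20T09:12:{10 + i // 2:02d}", "host": "WS-014",
     "old": f"D:\\share\\report{i}.docx", "new": f"D:\\share\\report{i}.docx.cha"}
    for i in range(30)
] + [
    {"ts": f"2026-05-20T10:00:{i:02d}", "host": "WS-022",
     "old": f"C:\\temp\\job{i}.tmp", "new": f"C:\\temp\\job{i}.log"}
    for i in range(3)
]

# Hunt 1: command_line_pattern "vssadmin.exe delete shadows".
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)


def find_shadow_copy_deletion(events):
    """Return (host, cmdline) for every process that deleted volume shadow copies."""
    return [(e["host"], e["cmdline"]) for e in events if SHADOW_DELETE.search(e["cmdline"])]


# Hunt 2: file_name. A host renaming >= threshold files to the same new
# extension inside a sliding window is treated as an encryption burst.
def find_rename_bursts(events, window_seconds=60, threshold=20):
    """Return (host, new_extension, count_in_window) for each burst detected."""
    per_key = defaultdict(list)
    for e in events:
        ext = e["new"].rsplit(".", 1)[-1].lower() if "." in e["new"] else ""
        if ext and not e["old"].lower().endswith("." + ext):  # extension really changed
            per_key[(e["host"], ext)].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for (host, ext), times in per_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # classic two-pointer sliding window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((host, ext, best))
    return hits


# Hunt 3: process_name + network_traffic_pattern. Unsigned images whose outbound
# traffic reaches a listed Tor node, or fans out to many destinations the way a
# SOCKS5 proxy would, are surfaced for analyst review.
def find_proxy_candidates(proc_events, net_events, tor_nodes, min_dests=3):
    """Return (host, image, reason, sorted_destinations) for each suspicious process."""
    by_proc = defaultdict(set)
    for n in net_events:
        by_proc[(n["host"], n["pid"])].add(n["dst"])
    hits = []
    for p in proc_events:
        dests = by_proc.get((p["host"], p["pid"]), set())
        tor_hits = dests & tor_nodes
        if not p["signed"] and (tor_hits or len(dests) >= min_dests):
            reason = "tor-node" if tor_hits else "fan-out"
            hits.append((p["host"], p["image"], reason, sorted(dests)))
    return hits


if __name__ == "__main__":
    print("shadow copy deletion:", find_shadow_copy_deletion(PROCESS_EVENTS))
    print("rename bursts:", find_rename_bursts(FILE_EVENTS))
    print("proxy candidates:", find_proxy_candidates(PROCESS_EVENTS, NETWORK_EVENTS, TOR_NODES))
```

On the constructed data the script reports the vssadmin command on WS-014, a burst of 30 renames to the "cha" extension on the same host, and the unsigned svchosts.exe process as a Tor-node contact; the benign .tmp-to-.log renames on WS-022 and the signed backup agent produce nothing. The window and threshold values are starting points to tune against a baseline of normal rename activity, and the Tor list must come from a maintained feed rather than a static set.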

Mitigation

  1. Backup and Recovery (M1053 - Data Backup): Maintain regular, tested, and offline backups. This is the most critical defense against ransomware impact.
  2. Restrict Web-Based Content (M1021 - Restrict Web-Based Content): Filter network traffic to block connections to known malicious domains and Tor nodes used by malware like SystemBC.
  3. Execution Prevention (M1038 - Execution Prevention): Use application control policies to prevent the execution of unauthorized software, including RATs like SystemBC.
  4. Update Software (M1051 - Update Software): Patch all systems, especially public-facing applications, to prevent exploitation as an initial access vector.
  5. Multi-factor Authentication (M1032 - Multi-factor Authentication): Enforce MFA on all remote access services (VPN, RDP) and critical accounts to prevent credential abuse.

Timeline of Events

  1. May 28, 2026: This article was published.

MITRE ATT&CK Mitigations

  • The most effective defense against the impact of ransomware is having robust, tested, and offline/immutable backups.
  • Use application allowlisting to prevent unauthorized executables like SystemBC and other malware from running.
  • Implement egress filtering to block outbound connections to known malicious infrastructure, including Tor nodes often used by SystemBC.
  • Keep all software and systems patched to minimize the attack surface available to RaaS affiliates for initial access.

Article Author

Jason Gomes


Tags: RaaS, The Gentlemen, SystemBC, double extortion, XChaCha20, threat actor, cybercrime
