Check Point Research provides a detailed technical analysis of The Gentlemen, a ransomware-as-a-service (RaaS) operation that emerged around mid-2025 and has claimed over 320 victims. The report covers an incident response case in which an affiliate deployed SystemBC proxy malware alongside Cobalt Strike for command-and-control, moved laterally via PsExec, WMI and scheduled tasks, and deployed the ransomware at scale through Group Policy. The ransomware is written in Go (Windows, Linux and ESXi variants), uses X25519 key exchange with XChaCha20 encryption, supports partial-file encryption speed modes, and includes built-in spreading, Defender evasion, shadow copy deletion, and log wiping. The report includes full IOCs, YARA rules, and command-line flag documentation.
Table of contents

Key Points
The Gentlemen RaaS
SystemBC Infections
DFIR Report – Timeline
The Gentlemen GO Ransomware
The Gentlemen ESXi Variant
Conclusion
Indicators of Compromise
Yara Rule
Ransomware Note – README-GENTLEMEN.txt
MITRE ATT&CK Matrix