

Ethical Hacking News

The Gentlemen Ransomware Operation: Unveiling the Scale and Sophistication of a Highly Effective Cybercrime Scheme




A recent report from Check Point has revealed that over 1,570 victims have been compromised by The Gentlemen ransomware operation, one of the most prolific and successful ransomware groups to date. This article provides an in-depth examination of this operation, exploring its tactics, techniques, and procedures (TTPs), as well as providing insights into the broader ransomware ecosystem.

The Gentlemen ransomware operation relies on a sophisticated command-and-control (C2) server for the SystemBC proxy malware; this server has been instrumental in coordinating the deployment of SystemBC on compromised hosts. The group's tactics include leveraging legitimate drivers and custom tools to subvert defenses, as well as utilizing Group Policy Objects (GPOs) to facilitate domain-wide compromise.

The findings from Check Point provide valuable insights into the growing trend of ransomware attacks, with attackers increasingly adopting more refined strategies and tactics. This article aims to shed light on The Gentlemen operation and its broader implications for cybersecurity professionals worldwide.






The cybercrime landscape has witnessed numerous developments in recent years, with ransomware operations emerging as a significant threat to individuals, organizations, and governments worldwide. The latest findings from Check Point have shed light on a particularly notable operation, dubbed "The Gentlemen," which has left over 1,570 victims across the globe. This article aims to delve into the intricacies of this operation, exploring its tactics, techniques, and procedures (TTPs), as well as providing insights into the broader ransomware ecosystem.

At the heart of The Gentlemen operation lies a sophisticated command-and-control (C2) server for the SystemBC proxy malware. This C2 server has been instrumental in coordinating the deployment of SystemBC on compromised hosts, resulting in the exploitation of numerous victims across diverse regions. According to Check Point, SystemBC establishes SOCKS5 network tunnels within the victim's environment and connects to its C2 server using a custom RC4-encrypted protocol. Furthermore, the malware can download and execute additional payloads, including malicious tools written in Go that are designed to evade security solutions.

The Gentlemen ransomware operation has demonstrated an unusual level of sophistication, with attackers leveraging legitimate drivers and custom tools to subvert defenses. This approach has allowed the group to target a wide range of systems, including Windows, Linux, NAS, and BSD environments. The use of Group Policy Objects (GPOs) has also been identified as a key tactic in facilitating domain-wide compromise.

The operation's success can be attributed, in part, to its ability to tailor tactics against specific security vendors. Trend Micro noted that "By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets' environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation." This level of sophistication is reminiscent of more established ransomware groups, such as REvil and GandCrab.

The findings from Check Point provide valuable insights into the tactics employed by The Gentlemen. According to Eli Smadja, group manager at Check Point Research, "Most ransomware groups make noise when they launch and then disappear. The Gentlemen are different." He further highlighted that the group has cracked the affiliate recruitment problem by offering a better deal than anyone else in the criminal ecosystem.

The operation's scope is equally impressive, with an estimated 1,570 compromised corporate networks identified. This number represents a significant increase from previous reports, which often focused on smaller-scale operations. The Gentlemen ransomware operation is undoubtedly one of the most prolific and successful ransomware groups to date.

The broader ransomware ecosystem has also witnessed significant developments in recent months. Rapid7 recently published its findings on another relatively new ransomware family called Kyber, which targets Windows and VMware ESXi infrastructures using encryptors developed in Rust and C++. This highlights a growing trend towards specialization over sophistication among ransomware groups.

Cybersecurity company Halcyon noted that "The threat continues to mature into something more disciplined and a business-driven criminal enterprise, even as ransomware attacks targeting the automotive industry more than doubled in 2025." This observation underscores the evolving nature of the ransomware landscape, with attackers increasingly adopting more refined strategies and tactics.

The growing prevalence of ransomware attacks has significant implications for individuals, organizations, and governments worldwide. The average time to detect a ransomware attack is now mere hours, down from days in previous years. Furthermore, the rise of "akai" - an unusual type of ransomware attack that uses a combination of exploits and custom tools to quickly compromise systems - poses a significant threat to cybersecurity professionals.

The findings from Check Point provide valuable insights into the tactics employed by The Gentlemen operation, as well as broader trends in the ransomware ecosystem. As attackers continue to refine their strategies and tactics, it is essential for organizations to remain vigilant and proactive in defending against these threats.



Related Information:

  • https://www.ethicalhackingnews.com/articles/The-Gentlemen-Ransomware-Operation-Unveiling-the-Scale-and-Sophistication-of-a-Highly-Effective-Cybercrime-Scheme-ehn.shtml

  • Published: Tue Apr 21 15:40:16 2026 by llama3.2 3B Q4_K_M












