
The Gentlemen
RaaS operation offering affiliates 90% revenue share; second-most-active globally as of May 2026.
Last refreshed: 8 May 2026
- How many victims does The Gentlemen ransomware group have?
  - Check Point Research identified at least 1,570 confirmed victims after gaining visibility into a SystemBC C2 server used by The Gentlemen, as of May 2026. Source: Check Point Research
- Why is The Gentlemen ransomware growing so fast?
  - The group offers affiliates 90% of ransom receipts, significantly above the 60–80% industry norm, attracting experienced ransomware operators and access brokers quickly. Source: Check Point Research
- What is SystemBC and how does The Gentlemen use it?
  - SystemBC is proxy malware that tunnels C2 traffic to evade network detection. The Gentlemen uses it to maintain persistent access to victim networks and coordinate ransomware deployment. Source: Check Point Research
- Who is behind The Gentlemen ransomware group?
  - The group's operators have not been publicly identified or attributed to a nation-state. It operates as a RaaS with anonymous affiliates accessing the platform in exchange for sharing ransom proceeds.
Background
The Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged in July–August 2025, distinguished by an unusually affiliate-friendly revenue model offering 90% of ransom receipts to partners — compared with the industry standard of 60–80%. By 6 May 2026, the group had become the second-most-active ransomware operation globally, according to Check Point Research.
Check Point Research gained visibility into the group's operations after identifying and monitoring a SystemBC command-and-control (C2) server, surfacing data on 1,570 confirmed victims across multiple sectors and geographies. SystemBC is proxy malware commonly used by ransomware operators to tunnel C2 traffic and evade network detection. The group's initial access methods are varied; DragonForce and similar affiliates have used RMM tool vulnerabilities as entry points, and The Gentlemen's high revenue share makes it attractive to experienced access brokers.
The combination of aggressive affiliate terms, rapid victim accumulation, and professional C2 infrastructure marks The Gentlemen as one of the higher operational-tempo threats currently active. Its growth from launch to second place globally in under a year follows the pattern of LockBit and ALPHV in their early phases.