
The Gentlemen
RaaS operation offering affiliates 90% revenue share; second-most-active globally as of May 2026.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Is The Gentlemen about to overtake the world's most active ransomware group?
Timeline for The Gentlemen
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Cybersecurity: Threats and DefencesHow many victims does The Gentlemen ransomware group have?
Why is The Gentlemen ransomware growing so fast?
What is SystemBC and how does The Gentlemen use it?
Background
The Gentlemen is a ransomware-as-a-service (RaaS) operation that emerged in July–August 2025, distinguished by an unusually affiliate-friendly revenue model offering 90% of ransom receipts to partners — compared with the industry standard of 60–80%. By 6 May 2026, the group had become the second-most-active ransomware operation globally, according to Check Point Research.
Check Point Research gained visibility into the group's operations after identifying and monitoring a SystemBC command-and-control server, surfacing data on 1,570 confirmed victims across multiple sectors and geographies. SystemBC is a proxy malware commonly used by ransomware operators to tunnel C2 traffic and evade network detection. The group's initial access methods are varied; DragonForce and similar affiliates have used RMM tool vulnerabilities as entry points, and The Gentlemen's high revenue share makes it attractive to experienced access brokers.
The combination of aggressive affiliate terms, rapid victim accumulation, and professional C2 infrastructure signals The Gentlemen as one of the higher operational-tempo threats currently active. Its growth from launch to global second-place in under a year follows the pattern of LockBit and ALPHV in their early phases.