Gentlemen RaaS Attacks Windows, Linux, and ESXi With New C-Based Locker
Key Takeaways A new ransomware-as-a-service (RaaS) named “The Gentlemen” is actively targeting corporate networks across Windows, Linux, and ESXi environments. The group utilizes a...
Key Takeaways
- A new ransomware-as-a-service (RaaS) named “The Gentlemen” is actively targeting corporate networks across Windows, Linux, and ESXi environments.
- The group utilizes a sophisticated, multi-platform toolkit, including Go-based lockers for various operating systems and a dedicated C-based locker for VMware ESXi hypervisors.
- Since its emergence in mid-2025, The Gentlemen has claimed over 320 victims, demonstrating rapid expansion and a highly organized operational structure.
- Attacks involve extensive reconnaissance, lateral movement using stolen domain credentials, disabling security tools, and wiping forensic evidence before encrypting data.
The Gentlemen RaaS: A New Cross-Platform Threat Emerges
A formidable new ransomware-as-a-service (RaaS) operation, dubbed “The Gentlemen,” has surfaced, presenting a significant and adaptable threat to enterprise infrastructure. This sophisticated group distinguishes itself by deploying specialized ransomware variants designed to compromise Windows, Linux, and ESXi environments simultaneously, maximizing impact on targeted organizations.
Table Of Content
First observed in mid-2025, The Gentlemen RaaS quickly scaled its operations, publicly claiming more than 320 victims. A substantial portion of these attacks, over 240, occurred within the initial months of 2026 alone. This rapid expansion suggests robust affiliate recruitment and a highly capable leadership orchestrating the criminal enterprise.
Multi-Platform Ransomware Capabilities
The core strength of The Gentlemen lies in its diverse arsenal of ransomware tools, engineered for broad compatibility. The group provides its affiliates with lockers written in the Go programming language, capable of operating across Windows, Linux, Network Attached Storage (NAS), and BSD systems. Crucially, it also offers a distinct locker developed in C, specifically tailored to attack VMware ESXi hypervisors. This cross-platform approach enables affiliates to inflict widespread damage within a single campaign, impacting both traditional endpoints and critical virtualization infrastructure that many businesses rely upon, as detailed in a research report.
A Structured Criminal Enterprise
The Gentlemen operates with the structure of a professional business. Its operators actively recruit technically proficient individuals as affiliates through advertisements on underground forums. These verified partners gain access to advanced tools, including those designed to disable Endpoint Detection and Response (EDR) solutions, and a private pivot infrastructure.
Victim data is published on a dedicated dark web leak site if ransom demands are not met. Negotiations are conducted privately via Tox, an encrypted peer-to-peer messaging protocol. The group also maintains an active presence on Twitter/X, which is referenced in their ransom notes, publicly naming victims to escalate pressure for payment.
Check Point Research analysts first identified the malware during an incident response engagement. They observed an affiliate deploying SystemBC, a proxy malware, on a compromised host. Telemetry from the SystemBC command-and-control server revealed a botnet of over 1,570 victims worldwide. The United States accounts for the largest share of these victims, followed by the United Kingdom and Germany. This victim distribution strongly indicates a deliberate focus on organizational targets rather than individual users.
Infection Mechanism and Lateral Movement
Check Point’s analysis of an active incident provides insight into the meticulously planned intrusion flow. Initial activity indicated the attacker had already secured Domain Admin privileges on a Domain Controller. From this vantage point, Cobalt Strike payloads were deployed to remote systems via administrative shares, using randomly named executables. Early commands, such as systeminfo, whoami, and directory listings, confirmed the attacker’s methodical reconnaissance of the environment before expanding their reach.
For lateral movement, the ransomware leverages a built-in spread argument that accepts harvested domain credentials. It then enumerates all domain computers through Active Directory, pings each host to verify connectivity, and delivers the ransomware binary via six concurrent channels: PsExec, WMI, remote scheduled tasks, remote services, and PowerShell-based execution methods.
Before initiating encryption on each target, the attackers take several steps to disable defenses and hinder recovery. These include disabling Windows Defender, adding broad path exclusions for the entire C: drive, shutting down the firewall, and re-enabling SMB1. Shadow copies are deleted to prevent file restoration, and event logs are wiped to eliminate forensic evidence. For final deployment, the group exploits Group Policy Objects to push the ransomware to all domain-joined machines simultaneously.
The ESXi locker specifically targets virtualized environments. It first shuts down all virtual machines, releasing locks on virtual disk files, before commencing encryption. To maintain persistence, the locker copies itself to /bin/.vmware-authd, impersonating a legitimate VMware daemon.
What You Should Do
- Enforce Multi-Factor Authentication (MFA): Implement MFA for all administrative accounts, remote access endpoints, and critical systems.
- Implement Network Segmentation: Segment your network to limit an attacker’s lateral movement, even if domain-level access is compromised.
- Protect Security Tools: Configure Windows Defender and firewall policies with tamper-resistant settings to prevent attackers from disabling them.
- Isolate Backups: Ensure backup systems are offline or logically isolated from the primary network, as this ransomware actively targets and terminates backup-related services. Regularly test backup and recovery procedures.
- Monitor for Anomalous Activity: Watch for unusual scheduled task creation, lateral movement attempts via administrative shares, and PowerShell commands that disable real-time monitoring or modify Local Security Authority (LSA) registry settings.
- Principle of Least Privilege: Restrict user and service account permissions to the minimum necessary for their functions.
- Patch and Update: Keep all operating systems, applications, and hypervisors fully patched and updated to remediate known vulnerabilities.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.