Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/Threats/Gentlemen RaaS Attacks Windows, Linux, and ESXi With New C-Based Locker
Threats

Gentlemen RaaS Attacks Windows, Linux, and ESXi With New C-Based Locker

Key Takeaways A new ransomware-as-a-service (RaaS) named “The Gentlemen” is actively targeting corporate networks across Windows, Linux, and ESXi environments. The group utilizes a...

David kimber
David kimber
April 21, 2026 4 Min Read
34 0

Key Takeaways

  • A new ransomware-as-a-service (RaaS) named “The Gentlemen” is actively targeting corporate networks across Windows, Linux, and ESXi environments.
  • The group utilizes a sophisticated, multi-platform toolkit, including Go-based lockers for various operating systems and a dedicated C-based locker for VMware ESXi hypervisors.
  • Since its emergence in mid-2025, The Gentlemen has claimed over 320 victims, demonstrating rapid expansion and a highly organized operational structure.
  • Attacks involve extensive reconnaissance, lateral movement using stolen domain credentials, disabling security tools, and wiping forensic evidence before encrypting data.

The Gentlemen RaaS: A New Cross-Platform Threat Emerges

A formidable new ransomware-as-a-service (RaaS) operation, dubbed “The Gentlemen,” has surfaced, presenting a significant and adaptable threat to enterprise infrastructure. This sophisticated group distinguishes itself by deploying specialized ransomware variants designed to compromise Windows, Linux, and ESXi environments simultaneously, maximizing impact on targeted organizations.

Table Of Content

  • Key Takeaways
  • The Gentlemen RaaS: A New Cross-Platform Threat Emerges
  • Multi-Platform Ransomware Capabilities
  • A Structured Criminal Enterprise
  • Infection Mechanism and Lateral Movement
  • What You Should Do

First observed in mid-2025, The Gentlemen RaaS quickly scaled its operations, publicly claiming more than 320 victims. A substantial portion of these attacks, over 240, occurred within the initial months of 2026 alone. This rapid expansion suggests robust affiliate recruitment and a highly capable leadership orchestrating the criminal enterprise.

Multi-Platform Ransomware Capabilities

The core strength of The Gentlemen lies in its diverse arsenal of ransomware tools, engineered for broad compatibility. The group provides its affiliates with lockers written in the Go programming language, capable of operating across Windows, Linux, Network Attached Storage (NAS), and BSD systems. Crucially, it also offers a distinct locker developed in C, specifically tailored to attack VMware ESXi hypervisors. This cross-platform approach enables affiliates to inflict widespread damage within a single campaign, impacting both traditional endpoints and critical virtualization infrastructure that many businesses rely upon, as detailed in a research report.

A Structured Criminal Enterprise

The Gentlemen operates with the structure of a professional business. Its operators actively recruit technically proficient individuals as affiliates through advertisements on underground forums. These verified partners gain access to advanced tools, including those designed to disable Endpoint Detection and Response (EDR) solutions, and a private pivot infrastructure.

Victim data is published on a dedicated dark web leak site if ransom demands are not met. Negotiations are conducted privately via Tox, an encrypted peer-to-peer messaging protocol. The group also maintains an active presence on Twitter/X, which is referenced in their ransom notes, publicly naming victims to escalate pressure for payment.

Check Point Research analysts first identified the malware during an incident response engagement. They observed an affiliate deploying SystemBC, a proxy malware, on a compromised host. Telemetry from the SystemBC command-and-control server revealed a botnet of over 1,570 victims worldwide. The United States accounts for the largest share of these victims, followed by the United Kingdom and Germany. This victim distribution strongly indicates a deliberate focus on organizational targets rather than individual users.

Infection Mechanism and Lateral Movement

Check Point’s analysis of an active incident provides insight into the meticulously planned intrusion flow. Initial activity indicated the attacker had already secured Domain Admin privileges on a Domain Controller. From this vantage point, Cobalt Strike payloads were deployed to remote systems via administrative shares, using randomly named executables. Early commands, such as systeminfo, whoami, and directory listings, confirmed the attacker’s methodical reconnaissance of the environment before expanding their reach.

For lateral movement, the ransomware leverages a built-in spread argument that accepts harvested domain credentials. It then enumerates all domain computers through Active Directory, pings each host to verify connectivity, and delivers the ransomware binary via six concurrent channels: PsExec, WMI, remote scheduled tasks, remote services, and PowerShell-based execution methods.

Before initiating encryption on each target, the attackers take several steps to disable defenses and hinder recovery. These include disabling Windows Defender, adding broad path exclusions for the entire C: drive, shutting down the firewall, and re-enabling SMB1. Shadow copies are deleted to prevent file restoration, and event logs are wiped to eliminate forensic evidence. For final deployment, the group exploits Group Policy Objects to push the ransomware to all domain-joined machines simultaneously.

The ESXi locker specifically targets virtualized environments. It first shuts down all virtual machines, releasing locks on virtual disk files, before commencing encryption. To maintain persistence, the locker copies itself to /bin/.vmware-authd, impersonating a legitimate VMware daemon.

What You Should Do

  • Enforce Multi-Factor Authentication (MFA): Implement MFA for all administrative accounts, remote access endpoints, and critical systems.
  • Implement Network Segmentation: Segment your network to limit an attacker’s lateral movement, even if domain-level access is compromised.
  • Protect Security Tools: Configure Windows Defender and firewall policies with tamper-resistant settings to prevent attackers from disabling them.
  • Isolate Backups: Ensure backup systems are offline or logically isolated from the primary network, as this ransomware actively targets and terminates backup-related services. Regularly test backup and recovery procedures.
  • Monitor for Anomalous Activity: Watch for unusual scheduled task creation, lateral movement attempts via administrative shares, and PowerShell commands that disable real-time monitoring or modify Local Security Authority (LSA) registry settings.
  • Principle of Least Privilege: Restrict user and service account permissions to the minimum necessary for their functions.
  • Patch and Update: Keep all operating systems, applications, and hypervisors fully patched and updated to remediate known vulnerabilities.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareransomwareSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

AI Exploitation Narrows Patch Window, Posing New Threat to Defenders

Next Post

Critical FortiGate SSL VPN Vulnerability (CVE-2022-42475) Exploited in Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us