The Gentlemen RaaS Attacks Windows, Linux, and ESXi
A new ransomware-as-a-service (RaaS) operation, dubbed “The Gentlemen,” has emerged as a significant threat to corporate networks, demonstrating cross-platform capabilities. This sophisticated RaaS targets Windows, Linux, and ESXi environments, using a distinct locker for each. Notably, it employs an additional locker written in C specifically designed for ESXi systems.
Since appearing around mid-2025, this group has rapidly grown into a well-organized criminal platform, publicly claiming over 320 victims, with most attacks — more than 240 — recorded in the opening months of 2026.
The speed at which this group expanded points to strong affiliate recruitment and a technically capable leadership team.
What makes The Gentlemen stand out is its wide range of ransomware tools built to attack multiple operating systems at once.
The group offers lockers written in the Go programming language that work across Windows, Linux, NAS, and BSD environments, along with a separate locker written in C specifically designed to target VMware ESXi hypervisors.
This cross-platform capability allows affiliates to cause maximum damage in a single campaign, hitting both traditional endpoints and the virtualization infrastructure that many organizations depend on.
The operation runs like a structured business. Operators advertise on underground forums, recruiting technically skilled actors as affiliates.

Verified partners receive access to EDR-killing tools and a private pivot infrastructure. Victim data is published on a dark web leak site if the ransom goes unpaid, while negotiations happen privately through Tox, a peer-to-peer encrypted messaging protocol.
The group also runs an active Twitter/X account, referenced in the ransom note, where they name victims publicly to increase payment pressure.

Check Point Research analysts identified the malware during an active incident response engagement, where an affiliate deployed SystemBC, a proxy malware, on a compromised host.

Analysts observed telemetry from the SystemBC command-and-control server, uncovering a botnet of over 1,570 victims globally, with the United States accounting for the majority, followed by the United Kingdom and Germany.
The victim profile strongly suggests deliberate targeting of organizations rather than individuals.
Infection Mechanism and Lateral Movement
The intrusion flow observed by Check Point reveals a carefully staged attack. The earliest confirmed activity showed the attacker already on a Domain Controller with Domain Admin privileges.

From there, Cobalt Strike payloads were pushed to remote systems through administrative shares as randomly named executables.
Initial commands, including systeminfo, whoami, and directory listings, confirmed that the attacker was methodically mapping the environment before expanding further.
To move laterally, the ransomware uses a built-in spread argument that accepts domain credentials harvested during the intrusion.
Once active, it enumerates all domain computers through Active Directory, pings each host to confirm reachability, then delivers the ransomware binary through six parallel channels, including PsExec, WMI, remote scheduled tasks, remote services, and PowerShell-based execution methods.
Before running the locker on each target, the attacker disables Windows Defender, adds broad path exclusions for the entire C: drive, shuts down the firewall, and re-enables SMB1.
Shadow copies are deleted to prevent file recovery, and event logs are wiped to remove forensic evidence.
For final deployment, the group abuses Group Policy Objects to push the ransomware to every domain-joined machine at once. The ESXi locker shuts down all virtual machines first, releasing locks on virtual disk files before encryption begins.
It then copies itself to /bin/.vmware-authd to mimic a legitimate VMware daemon for persistence.
Organizations should enforce multi-factor authentication on all administrative accounts and remote access endpoints. Network segmentation should limit the reach of any attacker gaining domain-level access.
Windows Defender and firewall policies must be protected through tamper-resistant configurations. Backup systems should remain offline or isolated, since the ransomware actively terminates backup-related services.
Security teams should also monitor for unusual scheduled task creation, lateral movement through admin shares, and PowerShell commands that attempt to disable real-time monitoring or modify LSA registry settings.
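The monitoring recommendations above, turned into detection logic over constructed sample telemetry: an added example, not code from Check Point or HackersRadar. The event IDs are the standard Windows ones (4698 task created, 5145 share access, 4104 PowerShell script block); the host names, file names, the whole-drive exclusion and the RunAsPPL edit are assumptions built to mirror the behaviour the report describes.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): minimal dicts standing in
# for parsed Windows events on two hosts, one staged for encryption, one benign.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "FS01", "cmd": r"\\FS01\ADMIN$\k2j8x.exe"},
    {"id": 5145, "host": "FS01", "share": r"\\*\ADMIN$", "file": "k2j8x.exe"},
    {"id": 4104, "host": "FS01", "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                                           "Add-MpPreference -ExclusionPath 'C:\\'"},
    {"id": 4104, "host": "FS01", "script": "Set-ItemProperty 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' -Name RunAsPPL -Value 0"},
    {"id": 4104, "host": "WS07", "script": "Get-Process | Sort-Object CPU -Descending"},
    {"id": 5145, "host": "WS07", "share": r"\\*\Users", "file": "report.docx"},
]

# Administrative shares the report says the group uses to push its executables.
ADMIN_SHARE = re.compile(r"\\(ADMIN\$|C\$|IPC\$)(\\|$)", re.I)
# Defender tampering: real-time monitoring switched off, or an exclusion covering a whole drive.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath\s+'?[A-Za-z]:\\'?", re.I)
LSA_KEY = re.compile(r"\\Control\\Lsa\b", re.I)

def suspicious_task(ev):  # remote task whose action runs a binary from an admin share
    return ev["id"] == 4698 and bool(ADMIN_SHARE.search(ev.get("cmd", "")))

def admin_share_exe(ev):  # executable written to ADMIN$/C$/IPC$
    return ev["id"] == 5145 and bool(ADMIN_SHARE.search(ev.get("share", ""))) \
        and ev.get("file", "").lower().endswith(".exe")

def defender_tamper(ev):
    return ev["id"] == 4104 and bool(DEFENDER_TAMPER.search(ev.get("script", "")))

def lsa_modification(ev):
    return ev["id"] == 4104 and bool(LSA_KEY.search(ev.get("script", "")))

RULES = {"suspicious_task": suspicious_task, "admin_share_exe": admin_share_exe,
         "defender_tamper": defender_tamper, "lsa_modification": lsa_modification}

def detect(events):
    """Return (rule, host) pairs for every event that trips a rule."""
    return [(name, ev["host"]) for ev in events for name, rule in RULES.items() if rule(ev)]

def staging_hosts(events, threshold=3):
    """Hosts where several distinct rules fire: the report describes these steps
    happening on each target just before the locker runs, so the cluster is the signal."""
    by_host = defaultdict(set)
    for name, host in detect(events):
        by_host[host].add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= threshold)
```

Calling staging_hosts(SAMPLE_EVENTS) flags FS01 only; WS07's benign PowerShell and document access trip nothing.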