The Gentlemen ransomware targets Windows, Linux, NAS, BSD, and ESXi systems
The Gentlemen ransomware operation has quickly become one of the most active cybercriminal groups of 2026, with attacks spanning Windows, Linux, NAS, BSD, and VMware ESXi environments.
The group uses a ransomware-as-a-service model, giving affiliates tools to break into networks, steal data, disable recovery options, and encrypt systems across mixed enterprise infrastructure.
Security researchers say the operation is not entirely new. It appears to build on earlier ransomware affiliate activity linked to the Qilin ecosystem and a Russian-speaking actor known as hastalamuerte.
Why The Gentlemen is drawing attention
The Gentlemen emerged publicly in the second half of 2025 and scaled fast. By May 10, 2026, LevelBlue said the group had publicly claimed 352 attacks during the incomplete first part of the year.
That volume places the group among the most active ransomware operations globally in 2026. Check Point also described it as one of the top ransomware-as-a-service programs based on victims listed during the first five months of the year.
The group’s reach is notable because it does not focus on a single platform. It offers lockers for common business systems, including servers, workstations, NAS devices, BSD systems, and ESXi hypervisors.
| Area | What researchers reported |
|---|---|
| Operation type | Ransomware-as-a-service |
| Public emergence | Second half of 2025 |
| Claimed victims in 2026 | 352 by May 10, 2026, according to LevelBlue |
| Target platforms | Windows, Linux, NAS, BSD, and VMware ESXi |
| Extortion model | Data theft plus file encryption |
| Known infrastructure abuse | SystemBC, Cobalt Strike, remote access tools, and admin utilities |
The group hits multiple operating systems
The Gentlemen’s platform coverage makes it dangerous for modern enterprise networks. A single company may run Windows endpoints, Linux servers, NAS appliances, and ESXi hosts in the same environment.
Check Point says the group offers Go-based lockers for Windows, Linux, NAS, and BSD, along with a C-based locker for ESXi. This gives affiliates a way to encrypt broad infrastructure rather than only user workstations.
ESXi attacks can be especially disruptive because one compromised hypervisor can affect many virtual machines at once. That can take down core business services, databases, file servers, and application workloads in minutes.
How The Gentlemen attacks unfold
The group follows a familiar human-operated ransomware workflow. Affiliates seek initial access through exposed remote services, stolen credentials, vulnerable edge devices, or access already available through criminal markets.
Once inside, they move through the network, escalate privileges, scan internal systems, deploy remote access tools, and stage stolen data for exfiltration.
Encryption usually comes late in the attack. By that point, the attackers may already have disabled security tools, stopped backup services, copied data, and prepared a domain-wide ransomware deployment.
- Initial access through stolen credentials or exposed remote infrastructure.
- Internal discovery with tools such as Nmap or Advanced IP Scanner.
- Remote access through tools such as AnyDesk or SystemBC.
- Lateral movement with PsExec, WMI, SMB shares, and remote services.
- Security tool disruption using kill tools and privilege abuse.
- Data theft before encryption.
- Final encryption across workstations, servers, NAS, and ESXi hosts.
Data theft increases pressure on victims
The Gentlemen does not rely only on file encryption. The group also steals sensitive data and threatens to publish it on a leak site if victims refuse to pay.
This double-extortion model can keep pressure on organizations even when backups work. A company may restore systems but still face leaked customer files, contracts, employee records, financial documents, or internal communications.
LevelBlue’s victim data shows activity across roughly 70 countries. APAC, Europe, Latin America, and the United States and Canada all appear in the dataset, with the United States the most frequently listed individual country.
| Sector | Reported share in LevelBlue dataset |
|---|---|
| Professional services | 18.80% |
| Manufacturing | 17.90% |
| Technology | 11.60% |
| Healthcare | 8.80% |
| Transportation and logistics | 6.50% |
| Agriculture and food | 6.00% |
SystemBC appears in related intrusions
Check Point found SystemBC activity during an incident response case involving a Gentlemen affiliate. SystemBC is proxy malware that can create SOCKS5 tunnels, support covert access, and help deliver additional payloads.
The specific SystemBC command-and-control server observed by Check Point showed more than 1,570 victims. Researchers said the profile suggested corporate and organizational environments rather than ordinary consumer infections.
Check Point also cautioned that it remains unclear whether SystemBC is formally integrated into The Gentlemen ecosystem or simply used by one affiliate. Either way, defenders should treat the group as more than a final-stage encryptor.
The alleged internal leak adds another layer
Researchers have also tracked claims that someone tried to sell data allegedly taken from The Gentlemen’s own internal systems. The reported price was $10,000 in Bitcoin.
Check Point said the group’s administrator acknowledged an internal backend leak on an underground forum on May 4, 2026. The leaked material reportedly included account details, infrastructure information, internal chats, victim data, and negotiation content.
LevelBlue treated similar claims as an intelligence lead requiring further validation. That distinction matters because underground leak claims can contain partial, stale, manipulated, or falsely attributed data.
Ransomware behavior and artifacts
LevelBlue says the Windows locker has been reported as Go-based and requires a password parameter during execution. That can help affiliates control when the ransomware detonates and may reduce accidental sandbox execution.
The ransomware has been associated with the ransom note README-GENTLEMEN.txt. Encrypted files may receive six-character extensions, such as .7mtzhh and .ojuopo.
The encryption strategy is designed for speed. Smaller files may be fully encrypted, while larger files may be encrypted in chunks. That allows the ransomware to damage large file stores faster while still making recovery difficult without backups or decryptors.
| Artifact or behavior | Reported detail |
|---|---|
| Ransom note | README-GENTLEMEN.txt |
| Example extensions | .7mtzhh and .ojuopo |
| Windows locker | Go-based and password-gated |
| Linux locker | Observed in public reporting |
| ESXi locker | C-based locker reported by Check Point |
| Pre-encryption activity | Stops database, backup, virtualization, remote access, and enterprise application services |
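The mass service shutdown described in the table above is one of the last pre-encryption signals a defender gets, and it is easy to pick out of the Windows System log because the Service Control Manager records each stop as Event ID 7036. The script below is an added example for this article, not tooling from LevelBlue or Check Point: it takes a simplified CSV export of 7036 events (the column layout and the service names are constructed for the example) and reports any window in which several backup, database, virtualization or remote-access services stopped within a minute of each other. A single stop is routine; a cluster of them on one host is not.

```python
"""Flag bursts of Service Control Manager stop events (Event ID 7036).

Added illustration for this article; not code from the reporting it summarises.
Input format (assumed): CSV with columns timestamp,event_id,service,state.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Fragments covering the service categories the reporting names: database,
# backup, virtualization, remote access. The concrete names are assumptions
# chosen for the example, not a list from the source material.
SENSITIVE_FRAGMENTS = ("sql", "backup", "veeam", "vss", "vmware",
                       "exchange", "termservice")

# Constructed sample export. The 02:14 cluster models a pre-encryption
# shutdown; the other rows model normal operational noise.
SAMPLE_EXPORT = """\
timestamp,event_id,service,state
2026-05-01T01:10:00,7036,Spooler,stopped
2026-05-01T01:10:00,7036,Spooler,running
2026-05-01T02:14:03,7036,MSSQLSERVER,stopped
2026-05-01T02:14:05,7036,MSSQL$SQLEXPRESS,stopped
2026-05-01T02:14:06,7036,VeeamBackupSvc,stopped
2026-05-01T02:14:08,7036,VSS,stopped
2026-05-01T02:14:09,7036,VMwareHostd,stopped
2026-05-01T02:14:11,7036,MSExchangeIS,stopped
2026-05-01T02:14:12,7036,TermService,stopped
2026-05-01T06:00:00,7036,VSS,stopped
"""


def parse_export(text):
    """Parse the CSV export into dicts with a real datetime and int event id."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "event_id": int(row["event_id"]),
            "service": row["service"],
            "state": row["state"],
        })
    return rows


def is_sensitive(service):
    """True if the service name matches one of the watched categories."""
    name = service.lower()
    return any(frag in name for frag in SENSITIVE_FRAGMENTS)


def detect_service_stop_bursts(rows, window_seconds=60, threshold=5):
    """Return [(first_stop_time, [services])] for every run of at least
    `threshold` sensitive-service stops that fit inside `window_seconds`.

    Only 7036 events whose state is 'stopped' count; restarts are ignored.
    """
    stops = sorted(
        (r["ts"], r["service"]) for r in rows
        if r["event_id"] == 7036 and r["state"] == "stopped"
        and is_sensitive(r["service"])
    )
    window = timedelta(seconds=window_seconds)
    bursts = []
    i, n = 0, len(stops)
    while i < n:
        # Extend j as far as the window allows from the stop at index i.
        j = i
        while j + 1 < n and stops[j + 1][0] - stops[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((stops[i][0], [svc for _, svc in stops[i:j + 1]]))
            i = j + 1  # do not re-report the same cluster
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for first_ts, services in detect_service_stop_bursts(parse_export(SAMPLE_EXPORT)):
        print(f"{first_ts.isoformat()} burst of {len(services)} stops: {', '.join(services)}")
```

The window and threshold are tuning knobs: a patch window legitimately stops several services, so correlate any burst with the earlier indicators the article lists (new remote access tools, scanning, unusual admin logins) before treating it as a deployment in progress.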
Indicators defenders can hunt for
Security teams should not wait for the ransom note to appear. The strongest detection opportunities usually happen earlier, during reconnaissance, credential abuse, remote access, and lateral movement.
LevelBlue recommends hunting for unusual administrative logins, scanning tools, AnyDesk, WinSCP, PsExec, WMI, Group Policy changes, mass service shutdowns, and suspicious outbound proxy behavior.

Known infrastructure indicators include the following SystemBC-related addresses. They are defanged to avoid accidental access.
| Type | Indicator | Description |
|---|---|---|
| IP address | 91[.]107[.]247[.]163 | SystemBC C2 server |
| IP address | 45[.]86[.]230[.]112 | SystemBC C2 server |
| File name | gentlemen.bmp | Ransomware wallpaper or artifact |
| Ransom note | README-GENTLEMEN.txt | Ransom note associated with the locker |
Selected malware hashes
The following hashes were reported in the source material and can support threat hunting, endpoint triage, and retrospective searches.
| SHA-256 | Description |
|---|---|
| 992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5 | The Gentlemen Windows ransomware |
| 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a | The Gentlemen Windows ransomware |
| 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 | The Gentlemen Windows ransomware |
| fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 | The Gentlemen Linux ransomware |
| 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca | Initial KillAV tool |
| 7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09 | PowerRun utility |
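The two indicator tables above are only useful once they are turned into something that can be matched against real telemetry, and the defanged addresses have to be refanged first. The script below is an added example for this article, not tooling from LevelBlue or Check Point. It carries the C2 addresses, hashes, ransom note and wallpaper names exactly as listed on this page, and runs them against two constructed inputs: a key=value proxy log export and a sha256sum-style file inventory (both formats, and every sample record, are assumptions for the example; the placeholder digests made of repeated digits are constructed, not real hashes). It also handles the caveat that a six-character extension on its own is a weak signal, so renamed files are only reported when they sit in a directory that also holds the ransom note or wallpaper.

```python
"""Hunt for The Gentlemen indicators in proxy logs and file inventories.

Added example for this article; not code from LevelBlue or Check Point.
Indicator values are the ones listed on this page; the log and inventory
formats and the sample records are constructed for the example.
"""
import re
from collections import defaultdict

# Defanged SystemBC C2 addresses as listed on this page.
DEFANGED_C2 = ["91[.]107[.]247[.]163", "45[.]86[.]230[.]112"]

# SHA-256 hashes as listed on this page.
KNOWN_HASHES = {
    "992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5": "Windows ransomware",
    "025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a": "Windows ransomware",
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67": "Windows ransomware",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68": "Linux ransomware",
    "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca": "Initial KillAV tool",
    "7a311b584497e8133cd85950fec6132904dd5b02388a9feed3f5e057fb891d09": "PowerRun utility",
}
RANSOM_NOTE = "README-GENTLEMEN.txt"
WALLPAPER = "gentlemen.bmp"
SIX_CHAR_EXT = re.compile(r"\.[a-z0-9]{6}$")  # e.g. .7mtzhh, .ojuopo


def refang(indicator: str) -> str:
    """Turn '91[.]107[.]247[.]163' back into a matchable dotted form."""
    return indicator.replace("[.]", ".")


C2_IPS = {refang(ip) for ip in DEFANGED_C2}

# Constructed proxy export (assumed format). The last line is a near-miss
# address to show that matching is on the exact IP, not a prefix.
SAMPLE_PROXY_LOG = """\
2026-05-02T03:11:09 src=10.0.4.21 dst=142.250.74.46:443 action=allow
2026-05-02T03:11:42 src=10.0.4.21 dst=91.107.247.163:443 action=allow
2026-05-02T03:12:01 src=10.0.7.8 dst=45.86.230.112:8080 action=deny
2026-05-02T03:12:30 src=10.0.4.21 dst=91.107.247.1:443 action=allow
"""
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) action=(?P<action>\S+)")


def hunt_proxy_log(text: str) -> list:
    """Return every line whose destination is a listed C2 address.

    Denied connections are kept: a blocked beacon still means the source
    host is worth triaging.
    """
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group("dst") in C2_IPS:
            hits.append(m.groupdict())
    return hits


# Constructed sha256sum-style inventory: '<sha256>  <path>'. Digests made of
# repeated digits are placeholders, not real file hashes.
SAMPLE_INVENTORY = """\
992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a5  C:\\Users\\Public\\svc.exe
0000000000000000000000000000000000000000000000000000000000000000  C:\\Users\\Public\\README-GENTLEMEN.txt
1111111111111111111111111111111111111111111111111111111111111111  C:\\Users\\Public\\budget.xlsx.7mtzhh
2222222222222222222222222222222222222222222222222222222222222222  C:\\Users\\Public\\report.docx.ojuopo
3333333333333333333333333333333333333333333333333333333333333333  C:\\Program Files\\App\\app.config
4444444444444444444444444444444444444444444444444444444444444444  /var/lib/app/archive.sqlite
"""


def hunt_file_inventory(text: str) -> dict:
    """Return hash matches and per-directory ransom-note clusters.

    .config and .sqlite are six-character extensions too, so renamed files are
    only reported in directories that also contain the note or wallpaper.
    """
    hash_hits = []
    by_dir = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(maxsplit=1)  # path may contain spaces
        if digest.lower() in KNOWN_HASHES:
            hash_hits.append({"path": path, "label": KNOWN_HASHES[digest.lower()]})
        directory, _, name = path.replace("\\", "/").rpartition("/")
        by_dir[directory].append(name)
    clusters = []
    for directory, names in by_dir.items():
        if RANSOM_NOTE in names or WALLPAPER in names:
            renamed = [n for n in names if SIX_CHAR_EXT.search(n.lower())]
            clusters.append({"directory": directory, "renamed": renamed})
    return {"hash_hits": hash_hits, "clusters": clusters}


if __name__ == "__main__":
    print(hunt_proxy_log(SAMPLE_PROXY_LOG))
    print(hunt_file_inventory(SAMPLE_INVENTORY))
```

Hash matching is exact and case-insensitive, which is what you want for retrospective EDR searches; for the proxy side, the same refanged set can be fed to a firewall or DNS sinkhole list once the matches have been confirmed.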
How organizations should respond
Organizations should prioritize exposed remote access, identity security, backup isolation, and ESXi protection. The Gentlemen’s playbook depends on broad access before encryption begins.
Every internet-facing VPN, firewall, remote desktop portal, and admin service should have multi-factor authentication. Credentials exposed in prior breaches or stolen by infostealers should be rotated.
Backup systems should sit outside the main domain where possible. Security teams should test recovery regularly and confirm that attackers cannot erase backup repositories with normal domain admin access.
- Review all internet-facing remote access services.
- Enforce multi-factor authentication for privileged accounts.
- Disable stale accounts and rotate exposed credentials.
- Hunt for AnyDesk, WinSCP, PsExec, WMI, Nmap, and Advanced IP Scanner misuse.
- Monitor Group Policy changes and mass service shutdowns.
- Isolate backup infrastructure from the main domain.
- Patch and harden ESXi, NAS, and Linux servers.
- Review outbound traffic for SystemBC-style proxy behavior.
Why The Gentlemen matters now
The Gentlemen shows how quickly a ransomware brand can scale when it combines affiliate recruitment, cross-platform lockers, stolen data pressure, and mature intrusion tooling.
The group’s platform support makes it dangerous for companies with mixed infrastructure. Even strong Windows controls may not help if attackers can encrypt Linux servers, NAS shares, or ESXi hosts.
Defenders should treat The Gentlemen as a full intrusion lifecycle threat. The goal is not only to detect ransomware execution, but to catch the access, reconnaissance, tunneling, data theft, and deployment activity that comes before it.
FAQ
The Gentlemen is a ransomware-as-a-service operation that emerged publicly in the second half of 2025 and rapidly scaled in 2026. Researchers link it to prior ransomware affiliate activity and the Qilin ecosystem.
The group has lockers for Windows, Linux, NAS, BSD, and VMware ESXi environments. This allows affiliates to attack mixed enterprise networks and virtualization infrastructure.
LevelBlue reported that The Gentlemen publicly claimed 352 attacks by May 10, 2026, during the incomplete first part of the year.
Organizations should secure remote access, enforce multi-factor authentication, rotate exposed credentials, isolate backups, harden ESXi and NAS systems, and hunt for early intrusion activity such as AnyDesk, WinSCP, PsExec, WMI, Nmap, Advanced IP Scanner, and SystemBC traffic.