Cross-Platform Enterprise Encryption by The Gentlemen Ransomware Operation

First reported: 21.04.2026 17:00
1 unique source, 1 article

Summary


A rapidly expanding ransomware-as-a-service (RaaS) operation named The Gentlemen has compromised over 320 organizations, most of them in early 2026, using modular cross-platform payloads and affiliate-driven intrusions. It targets enterprise environments running Windows, Linux, NAS, BSD and ESXi systems with Go-based ransomware variants plus a separate C-based ESXi encryptor, and supplies affiliates with lateral movement, credential harvesting and Group Policy-based deployment tooling. Impact includes domain-wide encryption, termination of database, backup and VM processes, shadow copy deletion to hinder recovery, and SystemBC proxy malware for covert command-and-control; over 1,570 infected systems have been detected globally, concentrated in the US, UK and Germany.

Timeline

  1. 21.04.2026 17:00 · 1 article

    The Gentlemen Ransomware RaaS Expands with Cross-Platform Enterprise Tooling

    The operation, first identified in mid-2025, has grown to claim over 320 victims, most of them in early 2026. Affiliates are equipped with Go-based ransomware for multiple platforms and a C-based ESXi encryptor, and achieve domain-wide encryption through lateral movement, credential reuse and Group Policy deployment. Defense evasion includes disabling antivirus and firewall protections, deleting shadow copies and terminating critical processes. SystemBC proxy malware provides covert C2 over SOCKS5 tunnels and in-memory payload delivery; telemetry indicates 1,570+ infected systems, concentrated in the US, UK and Germany.

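The pre-encryption staging described in this entry (shadow copy deletion, disabling AV and firewall protections, persistence via scheduled tasks, services and registry keys, and termination of database, backup and VM processes) is what endpoint telemetry can catch before files start changing. The following is an added example, not code from the source article or from the ransomware's own tooling: it runs a handful of detection rules over constructed process-creation events. The command-line patterns are generic, widely documented ransomware tradecraft; the hostnames, user names, timestamps and burst thresholds are invented for the example, and none of it is an indicator attributed to The Gentlemen by the source.

```python
"""
Rule sketch for pre-encryption staging behaviour.

Input: process-creation events (Sysmon Event ID 1 / Windows 4688 style) as
(host, ISO timestamp, user, command line).  Sample events are constructed;
hosts, users and timestamps are invented.  The command-line patterns are
generic ransomware tradecraft, not indicators from the source article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("FS01", "2026-04-20T02:14:05", "CORP\\svc_backup", "vssadmin.exe delete shadows /all /quiet"),
    ("FS01", "2026-04-20T02:14:06", "CORP\\svc_backup", "wmic.exe shadowcopy delete"),
    ("FS01", "2026-04-20T02:14:09", "CORP\\svc_backup", "bcdedit.exe /set {default} recoveryenabled no"),
    ("FS01", "2026-04-20T02:14:12", "CORP\\svc_backup",
     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("FS01", "2026-04-20T02:14:13", "CORP\\svc_backup", "netsh.exe advfirewall set allprofiles state off"),
    ("FS01", "2026-04-20T02:14:20", "CORP\\svc_backup",
     "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\u.exe /sc onlogon /ru SYSTEM"),
    ("FS01", "2026-04-20T02:14:31", "CORP\\svc_backup", "taskkill.exe /F /IM sqlservr.exe"),
    ("FS01", "2026-04-20T02:14:31", "CORP\\svc_backup", "taskkill.exe /F /IM veeam.backup.service.exe"),
    ("FS01", "2026-04-20T02:14:32", "CORP\\svc_backup", "taskkill.exe /F /IM vmware-vmx.exe"),
    ("FS01", "2026-04-20T02:14:32", "CORP\\svc_backup", "taskkill.exe /F /IM oracle.exe"),
    # Ordinary admin activity on a workstation: must not alert.
    ("WS17", "2026-04-20T09:02:11", "CORP\\jdoe", "taskkill.exe /F /IM notepad.exe"),
    ("WS17", "2026-04-20T09:05:40", "CORP\\jdoe", "schtasks.exe /query /tn Updater"),
]

# A single matching event is enough to alert on these.
SINGLE_EVENT_RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*delete\(", re.I)),
    ("recovery_disabled", re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("defender_tamper", re.compile(r"set-mppreference\s+-disable\w+", re.I)),
    ("firewall_disabled", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("scheduled_task_persistence", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("service_persistence", re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("run_key_persistence", re.compile(r"reg(\.exe)?\s+add\s+.*\\currentversion\\run", re.I)),
]

# A burst of taskkill against backup, database or hypervisor processes is the
# "release the file locks" step right before encryption; one kill is just admin noise.
KILL_TARGET = re.compile(r"taskkill(\.exe)?\s.*?/IM\s+(\S+)", re.I)
RECOVERY_PROCESS = re.compile(r"sql|oracle|mysql|postgres|veeam|backup|vmware|vmx|vbox|hyper", re.I)
BURST_WINDOW = timedelta(seconds=60)   # assumed tuning values for the example
BURST_THRESHOLD = 3


def detect(events):
    """Return a list of alert dicts for the given process-creation events."""
    alerts = []
    kills = defaultdict(list)   # host -> [(timestamp, image, user)]
    for host, ts, user, cmdline in events:
        for rule, pattern in SINGLE_EVENT_RULES:
            if pattern.search(cmdline):
                alerts.append({"host": host, "rule": rule, "user": user, "evidence": cmdline})
        m = KILL_TARGET.search(cmdline)
        if m and RECOVERY_PROCESS.search(m.group(2)):
            kills[host].append((datetime.fromisoformat(ts), m.group(2).lower(), user))
    for host, entries in kills.items():
        entries.sort()
        for i, (start, _, user) in enumerate(entries):
            window = {img for t, img, _ in entries[i:] if t - start <= BURST_WINDOW}
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"host": host, "rule": "mass_termination_of_recovery_processes",
                               "user": user, "evidence": ", ".join(sorted(window))})
                break   # one burst alert per host is enough
    return alerts


def rules_by_host(alerts):
    """Collapse alerts to {host: set of rule names} for triage."""
    out = defaultdict(set)
    for a in alerts:
        out[a["host"]].add(a["rule"])
    return dict(out)


def staging_hosts(events, min_rules=3):
    """Hosts showing several distinct staging behaviours: treat as active
    pre-encryption activity rather than isolated admin noise."""
    return sorted(h for h, r in rules_by_host(detect(events)).items() if len(r) >= min_rules)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']:5} {alert['rule']:40} {alert['evidence']}")
    print("staging hosts:", staging_hosts(SAMPLE_EVENTS))
```

Individual rules here are noisy on their own (backup software legitimately deletes shadow copies, admins legitimately create scheduled tasks), so the triage value is in the combination: several distinct staging behaviours on one host inside a short window, especially under a service account on a file server, is the signal to isolate the host and check the domain controllers and GPOs for the deployment stage the entry describes.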

Information Snippets

  • The Gentlemen ransomware operation runs under a RaaS model and has been recruiting technically skilled affiliates on underground forums since mid-2025.

    First reported: 21.04.2026 17:00
    1 source, 1 article
  • The ransomware supports Windows, Linux, NAS, BSD and ESXi systems using Go-based variants and a separate C-based ESXi encryptor.

    First reported: 21.04.2026 17:00
    1 source, 1 article
  • Affiliates gain access to built-in lateral movement, credential reuse, Group Policy deployment, and automated domain-wide encryption capabilities.

    First reported: 21.04.2026 17:00
    1 source, 1 article
  • Observed attacks include domain controller access, credential harvesting, remote execution via administrative shares, and widespread reconnaissance.

    First reported: 21.04.2026 17:00
    1 source, 1 article
  • Attackers disable endpoint protections, use scheduled tasks, services and registry changes for persistence, and terminate database, backup and VM processes.

    First reported: 21.04.2026 17:00
    1 source, 1 article
  • SystemBC proxy malware is used for covert C2 communication via SOCKS5 tunnels and in-memory payload delivery.

    First reported: 21.04.2026 17:00
    1 source, 1 article
  • Telemetry indicates 1,570+ infected systems globally, heavily concentrated in the US, UK and Germany and predominantly in organizational rather than consumer environments.

    First reported: 21.04.2026 17:00
    1 source, 1 article
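The snippets above say SystemBC gives the operators SOCKS5 tunnels into the victim network. Whatever the malware's own command-and-control framing looks like, a SOCKS5 tunnel carries standard RFC 1928 handshakes on the proxied leg, and that handshake is what a network defender can recognise and decode to recover where the operator was actually connecting. The following is an added example, not code from the source article or from SystemBC: a decoder for the client half of a SOCKS5 session (greeting, optional RFC 1929 username/password sub-negotiation, CONNECT request) applied to constructed flow payloads. The flows, addresses and credentials are invented, and the decoder follows the RFCs rather than any analysis of SystemBC's implementation.

```python
"""
Decoder for the client half of a SOCKS5 session per RFC 1928 (greeting,
optional RFC 1929 username/password sub-negotiation, request).  Generic
protocol code written for this example; it is not derived from SystemBC.
The flows below are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
AUTH_METHODS = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD"}


def parse_greeting(data):
    """VER NMETHODS METHODS... -> (method names, bytes consumed)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        raise ValueError("truncated greeting")
    return [AUTH_METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + n]], 2 + n


def parse_userpass(data):
    """RFC 1929: VER(0x01) ULEN UNAME PLEN PASSWD -> (username, bytes consumed)."""
    if len(data) < 2 or data[0] != 0x01:
        raise ValueError("not a username/password sub-negotiation")
    ulen = data[1]
    if len(data) < 3 + ulen:
        raise ValueError("truncated sub-negotiation")
    end = 3 + ulen + data[2 + ulen]
    if len(data) < end:
        raise ValueError("truncated sub-negotiation")
    return data[2:2 + ulen].decode("ascii", "replace"), end


def parse_request(data):
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (command, host, port, bytes consumed)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:                 # IPv4: 4 octets
        addr_end = 8
    elif atyp == 0x03:               # domain name: 1-byte length prefix
        if len(data) < 5:
            raise ValueError("truncated request")
        addr_end = 5 + data[4]
    elif atyp == 0x04:               # IPv6: 16 octets
        addr_end = 20
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    end = addr_end + 2               # + 2-byte big-endian port
    if len(data) < end:
        raise ValueError("truncated request")
    if atyp == 0x03:
        host = data[5:addr_end].decode("ascii", "replace")
    else:
        host = str(ipaddress.ip_address(bytes(data[4:addr_end])))
    port = struct.unpack("!H", data[addr_end:end])[0]
    return COMMANDS.get(cmd, f"0x{cmd:02x}"), host, port, end


def parse_client_stream(data):
    """Decode greeting [+ sub-negotiation] + request from client-to-proxy bytes."""
    methods, off = parse_greeting(data)
    username = None
    if off < len(data) and data[off] == 0x01:   # RFC 1929 message, not yet a request
        username, used = parse_userpass(data[off:])
        off += used
    cmd, host, port, _ = parse_request(data[off:])
    return {"methods": methods, "username": username, "command": cmd, "host": host, "port": port}


# Constructed flows: (src, dst, dst_port, first client payload bytes).
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.1.50", 40201,
     b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"),
    ("10.1.1.20", "10.1.1.50", 40201,
     b"\x05\x02\x00\x02" + b"\x01" + bytes([4]) + b"user" + bytes([4]) + b"pass"
     + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + b"\x0d\x3d"),
    ("10.1.1.20", "10.1.1.50", 40201, b"GET / HTTP/1.1\r\nHost: 10.1.1.50\r\n\r\n"),
    ("10.1.1.20", "10.1.1.50", 40201, b"\x05\x01\x00\x05\x01\x00"),   # cut off mid-request
]


def socks5_sessions(flows):
    """Keep only flows whose first client bytes decode as a complete SOCKS5 handshake."""
    found = []
    for src, dst, dport, payload in flows:
        try:
            session = parse_client_stream(payload)
        except ValueError:
            continue
        found.append({"src": src, "proxy": dst, "proxy_port": dport, **session})
    return found


if __name__ == "__main__":
    for s in socks5_sessions(SAMPLE_FLOWS):
        print(f"{s['src']} -> proxy {s['proxy']}:{s['proxy_port']} {s['command']} "
              f"{s['host']}:{s['port']} auth={s['methods']} user={s['username']}")
```

Run against the first payload bytes of flows to an internal host that is not a sanctioned proxy, this recovers the operator's proxied targets (here RDP to 10.0.0.5 and HTTPS to example.com), which is the pivot list an incident responder needs. The parser rejects truncated and non-SOCKS payloads rather than guessing, so a hit is a complete, well-formed handshake and not a coincidental 0x05 first byte.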