⚡ Key Takeaways

Check Point Research identified 1,570+ enterprise victims connected to The Gentlemen RaaS — nearly 5x their 332 public victims — by analyzing SystemBC C2 infrastructure. On May 4, 2026, the group was internally breached, exposing a 16.22 GB database of operator credentials, affiliate identities, and financial records. Three CVEs are being actively exploited: CVE-2024-55591 (FortiOS), CVE-2025-32433 (Erlang SSH), and CVE-2025-33073 (NTLM relay).

**Bottom line:** Patch exposed edge appliances within 72 hours and hunt for SystemBC and The Gentlemen’s full toolset in your last 90 days of EDR telemetry now.


🧭 Decision Radar

Relevance for Algeria: High
Algerian enterprises rely on the same edge infrastructure (FortiGate, Cisco VPNs) and AD configurations exploited by The Gentlemen; the 4.7x hidden-victim ratio is global.

Infrastructure Ready? Partial
FortiGate and Cisco deployments are common in Algerian enterprises and telcos, but centralized threat intelligence feeds and C2 telemetry monitoring are not yet standard practice.

Skills Available? Partial
ASSI (Agence de la Sécurité des Systèmes d’Information) and DZ-CERT provide national-level response capacity, but enterprise-level threat hunters with RaaS TTP expertise remain scarce.

Action Timeline: Immediate
CVE-2024-55591 and CVE-2025-32433 patches should be applied within 72 hours; IOC hunting should begin this week.

Key Stakeholders
CISOs and IT security teams at Algerian banks, telcos, state-owned enterprises, and large private manufacturers.

Decision Type: Tactical

This article offers tactical guidance for near-term implementation decisions.

Quick Take: Algerian enterprises running unpatched FortiGate or Cisco edge appliances face direct exposure to The Gentlemen’s documented initial access playbook. The 72-hour patch window is not aspirational — it is calibrated to the group’s observed scan-to-access timelines. Run the IOC hunt against the last 90 days of EDR telemetry this week, and coordinate with ASSI or DZ-CERT if SystemBC indicators are found.


The Gap Between Public and Hidden Victim Counts

When a ransomware gang publishes victims on its data leak site, that number is never the full story. For The Gentlemen — identified by Check Point Research as the second most productive Ransomware-as-a-Service operation in early 2026 — the gap is extraordinary: 332 publicly named victims versus 1,570+ enterprises identified through infrastructure analysis of their SystemBC command-and-control servers.

This 4.7x discrepancy between public claims and actual telemetry is not a rounding error. It reflects a deliberate operational posture. Victims that pay quietly, victims still in negotiation, and victims in industries where disclosure would trigger regulatory consequences are routinely kept off the data leak site. The only way to detect them is to go upstream — to the C2 infrastructure that persists long after the ransom demand lands.

SystemBC, the proxy malware used by The Gentlemen as their primary C2 channel, beacons continuously once deployed on a compromised network. That beaconing traffic leaves a permanent forensic trail. By mapping the botnet’s C2 topology, Check Point Research was able to correlate victimology data that the group’s own operators considered hidden. The result is one of the most complete pictures of a RaaS group’s actual reach published to date in 2026.

For enterprise defenders, this finding introduces an uncomfortable possibility: your organization may already appear in a ransomware operator’s panel without your knowledge. The public leak site is not a reliable signal of whether you’ve been targeted.

How The Gentlemen Built Their Operation

The Gentlemen launched their Ransomware-as-a-Service operation in early 2026 and achieved second-place productivity rankings within five months. Their operational architecture is sophisticated and layered, built around nine core operator accounts and an affiliate payout structure that allocates 90% of ransoms to affiliates and 10% to the central operator — a split that sits at the generous end of the RaaS spectrum, explaining the rapid affiliate recruitment.

Initial access methods cluster around three vectors that enterprise teams frequently underestimate:

  • Exposed edge appliances: FortiGate firewalls and Cisco devices with unpatched management interfaces, particularly CVE-2024-55591 in FortiOS and CVE-2025-32433 in Erlang SSH
  • Credential brute-forcing: VPN panels and web management consoles targeted systematically via port scanners including gogo.exe
  • NTLM relay attacks: Exploiting CVE-2025-33073 for lateral privilege escalation after initial access is achieved; the group’s specialist “qbit” is specifically assigned reconnaissance and NTLM relay responsibilities

Once inside, operators demonstrate strong Active Directory tradecraft. The affiliate “quant” maintains a custom tool called buildx641 specifically for credential harvesting from OWA and Microsoft 365 authentication logs. Post-compromise activity consistently targets NAS devices, backup systems, and virtualization infrastructure before ransomware deployment — a sequencing designed to maximize leverage by destroying recovery options first.

The group’s EDR evasion toolkit is extensive. Tools named EDRStartupHinder, gfreeze, and glinker are used to disable or circumvent endpoint detection. Event Tracing for Windows (ETW) is actively manipulated to blind logging pipelines, and registry abuse is used to establish persistence across reboots. The combination means that by the time ransomware deploys, the environment’s native detection capacity has typically been degraded.

A particularly notable tactical element: The Gentlemen engage in deliberate “dual-pressure” strategies that weaponize victim relationships. In one documented case, data stolen from a UK software consultancy was reused as initial access leverage against a Turkish company — and the Turkish company was then published on the data leak site with the UK consultancy credited as an “access broker.” This is designed to generate legal pressure on the consultancy, creating a secondary coercive channel.


What the Internal Breach Reveals About RaaS Operational Risk

On May 4, 2026, The Gentlemen’s own infrastructure was breached. An account identified as “n7778” exfiltrated the group’s “Rocket” backend database and offered the full dataset — approximately 16.22 GB — for 10,000 USD in Bitcoin. A partial leak of 44.4 MB was released publicly as proof.

The exposed data includes the nine core operator accounts (including administrator credentials for the account “zeta88/hastalamuerte”), the eight TOX communication identifiers used by affiliates, and transaction records documenting ransom payments. One disclosed ransom example: 190,000 USD secured after a 60,000 USD discount from the initial demand — a figure that illustrates how quickly ransoms are negotiated and why the financial incentives sustain the ecosystem.

For defenders, this internal breach is intelligence, not just news. The leaked data contains:

  • Full affiliate TOX IDs: Eight distinct Tox identifiers are now known to threat intelligence providers, enabling improved attribution and possibly law enforcement action
  • Tool signatures: The operator toolset — ZeroPulse, Velociraptor, Cloudflare Zero Trust tunnels, NetExec, RelayKing-Depth, PrivHound, CertiHound, TaskHound — is now fully documented
  • Bitcoin laundering methods: Members used Tinkoff QR conversions, peer-to-peer OTC arrangements, and non-custodial wallets (Guarda, Trust Wallet, Exodus) to move funds, patterns now available to financial intelligence teams

There is also a broader operational lesson embedded here. The Gentlemen’s breach followed a known pattern: insider threat from an affiliate or low-trust operator account. RaaS groups are inherently fragile because they rely on trust relationships with pseudonymous affiliates who have access to infrastructure but whose loyalty is purely financial. The 90/10 payout split that accelerated affiliate recruitment also created a large pool of individuals with sufficient access to monetize a leak.

What Security Teams Should Do

The combination of hidden telemetry scale and full operational exposure from the May 4 leak creates a time-limited window for enterprises to act with high-fidelity intelligence. The following prescriptions prioritize actions that map directly to The Gentlemen’s documented TTPs.

1. Audit and Patch All Internet-Facing Edge Infrastructure Within 72 Hours

The Gentlemen’s three primary CVEs — CVE-2024-55591 (FortiOS management interface), CVE-2025-32433 (Erlang SSH in Cisco environments), and CVE-2025-33073 (NTLM relay) — all have patches available. The 72-hour window is not arbitrary: Check Point Research’s analysis shows initial access specialists like “qbit” actively scan for unpatched appliances and can move from scan to initial access in under 24 hours on exposed FortiGate devices. Verify that management interfaces are not reachable from the public internet regardless of patch status. FortiGate management panels exposed on port 8443 remain accessible on over 60,000 internet-facing devices globally as of mid-2026. Patching without restricting access addresses only half the attack surface.

2. Hunt for SystemBC and The Gentlemen’s Full Tool Signature Set Now

The leaked operational data gives defenders a complete hunting kit. Check Point Research’s published IOC list includes 30 Windows SHA256 hashes, 3 Linux SHA256 hashes, and a YARA rule targeting Go-based ransomware with the strings README-GENTLEMEN.txt, gentlemen.bmp, and the associated encryption messages. Load all 33 hashes into your EDR retroactively — query the last 90 days of telemetry. Beyond the ransomware payload itself, hunt for the operator toolset: NetExec, Velociraptor (when deployed outside your authorized tooling inventory), RelayKing-Depth, PrivHound, CertiHound, gogo.exe, and KslDump. Presence of any two or more of these tools in the same environment is a strong indicator of pre-ransomware staging.
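The co-occurrence rule above (two or more of the operator tools on one host, or any hash match) as an added example hunt over constructed process-creation telemetry; this is not Check Point’s tooling, the hashes are placeholders to be replaced with the published 33 SHA256 values, and the authorised-Velociraptor allowlist is an assumption.

```python
import re
from collections import defaultdict
# Tool names the article attributes to The Gentlemen (lower-cased for matching).
GENTLEMEN_TOOLS = {
    "netexec", "velociraptor", "relayking-depth", "privhound", "certihound",
    "gogo.exe", "ksldump", "edrstartuphinder", "gfreeze", "glinker",
}
IOC_HASHES = {"11" * 32}               # constructed placeholder; load Check Point's 33 SHA256s here
AUTHORISED_VELOCIRAPTOR = {"22" * 32}  # constructed placeholder for the org's own deployment
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn a 'key=value ...' process-creation record into a dict (quoted values keep spaces)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify_event(ev):
    """Return (matched tool name or None, whether the file hash is a known IOC)."""
    name = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    sha = ev.get("sha256", "").lower()
    tool = next((t for t in GENTLEMEN_TOOLS if t in name), None)
    if tool == "velociraptor" and sha in AUTHORISED_VELOCIRAPTOR:
        tool = None  # the org's own IR deployment, not the adversary's copy
    return tool, sha in IOC_HASHES

def hunt(lines):
    """Per host: any IOC hit, or two or more distinct tools, is treated as pre-ransomware staging."""
    per_host = defaultdict(lambda: {"tools": set(), "ioc_hits": 0})
    for line in lines:
        ev = parse_event(line)
        tool, ioc = classify_event(ev)
        if tool:
            per_host[ev.get("host", "?")]["tools"].add(tool)
        if ioc:
            per_host[ev.get("host", "?")]["ioc_hits"] += 1
    verdicts = {}
    for host, f in per_host.items():
        if f["ioc_hits"] or len(f["tools"]) >= 2:
            verdicts[host] = "pre-ransomware staging"
        elif f["tools"]:
            verdicts[host] = "single tool, investigate"
    return verdicts
# Constructed sample telemetry, not real logs; hashes are placeholders.
SAMPLE = [
    'ts=2026-05-06T08:14:02Z host=FS01 image="C:\\Temp\\netexec.exe" sha256=' + "33" * 32,
    'ts=2026-05-06T08:20:40Z host=FS01 image="C:\\Temp\\gogo.exe" sha256=' + "44" * 32,
    'ts=2026-05-06T09:02:11Z host=WS17 image="C:\\Program Files\\Velociraptor\\velociraptor.exe" sha256=' + "22" * 32,
    'ts=2026-05-06T09:30:55Z host=DC01 image="C:\\Windows\\Temp\\update.exe" sha256=' + "11" * 32,
    'ts=2026-05-06T10:05:03Z host=WS22 image="C:\\Users\\bob\\PrivHound.exe" sha256=' + "55" * 32,
]
```

Calling `hunt(SAMPLE)` flags FS01 (two tools) and DC01 (hash match) as staging and leaves WS17’s authorised Velociraptor unflagged.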

3. Close NTLM Relay Paths and Protect ETW Logging Pipelines

The Gentlemen consistently exploit NTLM relay (CVE-2025-33073) for lateral movement post-access, and their EDR evasion relies on ETW manipulation to blind logging before lateral spread. These are two discrete but sequential chokepoints. Enforce SMB signing across the environment to break relay chains. Audit Active Directory for delegation configurations that allow unconstrained Kerberos delegation — these are a secondary lateral movement path when NTLM relay is closed. For ETW protection, deploy Sysmon or equivalent with tamper-alert capabilities, and route ETW logs to an out-of-band SIEM collector that cannot be disabled via local registry changes. The group’s gfreeze and glinker tools manipulate process handles to suspend EDR processes; configure your EDR to alert on process suspension of its own agent.

4. Implement Backup and Virtualization Isolation Before Ransomware Deploys

The Gentlemen’s pre-encryption sequencing consistently targets NAS devices, backup appliances, and virtualization hypervisors (Veeam configurations and iDRAC interfaces are specifically documented). The goal is to eliminate recovery options before the ransom demand. Segment backup infrastructure behind a dedicated VLAN with no direct path from enterprise workstations or servers. Require out-of-band authentication for backup job modification. For Veeam environments, audit for the iDRAC misconfigurations noted in the Check Point report and disable remote management access where not operationally required. Test backup restoration every 30 days — a backup that has not been restored is a backup of unknown reliability.

The Bigger Picture: What the 4.7x Gap Means for Enterprise Risk Quantification

The fundamental problem that The Gentlemen’s telemetry reveals is not unique to this group. Across major RaaS ecosystems, the ratio of actual victims to publicly claimed victims consistently runs between 3x and 6x. Organizations use public data leak site monitoring as a proxy for ransomware exposure — but that monitoring layer only surfaces the fraction of victims for whom operators have decided disclosure serves their leverage strategy.

Enterprise risk quantification models that rely on “number of companies in my sector listed on ransomware leak sites” are therefore systematically underestimating actual sector exposure by a factor of 3 to 6. For insurance underwriting, board-level risk reporting, and procurement security questionnaires, this is a material gap.

The appropriate remediation is not to stop monitoring leak sites — that intelligence remains valuable. The remediation is to complement leak-site monitoring with C2 infrastructure tracking via threat intelligence platforms that map botnet telemetry in real time. Several commercial platforms now provide SystemBC C2 mapping as a standard feed. The 1,570-victim figure in Check Point’s analysis is not exceptional — it is the expected output of infrastructure-level analysis applied to a mid-tier RaaS group. Apply the same methodology to the top 10 RaaS groups and the hidden victim count industry-wide is likely in the tens of thousands.

The May 4 breach of The Gentlemen is also a reminder that RaaS groups are not monolithic adversaries. They are loosely coordinated affiliate networks with pseudonymous trust, financial incentives that can flip, and operator security practices that are frequently weaker than those of their victims. Threat intelligence that exploits these structural vulnerabilities — as Check Point did by analyzing the leaked database — yields asymmetric returns for defenders.



Frequently Asked Questions

What is SystemBC and why does it matter for ransomware detection?

SystemBC is a proxy malware and remote access tool used by multiple ransomware groups as their primary command-and-control channel. It tunnels C2 traffic over SOCKS5 proxies to evade standard network detection. For The Gentlemen specifically, SystemBC creates continuous beaconing connections back to operator infrastructure — connections that persist even during the pre-encryption staging phase. This makes C2 traffic analysis one of the most reliable detection paths available, since the SystemBC beaconing predates ransomware deployment by hours or days and can be detected before data theft or encryption begins.
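The beaconing signal described above, as an added example that is not part of the article or Check Point’s analysis: a periodicity check over constructed connection records (TEST-NET addresses), with the sample-count and jitter thresholds as assumptions. Low jitter flags any scheduled check-in, not only SystemBC, so matches still need triage against a C2 destination list.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

MIN_CONNECTIONS = 6   # assumed threshold: fewer samples make the jitter estimate meaningless
MAX_JITTER = 0.15     # assumed threshold: stdev / mean of the inter-connection intervals

def parse_flow(line):
    """'<iso timestamp> <src> <dst> <dport> <bytes>' -> (datetime, src, dst, dport)."""
    ts, src, dst, dport, _ = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(dport)

def find_beacons(lines):
    """Group flows by (src, dst, dport); keep the groups whose timing is machine-regular."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        times[(src, dst, dport)].append(ts)
    findings = {}
    for key, ts_list in times.items():
        if len(ts_list) < MIN_CONNECTIONS:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= MAX_JITTER:   # low jitter = a scheduled check-in, not a human
            findings[key] = {"period_s": round(avg), "jitter": round(jitter, 3), "count": len(ts_list)}
    return findings

def constructed_flows():
    """Constructed sample: one ~60 s beacon and one human browsing pattern."""
    base = datetime(2026, 5, 6, 8, 0, 0, tzinfo=timezone.utc)
    beacon = [0, 61, 119, 181, 240, 302, 359, 420]      # near-constant period, a few seconds of jitter
    browsing = [0, 7, 95, 101, 340, 352, 700, 1210]     # irregular, as interactive traffic is
    lines = []
    for off in beacon:
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} 10.20.5.14 203.0.113.77 443 512")
    for off in browsing:
        lines.append(f"{(base + timedelta(seconds=off)).isoformat()} 10.20.5.31 198.51.100.9 443 9100")
    return lines

if __name__ == "__main__":
    for (src, dst, dport), info in find_beacons(constructed_flows()).items():
        print(f"{src} -> {dst}:{dport} period={info['period_s']}s jitter={info['jitter']} n={info['count']}")
```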

How did The Gentlemen’s internal breach happen and what does it expose?

On May 4, 2026, an account identified as “n7778” — likely a disgruntled insider or low-privilege affiliate — exfiltrated The Gentlemen’s “Rocket” backend database. A 44.4 MB partial dataset was released publicly as proof of access; the full database is approximately 16.22 GB and was offered for sale at 10,000 USD in Bitcoin. The exposure includes administrator credentials for the group’s primary operator account, eight affiliate TOX communication identifiers, the full operational toolset inventory, and financial transaction records including specific ransom amounts and Bitcoin laundering methods.

Should enterprises assume they are already in The Gentlemen’s victim panel?

Not necessarily — but the 4.7x ratio between hidden and public victims (1,570 vs. 332) means the probability is higher than most risk models assume. Enterprises in sectors The Gentlemen target — manufacturing, professional services, healthcare, and logistics — should run the IOC hunt described above regardless of whether they have received a ransom demand. Presence of The Gentlemen’s tools in telemetry does not automatically mean ransomware will deploy; early detection during the staging phase is precisely where defenders have the highest leverage to contain an incident before it becomes a breach.

Sources & Further Reading