SME Cybersecurity and why The Gentlemen matters beyond large enterprise attacks
The Gentlemen is a Ransomware-as-a-Service (RaaS) operation – In plain language, that means the core group provides ransomware tools and infrastructure to affiliates who carry out attacks. This lowers the barrier to entry for cybercriminals and makes ransomware more scalable. It also means smaller organisations can face tactics once associated mainly with bigger, more mature threat actors.
NCC Group’s analysis shows The Gentlemen grew rapidly in early 2026 and was one of the most active extortion groups in the first quarter. The report also highlights affiliate use of SystemBC, a malware tool used to create covert proxy tunnels and support stealthy movement inside a compromised network. For an SME, that translates into a simple risk: once an attacker gets hold of privileged access, they may be able to move quietly, stage payloads, and deploy ransomware faster than a small team can react.
This is one reason SME Cybersecurity now has to focus on behaviours, not just malware signatures. If a business only looks for known ransomware files, it may miss the earlier stages that matter most, such as credential theft, remote execution, suspicious persistence, and changes to Active Directory.
Why does SystemBC matter for UK small business cyber threats?
Because SystemBC helps attackers hide in plain sight. It can turn infected systems into proxy points, allowing command-and-control traffic to blend in and making investigation harder. In the NCC Group report, associated infrastructure indicated a botnet with more than 1,500 victims, many in corporate environments, with the US, UK, and Germany prominently affected.
For SMEs, especially those with outsourced IT, shared admin accounts, flat networks, or exposed remote access, this increases the chance that compromise is discovered late. That is when ransomware incidents become business continuity problems rather than IT issues.
What SME cyber security best practices reduce ransomware exposure?
The practical response is to break the attack chain early. Start with controls backed by Cyber Essentials, the NCSC Small Business Guide, and NCSC incident management guidance.
What should SMEs prioritise first?
1. Enforce multi-factor authentication (MFA) on remote access, email, admin accounts, and cloud platforms.
2. Reduce domain admin use and remove shared privileged accounts.
3. Monitor for unusual account activity, remote execution, service creation, and unexpected scheduled tasks.
4. Apply stricter controls to Active Directory and alert on Group Policy changes.
5. Limit lateral movement by restricting SMB and remote admin access where possible.
6. Maintain offline or immutable backups and test restoration regularly.
