SystemBC C2 Server Exposes 1,570+ Victims in The Gentlemen Ransomware Operation
Recent investigations have uncovered a serious cybersecurity threat associated with The Gentlemen ransomware-as-a-service (RaaS) operation. This group has been linked to the deployment of a malicious proxy malware known as SystemBC. Check Point's analysis of the command-and-control (C2) server tied to SystemBC revealed a botnet of over 1,570 victims worldwide.
The Emergence of The Gentlemen Ransomware Group
Since its establishment in July 2025, The Gentlemen has quickly become one of the most active ransomware groups, claiming over 320 victims on its data leak site. Operating under a double-extortion model, the group demonstrates a high level of sophistication, targeting a range of platforms, including Windows, Linux, NAS, and BSD systems. Their arsenal features a Go-based locker and the use of legitimate drivers to bypass security measures.
The methods of initial access for this group remain somewhat unclear. However, evidence suggests that they exploit internet-facing services or compromised credentials to gain entry. This is typically followed by reconnaissance, lateral movement, payload staging—including tools like Cobalt Strike and SystemBC—defense evasion, and ultimately, ransomware deployment. A notable tactic involves manipulating Group Policy Objects (GPOs) to achieve domain-wide compromise.
Technical Insights into SystemBC
According to Check Point, SystemBC creates SOCKS5 network tunnels within the victim’s environment, connecting to its C2 server via a custom RC4-encrypted protocol. This malware can download and execute additional malicious payloads, either by writing them to disk or injecting them directly into memory. The SystemBC C2 server examined controlled hundreds of victims across various countries, including the United States, United Kingdom, Germany, Australia, and Romania.
While SystemBC has been employed in ransomware operations since 2020, the precise relationship between this malware and The Gentlemen’s activities remains ambiguous. It is unclear whether SystemBC is a standard element of their attack strategy or if it is utilized by specific affiliates for data exfiltration and remote access.
During lateral movement, the ransomware attempts to disable Windows Defender on accessible remote hosts. This is achieved through a PowerShell script that disables real-time monitoring, adds broad exclusions for drives and its own processes, shuts down firewalls, re-enables SMB1, and loosens LSA anonymous access controls before executing the ransomware binary.
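The defense-weakening script described above leaves a recognizable footprint in PowerShell script block logging (Event ID 4104). The following triage routine, added here as an illustration and not code from Check Point or the article, scans logged script blocks for the five controls the paragraph names (real-time monitoring, exclusions, firewall, SMB1, LSA anonymous access) and rates an event by how many of them are weakened in a single block, since a lone exclusion or firewall change is routine administration while several at once is the pattern described. The tab-separated log layout and the sample lines are constructed for the example.

```python
"""Triage PowerShell script block log lines for clustered defense-weakening.

Added example, not code from the article or from Check Point. The log
layout (timestamp, host, user, script text separated by tabs) and the
sample events are constructed assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One pattern per control the article says the script weakens. Patterns are
# matched case-insensitively against the logged ScriptBlockText.
INDICATORS = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_broad_exclusion": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "firewall_off": re.compile(
        r"(netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
        r"|Set-NetFirewallProfile\b.*-Enabled\s+False)", re.I),
    "smb1_enabled": re.compile(
        r"(Set-SmbServerConfiguration\b.*-EnableSMB1Protocol\s+\$?true"
        r"|Enable-WindowsOptionalFeature\b.*SMB1Protocol)", re.I),
    "lsa_anonymous_loosened": re.compile(
        r"Control\\Lsa\b.*(RestrictAnonymous|EveryoneIncludesAnonymous)", re.I),
}

# An exclusion for a whole drive root (e.g. 'C:\') is far broader than a
# single data folder and is flagged separately.
DRIVE_ROOT_EXCLUSION = re.compile(
    r"-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(?=[\s;,]|$)", re.I)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    categories: List[str]
    severity: str


def classify(script_text: str) -> List[str]:
    """Return the sorted list of weakened-control categories in one script block."""
    hits = {name for name, pat in INDICATORS.items() if pat.search(script_text)}
    if DRIVE_ROOT_EXCLUSION.search(script_text):
        hits.add("defender_drive_root_exclusion")
    return sorted(hits)


def severity(categories: List[str], threshold: int = 3) -> str:
    """Rate by clustering: many controls weakened in one block is the signal."""
    if not categories:
        return "none"
    if len(categories) >= threshold:
        return "high"
    if "defender_realtime_off" in categories or "defender_drive_root_exclusion" in categories:
        return "medium"
    return "low"


def parse_line(line: str) -> Optional[List[str]]:
    """Split a constructed log line into [timestamp, host, user, script]; None if malformed."""
    fields = line.rstrip("\n").split("\t", 3)
    return fields if len(fields) == 4 else None


def triage(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Return one Finding per log line that weakens at least one control."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines rather than crash
            continue
        ts, host, user, script = parsed
        cats = classify(script)
        if cats:
            findings.append(Finding(ts, host, user, cats, severity(cats, threshold)))
    return findings


# Constructed sample events: a read-only query, a single folder exclusion,
# the clustered weakening sequence, a lone firewall change, and a broken line.
SAMPLE_EVENTS = [
    ("2026-04-22T02:58:11Z", "FS01", r"CORP\svc_backup",
     "Get-MpPreference | Select-Object ExclusionPath"),
    ("2026-04-22T03:02:40Z", "SQL02", r"CORP\dba_admin",
     r"Add-MpPreference -ExclusionPath 'D:\SQLData\'"),
    ("2026-04-22T03:14:07Z", "FS01", r"CORP\svc_backup",
     r"Set-MpPreference -DisableRealtimeMonitoring $true; "
     r"Add-MpPreference -ExclusionPath 'C:\'; "
     r"netsh advfirewall set allprofiles state off; "
     r"Set-SmbServerConfiguration -EnableSMB1Protocol $true; "
     r"Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -Value 0"),
    ("2026-04-22T03:20:55Z", "WS17", r"CORP\helpdesk",
     "Set-NetFirewallProfile -Profile Domain -Enabled False"),
]
SAMPLE_LOG = ["\t".join(e) for e in SAMPLE_EVENTS] + ["malformed line with no tabs"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.host} {f.user}: {', '.join(f.categories)}")
```

Only the third event reaches "high": six controls weakened by one account in one block on a file server. The two single-control events stay "low", which is where an analyst would tune the threshold or add allow-listing for known change windows.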
The Broader Context of Ransomware Operations
The findings from Check Point align with insights from Rapid7, which has highlighted another emerging ransomware family named Kyber. This group targets Windows and VMware ESXi infrastructures, using encryptors developed in Rust and C++. The ESXi variant is specifically tailored for VMware environments, featuring capabilities for datastore encryption and optional virtual machine termination.
Data compiled by ZeroFox reveals that at least 2,059 separate ransomware and digital extortion incidents were recorded in the first quarter of 2026, with March alone accounting for 747 incidents. The most active groups during this timeframe included Qilin, Akira, The Gentlemen, INC Ransom, and Cl0p. Notably, North American victims represented approximately 20% of The Gentlemen’s attacks in the third quarter of 2025, a figure that fell to 2% in the fourth quarter of 2025, before rising to 13% in the first quarter of 2026.
Evolving Tactics and Trends in Ransomware
Cybersecurity firm Halcyon, in its 2025 Ransomware Evolution Report, emphasizes the maturation of ransomware into a more disciplined and business-oriented criminal enterprise. Ransomware attacks targeting the automotive sector more than doubled in 2025, accounting for 44% of all cyber incidents in that industry.
Significant trends include attempts to undermine Endpoint Detection and Response (EDR) tools, the use of the Bring Your Own Vulnerable Driver (BYOVD) technique for privilege escalation, and a growing overlap between nation-state and criminal ransomware campaigns. Additionally, there is an increasing focus on small to mid-sized organizations and operational technology environments.
Ransomware operations are becoming increasingly rapid, with dwell times shrinking from days to mere hours. Approximately 69% of observed attack attempts are strategically staged during nights and weekends to outpace defender responses. For example, attacks involving Akira ransomware have shown a swift escalation from initial access to full encryption within an hour, highlighting a highly efficient attack model.
The rapid evolution of ransomware tactics necessitates a proactive approach from cybersecurity professionals. As ransomware groups become more organized and sophisticated, the demand for robust defense mechanisms and incident response strategies is more critical than ever.
Published on 2026-04-22 09:36:00 • By the Editorial Desk

