SystemBC C2 Server Exposes Over 1,570 Victims in The Gentlemen Ransomware Operation


Recent investigations have unveiled a significant cybersecurity threat linked to The Gentlemen ransomware-as-a-service (RaaS) operation. This group has been observed deploying a notorious proxy malware known as SystemBC. Research from Check Point has revealed that the command-and-control (C2) server associated with SystemBC has led to the identification of a botnet comprising over 1,570 victims globally.

The Emergence of The Gentlemen Ransomware Group

Since its inception in July 2025, The Gentlemen has rapidly gained notoriety as one of the most active ransomware groups, with claims of over 320 victims listed on its data leak site. Operating under a double-extortion model, the group exhibits a high level of sophistication, targeting various platforms including Windows, Linux, NAS, and BSD systems. Their toolkit includes a Go-based locker and the use of legitimate drivers to circumvent security measures.

Initial access methods for this group remain somewhat ambiguous. However, evidence suggests that they exploit internet-facing services or compromised credentials to establish a foothold. This is typically followed by reconnaissance, lateral movement, payload staging—including tools like Cobalt Strike and SystemBC—defense evasion, and ultimately, ransomware deployment. A notable tactic involves manipulating Group Policy Objects (GPOs) to achieve domain-wide compromise.

Technical Insights into SystemBC

According to Check Point, SystemBC establishes SOCKS5 network tunnels within the victim’s environment, connecting to its C2 server through a custom RC4-encrypted protocol. This malware is capable of downloading and executing additional malicious payloads, either by writing them to disk or injecting them directly into memory. The C2 server linked to SystemBC has been responsible for commandeering hundreds of victims across various countries, including the U.S., U.K., Germany, Australia, and Romania.

While SystemBC has been utilized in ransomware operations since 2020, the exact relationship between this malware and The Gentlemen’s operations remains unclear. It is uncertain whether SystemBC is a standard component of their attack strategy or if it is employed by specific affiliates for data exfiltration and remote access.

During lateral movement, the ransomware attempts to disable Windows Defender on accessible remote hosts. This is accomplished through a PowerShell script that disables real-time monitoring, adds broad exclusions for drives and its own processes, shuts down firewalls, re-enables SMB1, and loosens LSA anonymous access controls before executing the ransomware binary.
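The defensive-tampering sequence described above leaves a distinctive footprint in PowerShell script-block logging. The following is an added example, not code from Check Point or the article: it scores constructed log records per host so that several tamper categories appearing together stand out from a single legitimate admin change. The cmdlet and registry patterns are assumptions about how such actions commonly surface in logs, since the report does not reproduce the script.

```python
import re

# Constructed sample records shaped like PowerShell script-block log entries
# (Event ID 4104 style); these are not real telemetry from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "script": "Set-MpPreference -ScanScheduleDay 2"},
    {"host": "FS02", "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                               "Add-MpPreference -ExclusionPath 'C:\\'"},
    {"host": "FS02", "script": "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"host": "FS02", "script": "Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force"},
    {"host": "FS02", "script": "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' "
                               "-Name RestrictAnonymous -Value 0"},
    {"host": "LAB03", "script": "Set-NetFirewallProfile -Profile Public -Enabled False"},
]

# One rule per behaviour the report names; patterns are assumed common forms.
RULES = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    # Exclusion of an entire drive root such as C:\ rather than a specific folder.
    "broad_exclusion": re.compile(
        r"-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(?=[\s;,]|$)", re.I),
    "firewall_off": re.compile(
        r"Set-NetFirewallProfile\b.*-Enabled\s+\$?false", re.I),
    "smb1_enable": re.compile(
        r"(Enable-WindowsOptionalFeature\b.*SMB1Protocol"
        r"|Set-SmbServerConfiguration\b.*-EnableSMB1Protocol\s+\$?true)", re.I),
    "lsa_anonymous": re.compile(
        r"Control\\Lsa.*RestrictAnonymous.*(?:-Value|/d)\s+0\b", re.I),
}


def score_events(events, threshold=2):
    """Return {host: [categories]} for hosts hitting >= threshold distinct categories.

    Requiring several categories on one host filters out a lone, possibly
    legitimate, change and surfaces the bundled pre-encryption pattern.
    """
    hits = {}
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["script"]):
                hits.setdefault(ev["host"], set()).add(name)
    return {h: sorted(c) for h, c in hits.items() if len(c) >= threshold}


if __name__ == "__main__":
    for host, cats in score_events(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

At the default threshold only FS02 is reported; lowering it to 1 also surfaces LAB03's single firewall change, which is the trade-off between coverage and noise a triage rule has to make.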

The Broader Context of Ransomware Operations

The findings from Check Point coincide with insights from Rapid7, which has drawn attention to another emerging ransomware family named Kyber. This group targets Windows and VMware ESXi infrastructures, employing encryptors developed in Rust and C++. The ESXi variant is specifically designed for VMware environments, featuring capabilities for datastore encryption and optional virtual machine termination.

Data compiled by ZeroFox indicates that at least 2,059 separate ransomware and digital extortion incidents were recorded in Q1 2026, with March alone accounting for 747 incidents. The most active groups during this period included Qilin, Akira, The Gentlemen, INC Ransom, and Cl0p. Notably, North American victims represented approximately 20% of The Gentlemen’s attacks in Q3 2025, a figure that dropped to 2% in Q4 2025, before rising to 13% in Q1 2026.

Evolving Tactics and Trends in Ransomware

Cybersecurity firm Halcyon, in its 2025 Ransomware Evolution Report, highlights the maturation of ransomware into a more disciplined and business-oriented criminal enterprise. Ransomware attacks targeting the automotive sector more than doubled in 2025, constituting 44% of all cyber incidents in that industry.

Significant trends include attempts to impair Endpoint Detection and Response (EDR) tools, the use of the Bring Your Own Vulnerable Driver (BYOVD) technique for privilege escalation, and a blurring of lines between nation-state and criminal ransomware campaigns. Additionally, there is an increased focus on small to mid-sized organizations and operational technology environments.

Ransomware operations are becoming increasingly rapid, with dwell times shrinking from days to mere hours. Approximately 69% of observed attack attempts are strategically staged during nights and weekends to outpace defender responses. For instance, attacks involving Akira ransomware have demonstrated a swift escalation from initial access to full encryption within an hour, underscoring a highly efficient attack model.

The rapid evolution of ransomware tactics necessitates a proactive approach from cybersecurity professionals. As ransomware groups become more organized and sophisticated, the need for robust defense mechanisms and incident response strategies is more critical than ever.
