
Threat actors associated with The Gentlemen ransomware-as-a-service (RaaS) operations have been observed attempting to deploy a known proxy malware called SystemBC.
Analysis of a command-and-control (C2 or C&C) server linked to SystemBC uncovered a botnet with more than 1,570 victims, according to new research published by Check Point.
“SystemBC establishes a SOCKS5 network tunnel within the victim’s environment and connects to the C&C server using a custom RC4 encryption protocol,” Check Point said. The payload can also be written to disk or directly injected into memory to download and execute additional malware.
Since its emergence in July 2025, The Gentlemen has quickly established itself as one of the most prolific ransomware groups, claiming over 320 victims on data breach sites. Operating under the classic dual extortion model, the group is sophisticated and versatile, demonstrating the ability to target Windows, Linux, NAS, and BSD systems using Go-based lockers, employing legitimate drivers and custom malicious tools to subvert defenses.
While it is unclear exactly how threat actors gain initial access, evidence suggests that internet-facing services or compromised credentials are exploited to establish an initial foothold, followed by discovery, lateral movement, payload staging (i.e., Cobalt Strike, SystemBC, and encryption programs), defense evasion, and ransomware deployment. A notable aspect of this attack is the exploitation of Group Policy Objects (GPOs) to facilitate domain-wide compromise.
In a September 2025 analysis of the group’s tradecraft, security vendor Trend Micro said, “By tailoring its tactics to specific security vendors, The Gentleman demonstrates a keen awareness of the target’s environment and a willingness to conduct thorough reconnaissance and modify tools throughout the course of its operations.”
Check Point’s latest findings show that an affiliate of The Gentlemen RaaS deployed SystemBC on compromised hosts, and that the C2 servers linked to the proxy malware were tied to the extortion of hundreds of victims around the world, including in the US, UK, Germany, Australia, and Romania.
SystemBC has been used in ransomware operations dating back to 2020, but the exact nature of its relationship to The Gentlemen e-crime operation remains unclear: it is not known whether it is part of the group’s core playbook or is deployed by a specific affiliate for data exfiltration or remote access.
“During lateral movement, the ransomware attempts to blind Windows Defender on each reachable remote host by disabling real-time monitoring, adding broad exclusions for drives, staging shares, and proprietary processes, shutting down the firewall, re-enabling SMB1, and pushing a PowerShell script that loosens LSA anonymous access controls before deploying and running the ransomware binary on that host,” Check Point said.
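The Defender tampering described above leaves a recognisable footprint on every host it touches. The following audit script is an added example, not Check Point’s or the article’s code: it checks one Windows host for each weakened setting named in the quote. Which LSA registry values the attackers’ script changes is not stated in the article, so the two values checked here are an assumption.

```powershell
# Added example: audit one Windows host for the weakened state described above.
# Run locally as an administrator; wrap the function in Invoke-Command to sweep
# many hosts. The LSA values checked at the end are an assumption, since the
# article does not say which settings the attackers' PowerShell script loosens.
function Test-DefenseTampering {
    $findings = @()

    # Windows Defender: real-time monitoring off, or broad / process exclusions added
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) { $findings += 'Defender real-time monitoring is disabled' }
    foreach ($p in @($mp.ExclusionPath | Where-Object { $_ })) {
        # A bare drive root (C:\) or a share root (\\server\share) is a broad exclusion
        if ($p -match '^[A-Za-z]:\\?$' -or $p -match '^\\\\[^\\]+\\[^\\]+\\?$') {
            $findings += "Broad Defender path exclusion: $p"
        }
    }
    foreach ($proc in @($mp.ExclusionProcess | Where-Object { $_ })) {
        $findings += "Defender process exclusion present: $proc"
    }

    # Windows Firewall: any profile explicitly turned off
    foreach ($prof in Get-NetFirewallProfile) {
        if ($prof.Enabled -eq 'False') { $findings += "Firewall profile disabled: $($prof.Name)" }
    }

    # SMB1 re-enabled on the server side
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $findings += 'SMB1 server protocol is enabled' }

    # LSA anonymous-access controls loosened (assumed values, see comment above)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymous -eq 0)        { $findings += 'LSA RestrictAnonymous is 0' }
    if ($lsa.EveryoneIncludesAnonymous -eq 1) { $findings += 'LSA EveryoneIncludesAnonymous is 1' }

    [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Findings = $findings }
}

Test-DefenseTampering | Format-List
```

Any non-empty Findings list on a host that should not have these settings is worth treating as a lateral-movement indicator and correlating with the GPO changes and SystemBC C2 traffic described elsewhere in the article.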
ESXi variants include fewer features than Windows variants, but they do have the ability to shut down virtual machines to increase attack effectiveness, add persistence via crontab, and prevent recovery before ransomware binaries are deployed.
“Most ransomware groups start up and disappear with a bang. Gentleman is different,” Eli Smadja, group manager at Check Point Research, said in a statement shared with Hacker News.
“They solved the problem of affiliate recruitment by offering better terms than anyone else in the criminal ecosystem. When we penetrated one of their operator’s servers, we discovered over 1,570 compromised corporate networks that had not yet made the news. The true scale of this operation is much larger than publicly known, and it continues to grow.”

This discovery comes as Rapid7 shed light on the inner workings of another relatively new ransomware family called Kyber, which emerged in September 2025 and targets Windows and VMware ESXi infrastructure using encryptors written in Rust and C++, respectively.
“The ESXi variants are built specifically for VMware environments, with features such as datastore encryption, optional virtual machine termination, and management interface tampering,” the cybersecurity firm said. “A Windows variant written in Rust contains self-proclaimed ‘experimental’ features targeting Hyper-V.”
“Kyber ransomware is not a masterpiece of complex code, but it is highly effective at causing destruction. It reflects a shift towards specialization rather than sophistication.”
According to data compiled by ZeroFox, there were at least 2,059 ransomware and digital extortion (R&DE) incidents confirmed in the first quarter of 2026, with over 747 incidents occurring in March. The most active groups during this period were Qilin (338), Akira (197), The Gentlemen (192), INC Ransom, and Cl0p.
“Notably, North American-based victims accounted for approximately 20% of attacks by The Gentlemen in Q3 2025, 2% in Q4 2025, and 13% in Q1 2026,” ZeroFox said. “This is in sharp contrast to typical regional targeting trends by other R&DE groups, where at least 50% of victims are based in North America.”
Changes in the speed of ransomware attacks
In its 2025 Ransomware Evolution Report, cybersecurity firm Halcyon revealed that ransomware attacks targeting the automotive industry more than doubled in 2025, accounting for 44% of all cyber incidents across the industry, as the threat continues to mature into a more disciplined, business-driven criminal enterprise.
Other important trends include attempts to tamper with endpoint detection and response (EDR) tools, use of bring-your-own-vulnerable-driver (BYOVD) techniques to escalate privileges and disable security solutions, a blurring of the line between nation-state and criminal ransomware campaigns, and increased targeting of small and medium-sized organizations and operational technology (OT) environments.
“Rather than a single brand, ransomware continued to grow as a durable, industrialized ecosystem built on specialization, shared infrastructure, and rapid reproduction,” the company said. “Law enforcement pressure and infrastructure seizures have disrupted key operations, facilitated fragmentation, rebranding, and increased competition across a more fluid landscape.”
Ransomware attacks are also getting faster, with dwell times shrinking from days to hours. Approximately 69% of observed attack attempts were deliberately conducted at night or on weekends to outpace defenders.
For example, attacks involving the Akira ransomware displayed unusual speed, rapidly escalating from initial foothold to full encryption, sometimes undetected, within an hour, highlighting a well-oiled attack engine designed to maximize impact.
“Akira’s combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets us apart from many ransomware operators,” Halcyon said. “Defenders should treat Akira not as an opportunistic threat, but as a capable and tenacious adversary who will exploit any weaknesses to achieve their objectives.”
