SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation

Threat actors associated with The Gentlemen ransomware-as-a-service (RaaS) operation have been observed attempting to use a malware called SystemBC.

According to a new analysis published by Check Point, the command-and-control (C2 or C&C) server connected to SystemBC led to the discovery of a botnet of more than 1,570 victims.

“SystemBC establishes SOCKS5 network tunnels at the victim’s location and connects to its C&C server using a custom-encrypted RC4 protocol,” Check Point said. It can download and run additional malware, with payloads written to disk or loaded directly into memory.

Since its appearance in July 2025, The Gentlemen has quickly established itself as one of the most prolific ransomware groups, claiming more than 320 victims on its data leak site. Operating under a classic double-extortion model, the group is as versatile as it is sophisticated, capable of targeting Windows, Linux, NAS, and BSD systems with Go-based lockers and employing legitimate drivers and custom malicious tools to undermine defenses.

How the threat actors gain initial access is unclear, although evidence suggests that internet-facing assets or compromised credentials are abused to obtain a foothold, followed by discovery, lateral movement, payload staging (i.e., Cobalt Strike, SystemBC, and the encryptor), defense evasion, and ransomware deployment. A notable feature of the attack is the abuse of Group Policy Objects (GPOs) to facilitate domain-wide deployment.

“By combining their tactics against certain security vendors, the Gentlemen have shown great awareness of their target area and a willingness to engage in deep exploration and tool change during their work,” notes security vendor Trend Micro in a September 2025 analysis of the group’s tradecraft.

The latest findings from Check Point show that a Gentlemen RaaS affiliate used SystemBC on a compromised host, with the C2 server linked to the malware controlling hundreds of victims worldwide, including in the US, UK, Germany, Australia, and Romania.

While SystemBC has been used in ransomware operations since 2020, the exact nature of the relationship between the malware and The Gentlemen’s e-crime program remains unclear, such as whether it is part of the core attack playbook or something brought in by an affiliate for data exfiltration and remote access.

“During the lateral movement, the ransomware makes an attempt to blind Windows Defender on each accessible remote host by executing a PowerShell script that disables real-time monitoring, adds a wide extraction of the drive, the stage share, and its process, closes the firewall, re-enables SMB1, and loosens the LSA to control the unknown configuration, before checking the binary access controls,” Check Point said.

The ESXi variant includes fewer functions than the Windows variant, but is equipped to shut down virtual machines to improve encryption efficiency, adds crontab persistence, and removes recovery options before the ransomware binary is executed.

“Many ransomware groups make a splash when they start and disappear. Gentlemen is different,” said Eli Smadja, group manager at Check Point Research, in a statement sent to The Hacker News.

“They solved the problem of recruiting affiliates by offering a better deal than anyone else in the crime scene. When we went inside one of their servers, we found over 1,570 compromised corporate networks that hadn’t even made the news yet. The true scale of this operation is much bigger than what’s growing in the community, and it’s still growing.”

The findings come as Rapid7 highlights the inner workings of another new ransomware family called Kyber that emerged in September 2025, targeting Windows and VMware ESXi infrastructure using encryptors developed in Rust and C++, respectively.

“The ESXi variant is designed specifically for the VMware environment, with datastore encryption capabilities, optional virtual machine termination, and defragmentation of management environments,” the cybersecurity firm said. “The Windows variant, written in Rust, includes a self-explanatory ‘test’ feature for targeting Hyper-V.”

“Kyber ransomware is not a sophisticated piece of code, but it is very effective at causing destruction. It shows a shift to specialization over technology.”

According to data compiled by ZeroFox, at least 2,059 separate incidents of ransomware and digital extortion (R&DE) were observed in Q1 2026, with March accounting for no less than 747 incidents. The most active groups during that period were Qilin (338), Akira (197), The Gentlemen (192), INC Ransom, and Cl0p.

“Importantly, victims based in North America account for 20 percent of The Gentlemen attacks in Q3 2025, 2% in Q4 2025, and 13% in Q1 2026,” ZeroFox said. “This is in stark contrast to typical regional targeting practices by other R&DE clusters, with at least 50 percent of their targets based in North America.”

The Shifting Velocity of Ransomware Attacks

Cybersecurity company Halcyon, in its 2025 Ransomware Evolution report, revealed that the threat continues to mature into a business-driven criminal enterprise, with ransomware attacks targeting the automotive industry doubling in 2025 and accounting for 44% of all cyber incidents across that industry.

Other key trends include efforts to tamper with Endpoint Detection and Response (EDR) tools, the use of the Bring Your Own Vulnerable Driver (BYOVD) technique to escalate privileges and disable security solutions, the blurring line between nation-state and criminal ransomware campaigns, and the rise in targeting of small and medium-sized organizations and operational technology (OT).

“Ransomware has continued to grow as a durable, industrialized area built on expertise, shared infrastructure, and reinventing itself faster than any single genre,” it said. “Enforcement pressures and infrastructure seizures have disrupted large operations, driving fragmentation, name changes, and intensified competition in a more fluid environment.”

Ransomware operations are increasingly fast, with dwell times dropping from days to hours. About 69% of the observed attack attempts were found to be deliberately carried out at night and on weekends to evade defender response.

For example, attacks involving the Akira ransomware showed extraordinary speed, escalating from initial foothold to full impact within an hour in some cases, without detection, highlighting a well-oiled attack engine designed to maximize impact.

“Akira’s combination of rapid compromise capabilities, streamlined operational tempo, and investment in reliable encryption infrastructure sets it apart from most ransomware users,” Halcyon said. “Defenders should treat Akira not as an opportunistic threat, but as a powerful, persistent enemy who will exploit every available weakness to achieve his goal.”
