
SystemBC C2 Infrastructure Exposes Over 1,570 Victims Connected to The Gentlemen Ransomware Campaign


Key Findings


  • A compromised SystemBC C2 server linked to The Gentlemen ransomware operation revealed over 1,570 infected corporate networks globally

  • The Gentlemen has claimed more than 320 victims since emerging in July 2025, establishing itself as one of the most prolific ransomware groups

  • The group targets Windows, Linux, NAS, and BSD systems using Go-based encryption and demonstrates sophisticated defense evasion tactics

  • SystemBC establishes SOCKS5 tunnels using custom RC4-encrypted protocols and can download and execute additional malware payloads

  • Q1 2026 data shows 2,059 ransomware incidents with The Gentlemen among the top five most active groups


Background


The Gentlemen emerged in July 2025 as a ransomware-as-a-service operation running under a double-extortion model. The group quickly distinguished itself through versatility and operational sophistication, with the ability to target multiple operating systems and infrastructure types. Check Point's discovery of the SystemBC C2 server provided unprecedented visibility into the operation's actual scale, revealing that publicly reported victims represent only a fraction of its true impact.


SystemBC Proxy Malware Capabilities


SystemBC functions as a sophisticated proxy tool that creates SOCKS5 network tunnels within victim environments. The malware communicates with its command-and-control infrastructure using a custom RC4-encrypted protocol, making detection more difficult for standard security measures. Beyond establishing tunnels for remote access, SystemBC can download and execute additional payloads either written directly to disk or injected into running processes to avoid detection.


Attack Methodology and Initial Access


The exact initial access vector remains unclear, but evidence suggests The Gentlemen exploits internet-facing services or compromised credentials to establish footholds. Once inside, operators engage in systematic reconnaissance, lateral movement, and payload staging before deploying ransomware. The group has demonstrated particular sophistication in abusing Group Policy Objects to achieve domain-wide compromise, indicating deep familiarity with Windows Active Directory environments.


Defense Evasion and Lateral Movement


During lateral movement, The Gentlemen employs aggressive anti-security measures. Operators deploy PowerShell scripts that disable Windows Defender real-time monitoring, add broad drive exclusions, shut down firewalls, re-enable SMB1, and loosen LSA anonymous access controls. This multi-layered approach ensures minimal resistance to ransomware deployment across compromised networks. The group has also demonstrated vendor-specific awareness, tailoring their tactics and tool modifications based on security products detected in target environments.
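The five weakening actions listed above rarely appear together in legitimate administration, which makes the cluster a useful detection signal in PowerShell script block logs (Event ID 4104). The following is an added example written for this post, not code from Check Point or from the original article; it assumes the scripts use the standard cmdlet and registry names literally, and the log records are constructed samples.

```python
import re

# Regexes for the five tampering actions the post describes. Cmdlet and registry
# names are the standard Windows ones; it is an assumption that the scripts use
# them literally rather than an obfuscated equivalent.
TAMPER_PATTERNS = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b[^\n]*-DisableRealtimeMonitoring\s+\$?(?:true|1)\b", re.I),
    # Only a whole-drive exclusion (e.g. "C:\"), not a routine per-folder one
    "broad_drive_exclusion": re.compile(
        r"Add-MpPreference\b[^\n]*-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(?=[\s,;]|$)", re.I | re.M),
    "firewall_off": re.compile(
        r"Set-NetFirewallProfile\b[^\n]*-Enabled\s+False\b|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "smb1_reenabled": re.compile(
        r"Set-SmbServerConfiguration\b[^\n]*-EnableSMB1Protocol\s+\$true\b|Enable-WindowsOptionalFeature\b[^\n]*SMB1Protocol", re.I),
    "lsa_anonymous_loosened": re.compile(
        r"RestrictAnonymous(?:SAM)?\b[^\n]*(?:-Value|/d)\s+0\b", re.I),
}

def score_script_block(script: str) -> dict:
    """Return which tampering actions appear and whether they cluster into an alert."""
    hits = [name for name, pat in TAMPER_PATTERNS.items() if pat.search(script)]
    # Any single action can be routine admin work; two or more in one script
    # block is the combined weakening the post describes and is worth an alert.
    return {"hits": hits, "count": len(hits), "alert": len(hits) >= 2}

def triage(events: list) -> list:
    """Run the scorer over Event ID 4104 style records; return only alerting hosts."""
    alerts = []
    for ev in events:
        result = score_script_block(ev["script"])
        if result["alert"]:
            alerts.append({"host": ev["host"], "hits": result["hits"]})
    return alerts

# Constructed sample records (host name and script text), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "script": r'''Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath "C:\"
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name RestrictAnonymous -Value 0'''},
    # Installer-style script: one hit (real-time off) plus a narrow per-folder exclusion, no alert
    {"host": "BUILD-07", "script": r'''Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath "C:\Program Files\BuildAgent\work"'''},
    # Read-only query: no hits
    {"host": "ADMIN-01", "script": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns only the WS-0142 record with all five hits; the threshold of two keeps a lone Defender exclusion or a temporary real-time toggle from paging anyone.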


Multi-Platform Targeting


The group's Windows variant operates as a sophisticated Go-based encryptor, while their ESXi variant incorporates virtualization-specific functions including virtual machine shutdown capabilities, crontab-based persistence, and recovery inhibition. This specialization reflects serious operational planning aimed at maximizing damage and ransom leverage across diverse infrastructure types.


Affiliate Recruitment and Operation Scale


The Gentlemen's rapid growth stems from superior affiliate recruitment and revenue-sharing models compared to competitors. Check Point's analysis of the compromised operator server revealed that the publicly known victim count significantly underestimates the operation's true scope. The group continues expanding, suggesting the affiliate model is proving more sustainable than traditional ransomware operations that generate initial attention before disappearing.


Broader Ransomware Landscape


The first quarter of 2026 saw 2,059 separate ransomware and digital extortion incidents, with March alone accounting for 747 incidents. The Gentlemen ranked third among most active groups during this period, behind Qilin and Akira. Emerging competitors like Kyber ransomware demonstrate the ecosystem's continued evolution, with new families incorporating specialized capabilities for specific infrastructure types rather than broad general-purpose functionality.


Sources


  • https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html

  • https://www.socdefenders.ai/item/c35067c5-c887-45ba-8354-53369521b51f

  • https://www.sepe.gr/en/it-technology/cybersecurity/22715868/systembc-c2-server-reveals-1-570-victims-in-the-gentlemen-ransomware-operation/

© 2025 by Explain IT Again. Powered and secured by Wix