SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation
The Hidden Scale of The Gentlemen: SystemBC C2 Discovery Reveals 1,570+ Ransomware Victims
TL;DR
New research into a Command-and-Control (C2) server used by The Gentlemen ransomware-as-a-service (RaaS) has exposed a massive botnet of over 1,570 victims worldwide. Utilizing the SystemBC proxy malware to facilitate lateral movement and data exfiltration, the group has quickly become one of the most prolific threats in the cybercrime landscape since its emergence in July 2025.
Uncovering the Global Botnet
Recent analysis by Check Point Research has provided a rare look into the internal operations of The Gentlemen, a Ransomware-as-a-Service (RaaS) group. By gaining access to a C2 server linked to the SystemBC proxy malware used by an affiliate of the group, researchers discovered that the scale of the operation is far larger than previously believed.
While The Gentlemen’s public data leak site lists approximately 320 victims, the C2 server revealed a botnet comprising more than 1,570 compromised corporate networks. These victims are spread across the globe, with significant concentrations in the United States, United Kingdom, Germany, Australia, and Romania.
"The real scale of this operation is significantly larger than what's publicly known, and it's still growing," stated Eli Smadja, group manager at Check Point Research.
The Role of SystemBC
SystemBC is a well-known proxy malware that has been a staple in ransomware playbooks since at least 2020. In the context of The Gentlemen’s operations, SystemBC serves several critical functions:
- Network Tunneling: It establishes SOCKS5 network tunnels within the victim's environment.
- Encrypted Communication: It connects to its C2 server using a custom RC4-encrypted protocol to evade detection.
- Payload Delivery: It acts as a loader, capable of downloading additional payloads and either executing them directly in memory or writing them to disk.
Security researchers are still investigating whether SystemBC is a mandatory part of The Gentlemen’s standard attack playbook or a tool preferred by specific affiliates for remote access and exfiltration.
Advanced Tradecraft and Defense Evasion
The Gentlemen operate under a double-extortion model and demonstrate a high level of sophistication by targeting Windows, Linux, NAS, and BSD systems using a Go-based locker.
Their typical attack chain involves:
- Initial Access: Likely obtained via compromised credentials or vulnerable internet-facing services.
- Lateral Movement: Abuse of Group Policy Objects (GPOs) to facilitate domain-wide compromise.
- Blinding Defenses: Before deploying the ransomware, the group uses PowerShell scripts to disable Windows Defender, shut down firewalls, and loosen LSA anonymous access controls.
- Specialized ESXi Tactics: The group's ESXi variant shuts down virtual machines before encryption and uses crontab entries for persistence, which also inhibits recovery.
A Crowded Ransomware Landscape
The Gentlemen are currently ranked among the most active ransomware collectives. According to ZeroFox data for Q1 2026, the group recorded 192 incidents, trailing only Qilin (338) and Akira (197).
Unlike many other groups that focus over 50% of their efforts on North American targets, The Gentlemen exhibit a more distributed regional targeting strategy, with North American victims accounting for only 13% of their attacks in early 2026.
This report surfaces alongside findings on other emerging threats, such as the Kyber ransomware (discovered in September 2025), which uses Rust and C++ to target Windows and VMware ESXi environments, further emphasizing the industry's shift toward multi-platform specialization.
Conclusion
The Gentlemen have distinguished themselves from "noisy" groups that disappear after a few successful hits. By offering competitive affiliate terms and employing a disciplined, versatile toolkit—including the widespread use of SystemBC—they have built a massive, understated infrastructure of compromised networks. As ransomware dwell times continue to collapse from days to mere hours, defenders must prepare for adversaries that are increasingly industrialized and capable of blinding security solutions before the first file is even encrypted.
Source: https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html