The Gentlemen ransomware-as-a-service (RaaS) group has been implicated in deploying the proxy malware SystemBC, marking a significant escalation in their operations. According to recent research from Check Point, this malware’s command-and-control (C2) server has led to the identification of over 1,570 victims worldwide.

SystemBC is capable of establishing SOCKS5 network tunnels within compromised environments and connects to its C2 server via a custom RC4-encrypted protocol. Notably, it can download and execute other malware, employing techniques that either write payloads to disk or inject them directly into memory.

Since its inception in July 2025, The Gentlemen has quickly become one of the most active ransomware groups, boasting more than 320 victims listed on its data leak site. Utilizing a double-extortion strategy, the group demonstrates a high level of versatility, targeting various systems—including Windows, Linux, NAS, and BSD—with sophisticated tools and exploitation techniques that leverage legitimate drivers and proprietary malicious software.

The initial access methods employed by these threat actors remain somewhat unclear; however, indications suggest that they exploit vulnerabilities in internet-facing services or utilize compromised credentials. Their attack workflow typically includes reconnaissance, lateral movement, staging of payloads like Cobalt Strike and SystemBC, and finally the deployment of ransomware. A critical tactic observed is the manipulation of Group Policy Objects (GPOs) to facilitate domain-wide compromises.

Security vendor Trend Micro has highlighted the group’s tailored tactics against specific security vendors, signaling a sophisticated understanding of their targets and an iterative approach to reconnaissance and tool refinement.

The Check Point findings reveal that an affiliate of The Gentlemen RaaS has successfully executed SystemBC on compromised hosts, resulting in widespread incidents in various countries, including the U.S., the U.K., Germany, Australia, and Romania. Despite SystemBC’s utilization in ransomware attacks since 2020, the exact relationship between this malware and The Gentlemen’s operations remains ambiguous, particularly regarding its role in data exfiltration and remote access strategies.

During deployment, the ransomware attempts to disable Windows Defender on every reachable remote system via a series of PowerShell scripts. These scripts disable real-time monitoring and firewall functions, loosen access controls, and finally deploy the ransomware binary.
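The Defender- and firewall-tampering sequence described above is what a detection engineer would want to surface from PowerShell script-block logging. The following is an added example, not code from the article or from Check Point or Trend Micro: it runs a small set of tamper patterns over constructed Event ID 4104-style records (the host|user|script layout and every host, account and command in them are assumed sample data) and reports hosts where protections were altered, plus accounts that did so on more than one host.

```python
import re
from collections import defaultdict

# Constructed sample records in the spirit of PowerShell script-block logging
# (Event ID 4104). The host|user|script_text layout is assumed; not real telemetry.
SAMPLE_EVENTS = [
    "WS01|CORP\\svc_deploy|Set-MpPreference -DisableRealtimeMonitoring $true",
    "WS01|CORP\\svc_deploy|Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False",
    "WS02|CORP\\alice|Get-ChildItem C:\\Reports",
    "WS03|CORP\\svc_deploy|Invoke-Command -ComputerName FS01 -ScriptBlock { Set-MpPreference -DisableRealtimeMonitoring $true }",
    "WS03|CORP\\svc_deploy|Add-MpPreference -ExclusionPath C:\\Windows\\Temp",
]

# Starting set of tamper indicators, not an exhaustive rule set. Case-insensitive
# because PowerShell cmdlet and parameter names are.
TAMPER_PATTERNS = {
    "defender_realtime_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
    "firewall_disabled": re.compile(r"Set-NetFirewallProfile\b.*-Enabled\s+\$?false", re.I),
    "remote_execution": re.compile(r"Invoke-Command\b.*-ComputerName", re.I),
}

def parse_event(line):
    host, user, script = line.split("|", 2)
    return {"host": host, "user": user, "script": script}

def classify(script):
    """Names of every tamper pattern that matches the script text."""
    return [name for name, rx in TAMPER_PATTERNS.items() if rx.search(script)]

def find_tampering(lines):
    """Map each host with at least one hit to the sorted list of categories seen there."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for tag in classify(ev["script"]):
            hits[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items()}

def actors_touching_multiple_hosts(lines, min_hosts=2):
    """Accounts whose tampering hits span at least min_hosts hosts (the domain-wide pattern, not a one-off admin action)."""
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if classify(ev["script"]):
            per_user[ev["user"]].add(ev["host"])
    return {user: sorted(hosts) for user, hosts in per_user.items() if len(hosts) >= min_hosts}
```

On the sample data, WS01 and WS03 are flagged and the single account that touched both is reported; the same functions can be fed lines exported from a SIEM once the split on `|` is adapted to that export's field layout.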

Notably, while the ESXi variant of the ransomware has reduced functionality compared to its Windows counterpart, it can still terminate virtual machines to maximize the attack's impact and establishes persistence through crontab entries. The speed and effectiveness of The Gentlemen's operations contrast with those of many other ransomware groups, marking them as a significant threat in the cyber landscape.

Recent cybersecurity research reports at least 2,059 ransomware and digital extortion incidents in the first quarter of 2026, with 747 of them in March alone. The Gentlemen were among the most active groups during this period. As ransomware evolves into a more organized criminal enterprise, the interplay of techniques such as privilege escalation and the exploitation of security weaknesses becomes critical to understanding the threat landscape. The adoption of aggressive tactics points to a growing trend in which ransomware operations combine speed with sophistication.