Recent investigations have uncovered significant details about the SystemBC proxy malware’s involvement in the operations of the notorious ransomware group, The Gentlemen. Researchers at Check Point have identified a command-and-control (C2) server linked to SystemBC, revealing a botnet with over 1,570 victims.
SystemBC’s Role in Ransomware Attacks
SystemBC is known for establishing SOCKS5 network tunnels within affected environments, connecting to its C2 server via a custom RC4-encrypted protocol. This allows the malware to download and execute additional malicious software, either by writing it to disk or injecting it directly into memory. Since its inception in July 2025, The Gentlemen group has rapidly become a dominant force in ransomware, claiming over 320 victims on its data leak site.
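The SOCKS5 tunnel mentioned above follows the standard RFC 1928 framing, which is worth knowing when hunting for unsanctioned proxying. The code below is an added illustration, not Check Point's or SystemBC's code: it parses a SOCKS5 client greeting and request and flags requests sent to hosts that are not approved proxies. The page states that SystemBC's own C2 link is RC4-encrypted, so this cleartext framing is assumed to be observable only where the proxy endpoint is reachable unencrypted (for example in host-level or local network captures). The host names, addresses and flow records are constructed samples.

```python
"""Toy SOCKS5 (RFC 1928) negotiation parser and unsanctioned-proxy finder.

Added example for defenders; not SystemBC's protocol or any vendor's code.
All sample hosts, addresses and payloads below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass(frozen=True)
class Socks5Request:
    command: str
    address: str
    port: int


def parse_greeting(payload: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if payload is a well-formed client greeting.

    Greeting layout: VER | NMETHODS | METHODS[NMETHODS]
    """
    if len(payload) < 2 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return list(payload[2:2 + nmethods])


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Parse a SOCKS5 request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        if len(payload) != 4 + 4 + 2:
            return None
        addr = ".".join(str(b) for b in payload[4:8])
    elif atyp == ATYP_DOMAIN:
        if len(payload) < 5:
            return None
        n = payload[4]
        if n == 0 or len(payload) != 5 + n + 2:
            return None
        addr = payload[5:5 + n].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        if len(payload) != 4 + 16 + 2:
            return None
        addr = ipaddress.IPv6Address(bytes(payload[4:20])).compressed
    else:
        return None
    port = struct.unpack("!H", payload[-2:])[0]
    return Socks5Request(CMD_NAMES[cmd], addr, port)


Flow = Tuple[str, str, bytes]  # (source host, destination host, first payload bytes)


def find_unsanctioned_socks5(flows: Iterable[Flow], approved_proxies: Iterable[str]):
    """Return (src, dst, request) for SOCKS5 requests whose destination is not an approved proxy."""
    approved = set(approved_proxies)
    hits = []
    for src, dst, payload in flows:
        if dst in approved:
            continue
        req = parse_request(payload)
        if req is not None:
            hits.append((src, dst, req))
    return hits


# Constructed sample flows (hypothetical hosts; 203.0.113.0/24 is documentation space).
SAMPLE_FLOWS: List[Flow] = [
    ("ws-01", "proxy.corp.example", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbb"),   # sanctioned proxy
    ("ws-07", "203.0.113.9", b"\x05\x01\x00"),                                     # greeting only
    ("ws-07", "203.0.113.9", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),          # CONNECT example.com:443
    ("ws-03", "10.1.2.3", b"GET / HTTP/1.1\r\n"),                                  # not SOCKS at all
]
APPROVED_PROXIES = ["proxy.corp.example"]


def demo():
    """Run the finder over the constructed flows and return its hits."""
    return find_unsanctioned_socks5(SAMPLE_FLOWS, APPROVED_PROXIES)


if __name__ == "__main__":
    for src, dst, req in demo():
        print(f"{src} -> {dst}: SOCKS5 {req.command} {req.address}:{req.port}")
```

The parser is strict on lengths on purpose: a malformed or truncated buffer returns None rather than a half-parsed request, so the finder only reports frames that really are SOCKS5 negotiations. In practice the approved-proxy list would come from inventory, and a hit is a starting point for triage rather than a verdict.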
The group uses a double-extortion model and is equipped to target a variety of systems, including Windows, Linux, NAS, and BSD, using a Go-based locker. Their methods include using legitimate drivers and custom tools to evade detection, although the initial access method remains uncertain. It is suspected that they exploit internet-facing services or compromised credentials to gain a foothold, followed by extensive reconnaissance and lateral movement.
Exploiting Security Weaknesses
Trend Micro’s analysis highlights The Gentlemen’s strategic approach, noting their ability to tailor tactics against specific security vendors. Their reconnaissance and tool modification efforts have been significant throughout their operations. The recent findings indicate that an affiliate deployed SystemBC on compromised hosts, affecting victims globally, including in the U.S., U.K., Germany, Australia, and Romania.
While SystemBC has been used in ransomware operations since 2020, its exact place in The Gentlemen's operations is not yet clear. It may be a standard component of the group's broader attack playbook, or a tool that only certain affiliates bring in for data exfiltration and remote access.
Ransomware Trends and Future Threats
In recent developments, Rapid7 has shed light on another ransomware family, Kyber, which emerged in September 2025. It targets Windows and VMware ESXi infrastructures using encryptors developed in Rust and C++. The ESXi variant is crafted for VMware environments with capabilities such as datastore encryption and virtual machine termination.
Statistics from ZeroFox show that ransomware incidents are on the rise, with 2,059 cases recorded in Q1 2026. The Gentlemen accounted for 192 incidents, with a significant portion targeting North America. This trend reflects a broader shift in ransomware operations towards specialization and rapid execution.
The 2025 Ransomware Evolution Report from Halcyon notes a growing maturity in ransomware operations, characterized by quick-moving attacks and increased targeting of specific industries. As ransomware groups continue to evolve, defenders must remain vigilant and adapt to these increasingly sophisticated threats.
