Check Point Uncovers Link Between SystemBC Malware and Gentlemen Ransomware Operation
Threat Actors Linked to The Gentlemen Ransomware Operation Employ SystemBC Malware
In a recent development, researchers have discovered a connection between the notorious ransomware group The Gentlemen and the SystemBC malware strain.
SystemBC Malware Overview
SystemBC is a well-known proxy malware that establishes SOCKS5 network tunnels within a victim’s environment, facilitating communication with its command-and-control server via a custom RC4-encrypted protocol.
The malware can also employ legitimate drivers and custom tools to evade defenses, making it a formidable tool for malicious actors.
The Gentlemen Ransomware Operation
The Gentlemen, which emerged in July 2025, operates a double-extortion model, targeting Windows, Linux, NAS, and BSD systems with a Go-based locker.
The group has claimed over 320 victims on its data leak site, with its activities spanning multiple continents.
Tactics and Techniques
Researchers have identified several key tactics employed by The Gentlemen, including the abuse of internet-facing services or compromised credentials, followed by discovery, lateral movement, payload staging, and ransomware deployment.
The group uses Group Policy Objects to achieve domain-wide compromise, allowing it to distribute its malware across the domain efficiently.
Additionally, The Gentlemen employs PowerShell scripts to disable Windows Defender during lateral movement.
Other Ransomware Families
Other ransomware families have also been identified, such as Kyber, which targets Windows and VMware ESXi infrastructure using encryptors developed in Rust and C++.
Ransomware attacks continue to evolve, with dwell times shrinking from days to hours and attackers increasingly targeting small and mid-sized organizations and operational technology environments.