The Gentlemen ransomware-as-a-service (RaaS) operation has been linked to new attack activity involving the deployment of SystemBC proxy malware, signaling an escalation in its capabilities and global reach. The development highlights the group’s continued evolution as one of the fastest-growing ransomware threats since its emergence in mid-2025.

According to findings released by Check Point, infrastructure tied to SystemBC led to the discovery of a botnet comprising more than 1,570 compromised systems worldwide. The malware is designed to establish encrypted SOCKS5 tunnels within victim environments, enabling attackers to maintain persistence, facilitate remote access, and deliver additional malicious payloads.

The Gentlemen has rapidly positioned itself among the most active ransomware groups, claiming over 320 victims on its leak site. Operating under a double-extortion model, the group targets a wide range of platforms, including Windows, Linux, NAS, and BSD systems. Its toolkit includes a Go-based ransomware locker, along with the use of legitimate drivers and customized tools to bypass security defenses.

While the exact initial access vector remains unclear, attackers are believed to exploit internet-facing services or compromised credentials to infiltrate networks. Once inside, they conduct reconnaissance, move laterally across systems, and deploy tools such as SystemBC and other payloads before executing the final ransomware stage. A notable tactic includes the abuse of Group Policy Objects (GPOs) to enable domain-wide compromise.

The integration of SystemBC into these attacks enhances the group’s operational flexibility. The malware’s ability to execute payloads either directly in memory or via disk significantly reduces detection rates while enabling seamless communication with command-and-control infrastructure.

The scale of the operation underscores its growing threat. Eli Smadja noted that the number of compromised corporate networks identified through the group’s infrastructure far exceeds publicly reported incidents, indicating a much broader and still-expanding campaign.

Geographically, victims linked to the operation span multiple regions, including the United States, the United Kingdom, Germany, Australia, and Romania. Despite this global footprint, the group has demonstrated unconventional targeting patterns compared to other ransomware collectives, with fluctuating activity across North America.

In parallel, another emerging ransomware family known as Kyber has also surfaced, targeting both Windows and VMware ESXi environments. The group leverages encryptors developed in Rust and C++, focusing on destructive efficiency rather than technical complexity, and highlighting a broader industry trend toward specialized attack tooling.

Data from ZeroFox indicates that ransomware and digital extortion incidents continue to surge, with over 2,000 cases recorded in the first quarter of 2026 alone. The Gentlemen ranks among the most active groups during this period, alongside other prominent operators in the threat landscape.

The rapid evolution of ransomware is further reinforced by trends identified by Halcyon, which show attackers adopting faster, more coordinated methods. Modern campaigns are increasingly executed within hours rather than days, often timed during nights and weekends to evade detection and response.

The emergence of SystemBC within The Gentlemen’s operations reflects a broader shift in ransomware strategy – one that prioritizes stealth, speed, and scalability. As cybercriminal groups continue to refine their techniques and expand their infrastructure, organizations face mounting pressure to strengthen defenses against increasingly sophisticated and industrialized ransomware ecosystems.
