
The Gentlemen, SystemBC, and the Myth of the “New” Ransomware Brand


The Gentlemen Are Not Operating Alone, and Now We Have the Receipts

Every six months, a new ransomware brand shows up on the leak sites and the threat intel community does the same dance. We track the leak posts, we count the victims, we triage the negotiation language, and at some point a researcher correlates the build infrastructure or the affiliate handle and we figure out the new brand is a rebrand of something we already knew. The Gentlemen, which started showing up on leak sites in 2025, is the latest entry in that cycle, and Check Point Research just gave us the operational receipts.

The team published the writeup on Monday, April 21. They were on an incident response engagement, observed the Gentlemen affiliate attempting to drop SystemBC during the post-compromise phase, and then went the other direction: they enumerated the SystemBC C2 itself and pulled telemetry on every active proxy session. The result was a victim list of more than 1,570 hosts, with an infection profile that strongly indicates corporate environments. The Gentlemen brand has publicly claimed about 320 victims, with roughly 240 of those claims dated to the first four months of 2026.

What SystemBC Actually Does

SystemBC is a proxy malware. Once it is on the victim, it opens a SOCKS5 tunnel back to the operator's C2 over a custom RC4-encrypted protocol, and from that point on, any traffic the operator wants to push into or out of the victim network gets routed through the same channel. It can also pull additional payloads from the C2 and either drop them to disk or inject them straight into memory.

The reason ransomware operators love SystemBC is that it gives them a single, persistent, encrypted entry point into the victim that survives the loud parts of the attack chain. They can stage Cobalt Strike beacons through it, they can run reverse SSH out of it, they can exfil through it without lighting up the SIEM rules that flag direct outbound to known-bad infrastructure. The same pattern shows up in BlackBasta, Conti, and now Gentlemen engagements. The malware is old. The use of it is the maturity signal.

Why the 1,570 Number Matters

The Check Point number is not a count of Gentlemen ransomware victims. It is a count of hosts that were proxied through this specific SystemBC C2 instance at the time of enumeration. Some of those hosts are probably already encrypted Gentlemen victims. Some are pre-encryption staging targets the affiliate was setting up. Some are persistent footholds the affiliate is keeping warm for later monetization. Some are likely victims of other operators who are sharing or renting the same proxy infrastructure.

That last category is the one that should worry you. SystemBC C2 instances historically get rented or shared between affiliate groups, which means the same proxy mesh that just hosted a Gentlemen engagement could host a BlackBasta affiliate next week and a stealer operation the week after. Treating SystemBC infrastructure as a single-actor IOC is exactly the wrong mental model.

The Brand-Age Trap

The Gentlemen has been on leak sites for about a year. The affiliate Check Point observed was running a kit that took years of operational development. That mismatch is the most useful thing in the report.

When you see a new RaaS brand climbing the leaderboard, the default assumption should be that the operators are not new. They are veterans of an earlier brand that got disrupted, or burned, or rebranded for legal reasons, and they brought their tooling and their playbook with them. Threat intel that treats new brand names as new operations is going to miss the recurring affiliate, the recurring infrastructure, and the recurring TTPs that actually let you defend.

What to Do With This

Two things, neither of them surprising.

One, hunt for SystemBC. The IOC pack is in the Check Point post and is high quality. SOCKS5 outbound traffic over non-standard ports, persistent connections to recently registered infrastructure, and the custom RC4 protocol on the wire are all detectable with reasonable EDR coverage and the right rules.

Two, when your IR engagements turn up SystemBC, treat the C2 as shared. Other affiliates are probably using the same instance. The lateral threat intel you can extract by mapping that infrastructure is more valuable than the immediate IOC list, because the C2 is the part of the operation that does not get rebranded.
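A first-pass hunt for the two points above, as an added example that is not from the Check Point report or from any real SystemBC telemetry. It assumes a constructed tab-separated connection log (src, dst, dport, duration, first client-sent bytes as hex) and flags SOCKS5 greetings and long-lived sessions on non-web ports, then counts how many internal hosts reach each flagged destination, which is the "is this C2 shared?" question.

```python
from dataclasses import dataclass
from collections import defaultdict

WEB_PORTS = {80, 443}          # ports where long sessions are routine
LONG_LIVED_SECONDS = 3600      # tunnel-like: an hour or more on one socket

@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    duration: float
    first_bytes: bytes         # first client-sent bytes, captured as hex

def parse_conn_line(line: str) -> Conn:
    # Constructed layout (assumption): src dst dport duration first_bytes_hex
    src, dst, dport, duration, hexbytes = line.rstrip("\n").split("\t")
    return Conn(src, dst, int(dport), float(duration), bytes.fromhex(hexbytes))

def looks_like_socks5_greeting(data: bytes) -> bool:
    # RFC 1928 client greeting: VER=0x05, NMETHODS>=1, then NMETHODS method bytes
    return len(data) >= 3 and data[0] == 0x05 and data[1] >= 1 and len(data) == 2 + data[1]

def score_conn(c: Conn) -> list[str]:
    reasons = []
    if looks_like_socks5_greeting(c.first_bytes):
        reasons.append("socks5-greeting")
    if c.dport not in WEB_PORTS and c.duration >= LONG_LIVED_SECONDS:
        reasons.append("long-lived-nonstandard-port")
    return reasons

def hunt(lines):
    """Return flagged connections and, per destination, how many internal hosts reach it."""
    hits, hosts_per_dst = [], defaultdict(set)
    for line in lines:
        c = parse_conn_line(line)
        reasons = score_conn(c)
        if reasons:
            hits.append((c.src, c.dst, c.dport, reasons))
            hosts_per_dst[c.dst].add(c.src)
    return hits, {dst: len(s) for dst, s in hosts_per_dst.items()}

# Constructed sample log; addresses are documentation ranges, not real IOCs.
SAMPLE_LOG = [
    "10.0.0.5\t203.0.113.10\t443\t12.5\t160301",        # TLS to a web server
    "10.0.0.7\t198.51.100.23\t4001\t7200.0\t050100",   # SOCKS5 greeting, 2h
    "10.0.0.9\t198.51.100.23\t4001\t5400.0\t05020001", # SOCKS5 greeting, 1.5h
    "10.0.0.11\t198.51.100.77\t8443\t30.0\t160301",    # short TLS on an odd port
]

if __name__ == "__main__":
    flagged, shared = hunt(SAMPLE_LOG)
    for src, dst, port, why in flagged:
        print(f"{src} -> {dst}:{port} {why}")
    print("internal hosts per flagged destination:", shared)
```

Two internal hosts holding long sessions to the same odd port on the same destination is the pattern worth pivoting on; the RC4 layer itself is not fingerprinted here, since that needs the sample-specific indicators from the report.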

The Gentlemen are not new. They are good. The receipts are now public. Plan accordingly.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you'd rather know about your weak spots from a friendly face.