PROBABLYPWNED
Threat Intelligence · April 23, 2026 · 4 min read

Exposed SystemBC Server Reveals 1,570+ Hidden Ransomware Victims

Check Point researchers gained access to a SystemBC C2 server operated by The Gentlemen ransomware group, uncovering over 1,570 compromised corporate networks that haven't been publicly disclosed.

Alex Kowalski

Security researchers at Check Point gained access to a SystemBC command-and-control server operated by an affiliate of The Gentlemen ransomware operation. Inside, they found evidence of more than 1,570 compromised corporate networks—the vast majority never publicly disclosed.

"When we got inside one of their operator's servers, we found over 1,570 compromised corporate networks that hadn't even made the news yet," Check Point stated in their analysis.

This discovery suggests that public ransomware victim counts, already at record levels, significantly underrepresent the actual scale of attacks. The organizations on that server's list are most likely some mix of victims that paid quietly, victims still in active negotiation, and victims that have not yet realized they are compromised.

SystemBC: The Ransomware Enabler

SystemBC functions as a proxy and remote access tool that ransomware operators deploy after initial access. The malware runs a SOCKS5 proxy on the infected host and connects back to the operator's C2 server, so that the attacker can route traffic through the compromised host into the victim environment, reach internal systems from outside, and download additional payloads.

Communications with C2 servers use a custom protocol encrypted with RC4. Because RC4 output is just plaintext XORed with a keystream, the traffic carries no recognizable protocol header for network signatures to match. SystemBC can deliver payloads either to disk or directly into memory; the in-memory path leaves no file for antivirus scanning or disk forensics to find, so detection depends on memory and behavioural telemetry. The tool has become a standard component in ransomware affiliate toolkits, similar to what we've documented in fake Claude AI installer campaigns and other malware delivery operations.

The exact relationship between SystemBC and The Gentlemen remains unclear. It could be a standard tool in their attack playbook, or specific affiliates may deploy it independently for data exfiltration and persistent access.

Geographic Spread

Victims span multiple countries including the United States, United Kingdom, Germany, Australia, and Romania. The distribution suggests opportunistic targeting rather than a focus on specific regions or industries. Ransomware operations often prioritize organizations based on revenue potential and defensive posture rather than geography.

This international scope complicates law enforcement response. The Gentlemen operates across jurisdictions where cooperation may be limited or slow. Victims in some countries face regulatory disclosure requirements, while others can settle ransoms privately without public acknowledgment.

Why So Many Hidden Victims

The gap between Check Point's 1,570+ figure and public victim counts reflects several factors:

Ransom payments: Organizations that pay often do so under agreements that prohibit disclosure. The Gentlemen removes victims from their leak site after payment, erasing public evidence of compromise.

Ongoing negotiations: Many victims remain in active negotiation when researchers observe C2 infrastructure. These organizations haven't yet appeared on leak sites because deadlines haven't expired.

Detection failures: Some compromised networks don't know they're compromised. SystemBC's tunneling capabilities can persist for extended periods before ransomware deployment or data exfiltration triggers alerts.

Non-encryption extortion: Modern ransomware groups increasingly skip encryption entirely, focusing on data theft and extortion. These incidents may never trigger the operational disruption that forces public disclosure.

We've tracked this shift toward exfiltration-only attacks throughout 2026. Groups recognize that data theft alone creates sufficient leverage for payment without the technical overhead of mass encryption.

Implications for Threat Intelligence

Check Point's C2 access provided rare visibility into operational scale. Most ransomware victim counts rely on leak site monitoring—essentially counting what attackers choose to publicize. This approach consistently undercounts actual compromises.

For security teams, the finding reinforces that industry statistics represent floors, not ceilings. If The Gentlemen's actual victim count is roughly an order of magnitude above what its leak site shows, similar ratios likely apply to other ransomware operations. The Canada Life Assurance breach and other recent incidents represent only the visible portions of broader campaigns.

Organizations should assume threat actor capabilities exceed public reporting. Detection and response programs need to account for sophisticated operators maintaining prolonged access before any visible attack indicators emerge.

Detection Guidance

SystemBC leaves forensic artifacts despite its evasion capabilities. Security teams should monitor for:

  • Internal hosts that suddenly originate connections to many internal peers, or to external destinations they never contacted before, consistent with being used as a SOCKS5 relay
  • Long-lived, bidirectional connections to unfamiliar external IP addresses whose payload is high-entropy but not TLS (RC4 ciphertext cannot be fingerprinted directly, so look for the absence of any recognizable protocol rather than for RC4 itself)
  • Process injection patterns consistent with in-memory payload execution, such as a process writing into and creating a thread in another process
  • Scheduled tasks, services or registry Run-key modifications establishing persistence

The malware's proxy functionality means compromised hosts generate outbound connection patterns that differ from normal user activity. Network-level monitoring offers detection opportunities even when endpoint tools miss initial deployment.
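The following is an added example, not code from the original article, from Check Point or from any SystemBC analysis. It ties the two technical points above together: the RC4 routine is textbook RC4, included only to show why the encrypted C2 traffic the article describes has no fixed signature and instead stands out by its entropy, and the two heuristics turn the detection list into runnable logic over constructed flow records shaped like Zeek conn.log entries with the first client payload bytes attached. The key, addresses, port numbers and timings are all made up; real SystemBC key handling and message framing are not reproduced here.

```python
"""Constructed flow records and heuristics; not real SystemBC traffic or signatures."""
import math
from collections import Counter, defaultdict

C2_KEY = b"constructed-demo-key"   # assumption for the example, not a real key


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Output is keystream XOR plaintext, so there is
    no header or magic value on the wire; only the entropy gives it away."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, roughly 4-5 for protocol text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def is_internal(ip: str) -> bool:
    return ip.startswith(("10.", "192.168.", "172.16."))  # crude RFC 1918 check


def opaque_tunnel_candidates(flows, min_duration=600, entropy_threshold=6.0):
    """Outbound flows from internal hosts that are long-lived, carry data both
    ways, and open with high-entropy bytes that are not a TLS handshake."""
    hits = []
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        if f["duration"] < min_duration or not f["bytes_in"] or not f["bytes_out"]:
            continue
        if looks_like_tls(f["first_payload"]):
            continue  # may still be malicious, but needs TLS-aware inspection
        if shannon_entropy(f["first_payload"]) >= entropy_threshold:
            hits.append((f["src"], f["dst"], f["dport"]))
    return hits


def proxy_pivot_hosts(flows, window=900, fan_out=20):
    """Hosts holding an opaque external tunnel that, within `window` seconds of
    its start, contact many distinct internal peers: the shape of an attacker
    scanning or moving laterally through a SOCKS proxy on that host."""
    tunnels = set(opaque_tunnel_candidates(flows))
    tunnel_start = {}
    for f in flows:
        if (f["src"], f["dst"], f["dport"]) in tunnels:
            tunnel_start[f["src"]] = min(f["ts"], tunnel_start.get(f["src"], f["ts"]))
    peers = defaultdict(set)
    for f in flows:
        start = tunnel_start.get(f["src"])
        if start is not None and is_internal(f["dst"]) and start <= f["ts"] <= start + window:
            peers[f["src"]].add(f["dst"])
    return sorted(h for h, p in peers.items() if len(p) >= fan_out)


def build_sample_flows():
    """Constructed records; every address, port and timestamp is invented."""
    t0 = 1_700_000_000
    beacon = rc4(C2_KEY, b"\x00" * 16 + b"host=ws-042;user=svc_backup;" * 12)
    flows = [
        # suspicious: long-lived, both directions, opaque payload, odd port
        dict(ts=t0, src="10.0.5.42", dst="203.0.113.7", dport=4001, duration=7200,
             bytes_out=48_000, bytes_in=31_000, first_payload=beacon),
        # benign: ordinary TLS session (ClientHello record header)
        dict(ts=t0 + 30, src="10.0.7.15", dst="198.51.100.20", dport=443, duration=3000,
             bytes_out=9_000, bytes_in=240_000,
             first_payload=bytes.fromhex("160301") + b"\x00\xf4\x01\x00\x00\xf0\x03\x03" + b"\x00" * 40),
        # benign: short plaintext HTTP exchange, low entropy
        dict(ts=t0 + 60, src="10.0.7.16", dst="198.51.100.21", dport=8080, duration=12,
             bytes_out=400, bytes_in=2_000,
             first_payload=b"GET /status HTTP/1.1\r\nHost: proxy.example\r\nUser-Agent: curl/8.4.0\r\n\r\n" * 6),
    ]
    for i in range(25):  # SMB probes from the tunnelled host to 25 internal peers
        flows.append(dict(ts=t0 + 120 + i * 5, src="10.0.5.42", dst=f"10.0.1.{10 + i}", dport=445,
                          duration=1, bytes_out=300, bytes_in=200,
                          first_payload=b"\x00\x00\x00\x45\xfeSMB" + b"\x00" * 20))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("opaque tunnels:", opaque_tunnel_candidates(sample))
    print("proxy pivot hosts:", proxy_pivot_hosts(sample))
```

The entropy test on its own would also flag legitimate encrypted or compressed traffic, which is why the tunnel heuristic first discards anything that opens with a TLS handshake and then requires the fan-out pattern before naming a host a pivot. In production the same logic belongs in a SIEM or Zeek script over conn.log and the first bytes of each session, with the thresholds tuned to the environment's baseline.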

What Organizations Should Do

The 1,570+ victim count should prompt reassessment of ransomware risk calculations. Standard security investments often assume baseline attacker prevalence—if actual attack volume exceeds public figures by an order of magnitude, defensive economics shift.

Review incident response procedures for handling undisclosed compromises. Organizations that detect ransomware precursors like SystemBC face decisions about notification timing, regulatory obligations, and communication strategies before any data actually appears on leak sites.

For foundational ransomware defense concepts, our ransomware overview covers detection, response, and recovery strategies applicable regardless of which group is responsible for an incident.
