The Gentlemen ransomware now uses SystemBC for bot-powered attacks
Check Point reveals that The Gentlemen ransomware affiliate network has begun using SystemBC proxy malware, forming a botnet of over 1,570 hosts to covertly deliver payloads and support post‑exploitation operations, signaling a shift toward a broader, more mature toolchain targeting corporate environments across the US, UK, Germany, Australia, and Romania.
TechLogHub
April 20, 2026

The Gentlemen Ransomware: SystemBC Botnet Powers Attacks
- Overview
- The Gentlemen ransomware operation has begun using SystemBC as a proxy botnet to power covert payload delivery.
- The SystemBC network consists of more than 1,570 hosts, with the majority of observed infections tied to corporate environments rather than individual consumers.
- Background: The Gentlemen RaaS
- The Gentlemen ransomware-as-a-service (RaaS) emerged around mid-2025, offering a Go-based locker for Windows, Linux, NAS, and BSD systems, plus a C-based locker for ESXi hypervisors.
- In December 2025, the operation was tied to a high-profile compromise of Romania’s Oltenia Energy Complex, one of the country’s largest energy providers.
- In April 2026, Adaptavist disclosed a breach that The Gentlemen had claimed by listing the company on its data leak site, showing that the operation remains active.
- Although the RaaS publicly claimed around 320 victims, researchers observed affiliate activity and infrastructure expansion continuing throughout this period.
- SystemBC and the broader toolchain
- SystemBC is a long-standing proxy tool used primarily for SOCKS5 tunneling and covert traffic routing; it has also been leveraged to deliver additional malicious payloads.
- Check Point researchers noted that a Gentlemen affiliate attempted to deploy SystemBC to facilitate covert payload delivery, aligning with the gang’s evolution toward more mature post-exploitation workflows.
- The botnet’s existence underscores a trend of ransomware groups integrating SystemBC with frameworks like Cobalt Strike to broaden access, evasion, and persistence.
- Law enforcement actions in 2024 targeted related infrastructure, but the botnet remained active in subsequent months, with industry researchers documenting continued use against enterprise environments.
- Previous analyses indicated that SystemBC had scaled to infect thousands of systems and actively routed malicious traffic through compromised servers.
- Victims and geographic distribution
- The majority of observed victims are located in the United States, the United Kingdom, Germany, Australia, and Romania.
- Check Point’s telemetry suggests that most of the victims linked to Gentlemen’s SystemBC deployment are organizations rather than individual home users, consistent with enterprise-targeted intrusions.
- Infection chain and encryption scheme
- Initial foothold: The intrusion was first observed on a Domain Controller, with the attackers already holding Domain Admin privileges, which gave them broad visibility into and control over the environment.
- Credential access and discovery: Attackers used credential harvesting (notably Mimikatz) and reconnaissance to map the environment before expanding access.
- Lateral movement and payload staging: Cobalt Strike payloads were deployed through RPC-based remote execution to move across domain-joined systems; the attack was staged from an internal server.
- Propagation mechanics: The operation leveraged built-in Windows mechanisms such as Group Policy (GPO) to synchronize encryption across multiple machines in the environment.
- Encryption method: The ransomware uses a hybrid cryptosystem combining X25519 (elliptic-curve Diffie-Hellman) with XChaCha20. A fresh ephemeral key pair is generated for each file, so each file's symmetric key can only be reconstructed with the operator's private key; nothing recoverable from the sample or from the victim host unlocks the data.
- Coverage across file sizes: Files under 1 MB are fully encrypted; larger files are only partially encrypted, with roughly 9%, 3%, or 1% of the content affected depending on size and other factors. This intermittent scheme trades completeness for speed: it leaves large files unusable while cutting disk I/O and the time the locker needs to run.
- System and data disruption: In addition to encrypting files, the attackers terminate database, backup, and virtualization processes, and delete Volume Shadow Copies and logs. The ESXi variant goes further by powering off virtual machines so that their virtual disks can be encrypted without interference.
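To make the encryption scheme concrete, here is an added example written for this page; it is not code from Check Point or from the locker itself. It implements the pattern the report describes: an ephemeral X25519 key pair per file, a symmetric key derived from the shared secret, XChaCha20 over the whole file below 1 MB and over a percentage of it above. Everything beyond that is an assumption for illustration: the SHA-256 key derivation, the 64 MB and 1 GB size bands, the three 64-byte-aligned slices, and the header layout (ephemeral public key, nonce, body). The X25519 and ChaCha20 cores are pure Python, standard library only, and not constant-time.

```python
import hashlib
import os
import struct

# ---- X25519: RFC 7748 Montgomery ladder (pure Python, NOT constant-time) ----
_P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248; k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519; x25519(priv, BASEPOINT) is the public key."""
    k, x1 = _clamp(scalar), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = (da + cb) ** 2 % _P, x1 * (da - cb) ** 2 % _P
        e = (aa - bb) % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

# ---- XChaCha20: HChaCha20 subkey step plus the IETF ChaCha20 core (RFC 8439) ----
_M = 0xFFFFFFFF
_SIGMA = struct.unpack("<4I", b"expand 32-byte k")

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & _M

def _qr(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _M; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _M; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _M; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _M; s[b] = _rotl(s[b] ^ s[c], 7)

def _rounds20(s):
    for _ in range(10):  # column round, then diagonal round
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)

def _u32s(b):
    return list(struct.unpack("<%dI" % (len(b) // 4), b))

def hchacha20(key, nonce16):
    s = list(_SIGMA) + _u32s(key) + _u32s(nonce16)
    _rounds20(s)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))  # no feed-forward: output is a subkey

def chacha20_block(key, counter, nonce12):
    init = list(_SIGMA) + _u32s(key) + [counter & _M] + _u32s(nonce12)
    w = list(init)
    _rounds20(w)
    return struct.pack("<16I", *[(w[i] + init[i]) & _M for i in range(16)])

def xchacha20_xor(key, nonce24, data, counter=0):
    """Encrypt or decrypt (same operation) under a 192-bit nonce, starting at block `counter`."""
    subkey, nonce12 = hchacha20(key, nonce24[:16]), b"\x00" * 4 + nonce24[16:]
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(subkey, counter + off // 64, nonce12)
        out += bytes(p ^ q for p, q in zip(data[off:off + 64], ks))
    return bytes(out)

# ---- Per-file envelope with size-dependent partial encryption ----
MB = 1 << 20

def encrypted_ranges(size, chunks=3):
    """Byte ranges touched: the whole file under 1 MB, otherwise ~9%/3%/1% of it spread
    over `chunks` 64-byte-aligned slices. Size bands and slice layout are assumptions."""
    if size < MB:
        return [(0, size)]
    pct = 9 if size < 64 * MB else 3 if size < 1024 * MB else 1
    per_chunk = size * pct // 100 // chunks
    return [((i * size // chunks) & ~63, ((i * size // chunks) & ~63) + per_chunk) for i in range(chunks)]

def encrypt_file(plaintext, operator_pub):
    """Ephemeral X25519 pair per file; only the operator's private key can rebuild `key`."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    key = hashlib.sha256(x25519(eph_priv, operator_pub) + eph_pub + operator_pub).digest()  # KDF: assumption
    nonce, body = os.urandom(24), bytearray(plaintext)
    for start, end in encrypted_ranges(len(plaintext)):
        body[start:end] = xchacha20_xor(key, nonce, bytes(body[start:end]), counter=start // 64)
    return eph_pub + nonce + bytes(body)  # hypothetical layout: 32-byte eph_pub, 24-byte nonce, body

def decrypt_file(blob, operator_priv):
    """What the operator's decryptor would do; the victim never holds `operator_priv`."""
    eph_pub, nonce, body = blob[:32], blob[32:56], bytearray(blob[56:])
    key = hashlib.sha256(x25519(operator_priv, eph_pub) + eph_pub + x25519(operator_priv, BASEPOINT)).digest()
    for start, end in encrypted_ranges(len(body)):
        body[start:end] = xchacha20_xor(key, nonce, bytes(body[start:end]), counter=start // 64)
    return bytes(body)
```

Two things a responder should take from it: the sample embeds only the operator's public key and the ephemeral private key is discarded after each file, so neither the binary nor a memory image yields anything that unlocks the data; and the bytes outside `encrypted_ranges` stay in cleartext, which is why partially encrypted large files are unusable yet still leak content.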
- ESXi variant and virtualization impact
- An ESXi-specific variant targets virtualization infrastructure, powering off virtual machines so that their disks can be encrypted without interference from running guests.
- Because a single hypervisor carries many guests, this makes rapid, large-scale data loss more likely and complicates straightforward recovery.
- Operational context and tooling integration
- The use of SystemBC in conjunction with Cobalt Strike and a large proxy botnet indicates a shift toward a more integrated, multi-layered attack toolkit.
- Researchers note that it remains unclear whether SystemBC is operated by a single affiliate or by several groups within the Gentlemen ecosystem; the shared infrastructure suggests collaboration between actors with common post-exploitation tooling.
- The ongoing expansion of the RaaS and its affiliate network points to a maturation of the operation and a broader attack surface.
- Indicators of compromise and defensive signals
- Check Point and other researchers have documented IoCs and published signature-based detection rules (including YARA signatures) to help defenders identify SystemBC-based activity and related Gentlemen ransomware deployments.
- The global spread and modular nature of the attack chain mean defenders should monitor both early-stage activity (Domain Admin use, credential harvesting) and post-exploitation behavior (RPC-based payload delivery, lateral movement, and rapid, synchronized encryption across domain-joined endpoints).
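As an added example (written for this page, not taken from Check Point or the sources it cites), the correlation below runs over constructed telemetry and flags the combination called out above: a burst of file renames on several domain-joined hosts inside the same minute, escalated when a Group Policy change preceded it. Host names, the event schema, and every threshold are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def constructed_events():
    """Constructed EDR-style telemetry (not real logs): a GPO edit on the DC, three
    servers renaming files in lock-step 25 minutes later, and one workstation whose
    user saves a handful of files at a normal pace."""
    base = datetime(2026, 4, 10, 2, 0, tzinfo=timezone.utc)
    events = [{"ts": base.isoformat(), "host": "DC01", "event": "gpo_modified",
               "detail": "Default Domain Policy"}]
    for host in ("FS01", "FS02", "APP03"):
        for i in range(8):
            events.append({"ts": (base + timedelta(minutes=25, seconds=3 * i)).isoformat(),
                           "host": host, "event": "file_rename", "detail": f"report{i}.docx"})
    for i in range(3):
        events.append({"ts": (base + timedelta(minutes=25, seconds=20 * i)).isoformat(),
                       "host": "WKS17", "event": "file_rename", "detail": f"notes{i}.txt"})
    return events

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect_synchronized_encryption(events, window=timedelta(seconds=60), min_rate=5,
                                   min_hosts=3, gpo_lookback=timedelta(hours=2)):
    """Alert when at least `min_hosts` hosts each produce `min_rate` file renames inside
    one `window`, and those bursts fall within one window of each other. A GPO change
    inside `gpo_lookback` before the first burst raises severity, since Group Policy is
    the propagation mechanism described above."""
    renames, gpo_changes = defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "file_rename":
            renames[e["host"]].append(_parse(e["ts"]))
        elif e["event"] == "gpo_modified":
            gpo_changes.append(_parse(e["ts"]))
    burst_at = {}  # host -> time its rename rate first crossed the threshold
    for host, stamps in renames.items():
        for i in range(len(stamps) - min_rate + 1):
            if stamps[i + min_rate - 1] - stamps[i] <= window:
                burst_at[host] = stamps[i + min_rate - 1]
                break
    if len(burst_at) < min_hosts:
        return []
    first = min(burst_at.values())
    cluster = sorted(h for h, t in burst_at.items() if t - first <= window)
    if len(cluster) < min_hosts:
        return []
    gpo_preceded = any(first - gpo_lookback <= g <= first for g in gpo_changes)
    return [{"hosts": cluster, "window_start": first.isoformat(),
             "severity": "critical" if gpo_preceded else "high"}]
```

Per-host rate alone would page on a single user's bulk save; the cross-host clustering is what separates synchronized, GPO-driven encryption from normal file churn, and the workstation in the sample stays below threshold for that reason.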
- Notable context and implications
- The combination of a corporate-focused botnet (SystemBC) and a Go-based, multi-OS ransomware locker underscores the evolving threat landscape where affiliates leverage mature toolchains to maximize impact.
- Infections tied to high-value targets (energy providers and large enterprises) illustrate a trend toward critical infrastructure and enterprise-sector compromises.
- The intersecting use of post-exploitation frameworks, proxy networks, and rapid encryption campaigns signals a need for layered defenses that address both initial access and post-compromise activity.
- Visual and reference materials
- Observations are drawn from incident response findings, telemetry, and published analyses, including global infection maps and current playbooks covering SystemBC, the Gentlemen operation, and associated infrastructure.