{"id":5846,"date":"2026-04-11T22:20:43","date_gmt":"2026-04-11T22:20:43","guid":{"rendered":"https:\/\/lockitsoft.com\/?p=5846"},"modified":"2026-04-11T22:20:43","modified_gmt":"2026-04-11T22:20:43","slug":"the-gentlemen-ransomware-gang-elevates-its-arsenal-with-systembc-botnet-for-sophisticated-corporate-attacks","status":"publish","type":"post","link":"https:\/\/lockitsoft.com\/?p=5846","title":{"rendered":"The Gentlemen Ransomware Gang Elevates Its Arsenal with SystemBC Botnet for Sophisticated Corporate Attacks"},"content":{"rendered":"<p>Affiliates of the Gentlemen ransomware-as-a-service (RaaS) operation are now working through a SystemBC proxy botnet of more than 1,570 compromised hosts, most of them belonging to companies and organizations, to deliver payloads and relay post-exploitation traffic. The finding comes from researchers at Check Point Software Technologies, who traced the SystemBC proxy malware into the gang&#8217;s attack chain. The Gentlemen RaaS emerged around mid-2025, recruits affiliates on underground forums, and offers encryptors for Windows, Linux, Network Attached Storage (NAS) devices, BSD systems, and VMware ESXi hypervisors. Its victims include one of Romania&#8217;s largest energy providers, the Oltenia Energy Complex, hit in December 2025, and The Adaptavist Group, which disclosed a breach in April 2026.<\/p>\n<h3>Gentlemen Ransomware: A Growing Threat Landscape<\/h3>\n<p>The Gentlemen RaaS operation rarely makes headlines, but its growth has been steady. 
The group has publicly claimed roughly 320 victims, with a marked surge in attacks during 2026. Check Point&#8217;s findings suggest that the real footprint, once the infrastructure behind the attacks is counted, is considerably larger. The affiliate&#8217;s adoption of SystemBC is a deliberate step away from simple payload delivery toward a more covert and resilient intrusion toolkit.<\/p>\n<figure class=\"article-inline-figure\"><img src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/20\/gentlemen.jpg\" alt=\"The Gentlemen ransomware now uses SystemBC for bot-powered attacks\" class=\"article-inline-img\" loading=\"lazy\" decoding=\"async\" \/><\/figure>\n<p>SystemBC is proxy malware that has circulated since at least 2019. An infected host runs a SOCKS5 proxy for its operators, so command-and-control traffic and payload downloads appear to originate from a compromised machine rather than from attacker infrastructure, and the implant can fetch and run further payloads, which makes it a convenient pivot for ransomware crews. Despite a major law enforcement action against its infrastructure in 2024 (Operation Endgame), the botnet has proven resilient: Black Lotus Labs reported in 2025 that it was averaging roughly 1,500 infected commercial virtual private servers (VPS) a day, underlining its continued role in funnelling malicious traffic. Finding SystemBC inside the Gentlemen attack chain marks a step up in the affiliates&#8217; operational maturity.<\/p>\n<h3>The SystemBC Botnet: A Hidden Network of Compromised Assets<\/h3>\n<p>Check Point&#8217;s investigation of the Gentlemen attacks led to a SystemBC botnet of more than 1,570 infected hosts. 
The researchers&#8217; analysis of victim telemetry from one SystemBC command-and-control (C2) server revealed the scale of the compromised network. The infection profile points to corporate and organizational environments rather than opportunistic consumer infections, which fits the way ransomware crews operate: larger organizations mean larger ransom demands and more leverage from disrupted operations.<\/p>\n<p>The infected organizations are concentrated in the United States, the United Kingdom, Germany, Australia, and Romania. For defenders, the important property of this proxy layer is that traffic reaching a victim originates from another compromised host rather than from the operators&#8217; own infrastructure, so blocking or attributing a source address rarely touches the real C2 servers, and takedowns are correspondingly harder.<\/p>\n<p>Check Point\u2019s report emphasizes the nature of SystemBC deployments: &quot;The specific Command and Control server that was used for the communication had infected a large number of victims across the globe. 
It is likely that the majority of those victims are companies and organizations, given that SystemBC is typically deployed as part of human-operated intrusion workflows rather than massive targeting.&quot; In other words, the Gentlemen affiliates run targeted, hands-on-keyboard intrusions and use SystemBC to keep access and relay the later stages of the attack.<\/p>\n<h3>Unpacking the Gentlemen Ransomware Infection Chain<\/h3>\n<p>Check Point could not establish the initial access vector for every attack it examined, but the later stages were visible. In the analyzed incidents the attackers reached a Domain Controller and obtained Domain Admin privileges, which gives an intruder control over every domain-joined system and over the Group Policy that was later used to push the encryptor.<\/p>\n<p>From there the attackers identified working credentials and used them to map the network and locate the assets worth encrypting. Cobalt Strike payloads were then deployed to remote systems, with execution often triggered over the Remote Procedure Call (RPC) protocol. 
Cobalt Strike is a commercial adversary-emulation framework whose Beacon implant is routinely abused by ransomware affiliates for command execution, persistence and lateral movement.<\/p>\n<figure class=\"article-inline-figure\"><img src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/worldmap.jpg\" alt=\"The Gentlemen ransomware now uses SystemBC for bot-powered attacks\" class=\"article-inline-img\" loading=\"lazy\" decoding=\"async\" \/><\/figure>\n<p>Credential harvesting with Mimikatz fed the lateral movement. Mimikatz pulls plaintext passwords, password hashes and Kerberos tickets out of LSASS memory, letting the attackers impersonate legitimate accounts on further systems; remote execution with those credentials spread the payloads and staged the ransomware.<\/p>\n<p>The ransomware itself was staged on an internal server in the compromised network, so endpoints fetched it over internal file sharing rather than from the internet, where a download is more likely to be logged or blocked. Propagation then used built-in Windows mechanisms and Group Policy Objects (GPOs): a GPO lets the attackers trigger near-simultaneous execution of the encryptor on every domain-joined system, maximizing the damage before anyone can react.<\/p>\n<h3>Encryption Scheme and Impact on Victims<\/h3>\n<p>The Gentlemen ransomware uses a hybrid scheme that combines the X25519 Diffie-Hellman key agreement with the XChaCha20 stream cipher. The encryptor derives each file&#8217;s symmetric key from a Diffie-Hellman exchange against the operators&#8217; public key, so the key that would decrypt a file is never written to the victim&#8217;s systems and can only be recomputed by whoever holds the operators&#8217; private key. 
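<\/p>\n<p>The following is an added, illustrative implementation of that scheme; it is not code from the Gentlemen encryptor or from Check Point&#8217;s report. It implements the two primitives the article names, X25519 (RFC 7748) and XChaCha20, in pure Python so it runs without third-party packages, and wires them together the way any such hybrid encryptor must: a fresh ephemeral key pair per file, a shared secret computed against the operators&#8217; public key that ships inside the encryptor, and a per-file header carrying the ephemeral public key and the nonce. The header layout, the BLAKE2b step that turns the shared secret into the file key, and the full (rather than intermittent) encryption are assumptions; the report does not describe those details.<\/p>
```python
# Added example, not code from the Gentlemen encryptor or the Check Point report:
# an X25519 + XChaCha20 hybrid file-encryption scheme of the kind the article
# describes, in pure Python. Lines marked ASSUMPTION fill in details the report
# does not give; everything else follows RFC 7748 and draft-irtf-cfrg-xchacha.
import hashlib
import os
import struct

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # (486662 - 2) / 4, RFC 7748 ladder constant
BASEPOINT = (9).to_bytes(32, 'little')   # X25519 generator, u = 9
MASK32 = 0xffffffff
CHACHA_CONST = (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574)   # 'expand 32-byte k'

def x25519(scalar, u):
    '''RFC 7748 scalar multiplication on Curve25519 (Montgomery ladder).'''
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64           # clamp: multiple of 8, fixed top bit
    k = int.from_bytes(k, 'little')
    x1 = int.from_bytes(u, 'little') & ((1 << 255) - 1)   # top bit of u is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')

def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def _chacha_rounds(key, tail):
    '''20 ChaCha rounds over const || key || tail; returns (initial, mixed) word lists.'''
    init = list(CHACHA_CONST) + list(struct.unpack('<8I', key)) + list(tail)
    s = list(init)
    for _ in range(10):
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
            s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
            s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
            s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)
    return init, s

def xchacha20(key, nonce24, data):
    '''XChaCha20: HChaCha20(key, nonce[:16]) yields the subkey, then ChaCha20 runs with
    nonce 00000000 || nonce[16:]. Encryption and decryption are the same operation.'''
    _, h = _chacha_rounds(key, struct.unpack('<4I', nonce24[:16]))
    subkey = struct.pack('<8I', *(h[:4] + h[12:]))       # HChaCha20 has no final add
    tail = struct.unpack('<2I', nonce24[16:])
    out = bytearray()
    for i in range(0, len(data), 64):
        init, s = _chacha_rounds(subkey, (i // 64, 0) + tail)
        block = struct.pack('<16I', *((x + y) & MASK32 for x, y in zip(s, init)))
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)

def make_operator_keypair():
    '''The private key stays with the operators; only the public key ships in the encryptor.'''
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def _file_key(shared_secret):
    # ASSUMPTION: the raw shared secret is hashed down to the 32-byte XChaCha20 key.
    return hashlib.blake2b(shared_secret, digest_size=32).digest()

def encrypt_file(plaintext, operator_pub):
    '''One ephemeral key pair per file. Output (ASSUMPTION): eph_pub(32) || nonce(24) || ct.'''
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    nonce = os.urandom(24)
    ct = xchacha20(_file_key(x25519(eph_priv, operator_pub)), nonce, plaintext)
    return eph_pub + nonce + ct                           # eph_priv is simply dropped

def decrypt_file(blob, operator_priv):
    '''Only the operator private key can rebuild the per-file shared secret.'''
    eph_pub, nonce, ct = blob[:32], blob[32:56], blob[56:]
    return xchacha20(_file_key(x25519(operator_priv, eph_pub)), nonce, ct)
```
<p>The asymmetry is the whole point. encrypt_file needs only the public key, so the encryptor can run on thousands of hosts without carrying any secret, while decrypt_file needs the private key that never leaves the operators; collecting the encryptor binary, the infected hosts or any number of encrypted files gives a responder nothing from which to derive a file key. Recovery therefore comes down to backups, the unencrypted remainder of intermittently encrypted files and implementation mistakes, not to attacking the cipher.<\/p>\n<p>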
A fresh ephemeral X25519 key pair is generated for every file; its public half must be kept with the ciphertext so the operators&#8217; decryptor can recompute the shared secret, and its private half is discarded, so recovering one file&#8217;s key tells an analyst nothing about any other file.<\/p>\n<figure class=\"article-inline-figure\"><img src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/attackchain.jpg\" alt=\"The Gentlemen ransomware now uses SystemBC for bot-powered attacks\" class=\"article-inline-img\" loading=\"lazy\" decoding=\"async\" \/><\/figure>\n<p>How much of a file is encrypted depends on its size. Files under 1 megabyte are encrypted in full; larger files have only selected chunks encrypted, around 9%, 3% or 1% of the total size. This intermittent encryption is a deliberate trade-off: touching a few percent of a large database or virtual disk is enough to make it unusable, while the run finishes far faster and with far less I\/O than a full pass, shrinking the window in which a monitoring tool could interrupt it. For incident responders it also means most of a large file&#8217;s content is still plaintext, which matters when assessing what data was exposed and whether partial recovery is feasible.<\/p>\n<p>Before encrypting, the ransomware removes the obstacles to a clean run and to recovery. It terminates database processes, backup software and virtualization platforms, which both releases the file locks those services hold and stops backups from completing; it deletes Volume Shadow Copies, the Windows snapshots behind Previous Versions and many backup products; and it purges system logs to hinder reconstruction of the attack.<\/p>\n<p>The ESXi variant goes further: it powers off running virtual machines so that their disk files are no longer locked by the hypervisor and can be encrypted in full. Every service hosted on those VMs goes down with them, which is where the immediate operational damage comes from. 
The ESXi variant drops its own ransom note (pictured below).<\/p>\n<figure class=\"article-inline-figure\"><img src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2026\/April\/esxi-ransom.jpg\" alt=\"The Gentlemen ransomware now uses SystemBC for bot-powered attacks\" class=\"article-inline-img\" loading=\"lazy\" decoding=\"async\" \/><\/figure>\n<h3>Implications and Future Outlook<\/h3>\n<p>Folding SystemBC into the Gentlemen operation marks a maturing of its tactics and infrastructure. A botnet of more than 1,570 compromised corporate hosts gives the affiliates stealth, resilience and scale: a blocked proxy can be swapped for another, and payload delivery no longer points back at attacker-controlled servers.<\/p>\n<p>Check Point is still working out the exact relationship between SystemBC and the Gentlemen ecosystem, in particular whether several affiliates use it or a single group within the RaaS does. Either way, the observed pattern is a deliberate investment in post-exploitation capability rather than bare ransomware deployment.<\/p>\n<p>Continued affiliate recruitment on underground forums, combined with mature tooling such as SystemBC and Cobalt Strike, makes the Gentlemen RaaS a growing concern for defenders. 
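<\/p>\n<p>As an added example, written for this page and not taken from Check Point&#8217;s report or its YARA rule, the triage pass below runs detection logic for the behaviours described above over a handful of constructed Windows event records: shadow-copy deletion and log clearing on the command line, backup and database services being stopped, a Group Policy object being modified on a Domain Controller (Security event 5136), a service installed with a cmd or PowerShell one-liner as its binary (System event 7045, the footprint of psexec-style remote execution such as Cobalt Strike&#8217;s service-based jumps) and a process opening LSASS memory (Sysmon event 10, the usual Mimikatz tell). The dictionary keys mirror the Windows Security and Sysmon field names; the host names, command lines, access masks to flag and the escalation threshold are choices made for the example.<\/p>
```python
# Added example, not code from the Check Point report or the Gentlemen tooling:
# a triage pass over normalised Windows events for the pre-encryption behaviours
# and remote-execution tells described in the article. SAMPLE_EVENTS is
# CONSTRUCTED for the example; the dict keys mirror Windows Security / Sysmon
# field names so the same rules can be pointed at real, normalised telemetry.
from collections import defaultdict

SERVICE_TARGETS = ('sql', 'veeam', 'backup', 'vmms', 'vmware', 'postgres', 'oracle', 'mysql')
STOP_VERBS = ('net stop', 'sc stop', 'sc.exe stop', 'taskkill', 'stop-service')
LSASS_ACCESS_MASKS = {'0x1010', '0x1410', '0x1038', '0x1fffff'}   # masks credential dumpers request

def _cmd(ev):
    '''Lower-cased, whitespace-normalised command line (Security 4688 / Sysmon 1).'''
    return ' '.join(ev.get('CommandLine', '').lower().split())

def shadow_copy_destruction(ev):
    c = _cmd(ev)
    return (('vssadmin' in c and 'delete shadows' in c)
            or ('wmic' in c and 'shadowcopy delete' in c)
            or ('wbadmin' in c and 'delete catalog' in c)
            or ('win32_shadowcopy' in c and 'delete' in c))

def log_clearing(ev):
    '''Security 1102 (audit log cleared) or wevtutil cl / clear-log on the command line.'''
    c = _cmd(ev) + ' '
    return ev['EventID'] == 1102 or ('wevtutil' in c and (' cl ' in c or 'clear-log' in c))

def backup_or_db_service_stop(ev):
    c = _cmd(ev)
    return any(v in c for v in STOP_VERBS) and any(t in c for t in SERVICE_TARGETS)

def gpo_modification(ev):
    '''Security 5136 on a groupPolicyContainer: someone edited a GPO on this DC.'''
    return ev['EventID'] == 5136 and ev.get('ObjectClass', '').lower() == 'grouppolicycontainer'

def remote_service_install(ev):
    '''System 7045 whose binary is a cmd/powershell one-liner: psexec-style remote execution.'''
    path = ev.get('ImagePath', '').lower()
    return ev['EventID'] == 7045 and any(t in path for t in ('%comspec%', 'cmd.exe /c', 'powershell', 'admin$'))

def lsass_access(ev):
    '''Sysmon 10: a process opened lsass.exe with an access mask credential dumpers ask for.'''
    return (ev['EventID'] == 10 and 'lsass.exe' in ev.get('TargetImage', '').lower()
            and ev.get('GrantedAccess', '').lower() in LSASS_ACCESS_MASKS)

RULES = (shadow_copy_destruction, log_clearing, backup_or_db_service_stop,
         gpo_modification, remote_service_install, lsass_access)
IMPACT_RULES = {'shadow_copy_destruction', 'log_clearing', 'backup_or_db_service_stop'}

def triage(events):
    '''Map host -> sorted list of the rule names that fired for it.'''
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits[ev['Computer']].add(rule.__name__)
    return {host: sorted(names) for host, names in hits.items()}

def escalate(hits, threshold=3):
    '''Hosts with >= threshold distinct impact-stage behaviours. An admin may delete shadow
    copies once; stopping backups, deleting snapshots and clearing logs together is the
    last few minutes before encryption.'''
    return sorted(h for h, names in hits.items() if len(IMPACT_RULES & set(names)) >= threshold)

SAMPLE_EVENTS = [   # CONSTRUCTED records, not real telemetry
    {'Computer': 'DC01', 'EventID': 5136, 'ObjectClass': 'groupPolicyContainer',
     'ObjectDN': 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example',
     'SubjectUserName': 'svc_backup'},
    {'Computer': 'FS01', 'EventID': 7045, 'ServiceName': 'a7f3c2e1',
     'ImagePath': '%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc JABzAD0A'},
    {'Computer': 'FS01', 'EventID': 10, 'SourceImage': 'C:\\Users\\Public\\x.exe',
     'TargetImage': 'C:\\Windows\\System32\\lsass.exe', 'GrantedAccess': '0x1010'},
    {'Computer': 'FS01', 'EventID': 4688, 'CommandLine': 'net stop VeeamBackupSvc /y'},
    {'Computer': 'FS01', 'EventID': 4688, 'CommandLine': 'vssadmin.exe Delete Shadows /All /Quiet'},
    {'Computer': 'FS01', 'EventID': 4688, 'CommandLine': 'wevtutil.exe cl Security'},
    {'Computer': 'WS17', 'EventID': 4688, 'CommandLine': 'vssadmin list shadows'},        # benign
    {'Computer': 'WS17', 'EventID': 4688, 'CommandLine': 'wevtutil qe Application /c:5'},  # benign
]
```
<p>The escalation step matters more than any single rule. An administrator occasionally runs vssadmin delete shadows; a host that stops backup services, deletes shadow copies and clears its logs inside one window is minutes away from encryption, and a 5136 on a groupPolicyContainer during the same window is the signal to isolate the Domain Controller before the GPO propagates. Event 5136 is only generated when the Audit Directory Service Changes subcategory is enabled on the DCs, which is commonly left off, and Sysmon event 10 needs a ProcessAccess rule that includes lsass.exe.<\/p>\n<p>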
Check Point has published indicators of compromise (IoCs) and a YARA rule to help defenders detect this activity. The chain described above sets the defensive priorities: monitor Domain Controllers and Group Policy changes, alert on shadow-copy deletion, log clearing and backup or database services being stopped, deploy endpoint detection and response (EDR) capable of catching Cobalt Strike and Mimikatz activity, segment the network and tier administrative privileges so that one compromised account does not translate into domain-wide reach, and keep staff trained to report the phishing and credential theft that so often opens these intrusions.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A significant escalation in the tactics employed by the Gentlemen ransomware-as-a-service (RaaS) operation has been identified, with affiliates now leveraging a vast network of over 1,570 compromised hosts, primarily corporate entities, to facilitate their malicious activities. 
This discovery, detailed by researchers at Check Point Software Technologies, reveals a strategic integration of the SystemBC proxy malware, &hellip;<\/p>\n","protected":false},"author":15,"featured_media":5845,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108],"tags":[1856,135,1470,1858,109,886,1855,1854,111,612,110,588,1857],"class_list":["post-5846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-protection","tag-arsenal","tag-attacks","tag-botnet","tag-corporate","tag-cybersecurity","tag-elevates","tag-gang","tag-gentlemen","tag-privacy","tag-ransomware","tag-security","tag-sophisticated","tag-systembc"],"_links":{"self":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/5846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5846"}],"version-history":[{"count":0,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/posts\/5846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=\/wp\/v2\/media\/5845"}],"wp:attachment":[{"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lockitsoft.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}