A Growing RaaS Operation Expands Its Arsenal
Security researchers at Check Point have uncovered a SystemBC proxy malware botnet comprising over 1,570 hosts — the majority believed to be corporate victims — after conducting an incident response investigation tied to an attack carried out by an affiliate of the Gentlemen ransomware gang. The discovery highlights how this relatively under-the-radar ransomware-as-a-service (RaaS) operation is rapidly maturing and integrating sophisticated post-exploitation tooling into its workflow.
The Gentlemen RaaS first emerged around mid-2025 and offers affiliates a Go-based locker capable of encrypting Windows, Linux, NAS, and BSD systems, as well as a separate C-based locker engineered specifically for ESXi hypervisors. Despite not dominating cybersecurity headlines, the group has publicly claimed approximately 320 victims, with the bulk of those attacks occurring in the current year.
Notable Victims and Public Claims
Gentlemen ransomware has been linked to several significant intrusions. In December 2025, the gang compromised Oltenia Energy Complex, one of Romania's largest energy providers. Earlier this month, The Adaptavist Group disclosed a breach that Gentlemen listed on its data leak site. These incidents, combined with the botnet discovery, suggest that the group is operating with increasing ambition and capability.
SystemBC: A Long-Running Proxy Threat Resurfaces
SystemBC has been active since at least 2019 and is primarily known for enabling SOCKS5 tunneling. Its ability to deliver malicious payloads covertly made it an attractive tool for ransomware operators, who quickly incorporated it into their intrusion workflows. Despite a law enforcement operation that disrupted it in 2024, the botnet has remained operational. Notably, Black Lotus Labs reported last year that SystemBC was infecting as many as 1,500 commercial virtual private servers (VPS) every single day in order to route malicious traffic.
Check Point researchers observed victim telemetry from the SystemBC command-and-control server associated with the Gentlemen affiliate's attack. As their report states:
"Check Point Research observed victim telemetry from the relevant SystemBC command-and-control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting."
Geographic Spread of Infected Organizations
The majority of victims connected to this particular Gentlemen-affiliated SystemBC deployment were found in the following countries:
- United States
- United Kingdom
- Germany
- Australia
- Romania
Check Point noted that the command-and-control server had infected a large number of victims globally, and given that SystemBC is typically deployed as part of human-operated intrusion workflows rather than mass consumer campaigns, it is likely that most of those victims are companies and organizations. The researchers were unable to determine definitively whether the malware was being shared or coordinated among multiple affiliates within the Gentlemen ecosystem.
Attack Chain: From Domain Controller to Full Encryption
While Check Point could not pinpoint the initial access vector used in the observed attacks, once inside the target environment, the Gentlemen threat actor operated from a Domain Controller with Domain Admin privileges. The attacker systematically verified which credentials were valid and conducted reconnaissance before deploying Cobalt Strike payloads to remote systems via RPC.
Lateral movement was facilitated through credential harvesting using Mimikatz alongside remote execution techniques. The ransomware itself was staged from an internal server, and the attackers leveraged built-in propagation mechanisms and Group Policy (GPO) to trigger near-simultaneous execution of the encryptor across all domain-joined systems — maximizing the blast radius of the encryption event.
Encryption Scheme
Gentlemen ransomware employs a hybrid cryptographic scheme combining X25519 (Diffie–Hellman) and XChaCha20, with a unique ephemeral key pair generated for every individual file. The encryption strategy also varies by file size:
- Files under 1 MB are fully encrypted.
- Larger files have only a portion encrypted — approximately 9%, 3%, or 1% of data — depending on specific thresholds.
This partial encryption of large files is a common tactic designed to accelerate the encryption process while still rendering data inaccessible.
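Because only a small slice of each large file is rewritten, a partially encrypted document shows a short run of near-random bytes inside an otherwise normal file. The script below, an added defender-side illustration and not code from Check Point's report or this article, measures Shannon entropy per chunk and flags files where a small fraction of chunks look like ciphertext; the 4 KB window, the 7.0 bits/byte threshold, the 0.5%-50% band and the sample document are all assumptions for the demo, not values from the report.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

CHUNK_SIZE = 4096      # analysis window; assumption, not a value from the report
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext sits near 8.0, plain documents far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_chunks(blob: bytes, chunk: int = CHUNK_SIZE,
                        threshold: float = HIGH_ENTROPY) -> Tuple[int, List[int]]:
    """Return (number of chunks, indexes of chunks that look like ciphertext)."""
    total = math.ceil(len(blob) / chunk)
    hot = [i for i in range(total)
           if shannon_entropy(blob[i * chunk:(i + 1) * chunk]) >= threshold]
    return total, hot


def partial_encryption_ratio(blob: bytes) -> float:
    """Fraction of chunks that look encrypted, 0.0 .. 1.0, wherever they sit."""
    total, hot = high_entropy_chunks(blob)
    return len(hot) / total if total else 0.0


def looks_partially_encrypted(blob: bytes, low: float = 0.005, high: float = 0.5) -> bool:
    """Triage heuristic: mostly-plaintext file with a small ciphertext island.
    Fully compressed or encrypted formats (zip, jpeg, docx) score ~1.0 and are
    excluded; PDFs with embedded images can mix regions too, so treat hits as
    a signal for review, not proof of encryption."""
    return low <= partial_encryption_ratio(blob) <= high


def build_sample(plain_chunks: int = 100, encrypted_chunks: int = 9) -> bytes:
    """Constructed sample: a ~400 KB text document whose first ~9% has been
    overwritten with deterministic pseudo-random bytes standing in for ciphertext."""
    line = b"Meeting notes, draft 3: review the backup schedule before Friday.\n"
    plain_len = plain_chunks * CHUNK_SIZE
    plain = (line * (plain_len // len(line) + 1))[:plain_len]
    fake_ct = random.Random(2025).randbytes(encrypted_chunks * CHUNK_SIZE)
    return fake_ct + plain[len(fake_ct):]
```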
Pre-Encryption Disruption Tactics
Before the encryption phase begins, the ransomware terminates database services, backup software, and virtualization processes, and proceeds to delete Shadow Copies and system logs. The ESXi-specific variant additionally shuts down virtual machines to ensure that their disk images are accessible — and therefore encryptable — by the malware.
Implications for Defenders
Check Point's findings paint a picture of a RaaS operation that is evolving quickly. The researchers note that the group is actively recruiting new affiliates through underground forums, suggesting that the volume and sophistication of attacks are likely to increase. The integration of SystemBC alongside Cobalt Strike and a botnet of over 1,570 hosts indicates, as the researchers put it, that Gentlemen is now "actively integrating into a broader toolchain of mature, post-exploitation frameworks and proxy infrastructure."
To assist defenders, Check Point published the indicators of compromise (IoCs) collected during the incident response engagement, along with a YARA rule for signature-based detection. Security teams are encouraged to monitor for SystemBC-related traffic patterns, unauthorized use of Cobalt Strike, and anomalous Group Policy modifications — all hallmarks of this affiliate's operational style.
Organizations should also prioritize patching, privileged access management, and robust backup strategies that keep copies isolated from domain-joined infrastructure to reduce exposure to this and similar RaaS operations.
Source: BleepingComputer