Gentlemen ransomware affiliates have integrated SystemBC proxy malware into their attack toolkit, creating a botnet of over 1,570 corporate victims across multiple countries while expanding their encryption capabilities.
The Gentlemen ransomware operation has significantly expanded its capabilities by integrating SystemBC proxy malware into its attack infrastructure, creating a botnet of over 1,570 corporate victims across multiple countries, according to new research from Check Point.
Gentlemen Ransomware's Evolution
The Gentlemen ransomware-as-a-service (RaaS) operation emerged in mid-2025 and has quickly established itself as a formidable threat. The operation provides both Go-based and C-based encryptors capable of targeting Windows, Linux, NAS, BSD systems, and ESXi hypervisors. Despite claiming approximately 320 victims publicly, the true scale of their operations appears much larger.
Earlier this month, The Adaptavist Group disclosed a breach after Gentlemen listed the company on its data leak site. In December 2025, the operation compromised one of Romania's largest energy providers, the Oltenia Energy Complex, demonstrating its willingness to target critical infrastructure.
SystemBC Integration Reveals Larger Infrastructure
During an incident response engagement, Check Point researchers discovered that a Gentlemen ransomware affiliate attempted to deploy SystemBC proxy malware for covert payload delivery. This discovery led to the identification of a botnet containing over 1,570 infected hosts.
"Check Point Research observed victim telemetry from the relevant SystemBC command-and-control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting," the researchers stated in their report.
SystemBC, which has been active since at least 2019, provides SOCKS5 proxy tunneling that lets operators deliver payloads covertly and route malicious traffic through infected hosts. Despite a 2024 law enforcement operation that disrupted it, the botnet remains active. Black Lotus Labs reported last year that SystemBC was infecting approximately 1,500 commercial virtual private servers (VPS) daily to funnel malicious traffic.
Global Impact and Victim Distribution
The geographic distribution of infected organizations reveals a clear pattern of targeting corporate entities:
[Image: Location of infected organizations. Source: Check Point]
Most victims are located in the United States, United Kingdom, Germany, Australia, and Romania. Check Point researchers believe that the majority of these victims are companies and organizations rather than individual consumers, given that SystemBC is typically deployed as part of human-operated intrusion workflows rather than mass targeting campaigns.
The researchers note that the specific command-and-control server used in the Gentlemen ransomware attacks had infected a large number of victims globally, indicating a sophisticated and widespread operation.
Attack Methodology and Encryption Techniques
While the initial access vector remains undetermined, Check Point's investigation revealed that the Gentlemen threat actor operated from a Domain Controller with Domain Admin privileges. This high-level access enabled extensive lateral movement and control over the victim network.
The attack chain followed a systematic approach:
- Reconnaissance to identify working credentials
- Deployment of Cobalt Strike payloads to remote systems via RPC
- Lateral movement supported by credential harvesting using Mimikatz
- Remote execution capabilities
- Staging of ransomware from an internal server
- Leveraging built-in propagation and Group Policy (GPO) for near-simultaneous execution
[Image: Gentlemen ransomware affiliate's attack chain. Source: Check Point]
The encryption scheme is a hybrid one built from X25519 (Diffie-Hellman key agreement) and the XChaCha20 stream cipher, with a fresh ephemeral X25519 key pair generated for each file. In this construction the per-file symmetric key is derived from the ephemeral private key and the operator's static public key, and only the ephemeral public key is kept with the ciphertext, so the file key can be recovered only by whoever holds the operator's private key; nothing left on the victim's host can reconstruct it.
Files under 1 MB are encrypted in full. Larger files are only partially (intermittently) encrypted, with approximately 9%, 3%, or 1% of the data touched, which speeds up encryption considerably while still leaving the files unusable. A side effect defenders should keep in mind is that a partially encrypted large file keeps most of its original structure and byte distribution, so detection that relies on files suddenly becoming uniformly high-entropy is much less reliable against this mode.
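The following is an added example, written for this article and not code from Check Point, from the original page, or from the malware, that models the two mechanisms just described: a per-file ephemeral X25519 key agreement against the operator's static public key, and intermittent encryption that touches only a chosen percentage of files above 1 MiB. The assumptions are mine: AES-256-CTR stands in for XChaCha20 (Go's standard library has no XChaCha20; both are length-preserving stream ciphers, so the in-place partial encryption works the same way), SHA-256 of the shared secret stands in for a real KDF, chunks are 64 KiB spread evenly across the file, the 32-byte ephemeral public key is prepended to the ciphertext, and the decryptor is told the percentage mode rather than reading it from a footer. All function names (encryptRanges, applyStream, encryptFile, decryptFile) are invented here, and the sample file is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed model of the scheme described above, not Gentlemen's code.
// Assumed here: AES-256-CTR stands in for XChaCha20, SHA-256 for the KDF,
// 64 KiB chunks spread evenly, ephemeral public key kept as a 32-byte prefix.
const (
	fullEncryptLimit = 1 << 20 // below 1 MiB the whole file is encrypted (from the report)
	chunkSize        = 64 * 1024
)

// encryptRanges returns the [start, end) ranges the encryptor touches: the whole
// file below the threshold, else evenly spaced chunks covering ~pct percent (9/3/1 modes).
func encryptRanges(size, pct int) [][2]int {
	if size < fullEncryptLimit {
		return [][2]int{{0, size}}
	}
	nChunks := (size*pct/100 + chunkSize - 1) / chunkSize
	if nChunks < 1 {
		nChunks = 1
	}
	stride := size / nChunks
	var ranges [][2]int
	for i := 0; i < nChunks; i++ {
		end := i*stride + chunkSize
		if end > size {
			end = size
		}
		ranges = append(ranges, [2]int{i * stride, end})
	}
	return ranges
}

// applyStream XORs a keystream derived from the X25519 shared secret over the
// chosen ranges in place; encrypt and decrypt are the same operation. The key is
// single-use (fresh key pair per file), so a fixed IV is acceptable here.
func applyStream(shared, buf []byte, pct int) {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key, cannot fail
	stream := cipher.NewCTR(block, make([]byte, block.BlockSize()))
	for _, r := range encryptRanges(len(buf), pct) {
		stream.XORKeyStream(buf[r[0]:r[1]], buf[r[0]:r[1]])
	}
}

// encryptFile: fresh ephemeral X25519 key pair per file, ECDH against the
// operator's static public key, then partial stream encryption. Only the
// ephemeral public key is stored with the data; its private half is discarded.
func encryptFile(operatorPub *ecdh.PublicKey, plaintext []byte, pct int) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, plaintext...)
	applyStream(shared, out, pct)
	return append(eph.PublicKey().Bytes(), out...), nil
}

// decryptFile recomputes the shared secret from the stored ephemeral public key,
// which needs the operator's static private key: nothing on the victim host can.
func decryptFile(operatorPriv *ecdh.PrivateKey, blob []byte, pct int) ([]byte, error) {
	if len(blob) < 32 {
		return nil, fmt.Errorf("blob shorter than the 32-byte ephemeral public key")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, blob[32:]...)
	applyStream(shared, out, pct)
	return out, nil
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader)
	plain := bytes.Repeat([]byte("constructed sample file "), 1<<16) // 1.5 MiB, above the threshold
	blob, _ := encryptFile(operator.PublicKey(), plain, 9)
	got, err := decryptFile(operator, blob, 9)
	fmt.Printf("9%% mode touches %d chunks; operator round trip ok: %v\n",
		len(encryptRanges(len(plain), 9)), err == nil && bytes.Equal(got, plain))
}
```

Two things the code makes concrete. First, the encryptor never needs the operator's private key, and the victim host never holds anything but the ephemeral public key, so memory or disk forensics on the host cannot yield the file keys. Second, on the 1.5 MiB sample the 9% mode touches three 64 KiB chunks, leaving roughly 87% of the bytes untouched; a real encryptor would record the mode in a footer so the decryptor knows which ranges to reverse.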
Before encryption begins, Gentlemen ransomware terminates database, backup, and virtualization processes so that the files they hold open are released, and deletes Volume Shadow Copies and event logs to hinder both recovery and forensics. The ESXi variant shuts down virtual machines first, since a running VM holds locks on its virtual disk files that would otherwise block encryption.
Strategic Implications and Future Threats
The integration of SystemBC into Gentlemen's toolkit suggests the ransomware operation is "actively integrating into a broader toolchain of mature, post-exploitation frameworks and proxy infrastructure," according to Check Point researchers. This evolution indicates that Gentlemen is operating at a higher level than previously observed.
Check Point warns that despite not making frequent headlines, Gentlemen ransomware is "quickly growing" and actively recruiting new affiliates through underground forums. The operation's ability to combine multiple sophisticated tools - SystemBC for proxy infrastructure, Cobalt Strike for post-exploitation, and their own ransomware encryptors - creates a comprehensive attack platform.
Defense Recommendations
To protect against Gentlemen ransomware and similar threats, organizations should:
- Implement network segmentation to limit lateral movement
- Monitor for unusual RPC activity and Cobalt Strike indicators
- Deploy YARA rules provided by Check Point for signature-based detection
- Maintain offline backups that cannot be accessed from the network
- Apply principle of least privilege to limit Domain Admin access
- Monitor for SystemBC-related network traffic patterns
Check Point has provided indicators of compromise (IoCs) from the investigated incident, along with a YARA rule for defenders to help protect against these attacks. The discovery of this expanded infrastructure serves as a reminder that ransomware operations continue to evolve and integrate new capabilities to increase their effectiveness and reach.
The Gentlemen ransomware operation's integration of SystemBC demonstrates how modern ransomware campaigns are becoming increasingly sophisticated, combining multiple tools and techniques to maximize impact and evade detection. Organizations must remain vigilant and implement comprehensive security measures to defend against these evolving threats.
