The Gentlemen ransomware now uses SystemBC for bot-powered attacks
Gentlemen Ransomware Expands Arsenal with SystemBC Botnet, Targeting Over 1,570 Corporate Victims Worldwide
A ransomware operation known as Gentlemen is rapidly evolving its attack capabilities and now incorporates the SystemBC proxy malware, turning its corporate victims into a botnet that spans the globe. Check Point Research has found that this ransomware-as-a-service (RaaS) operation, active since mid-2025, has infected more than 1,570 organizations, primarily in the United States, United Kingdom, Germany, Australia, and Romania, using SystemBC to mask malicious traffic and deliver additional payloads.
Gentlemen ransomware is written in Go for Windows, Linux, NAS, and BSD targets and in C for ESXi hypervisors. It first gained notoriety after breaching Romania’s Oltenia Energy Complex in December 2025 and recently listed The Adaptavist Group among its victims. The gang publicly claims around 320 victims this year, but the 1,570 SystemBC infections indicate its footprint is far larger and point to a mature, well-resourced affiliate ecosystem.
SystemBC, a proxy malware active since at least 2019, turns infected hosts into SOCKS5 proxies through which attackers tunnel their traffic, hiding its true origin and providing a covert channel for delivering ransomware and other payloads. Even after a major law enforcement takedown in 2024, SystemBC remains operational: Black Lotus Labs reported it was infecting 1,500 commercial virtual private servers (VPS) daily as recently as last year.
In the Gentlemen campaign, Check Point researchers observed an affiliate deploying SystemBC from a compromised Domain Controller using Domain Admin privileges. The attacker harvested credentials with Mimikatz, moved laterally over RPC, and spread Cobalt Strike payloads across the network. The ransomware was then staged on the internal network and executed through Group Policy Objects (GPOs), which produced near-simultaneous encryption across domain-joined systems. Because that final stage rides on a legitimate administrative mechanism, a recently modified GPO that pushes a scheduled task or startup script is the artifact a defender should be hunting for at this point in the intrusion.
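One way to hunt for the GPO-triggered stage described above, as an added example that is not Check Point's tooling or anything from the Gentlemen investigation: export Group Policy as XML (`Get-GPOReport -All -ReportType Xml` on a domain-joined admin host) and flag every GPO that pushes a scheduled task, immediate task or startup script, marking the ones modified recently. The report embedded here is a constructed sample shaped like that export; the GPO names, GUID, SYSVOL path, `runAs` value and timestamps are made up, and the 7-day "recent" window and the reference time `DEMO_NOW` are assumptions of the example. Real exports use several XML namespaces, so the parser deliberately matches on local element names only.

```python
"""Hunt for payloads pushed by Group Policy in a Get-GPOReport XML export.
Added example for this page, not Check Point's tooling.  The report below is a
constructed sample shaped like `Get-GPOReport -ReportType Xml` output (names,
GUID, paths and timestamps are made up); real exports use several namespaces,
so the parser matches on local element names only."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMPLE_GPO_REPORT = r"""<Report>
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Policy</Name>
  <ModifiedTime>2024-03-10T12:00:00</ModifiedTime>
  <Computer><Enabled>true</Enabled></Computer>
</GPO>
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Maintenance</Name>
  <ModifiedTime>2025-12-01T02:41:17</ModifiedTime>
  <Computer><Enabled>true</Enabled><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/ScheduledTasks" type="q1:ScheduledTasks">
      <q1:ScheduledTasks><q1:ImmediateTaskV2 clsid="{00000000-0000-0000-0000-000000000000}" name="maint">
        <q1:Properties action="C" name="maint" runAs="NT AUTHORITY\System" logonType="S4U">
          <q1:Task version="1.3"><q1:Actions Context="Author"><q1:Exec>
            <q1:Command>\\corp.example\SYSVOL\corp.example\scripts\maint.exe</q1:Command>
            <q1:Arguments>-q</q1:Arguments>
          </q1:Exec></q1:Actions></q1:Task>
        </q1:Properties>
      </q1:ImmediateTaskV2></q1:ScheduledTasks>
    </Extension>
    <Extension xmlns:q2="http://www.microsoft.com/GroupPolicy/Settings/Scripts" type="q2:Scripts">
      <q2:Script><q2:Command>maint.bat</q2:Command><q2:Parameters></q2:Parameters><q2:Type>Startup</q2:Type></q2:Script>
    </Extension>
  </ExtensionData></Computer>
</GPO>
</Report>
"""

DEMO_NOW = datetime(2025, 12, 3)  # constructed reference time for the sample

# Element types (local names) that make a GPO execute something on clients.
PAYLOAD_ELEMENTS = {"ImmediateTaskV2", "TaskV2", "ImmediateTask", "Task", "Script"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _descendant_text(elem, name):
    """Text of the first descendant (any depth) with the given local name."""
    for node in elem.iter():
        if node is not elem and _local(node.tag) == name:
            return (node.text or "").strip()
    return ""


def _collect_payloads(elem, out):
    """Depth-first walk that stops at a payload element, so the nested
    <Task> definition inside an ImmediateTaskV2 is not reported twice."""
    if _local(elem.tag) in PAYLOAD_ELEMENTS:
        out.append(elem)
        return
    for child in elem:
        _collect_payloads(child, out)


def find_gpo_payloads(xml_text, now, recent_days=7):
    """One finding per task/script a GPO pushes; 'recent' marks GPOs whose
    ModifiedTime falls within recent_days of now."""
    root = ET.fromstring(xml_text)
    cutoff = now - timedelta(days=recent_days)
    findings = []
    for gpo in root.iter():
        if _local(gpo.tag) != "GPO":
            continue
        mod_text = _child_text(gpo, "ModifiedTime")
        modified = datetime.fromisoformat(mod_text) if mod_text else None
        payloads = []
        _collect_payloads(gpo, payloads)
        for p in payloads:
            props = next((n for n in p.iter() if _local(n.tag) == "Properties"), None)
            findings.append({
                "gpo": _child_text(gpo, "Name"),
                "modified": modified,
                "recent": modified is not None and modified >= cutoff,
                "kind": _local(p.tag),
                "command": _descendant_text(p, "Command"),
                "args": _descendant_text(p, "Arguments") or _descendant_text(p, "Parameters"),
                "run_as": props.get("runAs", "") if props is not None else "",
                "script_type": _descendant_text(p, "Type"),  # Startup/Shutdown/Logon/Logoff
            })
    return findings


if __name__ == "__main__":
    for f in find_gpo_payloads(SAMPLE_GPO_REPORT, DEMO_NOW):
        flag = "RECENT" if f["recent"] else "      "
        print(f"{flag} {f['gpo']!r}: {f['kind']} -> {f['command']} {f['args']} (runAs={f['run_as']})")
```

Anything this turns up in a GPO that nobody changed on purpose, especially a task running as SYSTEM from a SYSVOL path, is worth pulling the referenced binary for analysis and cross-checking against the Domain Controller's security log for who edited the policy.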
The encryption scheme is built for speed: files under 1 MB are fully encrypted, while larger files are only partially encrypted, in chunks that can cover as little as 1% of the file, which still renders them unusable while keeping the time needed to encrypt a whole estate short. Before encrypting, the malware terminates processes that would hold files open or enable recovery (databases, backup software, virtualization), deletes Volume Shadow Copies, and on ESXi hosts shuts down running VMs so that their disk files can be encrypted. One consequence for defenders is that a large, partially encrypted file still consists mostly of its original content, so a check that measures the entropy of the whole file can miss it.
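To make the partial-encryption footprint concrete, here is an added example (not Check Point's detection logic and not the YARA rule they published) that measures entropy per window rather than per file, so a large file with only its first chunk encrypted is still caught. The 1 MB full-encryption threshold and the "as little as 1%" chunking are taken from the description above; the 64 KiB analysis window, the 7.5 bits-per-byte cut-off, and the sample "document" are assumptions of this example. `simulate_footprint` only overwrites bytes with pseudorandom data to reproduce the on-disk pattern such a scheme leaves; it is a simulation, not an encryption routine.

```python
"""Detect partially encrypted files from per-window entropy.
Added example for this page; the window size and entropy cut-off are
assumptions, the 1 MB threshold and 1% chunking come from the article."""
import math
import random

WINDOW = 64 * 1024            # assumed analysis window
FULL_ENCRYPT_BELOW = 1 << 20  # files under 1 MB are fully encrypted (per the page)
PARTIAL_FRACTION = 0.01       # larger files: chunks covering as little as 1% (per the page)
HIGH_ENTROPY = 7.5            # bits/byte; ciphertext or random data sits near 8.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(v) for v in range(256)]  # bytes.count accepts an int
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def window_bounds(size, window=WINDOW):
    """Split [0, size) into windows; a short tail is merged into the last
    full window so a few trailing bytes cannot read as low entropy."""
    starts = list(range(0, size, window))
    if len(starts) > 1 and size % window:
        starts.pop()
    last = len(starts) - 1
    return [(s, size if i == last else s + window) for i, s in enumerate(starts)]


def classify(data, window=WINDOW, high=HIGH_ENTROPY):
    """Per-window entropy scan of one file's bytes, returning a verdict."""
    bounds = window_bounds(len(data), window)
    ents = [shannon_entropy(data[a:b]) for a, b in bounds]
    hot = [i for i, e in enumerate(ents) if e >= high]
    if not hot:
        verdict = "plaintext"
    elif len(hot) == len(ents):
        verdict = "fully_encrypted_or_compressed"  # archives/media also look like this
    else:
        verdict = "partially_encrypted"
    return {
        "windows": len(ents),
        "high_windows": len(hot),
        "fraction": len(hot) / len(ents) if ents else 0.0,
        "first_high_offset": bounds[hot[0]][0] if hot else None,
        "verdict": verdict,
    }


def make_document(size):
    """Constructed low-entropy 'document' of `size` bytes (repeated prose)."""
    line = b"Quarterly report: revenue, costs and headcount by region.\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_footprint(data, rng_seed=1):
    """Reproduce the footprint the page describes: whole file if under 1 MB,
    otherwise only the leading ~1% of windows.  Pseudorandom bytes stand in
    for ciphertext; this is a simulation, not an encryption routine."""
    rng = random.Random(rng_seed)
    buf = bytearray(data)
    if len(buf) < FULL_ENCRYPT_BELOW:
        return bytes(rng.randbytes(len(buf)))
    bounds = window_bounds(len(buf))
    n = max(1, math.ceil(PARTIAL_FRACTION * len(bounds)))
    for a, b in bounds[:n]:
        buf[a:b] = rng.randbytes(b - a)
    return bytes(buf)


def demo():
    """Run the detector over constructed samples; returns results by name."""
    big = make_document(2 * 1024 * 1024)   # 2 MiB: partial footprint expected
    small = make_document(512 * 1024)      # 512 KiB: full footprint expected
    return {
        "big_plain": classify(big),
        "big_hit": classify(simulate_footprint(big)),
        "small_hit": classify(simulate_footprint(small)),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} {r['verdict']:30s} {r['high_windows']}/{r['windows']} "
              f"windows high, first at offset {r['first_high_offset']}")
```

On the 2 MiB sample only 1 of 32 windows is high-entropy, which is exactly the case a whole-file entropy check misses. The "fully encrypted" verdict is ambiguous on its own, since compressed archives, images and already-encrypted containers also score near 8 bits per byte everywhere; the partial pattern (a high-entropy head followed by recognisable content, or high-entropy islands inside a file whose magic bytes say it should be plaintext) is the one worth alerting on, ideally combined with a file-type check and the rename or ransom-note drop that accompanies it.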
The ransom note for the ESXi variant is stark, demanding payment in cryptocurrency and warning victims of permanent data loss if they fail to comply.
While the exact initial access vector remains unclear, the combination of SystemBC, Cobalt Strike, and a multi-platform locker signals that Gentlemen is no longer a niche player. The operation is actively recruiting affiliates via underground forums and now operates within a broader post-exploitation toolchain of mature frameworks and proxy infrastructure.
Check Point warns that this evolution marks a significant escalation in the Gentlemen ransomware ecosystem, with the potential for even broader and more damaging campaigns ahead. To aid defenders, the researchers have released a YARA signature for detection and a list of indicators of compromise (IoCs).
As ransomware gangs continue to innovate and expand their reach, organizations worldwide must remain vigilant, patch aggressively, and invest in robust detection and response capabilities to counter these increasingly sophisticated threats.