RC RANDOM CHAOS

Gentlemen ransomware bolts SystemBC botnet onto 1,570-host attack toolchain

via BleepingComputer

Original source: "The Gentlemen ransomware now uses SystemBC for bot-powered attacks" (BleepingComputer)

Check Point researchers traced a Gentlemen ransomware intrusion to a SystemBC command-and-control server running a botnet of more than 1,570 infected hosts, with telemetry indicating corporate rather than consumer targets concentrated in the US, UK, Germany, Australia, and Romania. SystemBC — a SOCKS5 proxy and payload delivery tool active since 2019 — survived a 2024 law enforcement action and continues to infect roughly 1,500 commercial VPS daily, making it a durable covert channel for human-operated intrusions.

Gentlemen, a RaaS operation that surfaced in mid-2025, ships a Go-based locker for Windows, Linux, NAS, and BSD plus a C variant for ESXi. The observed affiliate operated from a Domain Controller with Domain Admin rights, used Mimikatz for credential harvesting, deployed Cobalt Strike via RPC, and staged the encryptor internally before triggering simultaneous execution through GPO. The locker uses X25519 plus XChaCha20 with per-file ephemeral keys, fully encrypting files under 1 MB and partially encrypting larger ones at 1–9% chunks while killing databases, backups, and shadow copies first.
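The partial-encryption detail above matters for triage: a locker that touches only 1–9% of a large file leaves the whole-file entropy looking almost normal, so a detector or forensic script that scores entire files will miss it while a chunk-wise scan will not. The following is an added example written for this summary, not code from the article, Check Point, or the Gentlemen locker; it constructs its own sample data and assumes a 4 KiB triage chunk size and a 7.5 bits/byte threshold, both chosen here rather than taken from the reporting.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096     # assumed triage granularity, not a value from the article
HIGH_ENTROPY = 7.5    # bits/byte; random or well-encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                threshold: float = HIGH_ENTROPY) -> list[tuple[int, float]]:
    """Return (offset, entropy) for every chunk at or above the threshold."""
    hits = []
    for off in range(0, len(data), chunk_size):
        e = shannon_entropy(data[off:off + chunk_size])
        if e >= threshold:
            hits.append((off, round(e, 3)))
    return hits


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """Label a file as plaintext, partially-encrypted or fully-encrypted.

    A whole-file entropy check alone would call a 5%-encrypted file plaintext;
    counting high-entropy chunks separates the three cases.
    """
    total_chunks = math.ceil(len(data) / chunk_size)
    if total_chunks == 0:
        return "empty"
    hits = scan_chunks(data, chunk_size, threshold)
    if len(hits) == total_chunks:
        return "fully-encrypted"
    if hits:
        return "partially-encrypted"
    return "plaintext"


def build_sample(size: int, encrypted_fraction: float, seed: int = 1) -> bytes:
    """Constructed test data: repetitive 'document' text with a fraction of its
    CHUNK_SIZE-aligned chunks overwritten by seeded random bytes.

    Overwriting the leading chunks is an assumption made for the demo; the
    article does not say which regions of a large file the locker selects.
    """
    rng = random.Random(seed)
    line = b"Quarterly report, confidential. Figures attached.\n"
    buf = bytearray((line * (size // len(line) + 1))[:size])
    n_chunks = size // CHUNK_SIZE
    n_enc = round(n_chunks * encrypted_fraction)
    for i in range(n_enc):
        off = i * CHUNK_SIZE
        buf[off:off + CHUNK_SIZE] = rng.randbytes(CHUNK_SIZE)
    return bytes(buf)


def demo() -> dict[str, tuple[str, float, int]]:
    """Compare a small fully-encrypted file with a large 5%-encrypted one."""
    small = build_sample(512 * 1024, 1.0)        # under 1 MB: whole file encrypted
    large = build_sample(4 * 1024 * 1024, 0.05)  # 4 MB: roughly 5% in chunks
    return {
        "small": (classify(small), round(shannon_entropy(small), 2), len(scan_chunks(small))),
        "large": (classify(large), round(shannon_entropy(large), 2), len(scan_chunks(large))),
    }


if __name__ == "__main__":
    for name, (label, whole_entropy, hits) in demo().items():
        print(f"{name}: {label}, whole-file entropy {whole_entropy} bits/byte, "
              f"{hits} high-entropy chunks")
```

Run it and the large sample reports a whole-file entropy well under 5 bits/byte, indistinguishable from an ordinary document, while the chunk scan still flags every encrypted 4 KiB region. The same chunk-wise approach is what a practitioner would apply when deciding whether large files on a recovered volume are worth carving for surviving plaintext.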

The pairing of SystemBC with Cobalt Strike signals the operation is maturing into a post-exploitation toolchain on par with more established crews. Prior victims include Romania’s Oltenia Energy Complex and The Adaptavist Group, and the gang is actively recruiting affiliates on underground forums — a growth trajectory defenders should treat as more than a fringe threat.


This is an AI-generated summary. Read the original for the full story.