SystemBC and Gentlemen: the 1,570-machine botnet that reveals the new face of enterprise ransomware

Published. 4 min read, 93 reads.

Recent findings from Check Point Research put a disturbing reality on the table: a network built on the SystemBC proxy, with more than 1,570 active machines, was identified while investigating an attack by the ransomware operation known as Gentlemen. What stands out is not only the size of the botnet but the profile of the victims: organisations and businesses rather than individual consumers, which points to a targeted and well-resourced campaign.

Gentlemen appeared in mid-2025 as a Ransomware-as-a-Service (RaaS) operation offering capable tooling for a range of environments. Its locker, written in Go, can encrypt Windows, Linux, NAS and BSD systems; there is also a C variant built for ESXi hypervisors. It is not a theoretical threat: the group has been tied to high-impact incidents, including the intrusion into one of Romania's largest energy suppliers last December, and The Adaptavist Group, which reported a breach, recently appeared on the group's published list of victims.


Check Point's investigation reveals that in at least one case a Gentlemen affiliate tried to use SystemBC to deliver malicious payloads covertly. SystemBC, a SOCKS5 proxy tool that has existed since at least 2019, has become a recurring component of human-operated intrusions because it lets operators route traffic and deliver payloads without exposing a direct connection to the attacker's infrastructure. Despite law enforcement actions in 2024, the infrastructure remains active and, according to earlier intelligence reports, has accounted for large numbers of compromised servers used as relays.

Check Point was able to observe telemetry from the SystemBC command-and-control server, which pointed to more than 1,570 victims distributed globally; most, according to the analysis, are in the United States, the United Kingdom, Germany, Australia and Romania. The researchers could not determine with certainty how SystemBC fits into the Gentlemen ecosystem, whether it was used by a single affiliate or by several, but the indicators point to deeper integration into operational chains that combine mature post-exploitation tools with proxy networks.

The attack pattern described in the report is typical of sophisticated campaigns: access to a Domain Controller with domain administrator privileges, internal reconnaissance, and deployment of payloads such as Cobalt Strike over RPC. Lateral movement relies on credential theft with tools such as Mimikatz and on remote execution. For the final stage, attackers typically stage the encryptor on an internal server and abuse native mechanisms such as Group Policy to launch the ransomware almost simultaneously on every domain-joined computer. For technical details on these tools, the MITRE ATT&CK entries on Cobalt Strike and Mimikatz are worth reviewing.
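The last step of that chain, a GPO edited on the Domain Controller followed minutes later by the same GPO's SYSVOL payload starting on many hosts, is something a SOC can correlate from two standard Windows audit events. The detector below is an added example written for this article, not code from Check Point or from the report; the events are constructed sample telemetry in a flattened form (field names such as `object_dn` and `new_process` are this example's own normalisation of Event 5136 and Event 4688, not the native XML), and the GPO GUID and host names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes: a GPO GUID inside a distinguished name, and a payload path under a GPO's SYSVOL folder.
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
SYSVOL_PAYLOAD_RE = re.compile(
    r"\\\\[^\\]+\\SYSVOL\\[^\\]+\\Policies\\(\{[0-9A-F-]{36}\})\\", re.I)

# Constructed sample events (made-up GUID, hosts and account; not real telemetry).
# One Event 5136 (directory object modified) on the DC for a groupPolicyContainer,
# then Event 4688 (process creation) on six workstations launching that GPO's payload,
# plus one unrelated 4688 that must not match.
GPO_GUID = "{D1C2B3A4-1111-4AAA-9BBB-0123456789AB}"
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T02:10:05", "event_id": 5136, "host": "DC01",
     "subject": "CORP\\svc-backup", "object_class": "groupPolicyContainer",
     "object_dn": f"CN={GPO_GUID},CN=Policies,CN=System,DC=corp,DC=local"},
] + [
    {"ts": f"2025-12-01T02:1{i}:{20 + i:02d}", "event_id": 4688, "host": f"WS-{i:03d}",
     "new_process": f"\\\\corp.local\\SYSVOL\\corp.local\\Policies\\{GPO_GUID}"
                    f"\\Machine\\Scripts\\Startup\\update.exe"}
    for i in range(1, 7)
] + [
    {"ts": "2025-12-01T02:15:00", "event_id": 4688, "host": "WS-099",
     "new_process": "C:\\Windows\\System32\\notepad.exe"},
]


def detect_gpo_mass_deploy(events, window_minutes=15, min_hosts=5):
    """One alert per GPO modification that is followed, within the window, by the GPO's
    SYSVOL payload starting on at least min_hosts distinct hosts."""
    mods, execs = defaultdict(list), defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_id"] == 5136 and ev.get("object_class") == "groupPolicyContainer":
            m = GUID_RE.search(ev.get("object_dn", ""))
            if m:
                mods[m.group(0).upper()].append((ts, ev["subject"]))
        elif ev["event_id"] == 4688:
            m = SYSVOL_PAYLOAD_RE.search(ev.get("new_process", ""))
            if m:
                execs[m.group(1).upper()].append((ts, ev["host"], ev["new_process"]))

    alerts = []
    for guid, mod_list in mods.items():
        for mod_ts, subject in mod_list:
            window_end = mod_ts + timedelta(minutes=window_minutes)
            hits = [(t, h, p) for t, h, p in execs.get(guid, []) if mod_ts <= t <= window_end]
            hosts = sorted({h for _, h, _ in hits})
            if len(hosts) >= min_hosts:
                alerts.append({"gpo": guid, "modified_at": mod_ts.isoformat(),
                               "modified_by": subject, "host_count": len(hosts),
                               "hosts": hosts, "payload": hits[0][2]})
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_mass_deploy(SAMPLE_EVENTS):
        print(alert)
```

Event 5136 is only generated when "Audit Directory Service Changes" is enabled and the Policies container carries a SACL, and Event 4688 needs process creation auditing (with command-line logging if you want arguments); without those two settings the correlation has nothing to work with. A GPO's `versionNumber` attribute changing outside a change window, by an account that is not a GPO administrator, is the cheaper first signal even before any client executes anything.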

On the cryptographic side, Gentlemen takes a hybrid approach: it combines X25519 (an elliptic-curve Diffie-Hellman key agreement) with XChaCha20 for file encryption, generating an ephemeral key pair for each file. Files smaller than 1 MB are usually encrypted in full; larger ones get partial block encryption (small percentages such as 9%, 3% or 1%), a technique that cuts time and operating cost while still making recovery impractical. Before encrypting, the malware terminates database processes, backup solutions and virtual machines, and deletes shadow copies and logs; the ESXi variant powers off virtual machines to guarantee exclusive access to their storage.
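To make the consequences of that design concrete, the following is an added, pure-Python model of the scheme, written for this article and not Gentlemen's code: per file, an ephemeral X25519 key pair is generated, the shared secret with the attacker's static public key becomes the file key, XChaCha20 encrypts either the whole file or a fraction of it, and only the ephemeral public key and nonce are stored alongside the ciphertext. Everything the report does not state is an assumption labelled in the code: the SHA-256 key derivation, the 64 KiB block size, the equally spaced layout of the partially encrypted blocks, and the footer format.

```python
import hashlib
import os
import struct

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
MASK32 = 0xFFFFFFFF
CONST = struct.unpack("<4I", b"expand 32-byte k")
BASE_POINT = (9).to_bytes(32, "little")
FULL_ENCRYPT_LIMIT = 1 << 20         # from the report: files under 1 MB are encrypted whole
BLOCK = 64 * 1024                    # assumption: 64 KiB slices for partial encryption


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar k times u-coordinate u (32-byte little-endian each)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _quarter_round(s, a, b, c, d):
    for r1, r2 in ((16, 12), (8, 7)):
        s[a] = (s[a] + s[b]) & MASK32
        s[d] = (((s[d] ^ s[a]) << r1) | ((s[d] ^ s[a]) >> (32 - r1))) & MASK32
        s[c] = (s[c] + s[d]) & MASK32
        s[b] = (((s[b] ^ s[c]) << r2) | ((s[b] ^ s[c]) >> (32 - r2))) & MASK32


def _chacha_rounds(state):
    s = list(state)
    for _ in range(10):              # 20 rounds = 10 double rounds (column + diagonal)
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, *q)
    return s


def chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439 layout: const, key, counter, nonce)."""
    state = [*CONST, *struct.unpack("<8I", key), counter & MASK32, *struct.unpack("<3I", nonce12)]
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(_chacha_rounds(state), state)))


def hchacha20(key: bytes, nonce16: bytes) -> bytes:
    """HChaCha20: derive a 32-byte subkey from the key and the first 16 nonce bytes."""
    s = _chacha_rounds([*CONST, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)])
    return struct.pack("<8I", *s[0:4], *s[12:16])


def xchacha20_xor(key: bytes, nonce24: bytes, data: bytes, counter: int = 0) -> bytes:
    """XChaCha20 keystream XOR (draft-irtf-cfrg-xchacha); the same call encrypts and decrypts."""
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(subkey, counter + i // 64, nonce12)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def encrypted_ranges(size: int, percent: int):
    """Assumed layout: small files whole; large files as equally spaced BLOCK-sized slices
    covering roughly `percent` of the file (the report gives the percentages, not the layout)."""
    if size < FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    nblocks = max(1, size * percent // 100 // BLOCK)
    step = max(BLOCK, size // nblocks)
    return [(i * step, min(i * step + BLOCK, size)) for i in range(nblocks)]


def encrypt_file(plaintext: bytes, attacker_pub: bytes, percent: int) -> bytes:
    """Ephemeral X25519 key per file; file key = SHA-256(shared secret) (assumption);
    the ephemeral private key is never stored, so only the attacker's private key recovers it."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASE_POINT)
    file_key = hashlib.sha256(x25519(eph_priv, attacker_pub)).digest()
    nonce = os.urandom(24)
    body = bytearray(plaintext)
    for idx, (start, end) in enumerate(encrypted_ranges(len(body), percent)):
        # Distinct counter base per slice: reusing keystream across slices would be a two-time pad.
        body[start:end] = xchacha20_xor(file_key, nonce, bytes(body[start:end]), idx * (BLOCK // 64))
    return bytes(body) + eph_pub + nonce     # assumed footer: 32-byte ephemeral public key + 24-byte nonce


def decrypt_file(blob: bytes, attacker_priv: bytes, percent: int) -> bytes:
    body, eph_pub, nonce = bytearray(blob[:-56]), blob[-56:-24], blob[-24:]
    file_key = hashlib.sha256(x25519(attacker_priv, eph_pub)).digest()
    for idx, (start, end) in enumerate(encrypted_ranges(len(body), percent)):
        body[start:end] = xchacha20_xor(file_key, nonce, bytes(body[start:end]), idx * (BLOCK // 64))
    return bytes(body)
```

Two points for responders follow directly from the model. First, nothing recoverable from a victim host (memory dumps, the footer, the ephemeral public key) yields the file key without the attacker's static private key, so decryptor hopes rest on a flaw in the implementation, not on the primitives. Second, with 9% partial encryption a 2 MiB file still has more than 90% of its bytes intact on disk, which is useful for carving fragments from databases or VM disks but does not make the file usable, since the untouched regions are chosen to span the whole file.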

That Gentlemen recruits affiliates and advertises its service on underground forums is nothing new in the cybercrime landscape, but the combination of a relatively young RaaS with mature infrastructure such as SystemBC and post-exploitation frameworks marks a step change in operational capability. Operators have moved from isolated tests to assembling tool chains modelled on experienced adversaries, which raises the likelihood of successful attacks with severe corporate impact.


For defenders and response teams, the report includes indicators of compromise and a YARA rule provided by Check Point for signature-based detection, but protection requires more than signatures. Basic controls must be strengthened: network segmentation, hardening and monitoring of Domain Controllers, limiting the use of highly privileged accounts, strong multi-factor authentication, and verified, isolated backups. For practical guidance on ransomware mitigation, the guidelines issued by CISA are a good starting point.

This case underlines a constant lesson: threats are evolving towards hybrid, human-operated infrastructure, which requires organisations not only to detect and block known signatures but to maintain continuous visibility, detect anomalous behaviour and keep tested response plans. Defences that rely solely on static perimeters and signatures will prove insufficient against well-orchestrated, composite attack chains.

For those who want to dig into the technical details and the collected IoCs, the full Check Point Research report is available on its official page: DFIR report - The Gentlemen. Staying informed and implementing basic cyber-hygiene controls remains, today more than ever, the best way to reduce risk.
