Gentlemen ransomware operators have significantly expanded their attack infrastructure by integrating the SystemBC proxy malware into their intrusion workflows, enabling covert payload delivery across a botnet of more than 1,570 compromised systems. The discovery, documented by Check Point researchers, reveals a tactical shift toward sophisticated post-exploitation frameworks designed to evade detection in enterprise environments.
SystemBC: The Proxy Infrastructure Powering Covert Operations
SystemBC is a SOCKS5 tunneling malware that has persisted in the threat landscape since at least 2019, functioning as a dedicated proxy tool for routing malicious traffic through compromised hosts. Unlike conventional backdoors, SystemBC establishes encrypted communication channels that allow threat actors to mask command-and-control (C2) traffic, effectively bypassing network monitoring and firewall restrictions. The malware has become a staple in the ransomware ecosystem, particularly favored by human-operated intrusion teams requiring persistent, stealthy access to high-value targets.
Despite a coordinated law enforcement takedown operation in 2024, the SystemBC botnet remains highly active. According to Black Lotus Labs, the infrastructure continued to infect approximately 1,500 commercial virtual private servers (VPS) daily throughout last year, demonstrating remarkable resilience. Check Point’s recent analysis reveals that Gentlemen ransomware affiliates have now tapped into this established proxy network, with victim concentrations identified in the United States, United Kingdom, Germany, Australia, and Romania.
The victimology suggests a deliberate focus on corporate entities rather than opportunistic targeting. SystemBC’s deployment patterns indicate integration into structured, human-operated intrusion workflows—characteristics consistent with advanced persistent threat (APT) methodologies rather than automated, mass-distribution campaigns.
Attack Methodology: From Domain Compromise to Network-Wide Encryption
Check Point’s investigation into a specific Gentlemen ransomware incident revealed a meticulously orchestrated attack chain beginning with Domain Controller compromise. The threat actor operated with Domain Admin privileges, leveraging this high-level access to conduct comprehensive reconnaissance and credential validation across the network.
The attack progression followed a multi-stage deployment strategy:
1. **Initial Foothold and Reconnaissance**: After compromising the Domain Controller, the attacker systematically tested credential validity and mapped network topology to identify high-value targets and lateral movement pathways.
2. **SystemBC Deployment**: The proxy malware was deployed to establish covert C2 channels, ensuring persistent communication capabilities that could withstand basic network detection mechanisms.
3. **Cobalt Strike Propagation**: Using Remote Procedure Call (RPC) protocols, the attackers deployed Cobalt Strike beacons to remote systems, establishing additional command nodes throughout the infrastructure.
4. **Credential Harvesting and Lateral Movement**: The operators utilized Mimikatz to extract credentials from memory, facilitating remote execution and privilege escalation across domain-joined systems.
5. **Ransomware Staging and Execution**: The encryptor payload was staged on an internal server and distributed via Group Policy Objects (GPO), enabling near-simultaneous execution across the entire domain infrastructure—a technique designed to maximize encryption speed and minimize response time for defenders.
Check Point has not definitively determined whether SystemBC deployment represents a standardized tool across all Gentlemen affiliates or remains limited to specific intrusion teams within the broader ransomware-as-a-service (RaaS) ecosystem.
Technical Analysis: Hybrid Encryption and Anti-Recovery Measures
Gentlemen ransomware employs a sophisticated hybrid encryption scheme combining X25519 Elliptic Curve Diffie-Hellman (ECDH) key exchange with XChaCha20 symmetric encryption. For each targeted file, the malware generates a random ephemeral key pair, ensuring that compromised files cannot be decrypted using captured static keys.
The encryption logic implements selective targeting based on file size: files under 1 MB undergo full encryption, while larger files receive partial encryption of specific data chunks—a strategy that balances encryption speed with data destruction effectiveness.
Pre-encryption activities demonstrate mature anti-forensic capabilities. The malware systematically terminates database services, backup software processes, and virtualization platforms to prevent data recovery attempts. Shadow Volume Copies and system logs are purged to eliminate restoration options. The ESXi variant specifically targets virtual machine environments, forcibly shutting down VMs to ensure disk files become available for encryption.
Implications for Enterprise Defense
The integration of SystemBC into Gentlemen ransomware operations signals an evolution toward more resilient, distributed attack infrastructures. By leveraging established proxy botnets, the operators reduce their exposure to takedown efforts while complicating network traffic analysis for defenders.
Check Point has released signature-based detection capabilities, including a YARA rule specifically designed to identify SystemBC and associated Gentlemen ransomware components. Security teams are advised to monitor for anomalous SOCKS5 traffic, unauthorized GPO modifications, and Domain Admin credential usage patterns consistent with the documented attack chain.
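As an added defensive illustration (not code from Check Point or the report), the following Python flags TCP flows whose first client bytes form a SOCKS5 greeting (RFC 1928) on a port where no sanctioned proxy listens, one concrete form of the anomalous SOCKS5 traffic mentioned above; the allowed-port set and the sample flows are constructed assumptions.

```python
# Added example, not from the Check Point report: classify captured TCP flows
# by whether their opening bytes look like a SOCKS5 handshake (RFC 1928).
from dataclasses import dataclass

SOCKS_VERSION = 0x05
EXPECTED_PROXY_PORTS = {1080}  # assumption: sanctioned proxies listen only here


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_first: bytes  # first payload bytes sent by the client
    server_first: bytes  # first payload bytes sent back by the server


def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting: VER=0x05, NMETHODS>=1, then exactly NMETHODS method bytes."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def is_socks5_method_select(data: bytes) -> bool:
    """Server reply: VER=0x05 plus chosen METHOD (no-auth, user/pass, or reject)."""
    return len(data) == 2 and data[0] == SOCKS_VERSION and data[1] in (0x00, 0x02, 0xFF)


def classify(flow: Flow) -> str:
    if not is_socks5_greeting(flow.client_first):
        return "not-socks5"
    if not is_socks5_method_select(flow.server_first):
        return "socks5-greeting-unanswered"  # peer did not behave like a proxy
    if flow.dport in EXPECTED_PROXY_PORTS:
        return "socks5-sanctioned-port"
    return "socks5-anomalous-port"


def find_anomalous_socks5(flows):
    """Return only the flows worth an analyst's attention."""
    return [f for f in flows if classify(f) == "socks5-anomalous-port"]


# Constructed sample flows (not real capture data)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 1080, b"\x05\x01\x00", b"\x05\x00"),          # sanctioned proxy
    Flow("10.0.0.7", "203.0.113.9", 443, b"\x05\x02\x00\x02", b"\x05\x02"),     # SOCKS5 hiding on 443
    Flow("10.0.0.7", "203.0.113.9", 443, b"\x16\x03\x01\x00\xa5", b"\x16\x03\x03"),  # ordinary TLS
    Flow("10.0.0.9", "10.0.0.30", 8080, b"\x05\x01\x00", b"HTTP/1.1 400"),      # server is not a proxy
]
```

The check only sees a cleartext SOCKS5 handshake, so a proxy channel that is encrypted end to end needs other indicators (beaconing patterns, the vendor YARA rule on disk, GPO and Domain Admin auditing).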
The persistence of the SystemBC botnet—despite previous law enforcement interventions—underscores the challenges facing defenders against modular ransomware ecosystems that rapidly adapt and integrate proven tools from the cybercriminal underground.