Full Report
Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims. "SystemBC establishes SOCKS5 network tunnels within
Analysis Summary
# Incident Report: The Gentlemen RaaS Deployment of SystemBC Botnet
## Executive Summary
Threat actors linked to "The Gentlemen" Ransomware-as-a-Service (RaaS) group were identified deploying SystemBC, a SOCKS5 proxy malware, to tunnel traffic into victim networks and support lateral movement. Analysis of the SystemBC Command-and-Control (C2) infrastructure revealed a botnet of more than 1,570 victims worldwide. The operation illustrates how ransomware operators reuse established commodity proxy tools to mask malicious traffic and keep persistent access until the ransomware is deployed.
## Incident Details
- **Discovery Date:** Recent (Check Point research publication date)
- **Incident Date:** Ongoing/Active
- **Affected Organization:** Multiple; over 1,570 unique victims
- **Sector:** Cross-sector (General targets)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Variable per victim
- **Vector:** Likely via phishing or exploitation of vulnerable internet-facing services (typical SystemBC delivery).
- **Details:** Attackers deploy SystemBC as a precursor to ransomware; it acts as a persistent backdoor and proxy.
### Lateral Movement
- SystemBC connects outbound from the infected host to the C2 server, which then exposes a SOCKS5 proxy that the operators use to reach hosts inside the victim network. Because the connection is initiated from the inside, inbound perimeter filtering is bypassed and the true origin of the attacker's traffic is hidden behind the infected host.
### Data Exfiltration/Impact
- SystemBC is a precursor to deployment of "The Gentlemen" ransomware. Impact includes data theft and full-scale encryption of enterprise environments.
### Detection & Response
- **Detection:** Discovered via C2 infrastructure analysis by Check Point researchers.
- **Response:** Identification of C2 servers and mapping of the victim botnet to alert relevant authorities and organizations.
## Attack Methodology
- **Initial Access:** Not confirmed by the research. SystemBC is typically dropped by a loader after phishing or exploitation of an exposed service; RDP brute-forcing is another common ransomware entry point.
- **Persistence:** Depending on the build, SystemBC installs as a service, a scheduled task, or a registry Run key so that it survives reboot.
- **Command and Control / Defense Evasion:** The bot holds a single long-lived outbound connection to the C2 server; the C2 exposes a SOCKS5 proxy into the victim network over that connection, so the attacker's traffic blends in with ordinary outbound noise.
- **Discovery:** Scanning of internal IP ranges through the proxy tunnel.
- **Lateral Movement:** Tunneling of secondary payloads (Cobalt Strike, etc.) and remote-access protocols through the established SystemBC connection.
- **Exfiltration:** Exfiltration of sensitive data through the same proxy channel.
- **Impact:** Deployment of "The Gentlemen" ransomware, leading to file encryption and extortion.
## Impact Assessment
- **Financial:** High potential (ransom demands and recovery costs).
- **Data Breach:** High risk; botnet activity suggests proactive data harvesting before encryption.
- **Operational:** Severe disruption of business processes due to encryption.
- **Reputational:** Public disclosure of victim status via RaaS "leak sites."
## Indicators of Compromise
- **Network Indicators:**
- C2 communication: confirmed C2 addresses are published in the Check Point research. The address `hxxp[://]45[.]61[.]139[.]225` appears here only as a sample of the defanged format and is not a confirmed indicator; do not block it on the strength of this report.
- The C2 port is set per build and is usually a high, non-standard TCP port (the 4000-5000 range cited here is indicative, not exhaustive).
- **File Indicators:**
- `socks5_amd64.exe` (a filename reported for some SystemBC samples; names vary by build and should be confirmed against published samples)
- SHA-256: [Specific hashes vary by build]
- **Behavioral Indicators:**
- Unexpected SOCKS5 tunneling activity originating from internal servers, in particular a single long-lived outbound connection from an internal host to an unknown external IP followed by that host opening many new connections to internal peers.
- Creation of scheduled tasks, services, or Run keys with suspicious names to maintain persistence.
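The behavioral indicators above, and the tunnel-then-fan-out pattern described under Lateral Movement, can be hunted in flow data. The following is an added example, not code from the Check Point research or from the SystemBC authors. The flow records and payload bytes are constructed; the field layout (a Zeek conn.log-like shape), the egress allowlist, and the duration and fan-out thresholds are assumptions to be tuned to the local environment.

```python
"""Hunt for SystemBC-style proxy tunnels in flow records.

Added example (not from the Check Point research). Flow records below are
constructed; the conn.log-like field layout, the allowlist and the
thresholds are assumptions to tune locally.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Egress destinations the organisation has approved (assumed).
EGRESS_ALLOWLIST = {"203.0.113.10"}
# SystemBC builds use a per-build, usually high, C2 port; treat anything
# outside the usual web/mail/DNS set as non-standard (assumption).
STANDARD_EGRESS_PORTS = {53, 80, 443, 587, 993}
TUNNEL_MIN_DURATION_S = 600   # long-lived session: 10 minutes (assumption)
FANOUT_MIN_PEERS = 20         # distinct internal peers in a window (assumption)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float         # start time, epoch seconds
    src: str
    dst: str
    dport: int
    duration: float   # seconds the session stayed open
    first_bytes: bytes = b""   # first client bytes, if the sensor captures them


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS=n, then n method bytes.
    SystemBC's own bot-to-C2 stream is encrypted, so this fingerprint only
    catches a plain SOCKS5 listener or tunnel endpoint, not the bot channel."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) >= 2 + nmethods


def find_tunnels(flows):
    """Internal host -> external, non-allowlisted IP on a non-standard port,
    held open for a long time: the shape of a proxy/C2 tunnel."""
    hits = []
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        if f.dst in EGRESS_ALLOWLIST or f.dport in STANDARD_EGRESS_PORTS:
            continue
        if f.duration >= TUNNEL_MIN_DURATION_S:
            hits.append(f)
    return hits


def find_fanout(flows, window_s=300):
    """Hosts contacting many distinct internal peers inside a sliding window:
    scanning or lateral movement relayed through the tunnel."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)
    suspicious = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda x: x.ts)
        j = 0
        for i in range(len(fs)):
            while fs[i].ts - fs[j].ts > window_s:
                j += 1
            peers = {x.dst for x in fs[j:i + 1]}
            if len(peers) >= FANOUT_MIN_PEERS:
                suspicious[src] = max(suspicious.get(src, 0), len(peers))
    return suspicious


def analyse(flows):
    tunnels = find_tunnels(flows)
    fanout = find_fanout(flows)
    socks = [f for f in flows if is_socks5_greeting(f.first_bytes)]
    # Highest confidence: the same host holds an egress tunnel and fans out internally.
    correlated = sorted({f.src for f in tunnels} & set(fanout))
    return {"tunnels": tunnels, "fanout": fanout, "socks5": socks,
            "correlated": correlated}


# Constructed sample: 10.0.5.20 holds a 2h session to an unknown external host
# on TCP 4001, then sweeps 25 internal hosts on 445 within half a minute.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.5.20", "198.51.100.77", 4001, 7200.0),
    Flow(1010.0, "10.0.5.21", "203.0.113.10", 443, 30.0),      # allowlisted
    Flow(1020.0, "10.0.5.22", "198.51.100.9", 443, 900.0),     # standard port
    Flow(1100.0, "10.0.5.30", "10.0.5.31", 1080, 5.0, b"\x05\x01\x00"),  # SOCKS5 greeting
] + [Flow(1200.0 + i, "10.0.5.20", f"10.0.9.{i}", 445, 0.2) for i in range(1, 26)]

if __name__ == "__main__":
    r = analyse(SAMPLE_FLOWS)
    print("tunnel flows:", [(f.src, f.dst, f.dport) for f in r["tunnels"]])
    print("fan-out hosts:", r["fanout"])
    print("socks5 greetings:", [(f.src, f.dst) for f in r["socks5"]])
    print("correlated hosts:", r["correlated"])
```

The three detectors are deliberately independent: the tunnel check is what egress control should surface on its own, the fan-out check catches discovery relayed through the tunnel even when the egress side is missed, and the SOCKS5 greeting check only fires where a plain SOCKS5 listener is exposed, since the bot's own C2 stream is encrypted and will not match it.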
## Response Actions
- **Containment:** Isolate infected hosts from the network and block confirmed C2 addresses at the perimeter firewall.
- **Eradication:** Termination of malicious processes, removal of the persistence mechanism (service, scheduled task, or Run key), and deletion of SystemBC binaries.
- **Recovery:** Restoration of encrypted files from secure, offline backups where applicable.
## Lessons Learned
- **Visibility Gaps:** SystemBC encrypts its C2 channel, so content inspection alone will not reveal the tunneled traffic; detection depends on egress control and on the shape of the connections (a long-lived outbound session from an internal host, followed by unusual internal fan-out).
- **Infrastructure Overlap:** Ransomware groups are increasingly reusing established "commodity" malware like SystemBC, simplifying their workflow but providing a trail for researchers.
## Recommendations
- **Egress Control and Segmentation:** Implement strict egress filtering so that internal servers can reach only approved external destinations and ports, and segment the network so that a single proxied host cannot reach every internal system.
- **Endpoint Protection:** Deploy EDR solutions capable of detecting "living-off-the-land" techniques and unauthorized proxy tool executions.
- **Audit Accounts:** Regularly review administrative accounts and RDP access logs for anomalies.
- **Threat Intelligence:** Subscribe to feeds tracking RaaS C2 infrastructure to proactively block IPs associated with SystemBC.