Full Report
A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate. [...]
Analysis Summary
# Incident Report: The Gentlemen Ransomware & SystemBC Botnet Integration
## Executive Summary
A large-scale SystemBC proxy botnet of more than 1,570 hosts was discovered during an incident response engagement involving The Gentlemen, a Ransomware-as-a-Service (RaaS) operation. The investigation showed that its affiliates rely on mature post-exploitation tooling (Mimikatz, Cobalt Strike) and rented proxy infrastructure (SystemBC) to operate inside corporate environments. The attack ended in near-simultaneous encryption of domain-joined systems, using a hybrid encryption scheme (X25519 key agreement, XChaCha20 for file content) with lockers for Windows, Linux, and ESXi.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** Ongoing (RaaS emerged mid-2025; recent activity peaked in early 2026)
- **Affected Organization:** Multiple (including Oltenia Energy Complex and The Adaptavist Group)
- **Sector:** Energy, Technology, Professional Services
- **Geography:** Global (Primarily USA, UK, Germany, Australia, and Romania)
## Timeline of Events
### Initial Access
- **Date/Time:** Undetermined (Investigation began following early April 2026 breaches)
- **Vector:** Not determined from the available evidence (the earliest observed activity was already at Domain Admin level).
- **Details:** Attackers were first identified operating from a compromised Domain Controller with Domain Admin privileges.
### Lateral Movement
- **Method:** Attackers conducted credential harvesting using Mimikatz and used Remote Procedure Calls (RPC) to deploy Cobalt Strike beacons to remote systems.
- **Propagation:** Leveraged Group Policy Objects (GPO) and built-in propagation scripts to stage ransomware across the network.
### Data Exfiltration/Impact
- **Impact:** Near-simultaneous encryption of domain-joined systems.
- **Exfiltration:** Affiliates likely routed data transfer and C2 traffic through SystemBC's SOCKS5 proxying, using the 1,570+ compromised hosts as relays. Stolen data was posted to a leak site for extortion.
### Detection & Response
- **Detection:** Discovered by Check Point researchers during an active IR engagement via telemetry from a SystemBC Command-and-Control (C2) server.
- **Response:** Analysis of the C2 infrastructure revealed the scope of the botnet; release of YARA rules for detection.
## Attack Methodology
- **Initial Access:** Not confirmed (Evidence points to high-level access achieved early).
- **Persistence:** SystemBC proxy malware for SOCKS5 tunneling and persistent C2.
- **Privilege Escalation:** Domain Administrator access obtained (method unspecified).
- **Defense Evasion:** Termination of backup software, deletion of Volume Shadow Copy (VSS) snapshots, and clearing of Windows event logs; SystemBC proxying to blend C2 and exfiltration traffic with ordinary outbound connections.
- **Credential Access:** Mimikatz for harvesting plaintext credentials/hashes.
- **Discovery:** Internal reconnaissance from the Domain Controller; identifying live hosts and database services.
- **Lateral Movement:** Cobalt Strike via RPC; GPO-based deployment.
- **Collection:** Targeting of corporate databases, virtualization (ESXi/VMs), and NAS systems.
- **Exfiltration:** Use of a proxy botnet to funnel traffic and bypass network monitoring.
- **Impact:** Hybrid encryption (X25519 key agreement, XChaCha20 for file content). Files under 1 MB are encrypted in full; larger files are only partially encrypted, with roughly 1 to 9% of their content encrypted in chunks, which keeps encryption fast while still rendering the file unusable.
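To make the impact bullet concrete, the following is an added Python model of the partial-encryption behaviour the page describes and of the detection caveat it implies; it is not the Gentlemen locker's code. The page gives only the thresholds (files under 1 MB fully encrypted, larger files 1 to 9% in chunks); the 64 KiB chunk size, the even spacing of chunks, and the 5% figure are assumptions, and a SHA-256 counter keystream stands in for XChaCha20 because the standard library has no XChaCha20 (no X25519 key agreement is performed either). The point it demonstrates: whole-file entropy stays low on a partially encrypted large file, so a naive "high entropy means encrypted" check misses it, while a windowed entropy check over chunk-sized slices catches it.

```python
"""Model the page's partial-encryption behaviour and show why whole-file entropy misses it.

Added example, not the Gentlemen locker's code. The page states only that files
under 1 MB are fully encrypted and larger files partially (1-9%); the 64 KiB chunk
size, even spacing and percentage used here are assumptions. The keystream is a
SHA-256 counter construction standing in for XChaCha20, which the stdlib lacks.
"""
import hashlib
import math
from collections import Counter

FULL_ENCRYPT_LIMIT = 1 << 20   # 1 MB: files below this are encrypted whole (from the page)
CHUNK = 64 * 1024              # assumed size of each encrypted chunk in a large file


def encrypted_ranges(size, percent=5.0):
    """Return [(offset, length), ...] that the locker would encrypt for a file of `size` bytes."""
    if size < FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    if not 1.0 <= percent <= 9.0:
        raise ValueError("page reports 1-9% partial encryption for large files")
    budget = int(size * percent / 100)          # bytes we are allowed to encrypt
    n_chunks = max(1, round(budget / CHUNK))    # assumed: spend the budget in CHUNK-sized pieces
    stride = size // n_chunks                   # assumed: spread the chunks evenly over the file
    return [(i * stride, min(CHUNK, size - i * stride)) for i in range(n_chunks)]


def keystream(key, nonce, length):
    """Stand-in keystream: SHA-256(key || nonce || counter) blocks. NOT XChaCha20."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_in_place(data, key, nonce, percent=5.0):
    """XOR only the selected ranges, as an intermittent-encryption locker would.

    Because it is a pure XOR with a per-range nonce, applying it twice restores the data.
    """
    buf = bytearray(data)
    for off, ln in encrypted_ranges(len(buf), percent):
        ks = keystream(key, nonce + off.to_bytes(8, "little"), ln)
        buf[off:off + ln] = bytes(a ^ b for a, b in zip(buf[off:off + ln], ks))
    return bytes(buf)


def shannon_entropy(data):
    """Bits per byte; 8.0 is the ceiling for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def windowed_max_entropy(data, window=CHUNK):
    """Highest entropy seen in any window-sized slice; catches localised encrypted regions."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def demo(size=2 << 20, percent=5.0):
    """Encrypt a constructed 2 MiB text file partially and compare the two entropy checks."""
    key = hashlib.sha256(b"assumed demo key").digest()   # constructed; real lockers derive keys per victim
    nonce = b"\x00" * 16
    plain = (b"The quick brown fox jumps over the lazy dog. " * (size // 45 + 1))[:size]
    cipher = encrypt_in_place(plain, key, nonce, percent)
    ranges = encrypted_ranges(size, percent)
    return {
        "ranges": ranges,
        "fraction_encrypted": sum(ln for _, ln in ranges) / size,
        "plain_entropy": shannon_entropy(plain),
        "whole_file_entropy": shannon_entropy(cipher),
        "max_window_entropy": windowed_max_entropy(cipher),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v}")
```

With the assumed layout, a 2 MiB file gets two 64 KiB chunks encrypted (6.25% of its bytes): the whole-file entropy barely moves from the plaintext's, while the best 64 KiB window reads as nearly 8 bits per byte. Any detection that keys on file entropy therefore needs to work on slices, and recovery tooling should expect large files that are mostly plaintext but unusable.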
## Impact Assessment
- **Financial:** High (Ransom demands and operational downtime).
- **Data Breach:** Substantial (320+ victims listed on leak site).
- **Operational:** Critical disruption to energy providers and tech firms; shutdown of ESXi virtual machines.
- **Reputational:** Public disclosure of breaches by major organizations (e.g., Oltenia Energy Complex).
## Indicators of Compromise
- **Network indicators:**
- SystemBC C2 Infrastructure (Internal/External Proxy Traffic)
- Cobalt Strike Beacons (RPC/HTTP/S)
- **File indicators:**
- Go-based lockers (Windows/Linux/NAS)
- C-based lockers (ESXi)
- `mimikatz.exe`, `SystemBC.exe` (or variants; both are routinely renamed, so match on the researchers' YARA rules and on behaviour rather than on filename)
- **Behavioral indicators:**
- Mass execution of processes via GPO.
- Unexpected termination of `vssvc.exe` (Volume Shadow Copy service), backup agents, and SQL database services.
- Rapid deletion of Windows Event Logs.
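The defense-evasion steps under Attack Methodology and the behavioral indicators above all surface in process-creation telemetry. The following is an added Python example, written for this page rather than taken from the researchers' tooling, that runs those checks over constructed Sysmon-style records (Event ID 1 fields `Image`, `CommandLine`, `ParentImage`). The sample events, the watch-list of service name fragments, and the GPO fan-out threshold (the same command launched by `gpscript.exe` on 10 or more hosts within five minutes) are all assumptions for illustration.

```python
"""Flag Gentlemen-style precursors in process-creation telemetry.

Added example, not the researchers' detection content. The records below are
constructed Sysmon-like events, not data from the incident. The backup/database
watch-list and the GPO fan-out threshold are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the incident), one dict per Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ts": "2026-04-02T01:14:03", "host": "DC01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-02T01:14:05", "host": "DC01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-02T01:14:06", "host": "SQL01", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop MSSQLSERVER /y", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-02T01:14:07", "host": "FS01", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM VeeamAgent.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # The same payload launched by the Group Policy script host on twelve hosts within seconds.
    *[{"ts": f"2026-04-02T01:15:{s:02d}", "host": f"WS{s:02d}", "Image": r"C:\Windows\Temp\locker.exe",
       "CommandLine": r"C:\Windows\Temp\locker.exe -q", "ParentImage": r"C:\Windows\System32\gpscript.exe"}
      for s in range(12)],
    # Benign noise: an admin querying, not clearing, the Security log.
    {"ts": "2026-04-02T01:20:00", "host": "ADM01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5", "ParentImage": r"C:\Windows\System32\powershell.exe"},
]

# Shadow copy removal via vssadmin, wmic, the WMI class from PowerShell, or the backup catalog.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\.delete\(\)|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)
# Event log clearing with wevtutil (cl / clear-log).
LOG_CLEAR = re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)
# Stopping or killing anything on an illustrative backup/VSS/database watch-list.
SERVICE_KILL = re.compile(
    r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\S*(?:vss|sql|veeam|backup)"
    r"|\btaskkill(?:\.exe)?\s.*?/im\s+\S*(?:vss|sql|veeam|backup)", re.I)


def _base(path):
    """Lower-cased basename of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_single_event_rules(ev):
    """Names of the per-event rules that fire on one process-creation record."""
    cmd = ev.get("CommandLine", "")
    hits = []
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if LOG_CLEAR.search(cmd):
        hits.append("event_log_clear")
    if SERVICE_KILL.search(cmd):
        hits.append("backup_or_db_service_kill")
    return hits


def gpo_fanout(events, threshold=10, window=timedelta(minutes=5)):
    """Flag a command that gpscript.exe launched on >= threshold distinct hosts within `window`."""
    by_cmd = defaultdict(list)
    for ev in events:
        if _base(ev.get("ParentImage", "")) == "gpscript.exe":
            by_cmd[ev["CommandLine"].lower()].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    findings = []
    for cmd, runs in by_cmd.items():
        runs.sort()
        lo = 0
        for hi in range(len(runs)):              # sliding time window over the sorted launches
            while runs[hi][0] - runs[lo][0] > window:
                lo += 1
            hosts = {h for _, h in runs[lo:hi + 1]}
            if len(hosts) >= threshold:
                findings.append({"rule": "gpo_mass_execution", "host": "*", "ts": runs[hi][0].isoformat(),
                                 "detail": f"{cmd} launched by gpscript.exe on {len(hosts)} hosts"})
                break                            # one finding per command is enough
    return findings


def analyze(events):
    """Run every rule over the event list and return the findings."""
    findings = []
    for ev in events:
        for rule in match_single_event_rules(ev):
            findings.append({"rule": rule, "host": ev["host"], "ts": ev["ts"], "detail": ev["CommandLine"]})
    findings.extend(gpo_fanout(events))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<6} {f['rule']:<26} {f['detail']}")
```

The per-event rules are cheap and specific, but each on its own is something a backup admin might legitimately do; their value here is co-occurrence within minutes, and the GPO fan-out rule is what distinguishes staged ransomware deployment from a single host's activity. Tune the watch-list to the backup and database products actually deployed, and feed the same rules the Windows Security 1102 and System 104 "log cleared" events, which do not depend on catching the `wevtutil` process launch.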
## Response Actions
- **Containment:** Disabling compromised Domain Admin accounts and blocking identified C2 IPs.
- **Eradication:** Removal of SystemBC proxy agents and Cobalt Strike payloads from infected hosts.
- **Recovery:** Restoration of data from offline backups (where not deleted by the attacker).
## Lessons Learned
- **Visibility Deficit:** The transition from initial access to Domain Admin occurred before detection, highlighting a need for better lateral movement monitoring.
- **Botnet Proliferation:** The use of mature proxy botnets (SystemBC) makes traditional IP-based blocking less effective.
- **Asset Coverage:** Attackers specifically targeted ESXi and NAS, which often have less security instrumentation than standard Windows endpoints.
## Recommendations
- **Identity Security:** Implement Multi-Factor Authentication (MFA) on all administrative accounts and utilize Tiered Administration models to protect Domain Controllers.
- **GPO Hardening:** Monitor for unauthorized changes to Group Policy Objects, particularly those involving script execution or software deployment.
- **Network Segmentation:** Restrict RPC and SMB traffic between workstations to prevent lateral movement.
- **Backup Integrity:** Ensure backups are stored in an immutable or air-gapped environment to prevent the ransomware's automated deletion scripts from affecting recovery.
- **Detection:** Deploy the specific YARA rules provided by researchers to scan for Gentlemen Ransomware and SystemBC artifacts.