The Gentlemen Ransomware Now Uses SystemBC for Bot-Powered Attacks


BleepingComputer, Apr 20, 2026

Companies Mentioned

Check Point Software (CHKP)

Oltenia Energy Complex

Why It Matters

Integrating SystemBC gives Gentlemen a resilient proxy and payload-delivery layer, widening the intrusion surface enterprises must watch and forcing security teams to adapt to a more durable ransomware supply chain.

Key Takeaways

  • Gentlemen ransomware now leverages a SystemBC botnet of 1,570 hosts
  • Botnet primarily infects corporate environments in US, UK, Germany, Australia
  • Ransomware uses Go locker for Windows/Linux and C locker for ESXi
  • Attack chain includes Cobalt Strike, Mimikatz, and Group Policy propagation
  • Check Point provides YARA signatures to detect SystemBC‑enabled attacks

Pulse Analysis

The rise of ransomware‑as‑a‑service (RaaS) platforms has lowered the barrier to entry for cybercriminals, and Gentlemen is a prime example of this trend. First spotted in mid‑2025, the gang offers a Go‑based locker for Windows, Linux, NAS and BSD systems, alongside a C‑based variant that encrypts ESXi hypervisors. By co‑opting SystemBC—a proxy‑malware botnet active since 2019—the group gains a stealthy delivery channel that can tunnel malicious payloads through compromised virtual private servers. SystemBC’s SOCKS5 capabilities have made it a favorite among ransomware operators, and its persistence after a 2024 law‑enforcement takedown underscores the resilience of such infrastructure.

Technical analysis reveals a well-rehearsed intrusion workflow. Affiliates gain an initial foothold, often via stolen credentials, then use Cobalt Strike for command and control and Mimikatz to harvest privileged credentials as they move laterally. Once they hold Domain Admin rights, they stage the ransomware on an internal server and push it out through Group Policy Objects so that domain-joined machines begin encrypting almost simultaneously. The file encryption is hybrid: file contents are encrypted with the fast XChaCha20 stream cipher, and the symmetric keys are protected with an X25519 key exchange against the operators' public key, so, as in any correctly built hybrid scheme, nothing left on the victim recovers those keys without the operators' private key. The ESXi variant shuts down running virtual machines first so that their disk files are released and can be encrypted, a sign of the gang's familiarity with enterprise environments.
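The hybrid scheme named above, written out as an added example so the key handling is visible. This is not code from the article, BleepingComputer or Check Point, and not the Gentlemen locker's own implementation; it assumes the Python `cryptography` package is installed and uses ChaCha20-Poly1305 in place of XChaCha20, which that package does not provide (the wrapping structure is identical; XChaCha20's 24-byte nonce is what lets a locker draw nonces at random without a counter). The operator key pair, the HKDF label and the sample plaintext are constructed.

```python
"""Hybrid X25519 + AEAD encryption: the locker embeds only a public key.

Added example; not the article's, Check Point's or the locker's code.
Assumes the `cryptography` package. ChaCha20-Poly1305 stands in for XChaCha20.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

EPH_PUB_LEN, NONCE_LEN, TAG_LEN = 32, 12, 16


def _raw(pub: X25519PublicKey) -> bytes:
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)


def _derive_key(shared_secret: bytes, eph_pub_raw: bytes, op_pub_raw: bytes) -> bytes:
    # Bind the symmetric key to both public halves so a swapped key cannot be reused.
    # The info label is a constructed assumption, not a value from any real locker.
    return HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,
        info=b"hybrid-file-key|" + eph_pub_raw + op_pub_raw,
    ).derive(shared_secret)


def encrypt_file(plaintext: bytes, operator_pub_raw: bytes) -> bytes:
    """Locker side: needs only the operator's public key, which ships in the binary."""
    op_pub = X25519PublicKey.from_public_bytes(operator_pub_raw)
    eph_priv = X25519PrivateKey.generate()          # fresh per encryption
    eph_pub_raw = _raw(eph_priv.public_key())
    key = _derive_key(eph_priv.exchange(op_pub), eph_pub_raw, operator_pub_raw)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = ChaCha20Poly1305(key).encrypt(nonce, plaintext, eph_pub_raw)
    # eph_priv and key go out of scope here; the blob stores only the public half,
    # so nothing persisted on the victim can rebuild `key`.
    return eph_pub_raw + nonce + ciphertext


def decrypt_file(blob: bytes, operator_priv: X25519PrivateKey) -> bytes:
    """Operator side: the only party holding the private half of the embedded key."""
    eph_pub_raw = blob[:EPH_PUB_LEN]
    nonce = blob[EPH_PUB_LEN:EPH_PUB_LEN + NONCE_LEN]
    ciphertext = blob[EPH_PUB_LEN + NONCE_LEN:]
    op_pub_raw = _raw(operator_priv.public_key())
    shared = operator_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub_raw))
    key = _derive_key(shared, eph_pub_raw, op_pub_raw)
    return ChaCha20Poly1305(key).decrypt(nonce, ciphertext, eph_pub_raw)


def roundtrip_demo() -> dict:
    """Show that the right private key recovers the file and any other key fails."""
    operator_priv = X25519PrivateKey.generate()      # constructed operator key pair
    sample = b"constructed sample document contents"  # constructed plaintext
    blob = encrypt_file(sample, _raw(operator_priv.public_key()))
    try:
        decrypt_file(blob, X25519PrivateKey.generate())
        wrong_key_fails = False
    except InvalidTag:
        wrong_key_fails = True
    return {
        "recovered": decrypt_file(blob, operator_priv) == sample,
        "wrong_key_fails": wrong_key_fails,
        "overhead_bytes": len(blob) - len(sample),   # 32 + 12 + 16 = 60
    }


if __name__ == "__main__":
    print(roundtrip_demo())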

For businesses, the integration of SystemBC signals a shift toward more resilient, multi-stage ransomware campaigns. Defenders must broaden detection beyond traditional ransomware indicators to include proxy-malware traffic, anomalous SOCKS5 sessions, and Check Point's newly released YARA rules. Incident response teams should prioritise hardening privileged accounts, monitoring for Cobalt Strike beaconing, alerting on newly created or modified Group Policy Objects that push scripts or scheduled tasks, and segmenting critical workloads such as hypervisors. As RaaS ecosystems continue to mature, the line between ransomware and broader intrusion toolchains blurs, demanding a proactive, threat-intel-driven security posture.
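One way to act on the "anomalous SOCKS5 connections" point, as an added example that is not from the article, BleepingComputer or Check Point and is not a SystemBC signature. It assumes a hypothetical sensor export that records the first bytes each side sent on a TCP flow (`orig_hex` for the initiator, `resp_hex` for the responder) and a constructed allow-list of hosts that are expected to speak SOCKS5. It goes slightly beyond the text in checking both directions: with proxy malware the internal host usually dials out and the remote operator drives the proxy, so a greeting arriving from the responder is treated as the stronger signal. The flow records are constructed.

```python
"""Flag SOCKS5 handshakes in flows from hosts that are not sanctioned proxies.

Added example; not the article's or Check Point's code and not a SystemBC
signature. Assumes a hypothetical flow export with the first bytes sent by
each side. All records and the allow-list below are constructed.
"""
import ipaddress
from typing import List, Optional

# Hypothetical allow-list of hosts expected to open SOCKS5 sessions (assumption).
SANCTIONED_PROXIES = {"10.0.5.20"}

# RFC 1918 space is treated as internal; documentation ranges are used as "external" below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = [
    # Workstation opens a SOCKS5 session to an external VPS, offering "no auth".
    {"src": "10.0.12.34", "dst": "203.0.113.10", "dport": 4001, "orig_hex": "050100", "resp_hex": "0500"},
    # Sanctioned forward proxy talking SOCKS5 to its approved upstream: benign.
    {"src": "10.0.5.20", "dst": "198.51.100.7", "dport": 1080, "orig_hex": "05020002", "resp_hex": "0502"},
    # Plain HTTP GET and a TLS ClientHello: not SOCKS.
    {"src": "10.0.12.35", "dst": "203.0.113.20", "dport": 80, "orig_hex": "474554202f", "resp_hex": "485454502f"},
    {"src": "10.0.12.36", "dst": "203.0.113.21", "dport": 443, "orig_hex": "160301", "resp_hex": "160303"},
    # SOCKS5 between two internal hosts: a pivot, lower severity.
    {"src": "10.0.12.37", "dst": "10.0.30.5", "dport": 8080, "orig_hex": "050102", "resp_hex": "0502"},
    # Reverse-proxy pattern: the workstation dials out with an opaque preamble and
    # the *remote* side sends the SOCKS5 greeting over that connection.
    {"src": "10.0.12.38", "dst": "203.0.113.30", "dport": 443, "orig_hex": "8f2a01", "resp_hex": "050100"},
    # Malformed: version 5 but NMETHODS=0, which RFC 1928 does not allow.
    {"src": "10.0.12.39", "dst": "203.0.113.31", "dport": 443, "orig_hex": "0500", "resp_hex": ""},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_socks5_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if ``data`` starts with a well-formed SOCKS5
    client greeting (RFC 1928 section 3: VER=0x05, NMETHODS, METHODS...), else None.
    A two-byte method-selection reply (VER, METHOD) is too short and is rejected."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = list(data[2:2 + nmethods])
    if 0xFF in methods:  # 0xFF is only legal in the server's "no acceptable methods" reply
        return None
    return methods


def scan_flows(flows, sanctioned=SANCTIONED_PROXIES) -> list:
    """Return one alert per flow side on which an unexpected party opened a SOCKS5 session."""
    alerts = []
    for flow in flows:
        for side, field in (("initiator", "orig_hex"), ("responder", "resp_hex")):
            methods = parse_socks5_greeting(bytes.fromhex(flow.get(field, "")))
            if methods is None:
                continue
            reasons = []
            if flow["src"] not in sanctioned:
                reasons.append("source is not a sanctioned proxy")
            if side == "responder":
                reasons.append("greeting sent by the responder (reverse-proxy pattern)")
            if not reasons:
                continue  # sanctioned proxy doing forward SOCKS: expected traffic
            external = not is_internal(flow["dst"])
            severity = "high" if external or side == "responder" else "medium"
            alerts.append({
                "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
                "socks_speaker": side, "auth_methods": methods,
                "severity": severity, "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed flows this yields three alerts: the workstation dialling an external SOCKS5 endpoint, the internal-to-internal pivot at medium severity, and the responder-driven session at high severity; the sanctioned proxy, the HTTP and TLS flows, and the malformed greeting produce nothing. Pair a rule like this with the YARA coverage on the host side, since proxy malware that wraps its channel in its own framing will not show a literal greeting in the first bytes.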

