The Gentlemen Ransomware Expands With SystemBC Proxy Attacks

Ransomware operators continue to refine their playbooks. The latest evolution of the Gentlemen ransomware shows how fast these groups adapt to scale and stay stealthy. It began as a relatively new ransomware-as-a-service (RaaS) operation in mid-2025. It has already matured into a more dangerous enterprise by integrating SystemBC, a long-standing proxy malware that enables covert communications and payload delivery.

Security researchers now warn that this combination gives affiliates stronger persistence, better evasion, and a larger attack surface across enterprise environments.

The Gentlemen is not just another ransomware family seeking attention on leak sites. It represents a broader trend: ransomware groups borrow infrastructure from established malware ecosystems instead of building everything from scratch. By using SystemBC, affiliates access a resilient bot-powered proxy network that conceals command-and-control traffic.

This network also enables more reliable malware staging before encryption begins. This shift, documented by Check Point, moves ransomware operations closer to full-service cybercrime platforms rather than just standalone extortion campaigns.

The Gentlemen emerged as a RaaS operation designed for affiliates seeking flexibility across multiple operating systems. Reports from Bleeping Computer and Check Point Research state the group provides a Go-based locker that can encrypt Windows, Linux, NAS, and BSD systems. They also offer a C-based locker for ESXi hypervisors.

This broad compatibility allows affiliates to target both traditional enterprise endpoints and critical virtualization infrastructure. As a result, the risk of operational disruption and higher ransom demands increases.

The group has already claimed about 320 victims publicly. Researchers suspect the real number may be higher. Notable attacks include the compromise of Oltenia Energy Complex, one of Romania's largest energy providers, and a breach disclosed by The Adaptavist Group. These incidents show that The Gentlemen is not limited to targeting small businesses; it can also target organizations where downtime causes major financial and operational consequences.

This shift departs from older ransomware crews that focused only on encryption. The Gentlemen, by contrast, appears to operate with a modern affiliate-first strategy, providing tooling, infrastructure, and operational support while affiliates handle intrusion and deployment. This model allows rapid expansion without requiring the core operators to perform every attack themselves.

SystemBC has existed since at least 2019 and has long attracted ransomware operators. Its key appeal comes from its proxy capabilities. Initially, it was identified as malware that turned infected devices into SOCKS5 proxies. This allowed attackers to route malicious traffic through compromised systems and hide the true source of their operations. Over time, SystemBC's role grew to include payload delivery, persistence, and covert communications.

Its appeal is simple. Defenders often focus on ransomware payloads and overlook the infrastructure that enables delivery and persistence. SystemBC fills that gap. It silently establishes communication channels, tunnels traffic through legitimate-looking hosts, and helps threat actors avoid exposing their own infrastructure directly.

Earlier reports on SystemBC highlighted its use by ransomware gangs. They increasingly used it to automate payload delivery and keep hidden access to victim environments. Instead of manually staging malware, attackers could use infected machines as part of a proxy highway. This supported lateral movement and further compromise. The approach reduced operational friction and improved survivability when defenders blocked known malicious IPs.

For The Gentlemen, then, integrating SystemBC means affiliates no longer rely solely on standard remote access tools or disposable infrastructure. They inherit a mature operational layer that strengthens the entire kill chain.

The 1,570-Host Botnet Discovery

Check Point researchers uncovered one of the most concerning indicators of this partnership: a SystemBC botnet of over 1,570 hosts, believed to be corporate victims. The discovery followed an investigation into a Gentlemen ransomware attack conducted by an affiliate. These were not isolated infections. The systems acted as part of a larger malicious infrastructure, supporting covert communications and attack prep.

This matters because proxy botnets create operational resilience and attribution challenges. If defenders block one node, traffic can quickly reroute through another compromised host. Security teams may struggle to distinguish malicious proxy traffic from legitimate internal network behavior—especially when infected systems are corporate assets.

Researchers and security practitioners on Reddit summarized the issue clearly. Defenders should prioritize spotting unusual internal proxy connections, especially on hosts that should not serve as proxies. Monitoring for unexpected SOCKS5 traffic can reveal SystemBC activity before ransomware deployment.
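One way to act on that advice, as an added example that is not part of the original article: the script below scans constructed connection records (source, destination, port, first client bytes) for RFC 1928 SOCKS5 client greetings regardless of destination port, and reports internal hosts that receive them while not being on an assumed allowlist of sanctioned proxies.

```python
"""Port-agnostic SOCKS5 greeting detection over connection records.
RFC 1928 client greeting: 0x05, NMETHODS, then NMETHODS method bytes."""
from dataclasses import dataclass

# Assumption: sanctioned corporate proxies that may legitimately speak SOCKS5.
APPROVED_PROXIES = {"10.0.0.5"}

# Constructed sample records: "src dst dport first-client-bytes-as-hex".
SAMPLE_LOG = """\
10.1.4.22 10.1.7.31 1080 050100
10.1.4.22 10.1.7.31 8443 0502000201
10.1.5.9 10.0.0.5 1080 050100
10.1.5.9 10.1.7.31 443 160301
10.1.6.3 10.1.9.14 5555 05
"""

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection

def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with a well-formed SOCKS5 client greeting."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return False
    # 0xFF ("no acceptable methods") only appears in server replies.
    return all(m != 0xFF for m in payload[2:2 + nmethods])

def parse_flow(line: str) -> Flow:
    src, dst, dport, hexpayload = line.split()
    return Flow(src, dst, int(dport), bytes.fromhex(hexpayload))

def find_unexpected_socks5(log: str) -> dict:
    """Map each non-approved destination to sorted (src, dport) pairs that
    sent it a SOCKS5 greeting, whatever the destination port."""
    by_dst: dict = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_socks5_greeting(flow.payload) and flow.dst not in APPROVED_PROXIES:
            by_dst.setdefault(flow.dst, []).append((flow.src, flow.dport))
    return {dst: sorted(pairs) for dst, pairs in by_dst.items()}
```

Matching on the greeting bytes rather than on port 1080 is the point: the second sample record is a SOCKS5 greeting on 8443 and is still flagged, while the TLS ClientHello on 443 is not.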

The botnet's scale suggests Gentlemen affiliates are investing in pre-ransomware positioning. Encryption is no longer the first visible sign of compromise. It is often the final stage after a much longer intrusion.

SystemBC's value is clearer when mapped to a typical ransomware intrusion. The modified attack chain works as follows:

  • Initial compromise establishes foothold access through vulnerable services, phishing, or stolen credentials.
  • SystemBC is deployed to create covert access, proxy communications, and facilitate secondary payload delivery.
  • Affiliates perform reconnaissance, privilege escalation, and lateral movement before launching encryption and extortion.

This layered approach complicates incident response. Security teams that only respond to ransomware encryption events are already late. By the time files are encrypted, the attacker may have spent days or weeks preparing the environment, stealing data, and ensuring persistence.

SystemBC also boosts affiliate efficiency. RaaS operators benefit when affiliates move faster and succeed more often. A reusable proxy infrastructure cuts failed attacks and increases revenue opportunities. This explains why more ransomware gangs keep adopting the malware, despite years of public awareness about its behavior.

Ultimately, the partnership between The Gentlemen and SystemBC reflects a broader truth about modern ransomware: specialization wins. One group develops lockers, another provides proxy infrastructure, and affiliates execute the intrusion. This modular model increases attackers' speed, resilience, and profitability.

In response, security teams should stop viewing ransomware as a single event and start treating it as a supply chain of criminal services. The encryption payload may be the headline, but the real battle often begins weeks earlier with stealthy proxy malware and hidden persistence.

The Gentlemen's adoption of SystemBC demonstrates that ransomware operations are no longer built around brute force. Instead, they are built around operational efficiency. For defenders, success depends on disrupting that efficiency before the ransom note appears.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
