Researchers investigating a Gentlemen ransomware attack have uncovered a proxy malware botnet of more than 1,570 hosts operating inside the group's infrastructure, with the infection profile pointing almost entirely to corporate and organizational environments.
What happened
Researchers investigating an incident response engagement linked to a Gentlemen ransomware affiliate have discovered a SystemBC proxy malware botnet of more than 1,570 compromised hosts connected to the group's command-and-control infrastructure. According to BleepingComputer, researchers found that a Gentlemen affiliate attempted to deploy SystemBC as part of the attack chain, and subsequent analysis of the relevant command-and-control server revealed the botnet's scope. The infection profile strongly suggests a focus on corporate and organizational targets rather than opportunistic consumer targeting. The Gentlemen ransomware-as-a-service (RaaS) operation emerged around mid-2025, providing affiliates with a Go-based locker capable of encrypting Windows, Linux, NAS, and BSD systems, alongside a separate locker for ESXi hypervisors. The group has publicly claimed approximately 320 victims, with most attacks occurring in 2026.
Going deeper
Researchers could not determine the initial access vector in the observed attack, but found that the affiliate operated from a Domain Controller with Domain Admin privileges. From that position, the attacker harvested credentials, conducted reconnaissance, and deployed Cobalt Strike payloads to remote systems. Lateral movement used credential harvesting tools and remote execution. The ransomware was staged from an internal server and propagated across domain-joined systems near-simultaneously using built-in Group Policy mechanisms. Before encrypting files, the malware terminates database, backup, and virtualization processes and deletes shadow copies and logs. The ESXi variant shuts down virtual machines before encrypting their disks. The encryption scheme uses a hybrid of X25519 key exchange and XChaCha20 encryption, with a unique ephemeral key generated per file. Files under 1 MB are fully encrypted, while larger files have only a fraction of their data encrypted, at approximately 9, 3, or 1 percent, depending on size. SystemBC, active since at least 2019, functions as a SOCKS5 proxy and payload delivery mechanism. Despite a 2024 law enforcement operation targeting the botnet, it remains active.
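For incident responders triaging the partial-encryption behavior described above, the following Python script is an added example, not code from the report or from any tool it names. It scores a file in fixed windows by Shannon entropy, estimates the fraction of the file and the leading span that have been overwritten with ciphertext, and assigns a triage label. The 4 KiB window, the 7.5 bits/byte threshold and the constructed sample file are assumptions of the example, not values from the report.

```python
import math
import random

# Assumptions for this added example (not from the report): a 4 KiB scan window and a
# 7.5 bits/byte threshold, above which a window is treated as ciphertext-like.
CHUNK_SIZE = 4096
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input; 8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_file(data: bytes, chunk_size: int = CHUNK_SIZE,
              threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Score each window of the file and estimate how much of it has been overwritten.

    Returns the fraction of ciphertext-like windows, the length of the leading
    ciphertext-like run (the slice a partial-encryption locker would have touched),
    and the per-window scores for reporting.
    """
    scores = [(off, shannon_entropy(data[off:off + chunk_size]))
              for off in range(0, len(data), chunk_size)]
    high = sum(1 for _, e in scores if e >= threshold)
    fraction = high / len(scores) if scores else 0.0
    leading = 0
    for off, e in scores:
        if e >= threshold and off == leading:
            leading = off + chunk_size
        else:
            break
    return {"fraction": round(fraction, 4),
            "leading_encrypted_bytes": min(leading, len(data)),
            "windows": scores}


def classify(result: dict) -> str:
    """Map a scan result to a triage label."""
    if result["fraction"] >= 0.99:
        return "fully encrypted"
    if result["fraction"] > 0.0:
        return "partially encrypted"
    return "plaintext"


def build_sample(size: int, encrypted_fraction: float, seed: int = 1) -> bytes:
    """Constructed test input: a repetitive text export whose leading slice has been
    overwritten with pseudo-random bytes, mimicking a partially encrypted large file."""
    record = b"id=%06d|dept=cardiology|status=active|note=follow-up scheduled\n"
    plain = b"".join(record % i for i in range(size // len(record) + 1))[:size]
    n_enc = int(size * encrypted_fraction)
    return random.Random(seed).randbytes(n_enc) + plain[n_enc:]


if __name__ == "__main__":
    # A 2 MiB file with its first 9 percent encrypted, the proportion the report
    # cites for one of the large-file size bands.
    sample = build_sample(2 * 1024 * 1024, 0.09)
    result = scan_file(sample)
    print(classify(result), result["fraction"], result["leading_encrypted_bytes"])
```

High entropy also characterizes compressed formats (archives, images, Office documents), so in practice the score is compared against the file's expected type or a known-good copy rather than read on its own; for the structured, low-entropy content that database and backup files usually hold, a leading ciphertext-like run that ends near the percentages the report cites is a strong indicator of this locker's partial mode.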
What was said
Researchers stated in their April 20 report that "victim telemetry from the relevant SystemBC command-and-control server revealed a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting." Researchers assessed that the use of SystemBC alongside Cobalt Strike and the broader botnet infrastructure may indicate that The Gentlemen is "actively integrating into a broader toolchain of mature, post-exploitation frameworks and proxy infrastructure," and warned that the RaaS is growing rapidly by recruiting new affiliates through underground forums.
In the know
The Gentlemen have confirmed attacks beyond healthcare. The group compromised one of Romania's largest energy providers, the Oltenia Energy Complex, in December 2025, and earlier in April 2026, the Adaptavist Group disclosed a breach the group had listed on its leak site. Most of the SystemBC botnet victims identified by researchers are located in the United States, the United Kingdom, Germany, Australia, and Romania. Researchers noted they could not confirm whether SystemBC was being used by a single affiliate or multiple operators within the group's RaaS structure, leaving the full scope of the botnet's use within the Gentlemen ecosystem unclear.
The big picture
The discovery of a 1,570-host corporate botnet tied to a group that four weeks ago claimed a Puerto Rico community hospital as its fourth confirmed healthcare victim represents a direct escalation in operational maturity. Healthcare organizations that encountered The Gentlemen only as a claim on a dark web leak site are now looking at a RaaS operation with mature post-exploitation infrastructure, credential harvesting at the domain level, and near-simultaneous network-wide encryption capability. According to Paubox's 2026 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged 264 percent since 2018, and the average healthcare data breach costs $9.8 million, according to IBM. RaaS operations that provide affiliates with both encryption tooling and pre-built botnet infrastructure remove the technical barriers that previously limited who could conduct a sophisticated, network-wide ransomware attack.
FAQs
What is SystemBC, and why do ransomware groups use it?
SystemBC is a proxy malware that creates a SOCKS5 tunnel between an infected host and an attacker-controlled server, allowing attackers to route malicious traffic covertly and deliver additional payloads onto infected systems. Ransomware groups use it to maintain persistent, hidden access to victim networks while avoiding detection by security tools that monitor for anomalous outbound connections.
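As an added example, not code from the report or from SystemBC, the following Python parses the SOCKS5 negotiation defined in RFC 1928 and flags client streams that open with it toward a destination that is not a sanctioned corporate proxy. The flow records and the sanctioned-proxy list are constructed for the example, and the report does not describe SystemBC's own transport to its command-and-control server, so what this recognizes is a tunnel endpoint speaking standard SOCKS5, which is the protocol the FAQ answer names.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH_METHODS = {0: "no-auth", 2: "username/password"}


def parse_greeting(data: bytes):
    """Client greeting, RFC 1928 section 3: VER | NMETHODS | METHODS.
    Returns ({"methods": [...]}, bytes_consumed), or None if this is not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    methods = [AUTH_METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + n]]
    return {"methods": methods}, 2 + n


def parse_request(data: bytes):
    """Client request, RFC 1928 section 4: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 1 and len(data) >= 8:                                   # IPv4
        addr, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3 and len(data) >= 5 and len(data) >= 5 + data[4]:    # domain name
        length = data[4]
        addr, off = data[5:5 + length].decode("ascii", errors="replace"), 5 + length
    elif atyp == 4 and len(data) >= 20:                                # IPv6
        addr, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    if len(data) < off + 2:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"cmd": COMMANDS.get(cmd, f"0x{cmd:02x}"), "addr": addr, "port": port}


def triage_flows(flows, sanctioned_proxies):
    """flows: list of {src, dst, dport, client_bytes}, where client_bytes is the
    client-to-server side of the stream only (in practice taken from a packet
    capture or a network sensor's payload sample). Flags streams that begin with a
    SOCKS5 negotiation toward a destination not on the sanctioned-proxy list."""
    findings = []
    for flow in flows:
        greeting = parse_greeting(flow["client_bytes"])
        if greeting is None or (flow["dst"], flow["dport"]) in sanctioned_proxies:
            continue
        info, used = greeting
        findings.append({
            "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
            "auth": info["methods"],
            # The request that follows the greeting reveals what the tunnel reaches.
            "request": parse_request(flow["client_bytes"][used:]),
        })
    return findings


# Constructed sample flows (hypothetical addresses; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges). The second one tunnels SMB (445) to an internal host
# through an external, unsanctioned SOCKS5 endpoint.
SAMPLE_FLOWS = [
    {"src": "10.0.4.17", "dst": "10.0.9.200", "dport": 1080,
     "client_bytes": b"\x05\x01\x00" + b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"},
    {"src": "10.0.4.31", "dst": "203.0.113.45", "dport": 4001,
     "client_bytes": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 5]) + b"\x01\xbd"},
    {"src": "10.0.4.31", "dst": "198.51.100.7", "dport": 443,
     "client_bytes": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
]
SANCTIONED_PROXIES = {("10.0.9.200", 1080)}  # assumption: the corporate forward proxy

if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS, SANCTIONED_PROXIES):
        print(finding)
```

A match is a lead, not a verdict: the next step is to tie the socket to the process that opened it on the source host, since a legitimate tool and a proxy implant look identical on the wire at this layer.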
What does operating from a Domain Controller with Domain Admin privileges mean for an attack's impact?
Domain Admin access gives an attacker control over every system joined to the organization's Active Directory domain. From that position, they can push software, modify group policies, harvest credentials from any domain-joined machine, and trigger near-simultaneous encryption across the entire network, which is exactly what the observed Gentlemen affiliate did.
Why does partial file encryption of large files still cause serious damage?
Encrypting even a small percentage of a large file corrupts the file's structure, making it unreadable without the decryption key. Encrypting chunks rather than entire large files also allows the ransomware to process more files in less time, reducing the window available for detection and response before the attack is complete.
What is a RaaS operation, and how does it change the threat profile?
A ransomware-as-a-service operation provides ransomware tooling, infrastructure, and support to affiliates in exchange for a share of ransom payments. Affiliates conduct the actual attacks. The model means the number of actors capable of deploying sophisticated ransomware is no longer limited by technical skill, expanding the pool of potential attackers significantly.
How should healthcare organizations defend against domain-level ransomware attacks?
Restricting Domain Admin privileges to the minimum number of accounts required for operations, monitoring for anomalous Group Policy changes, maintaining offline and immutable backups that cannot be reached from domain-joined systems, and deploying endpoint detection tools that flag credential harvesting activity all reduce the damage a domain-level compromise can cause.
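The defenses above, and the Group Policy deployment described under "Going deeper", point at the same telemetry: directory-service change audits for Group Policy objects. The following Python is an added example, not code from the report or from Microsoft, that applies four checks to constructed Windows Security audit records of the kind Event IDs 5136, 5137 and 5141 produce: the editor is not on a change-management allowlist, the change falls outside a maintenance window, a GPO link is changed at the domain root, and one account makes a burst of GPO changes within ten minutes. The allowlist, the window, the burst threshold and the event records themselves are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this added example (not from the report): the allowlist of accounts
# that may edit policy, a maintenance window in UTC, and the burst threshold.
ALLOWED_EDITORS = {"svc-gpo-mgmt"}
MAINTENANCE_HOURS_UTC = range(1, 5)            # 01:00-04:59 UTC
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=10)
GPO_EVENT_IDS = {5136, 5137, 5141}             # DS object modified / created / deleted
LINK_ATTRIBUTES = {"gPLink", "gPOptions"}      # attributes that link GPOs to domains and OUs


def is_gpo_event(ev: dict) -> bool:
    """True for directory-service audit records that touch a GPO or a GPO link."""
    if ev["EventID"] not in GPO_EVENT_IDS:
        return False
    return (ev["ObjectClass"] == "groupPolicyContainer"
            or ev.get("AttributeLDAPDisplayName") in LINK_ATTRIBUTES)


def detect(events: list) -> list:
    """Return one finding per GPO change that breaks a rule, listing every reason."""
    findings = []
    seen_by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_gpo_event(ev):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])   # timestamps are UTC here
        user = ev["SubjectUserName"]
        reasons = []
        if user not in ALLOWED_EDITORS:
            reasons.append("editor not in change-management allowlist")
        if ts.hour not in MAINTENANCE_HOURS_UTC:
            reasons.append("outside maintenance window")
        if (ev.get("AttributeLDAPDisplayName") in LINK_ATTRIBUTES
                and ev["ObjectClass"] == "domainDNS"):
            reasons.append("GPO link changed at domain root (applies to every domain-joined host)")
        seen_by_user[user].append(ts)
        recent = [t for t in seen_by_user[user] if ts - t <= BURST_WINDOW]
        if len(recent) >= BURST_COUNT:
            reasons.append(f"{len(recent)} GPO changes by {user} within {BURST_WINDOW}")
        if reasons:
            findings.append({"time": ev["TimeCreated"], "user": user,
                             "event_id": ev["EventID"], "object": ev["ObjectDN"],
                             "reasons": reasons})
    return findings


# Constructed audit records (field names follow the event data elements of 5136/5137).
# The GPO GUID is a placeholder, not a real object from the incident.
GPO_DN = "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"
NEW_GPO_DN = "CN={PLACEHOLDER-NEW-GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2026-04-14T02:10:00", "SubjectUserName": "svc-gpo-mgmt",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "versionNumber"},                 # routine, in-window edit
    {"EventID": 5137, "TimeCreated": "2026-04-14T14:02:10", "SubjectUserName": "jdoe-da",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": NEW_GPO_DN},  # new GPO, mid-afternoon
    {"EventID": 5136, "TimeCreated": "2026-04-14T14:03:40", "SubjectUserName": "jdoe-da",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": NEW_GPO_DN,
     "AttributeLDAPDisplayName": "gPCFileSysPath"},
    {"EventID": 5136, "TimeCreated": "2026-04-14T14:05:05", "SubjectUserName": "jdoe-da",
     "ObjectClass": "domainDNS", "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPLink"},                        # linked at the domain root
    {"EventID": 5136, "TimeCreated": "2026-04-14T14:06:00", "SubjectUserName": "jdoe-da",
     "ObjectClass": "user", "ObjectDN": "CN=J Doe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},                   # not a GPO change
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["time"], finding["user"], finding["object"], finding["reasons"])
```

These events only exist if the Audit Directory Service Changes subcategory is enabled and a SACL covers the Policies container and the domain root; in practice the records come from a SIEM export rather than being built inline, and the allowlist is the set of accounts the change process actually authorizes, which is also the list that the Domain Admin minimization in the answer above should shrink.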