
DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

The Gentlemen is an emerging Ransomware-as-a-Service (RaaS) operation that provides affiliates with versatile, multi-platform lockers. Recent incident response telemetry reveals affiliates utilizing Cobalt Strike and SystemBC for post-exploitation and C2, culminating in highly automated, domain-wide ransomware deployment via Group Policy and built-in lateral movement mechanisms.

Sens: Immediate · Conf: high · Analyzed: 2026-04-21 · Type: reports

Authors: Check Point Research

Actors: The Gentlemen · SystemBC · Cobalt Strike

Source: Check Point

IOCs · 3

Key Takeaways

  • The Gentlemen is a rapidly growing RaaS with over 320 claimed victims, offering multi-OS lockers for Windows, Linux, NAS, BSD, and ESXi.
  • Affiliates leverage tools like SystemBC (proxy malware) and Cobalt Strike for covert tunneling, C2, and payload delivery.
  • The ransomware features a highly automated lateral movement capability (--spread) using PsExec, WMI, scheduled tasks, and services.
  • A powerful --gpo flag allows operators with Domain Controller access to weaponize Active Directory for simultaneous domain-wide encryption.
  • The ESXi variant actively terminates VMs, modifies storage buffer settings for faster encryption, and establishes persistence via /bin/.vmware-authd.

Affected Systems

  • Windows
  • Linux
  • NAS
  • BSD
  • VMware ESXi

Attack Chain

The attack begins with the threat actor gaining Domain Admin privileges on a Domain Controller, followed by network reconnaissance and credential validation. The attacker deploys Cobalt Strike and SystemBC for command-and-control and proxying. Lateral movement is achieved using PsExec, WMI, and scheduled tasks, while defense evasion techniques disable Windows Defender and clear event logs. Finally, the ransomware is deployed domain-wide via Group Policy (GPO) or built-in spreading mechanisms, encrypting files and dropping extortion notes.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Check Point Research

A YARA rule is provided for the Go-compiled Windows payload of The Gentlemen; it matches the MZ header together with a set of payload-specific strings.

Detection Engineering Assessment

  • EDR Visibility: High. The attack relies heavily on noisy command-line executions (vssadmin, wevtutil, schtasks, sc, powershell) and drops multiple executables to disk, all of which are highly visible to EDR.
  • Network Visibility: Medium. SystemBC and Cobalt Strike use encrypted channels (RC4 over SOCKS, HTTPS), but the internal lateral movement over SMB/RPC and the internal HTTP staging are visible.
  • Detection Difficulty: Moderate. The ransomware disables Defender, but the sheer volume of administrative commands, GPO modifications and lateral movement attempts provides numerous detection opportunities.

Required Log Sources

  • Windows Event Log (Security)
  • Sysmon (Event ID 1, 3, 11, 12, 13)
  • PowerShell Script Block Logging (Event ID 4104)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
--- | --- | --- | ---
vssadmin.exe or wmic.exe executing shadow copy deletion commands | Process execution logs (Event ID 4688 or Sysmon Event ID 1) | Impact | Low
wevtutil.exe clearing multiple event logs (System, Application, Security) in rapid succession | Process execution logs (Event ID 4688 or Sysmon Event ID 1) | Defense Evasion | Low
PowerShell commands disabling Windows Defender real-time monitoring or adding root-drive exclusions | PowerShell Script Block Logging (Event ID 4104) | Defense Evasion | Low
Creation of scheduled tasks named UpdateSystem, UpdateUser, DefU or DefS running from C:\Temp or C:\ProgramData | Scheduled task creation logs (Event ID 4698) | Persistence | Low
ESXi commands modifying advanced configuration settings (esxcfg-advcfg) or forcefully killing VM processes (esxcli vm process kill) | ESXi shell/syslog logs | Impact | Medium
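The Windows hypotheses above as executable detection logic, added here as an example; it is not part of the Check Point report or its published YARA rule. The event dictionaries are a constructed sample in a SIEM-style normalised shape (field names such as `cmd`, `script`, `task_name`, `target` and `details` are assumptions), and the regexes, thresholds and rule names are the editor's, not the report's:

```python
"""Hunting example added to this page (not from the Check Point report): replays a
constructed batch of normalised Windows events through the hypotheses above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules for the Windows hypotheses. Regexes and thresholds are the editor's
# assumptions, not detection content from the report.
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)
EVENT_LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.I)
DEFENDER_OFF = re.compile(r"Set-MpPreference\b[^\n]*-DisableRealtimeMonitoring\s+\$true", re.I)
ROOT_EXCLUSION = re.compile(
    r"Set-MpPreference\b[^\n]*-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]?(?=\s|$)", re.I)
TASK_NAMES = {"updatesystem", "updateuser", "defu", "defs"}
STAGING_DIRS = ("c:\\temp\\", "c:\\programdata\\")
# Registry values from the IOC list, each with the data that weakens the control
# (Sysmon EID 13 renders DWORD data as "DWORD (0x00000000)"); hardening writes
# such as RestrictAnonymous = 1 deliberately do not fire.
WEAK_REG_VALUES = {
    "hklm\\system\\currentcontrolset\\control\\lsa\\restrictanonymous": "DWORD (0x00000000)",
    "hklm\\system\\currentcontrolset\\control\\lsa\\everyoneincludesanonymous": "DWORD (0x00000001)",
    "hklm\\system\\currentcontrolset\\control\\terminal server\\fdenytsconnections": "DWORD (0x00000000)",
}
NULL_SESSION_SHARES = "hklm\\system\\currentcontrolset\\services\\lanmanserver\\parameters\\nullsessionshares"

# Constructed sample events (not real telemetry). Keys mimic fields a SIEM would
# normalise out of Sysmon EID 1/13, Security 4688/4698 and PowerShell 4104.
EVENTS = [
    {"ts": "2026-04-21T09:15:00", "id": "Sysmon/1", "host": "WS02", "cmd": "wevtutil cl Application"},
    {"ts": "2026-04-21T10:00:01", "id": "Sysmon/1", "host": "WS01", "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2026-04-21T10:00:02", "id": "Sysmon/1", "host": "WS01", "cmd": "wevtutil cl System"},
    {"ts": "2026-04-21T10:00:03", "id": "Sysmon/1", "host": "WS01", "cmd": "wevtutil cl Application"},
    {"ts": "2026-04-21T10:00:04", "id": "Sysmon/1", "host": "WS01", "cmd": "wevtutil cl Security"},
    {"ts": "2026-04-21T10:00:10", "id": "PowerShell/4104", "host": "WS01",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2026-04-21T10:00:11", "id": "Security/4688", "host": "WS01",
     "cmd": "powershell.exe -Command Set-MpPreference -ExclusionPath 'C:\\'"},
    {"ts": "2026-04-21T10:00:20", "id": "Security/4698", "host": "WS01",
     "task_name": "\\UpdateSystem", "task_command": "C:\\ProgramData\\r.exe"},
    {"ts": "2026-04-21T10:00:25", "id": "Sysmon/13", "host": "DC01",
     "target": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous", "details": "DWORD (0x00000000)"},
    {"ts": "2026-04-21T10:00:26", "id": "Sysmon/13", "host": "DC01",
     "target": "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"ts": "2026-04-21T11:30:00", "id": "Sysmon/13", "host": "DC01",
     "target": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous", "details": "DWORD (0x00000001)"},
]

def _finding(rule, stage, event, detail):
    return {"rule": rule, "stage": stage, "host": event["host"], "ts": event["ts"], "detail": detail}

def _defender_tamper(text):
    if DEFENDER_OFF.search(text):
        return "real-time monitoring disabled"
    if ROOT_EXCLUSION.search(text):
        return "whole drive excluded from scanning"
    return None

def hunt(events, window_seconds=60, min_logs=3):
    """Apply the rules; wevtutil clears are correlated per host so that only
    >= min_logs distinct logs cleared within window_seconds produce a finding."""
    findings, clears = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] in ("Sysmon/1", "Security/4688"):
            cmd = e.get("cmd", "")
            if SHADOW_DELETE.search(cmd):
                findings.append(_finding("shadow_copy_deletion", "Impact", e, cmd))
            m = EVENT_LOG_CLEAR.search(cmd)
            if m:
                clears[e["host"]].append((datetime.fromisoformat(e["ts"]), m.group(1).lower(), e))
            why = _defender_tamper(cmd)
            if why:
                findings.append(_finding("defender_tamper", "Defense Evasion", e, why))
        elif e["id"] == "PowerShell/4104":
            why = _defender_tamper(e.get("script", ""))
            if why:
                findings.append(_finding("defender_tamper", "Defense Evasion", e, why))
        elif e["id"] == "Security/4698":
            name = e.get("task_name", "").strip("\\").lower()
            cmd = e.get("task_command", "").lower()
            if name in TASK_NAMES and cmd.startswith(STAGING_DIRS):
                findings.append(_finding("staging_scheduled_task", "Persistence", e, f"{name} -> {cmd}"))
        elif e["id"] == "Sysmon/13":
            target, data = e.get("target", "").lower(), e.get("details", "")
            if (target == NULL_SESSION_SHARES and data.strip()) or WEAK_REG_VALUES.get(target) == data:
                findings.append(_finding("lsa_or_rdp_weakening", "Defense Evasion", e, f"{target} = {data}"))
    for host, items in clears.items():
        for t0, _, e in items:
            window = {log for t, log, _ in items if t0 <= t <= t0 + timedelta(seconds=window_seconds)}
            if len(window) >= min_logs:
                findings.append(_finding("event_log_clearing", "Defense Evasion", e, ", ".join(sorted(window))))
                break  # one finding per host per batch
    return findings
```

Running `hunt(EVENTS)` yields seven findings: the shadow copy deletion, one correlated event-log-clearing finding for WS01 (WS02 clears a single log and stays quiet), both Defender tampering commands, the UpdateSystem task staged from C:\ProgramData, and the two weakening registry writes on DC01; the later RestrictAnonymous = 1 write is a hardening change and is ignored. The wevtutil rule is the only one that needs correlation, because clearing one log is routine; the registry rule keys on the weakening data rather than on the value name for the same reason.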

Control Gaps

  • Lack of strict egress filtering allowing SystemBC/Cobalt Strike C2
  • Insufficient protection of Domain Controller GPO objects
  • Overly permissive SMB/RPC access between workstations

Key Behavioral Indicators

  • Process ancestry involving cmd.exe spawning from psexesvc.exe or wmiprvse.exe
  • Creation of ScheduledTasks.xml in SYSVOL by unexpected processes
  • Modifications to LSA registry keys allowing anonymous access

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Isolate infected hosts and block communication to the known C2 IPs (91[.]107[.]247[.]163, 45[.]86[.]230[.]112).
  • Reset all Domain Admin and compromised user credentials.
  • Review and revert any unauthorized Group Policy Objects (GPOs) created recently.
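A way to find the GPO-pushed task that the Key Behavioral Indicators and the recommendation above refer to, added here as an example and not code from Check Point or from The Gentlemen's tooling. It parses the Group Policy Preferences `ScheduledTasks.xml` layout that the IOC list locates under `Policies\{<guid>}\Machine\Preferences\ScheduledTasks\`. The sample document is constructed (the uid GUIDs, the domain `corp.example`, the timestamps and the benign task are placeholders), and `audit_sysvol` assumes the Policies directory is mounted or copied locally:

```python
"""GPO audit example added to this page (not from the Check Point report): flags
Group Policy Preferences scheduled tasks whose command runs from NETLOGON/SYSVOL
or a local staging directory, the --gpo deployment pattern described above."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_TAGS = {"ImmediateTaskV2", "TaskV2", "ImmediateTask", "Task"}  # GPP task element types
KNOWN_TASK_NAMES = {"updatesystem", "updateuser", "defu", "defs"}      # names from the hunting table
# Payload locations from the IOC list: \\<domain>\NETLOGON\, \\<domain>\SYSVOL\, C:\ProgramData\, C:\Temp\
PAYLOAD_PATH = re.compile(
    r"^(?:\\\\[^\\]+\\(?:netlogon|sysvol)\\|[a-z]:\\(?:programdata|temp)\\)", re.I)

# Constructed sample in the GPP ScheduledTasks.xml layout: one immediate task
# pushed by the attacker and one ordinary recurring task. The uid GUIDs, the
# domain corp.example and the timestamps are placeholders.
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="UpdateSystem"
                   image="0" changed="2026-04-21 09:58:12" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="C" name="UpdateSystem" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>\\corp.example\NETLOGON\r.exe</Command><Arguments>--spread</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-9D00-0B0D8D1A0A1F}" name="Inventory"
          image="0" changed="2025-11-03 08:00:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>/scan</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""


def audit_tasks_xml(xml_text, source="<inline>"):
    """Return one record per GPP task that matches the report's deployment pattern."""
    hits = []
    for task in ET.fromstring(xml_text):          # direct children only: the task entries
        if task.tag not in TASK_TAGS:
            continue
        name = task.get("name", "")
        cmd_el = task.find(".//Exec/Command")
        args_el = task.find(".//Exec/Arguments")
        props = task.find("Properties")
        command = (cmd_el.text or "").strip() if cmd_el is not None else ""
        reasons = []
        if PAYLOAD_PATH.match(command):
            reasons.append("command runs from NETLOGON/SYSVOL or a staging directory")
        if name.lower() in KNOWN_TASK_NAMES:
            reasons.append("task name matches a known persistence task")
        if not reasons:
            continue
        run_as = props.get("runAs", "") if props is not None else ""
        if task.tag.startswith("Immediate") and "system" in run_as.lower():
            reasons.append("immediate task as SYSTEM")   # fires on the next policy refresh, domain-wide
        hits.append({"source": source, "task": name, "type": task.tag, "command": command,
                     "arguments": (args_el.text or "").strip() if args_el is not None else "",
                     "run_as": run_as, "changed": task.get("changed", ""), "reasons": reasons})
    return hits


def audit_sysvol(policies_dir):
    """Audit every Machine and User ScheduledTasks.xml below <SYSVOL>\\<domain>\\Policies."""
    hits = []
    for xml_path in Path(policies_dir).glob("*/*/Preferences/ScheduledTasks/ScheduledTasks.xml"):
        hits += audit_tasks_xml(xml_path.read_text(encoding="utf-8-sig"), str(xml_path))
    return hits


if __name__ == "__main__":
    for hit in audit_tasks_xml(SAMPLE_XML):
        print(f"{hit['type']} '{hit['task']}' changed {hit['changed']}: {hit['command']} {hit['arguments']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Only the UpdateSystem entry is reported: its command sits in NETLOGON, its name is one of the known task names, and it is an immediate task running as SYSTEM, which is what makes it execute on every domain member at the next Group Policy refresh. The `changed` attribute is worth keeping in the output because it dates the GPO edit and narrows the window for the preceding Domain Controller activity.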

Infrastructure Hardening

  • Restrict SMB and RPC communication between workstations to prevent lateral movement.
  • Implement strict egress filtering to block unauthorized outbound proxy and C2 connections.
  • Harden ESXi hosts by disabling SSH if not needed and restricting access to management interfaces.

User Protection

  • Enable tamper protection on Microsoft Defender and any third-party EDR so that an elevated PowerShell session (for example Set-MpPreference -DisableRealtimeMonitoring $true) cannot switch real-time monitoring off.
  • Deploy LAPS (Local Administrator Password Solution) so that every host has a unique local administrator password, removing the shared local credential that PsExec- and WMI-based lateral movement relies on.

Security Awareness

  • Train incident response teams on identifying and responding to human-operated ransomware precursors like SystemBC and Cobalt Strike.

MITRE ATT&CK Mapping

  • T1078 - Valid Accounts
  • T1059.003 - Windows Command Shell
  • T1059.001 - PowerShell
  • T1047 - Windows Management Instrumentation
  • T1053.005 - Scheduled Task
  • T1569.002 - Service Execution
  • T1543.003 - Windows Service
  • T1037.004 - RC Scripts (rc.local)
  • T1053.003 - Cron
  • T1562.001 - Disable or Modify Tools
  • T1070.001 - Clear Windows Event Logs
  • T1070.004 - File Deletion
  • T1486 - Data Encrypted for Impact
  • T1490 - Inhibit System Recovery
  • T1021.002 - SMB/Windows Admin Shares
  • T1021.006 - Windows Remote Management
  • T1090.003 - Multi-hop Proxy
  • T1484.001 - Group Policy Modification

Additional IOCs

  • IPs:
    • 91[.]107[.]247[.]163 - Cobalt Strike C&C
    • 45[.]86[.]230[.]112 - SystemBC C&C
  • URLs:
    • hxxp://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad[.]onion/ - The Gentlemen leak site
  • File Hashes:
    • 22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 (SHA256) - The Gentlemen Windows payload
    • 2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d (SHA256) - The Gentlemen Windows payload
    • 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235 (SHA256) - The Gentlemen Windows payload
    • 48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd (SHA256) - The Gentlemen Windows payload
    • cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e (SHA256) - Embedded psexesvc.exe/psexec.exe binary
    • 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b (SHA256) - Embedded psexesvc.exe/psexec.exe binary
    • fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 (SHA256) - gentlemen.bmp desktop wallpaper
    • 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca (SHA256) - The Gentlemen Linux payload
    • 788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19 (SHA256) - The Gentlemen Linux payload
    • 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c (SHA256) - The Gentlemen Linux payload
  • Registry Keys:
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v GupdateU - Persistence mechanism for the ransomware in the user context.
    • HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v NullSessionShares - Modified to allow null session shares for lateral movement.
    • HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v EveryoneIncludesAnonymous - Modified to loosen LSA anonymous access controls.
    • HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous - Modified to loosen LSA anonymous access controls.
    • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections - Modified to enable Remote Desktop connections.
  • File Paths:
    • C:\ProgramData\r.exe - Staged ransomware payload.
    • C:\ProgramData\g.exe - Staged ransomware payload.
    • C:\ProgramData\o.exe - Staged ransomware payload.
    • C:\Temp\wipefile.tmp - Temporary file used to wipe free disk space.
    • %TEMP%\gentlemen.bmp - Ransomware desktop wallpaper.
    • /bin/.vmware-authd - ESXi persistence binary masquerading as legitimate daemon.
    • /etc/rc.local.d/local.sh - ESXi boot persistence script.
    • \\<domain>\NETLOGON\<exe> - Ransomware payload staged for GPO deployment.
    • \\<domain>\SYSVOL\<domain>\Policies\{<guid>}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml - Malicious GPO scheduled task configuration.
  • Command Lines:
    • Purpose: Disable Windows Defender real-time monitoring | Tools: powershell.exe | Stage: Defense Evasion | powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true
    • Purpose: Delete volume shadow copies to prevent recovery | Tools: vssadmin.exe | Stage: Impact | vssadmin delete shadows /all /quiet
    • Purpose: Clear Windows Event Logs to hide tracks | Tools: wevtutil.exe | Stage: Defense Evasion | wevtutil cl System
    • Purpose: Create a scheduled task for persistence | Tools: schtasks.exe | Stage: Persistence | schtasks /Create /SC ONSTART /TN UpdateSystem /TR
    • Purpose: Forcefully kill ESXi VM processes | Tools: esxcli | Stage: Impact | esxcli vm process kill --type=force --world-id=
  • Other:
    • D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F - Tox ID for Windows victims
    • D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69 - Tox ID for ESXi victims