Overview
- Check Point researchers say a SystemBC command-and-control server tied to one of The Gentlemen's operators had connected with more than 1,570 infected hosts, most of them inside organizations rather than on home networks.
- In the investigated attack, the intruder gained Domain Admin privileges on a domain controller, dumped credentials with Mimikatz, deployed Cobalt Strike, and used Group Policy to trigger near-simultaneous encryption across the Windows estate.
- The Gentlemen operates a ransomware-as-a-service with more than 320 claimed victims and offers cross-platform lockers, including Go-based payloads for Windows, Linux, NAS, and BSD, plus a separate ESXi encryptor written in C.
- The Windows encryptor pairs X25519 key exchange with XChaCha20, generating a fresh key for every file. Before encrypting, it kills database, backup, and virtualization processes, then deletes shadow copies and logs to block recovery.
- Researchers shared indicators of compromise and a YARA rule. They note it is unclear whether SystemBC is used across all affiliates, since some operators switched tools when blocked, which points to a modular, mature intrusion playbook.
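The two behaviours above that a defender can actually hunt for are the recovery-inhibition steps (shadow copy and log deletion, killing backup and database services) and the Group Policy-driven mass launch that makes encryption land on many hosts within seconds. The script below is an added illustration, not Check Point's tooling or the group's code: it runs simple rules over constructed Sysmon-style process-creation records and reports which hosts show the pattern and how many hosts hit within one short window. The specific command lines it matches (vssadmin, wmic shadowcopy, wevtutil, net stop) and the use of gpscript.exe as a parent-process marker for GPO-launched scripts are assumptions about how these steps are typically carried out; the article does not name the exact commands the encryptor uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a Sysmon Event ID 1 (process creation) style.
# They are illustrative only, not telemetry from the incident in the article.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T02:14:03Z", "host": "DC01", "user": "CORP\\Administrator",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-03-10T02:14:05Z", "host": "DC01", "user": "CORP\\Administrator",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "wevtutil.exe cl Security"},
    {"ts": "2025-03-10T02:14:09Z", "host": "SQL01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\gpscript.exe",   # assumed GPO script host
     "cmd": "net stop MSSQLSERVER /y"},
    {"ts": "2025-03-10T02:14:11Z", "host": "SQL01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\gpscript.exe",
     "cmd": "wmic.exe shadowcopy delete"},
    {"ts": "2025-03-10T02:14:12Z", "host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\gpscript.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-03-10T09:30:00Z", "host": "WS17", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmd": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

# Rules over the command line. Commands are assumed typical choices, not
# the article's indicators.
RULES = [
    ("shadow_delete", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("log_clear", re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I)),
    ("service_stop", re.compile(
        r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\s+.*?"
        r"(sql|veeam|backup|vmware|vss|exchange|oracle)", re.I)),
]
# Parent process used here as a marker that a GPO startup/logon script launched the command.
GPO_SCRIPT_HOST = re.compile(r"\\gpscript\.exe$", re.I)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify(event):
    """Return the set of rule categories a single event matches."""
    cats = {name for name, rx in RULES if rx.search(event["cmd"])}
    if cats and GPO_SCRIPT_HOST.search(event["parent"]):
        cats.add("gpo_launched")
    return cats


def triage(events):
    """Map each host to the sorted categories observed on it (hosts with none are dropped)."""
    by_host = defaultdict(set)
    for ev in events:
        by_host[ev["host"]] |= classify(ev)
    return {h: sorted(c) for h, c in by_host.items() if c}


def burst_hosts(events, category="shadow_delete", window_s=120):
    """Largest set of distinct hosts that hit `category` inside one window of `window_s` seconds.
    Many hosts in one short window is what policy-driven mass execution looks like."""
    hits = sorted((parse_ts(ev["ts"]), ev["host"]) for ev in events if category in classify(ev))
    best = set()
    for i, (t0, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - t0 <= timedelta(seconds=window_s)}
        if len(hosts) > len(best):
            best = hosts
    return sorted(best)


if __name__ == "__main__":
    for host, cats in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
    print("hosts deleting shadow copies within 120s:", burst_hosts(SAMPLE_EVENTS))
```

The benign `vssadmin list shadows` on WS17 is deliberately included so the rules stay on the destructive verbs; in production, feed the same functions Sysmon or EDR process events and raise the severity when `gpo_launched` appears alongside `shadow_delete` on several hosts in one window, since that combination matches the Group Policy-triggered, near-simultaneous encryption described above.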