Key Takeaways

  • The Gentlemen are scaling attacks using the SystemBC botnet identified by Check Point Research
  • The group targets enterprises with a fast, hybrid encryption method across multiple operating systems
  • Double extortion tactics and Tor-hosted leak sites increase pressure on victims

The emergence of The Gentlemen in mid-2025 initially drew limited attention outside cybersecurity circles. Now the group has pushed itself into the spotlight. Check Point Research has confirmed that the ransomware operation is using the SystemBC botnet, a network of more than 1,570 infected machines, to drive a new wave of coordinated and targeted attacks across several major regions.

The adoption of SystemBC is not a minor development. It shows a growing sophistication and a willingness to align with established criminal infrastructures. SystemBC has been around for years, but its use has largely been associated with broad, opportunistic attacks. Here, the botnet is being pointed directly at enterprise environments and critical organizations in the United States, Europe, and Australia. According to the findings referenced by Check Point Research, a major energy company in Romania is among the victims, along with multiple technology firms already dealing with the fallout.

The technical execution underscores this sophistication. The Gentlemen operate with a Ransomware-as-a-Service model, and their tooling spans several platforms. Their encryption utilities written in Go are designed for Windows, Linux, and NAS devices. They also deploy a C-based variant that targets ESXi hypervisors, which are common in large enterprise virtualization environments. That kind of multi-platform reach is no longer rare, but the level of coordination inside their attack chain still raises concerns for network defenders.

Their typical intrusion begins with obtaining Domain Admin privileges on a Domain Controller. That is the highest-value target in a Windows domain, and once obtained it opens the door to almost everything on the network. The group then uses tools such as Cobalt Strike to maintain persistence and move laterally. Some companies still underestimate how quietly a Cobalt Strike beacon can sit inside a network if detection rules are not tuned well. After securing their foothold, The Gentlemen push the ransomware out through Group Policy Objects (GPOs), which lets them deploy it to every domain-joined machine at once instead of touching hosts one by one.

The speed of the encryption process is another core part of their strategy. Rather than fully encrypting each file, the group uses a hybrid method that encrypts only a small portion of large files, roughly 1 to 9 percent of each. This cuts processing time and accelerates disruption. Partial (intermittent) encryption is becoming more common among fast-moving ransomware crews: a file whose header and first few kilobytes are encrypted is effectively unusable, while detection heuristics that look for bulk rewrites or a jump in whole-file entropy may never trigger.
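To make the detection gap concrete, the following is an added example (not code from the article or from The Gentlemen's tooling). It builds a constructed low-entropy "document", encrypts only its leading 5 percent with a toy SHA-256 counter-mode keystream (a stand-in; any real cipher output is equally random-looking for entropy purposes), and then compares two heuristics: one Shannon entropy measurement over the whole file, and one per 4 KiB window. The 4 KiB window and the 7.0 bits/byte threshold are assumptions chosen for the example.

```python
import hashlib
import math
from collections import Counter

# Assumptions for this example (not figures from the article): a 4 KiB
# analysis window and a 7.0 bits/byte threshold for "looks encrypted".
CHUNK_SIZE = 4096
ENCRYPTED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter). Stand-in only;
    it is here to produce cipher-like output, not to be a secure cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def partially_encrypt(data: bytes, key: bytes, fraction: float) -> bytes:
    """Encrypt only the leading `fraction` of the buffer and leave the rest intact.
    XOR with the keystream, so applying it twice with the same key restores the data."""
    n = max(1, int(len(data) * fraction))
    head = bytes(a ^ b for a, b in zip(data[:n], keystream(key, n)))
    return head + data[n:]


def looks_encrypted_whole_file(data: bytes) -> bool:
    """Naive heuristic: a single entropy measurement over the entire file."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def looks_encrypted_chunked(data: bytes) -> tuple[bool, list[int]]:
    """Windowed heuristic: flag if any CHUNK_SIZE window crosses the threshold.
    Returns (flagged, indices of the windows that crossed it)."""
    hot = [
        i for i in range(0, len(data), CHUNK_SIZE)
        if shannon_entropy(data[i:i + CHUNK_SIZE]) >= ENCRYPTED_THRESHOLD
    ]
    return bool(hot), [i // CHUNK_SIZE for i in hot]


# Constructed sample: a repetitive, low-entropy "document" of about 134 KB.
SAMPLE_PLAINTEXT = b"Quarterly revenue figures and customer records, internal use only.\n" * 2000
SAMPLE_KEY = b"example-key-not-secret"
# Encrypt the first 5 % only, inside the 1-9 % band the article describes.
SAMPLE_ENCRYPTED = partially_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY, 0.05)


def demo() -> dict:
    """Summarise what each heuristic sees on the partially encrypted sample."""
    flagged, windows = looks_encrypted_chunked(SAMPLE_ENCRYPTED)
    return {
        "plaintext_entropy": round(shannon_entropy(SAMPLE_PLAINTEXT), 2),
        "whole_file_entropy": round(shannon_entropy(SAMPLE_ENCRYPTED), 2),
        "whole_file_flagged": looks_encrypted_whole_file(SAMPLE_ENCRYPTED),
        "chunked_flagged": flagged,
        "hot_windows": windows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The whole-file measurement stays well under the threshold because 95 percent of the bytes are still plaintext, so a scanner keyed on "entropy of the file jumped" never fires; the windowed measurement flags the first 4 KiB immediately. The same idea applies on the wire and on disk: per-block or per-write entropy, write-offset patterns (many files touched only at offset 0), and rename or extension changes are the signals that survive intermittent encryption.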

The group also relies heavily on double extortion tactics. The Gentlemen exfiltrate sensitive data before encryption begins, threatening to leak it on Tor-hosted sites if ransom demands are ignored. The tactic itself is nothing new, although its legal and reputational impact continues to grow as more jurisdictions tighten reporting requirements. For companies that operate across multiple countries, the complications multiply rapidly. This pressure often complicates incident response, increasing the likelihood of organizations considering ransom payments despite advisory warnings.

Experts cited in the research emphasize that integrating tools like SystemBC marks a significant shift for The Gentlemen. It suggests that they are evolving from a newer entrant into a more established player in the cybercriminal marketplace. The botnet gives them immediate access to compromised infrastructure that can be weaponized at scale. That changes the threat model for many businesses, especially those that have relied on the assumption that newer groups tend to focus on smaller or less mature targets.

Beyond the payload itself, these attacks highlight the importance of monitoring core infrastructure. Many defensive teams still concentrate their attention on endpoints, but these campaigns underscore the necessity of monitoring Domain Controllers, network traffic patterns, and unexpected connections to proxy or command-and-control (C2) servers. Recommended practices, such as Layer 7 inspection or deeper authentication monitoring, require operational changes that organizations may resist at first. Yet the alternative is facing adversaries who are more coordinated than ever.

For enterprises reviewing their risk posture, the findings from Check Point Research point to a few immediate priorities. Organizations must strengthen oversight on Domain Controller activity, watch for abnormal network connections that resemble SystemBC patterns, and improve network segmentation to contain lateral movement. Most importantly, incident response plans must account for highly accelerated attacks, as fast-moving ransomware crews like The Gentlemen are aggressively shrinking the window for detection and mitigation.
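The chain described earlier (Domain Admin, then GPO-based deployment) and the Domain Controller oversight recommended here both come down to watching a small set of directory events. The following is an added example, not Check Point Research's detection logic and not code from the article: it correlates two real Windows Security event IDs from a Domain Controller, 4728 (a member was added to a security-enabled global group) and 5136 (a directory service object was modified), and raises the severity when a GPO (object class groupPolicyContainer) is edited by an account that was only just added to Domain Admins. The sample events, account names, timestamps, the 24-hour elevation window and the 08:00-17:59 change window are all constructed for the example; the object GUID in the flagged event is the well-known Default Domain Policy GPO, which applies to every domain-joined machine.

```python
from datetime import datetime, timedelta

# Assumptions for this example (not parameters the article states).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
ELEVATION_WINDOW = timedelta(hours=24)   # "recently elevated" = added to a privileged group in the last 24 h
CHANGE_WINDOW_HOURS = range(8, 18)       # approved GPO edits happen 08:00-17:59 local time

# Constructed sample of Domain Controller Security events, reduced to the fields
# the logic needs. Event IDs 4728 and 5136 are real; names and times are invented.
SAMPLE_EVENTS = [
    {"time": "2025-10-14T01:02:10", "event_id": 4728, "subject": "helpdesk-tier2",
     "group": "Domain Admins", "member": "CN=svc_backup,CN=Users,DC=corp,DC=example"},
    {"time": "2025-10-14T01:14:55", "event_id": 5136, "subject": "svc_backup",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames"},
    {"time": "2025-10-14T02:00:00", "event_id": 5136, "subject": "gpo-admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={0F5C1E3A-1111-2222-3333-444455556666},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "versionNumber"},
    {"time": "2025-10-14T09:30:00", "event_id": 5136, "subject": "gpo-admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={0F5C1E3A-1111-2222-3333-444455556666},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "versionNumber"},
    {"time": "2025-10-14T09:31:00", "event_id": 5136, "subject": "gpo-admin",
     "object_class": "user", "object_dn": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "attribute": "description"},
]


def first_cn(dn: str) -> str:
    """Return the value of the leading RDN of a distinguished name (CN=x,... -> x)."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def detect_gpo_abuse(events: list[dict]) -> list[dict]:
    """Walk events in time order, remember who was added to a privileged group,
    and grade every GPO modification by who made it and when."""
    elevated: dict[str, datetime] = {}   # account -> time it was added to a privileged group
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4728 and ev.get("group") in PRIVILEGED_GROUPS:
            elevated[first_cn(ev["member"])] = t
            continue
        if ev["event_id"] != 5136 or ev.get("object_class") != "groupPolicyContainer":
            continue
        subject = ev["subject"]
        since = t - elevated[subject] if subject in elevated else None
        if since is not None and timedelta(0) <= since <= ELEVATION_WINDOW:
            severity = "high"
            reason = (f"GPO edited {int(since.total_seconds() // 60)} min after "
                      f"{subject} was added to a privileged group")
        elif t.hour not in CHANGE_WINDOW_HOURS:
            severity = "medium"
            reason = "GPO edited outside the approved change window"
        else:
            severity = "low"
            reason = "GPO edited inside the change window by an account with no recent elevation"
        alerts.append({
            "severity": severity, "time": ev["time"], "subject": subject,
            "object_dn": ev["object_dn"], "attribute": ev["attribute"], "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['subject']} "
              f"{alert['attribute']} on {alert['object_dn']}: {alert['reason']}")
```

The low-severity alert is deliberate: every GPO write on a Domain Controller is worth a record, because a ransomware push through Group Policy is a single 5136 event that looks exactly like routine administration until it is correlated with who made it and what happened to that account shortly before. Auditing 5136 requires a SACL on the Policies container in AD, which is not on by default.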

As The Gentlemen continue to expand their operations, businesses across the United States, Europe, Australia, and other regions will likely see more aggressive campaigns. The fact that they blend established tools, multi-platform ransomware, rapid encryption, and double extortion makes them a threat that defenders cannot dismiss. The SystemBC integration simply underscores the direction they are heading, which is toward larger, more sophisticated operations designed to overwhelm unprepared networks.