A DFIR investigation details how an affiliate of the Gentlemen RaaS program gained domain control, attempted SystemBC tunneling, and deployed Go-based ransomware via Group Policy; the SystemBC infrastructure involved was linked to over 1,570 infections worldwide.

A digital forensics and incident response engagement by Check Point Research uncovered an attack chain linked to an affiliate of the Gentlemen ransomware-as-a-service program. The operation combined domain-level compromise, proxy malware deployment, and ransomware distribution via Group Policy. The affiliate attempted to install SystemBC for tunneling and pivoting before proceeding with the Gentlemen encryptor. Analysis of the associated SystemBC command-and-control infrastructure identified more than 1,570 infected systems, predominantly in corporate networks across the United States, the United Kingdom, and Germany.

The Gentlemen RaaS program first appeared on underground forums in mid-2025. Operators recruit technically proficient affiliates by offering a portfolio of cross-platform lockers written in Go for Windows, Linux, NAS devices, and BSD systems, plus a separate C-language locker for VMware ESXi environments. Verified partners receive EDR evasion utilities and access to a multi-hop proxy infrastructure. Victim data is hosted on a dedicated onion site if payment is not received. Negotiations are handled through individual affiliate Tox IDs, while an associated X account is used to list compromised organizations publicly. The program has recorded claims against slightly more than 320 victims, the majority in the first months of 2026.

SystemBC functions as a SOCKS5 proxy that establishes encrypted tunnels to its command-and-control server using a custom RC4 protocol. It supports downloading and executing additional payloads either to disk or directly into memory. In the examined case, the affiliate staged the binary as socks.exe on a compromised host and directed it toward IP address 45.86.230.112. Endpoint protection blocked the attempt. Telemetry from the same C&C server indicated a botnet focused on enterprise environments rather than consumer devices.

The attack timeline began with the adversary already holding Domain Administrator privileges on a domain controller. From this position, the operator performed credential validation and host enumeration, issuing failed and successful logon attempts across the network. Cobalt Strike payloads were copied to administrative shares (ADMIN$) using randomly named seven-character executables and launched via RPC. Reconnaissance commands included systeminfo, whoami, dir c:\users, and access to internal documentation such as a file named 公司主機紀錄.txt (roughly, "company host records") on a network share.

On one system the attacker staged socks.exe, executed it, and verified the process with tasklist | findstr /i socks before the block occurred. Shortly afterward, a separate payload spawned rundll32.exe to connect to Cobalt Strike infrastructure at 91.107.247.163 on ports 443 and 80. A scheduled task then ran a PowerShell command to download grand.exe, the Gentlemen ransomware binary, from the domain controller's internal web server and save it as c:\programdata\r.exe. The binary was launched with the arguments --password VvO8EtUh --spread [REDACTED_DOMAIN][REDACTED_USER]:[REDACTED_PASSWORD], enabling both controlled execution and lateral movement.

Defense evasion followed immediately. The attacker issued PowerShell to disable Windows Defender real-time monitoring with Set-MpPreference -DisableRealtimeMonitoring $true -Force. The same ransomware payload propagated under multiple filenames (r.exe, g.exe, o.exe) across endpoints. Environmental checks targeted security products (wmic product where Name like '%kaspe%') and forced Group Policy updates (gpupdate /force). Remote Desktop Protocol was enabled by modifying the registry key fDenyTSConnections and adjusting the firewall rule group. AnyDesk was installed with the command anydesk.exe --install, configured with password Camry@12345, and started persistently. Credential material was harvested with Mimikatz, and domain enumeration continued with queries for active sessions, domain trusts, domain controllers, and membership in the Domain Admins and Enterprise Admins groups.

The final stage used Group Policy to push the ransomware binary domain-wide. Policy refresh triggered near-simultaneous execution on joined systems, resulting in coordinated encryption. The Gentlemen binary, developed in Go, accepts a mandatory --password argument and supports optional flags for target paths, encryption modes (--system, --shares, --full), lateral spread via credentials, GPO deployment, silent operation, file wiping, and speed throttling. Development of the locker remains active, with incremental feature additions observed over time.
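A defender-side detection sketch, added here and not part of Check Point's report or this article: it runs a small set of pattern rules derived from the command lines described above (Defender disablement, the locker's --password/--spread arguments, the wmic AV check, AnyDesk installation, the fDenyTSConnections change, seven-character executables on ADMIN$) over constructed process-creation events. The rule names, the sample events and the placeholder credentials are assumptions, not telemetry from the incident.

```python
import re

# Constructed process-creation events (image path, command line), modelled on
# Sysmon Event ID 1 fields. These are illustrative, not data from the incident.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c tasklist | findstr /i socks"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true -Force"),
    ("C:\\programdata\\r.exe",
     "c:\\programdata\\r.exe --password PLACEHOLDER --spread CORP\\user:PLACEHOLDER"),
    ("C:\\Windows\\System32\\wbem\\wmic.exe", "wmic product where Name like '%kaspe%'"),
    ("C:\\Users\\x\\anydesk.exe", "anydesk.exe --install"),
    ("C:\\Windows\\System32\\reg.exe",
     "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" "
     "/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ("\\\\host\\ADMIN$\\aBc12Xy.exe", "\\\\host\\ADMIN$\\aBc12Xy.exe"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe report.txt"),  # benign
]

# Each rule: (name, compiled regex). Patterns follow the behaviours in the
# write-up; "--?" accepts both single- and double-dash flag spellings.
RULES = [
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("gentlemen_locker_args", re.compile(r"--?password\s+\S+.*--?spread\s+\S+", re.I)),
    ("av_enumeration_wmic", re.compile(r"wmic\s+product\s+where\s+Name\s+like", re.I)),
    ("anydesk_install", re.compile(r"anydesk\.exe\s+--?install", re.I)),
    ("rdp_enabled_registry", re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I)),
    ("admin_share_random_exe", re.compile(r"\\ADMIN\$\\[A-Za-z0-9]{7}\.exe", re.I)),
    ("socks_proxy_check", re.compile(r"tasklist.*findstr\s+/i\s+socks", re.I)),
    # single-letter binaries dropped in ProgramData (r.exe, g.exe, o.exe)
    ("staged_binary_programdata", re.compile(r"programdata\\[a-z]\.exe", re.I)),
]


def match_rules(image, cmdline):
    """Return the names of all rules that fire on one event."""
    text = f"{image} {cmdline}"
    return [name for name, rx in RULES if rx.search(text)]


def scan(events):
    """Map each suspicious command line to the rules it triggered."""
    hits = {}
    for image, cmdline in events:
        names = match_rules(image, cmdline)
        if names:
            hits[cmdline] = names
    return hits


if __name__ == "__main__":
    for cmdline, names in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(names)}: {cmdline}")
```

Several of these rules firing on one host within minutes of each other is the signal worth alerting on; any single one can also appear in legitimate administration.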

The incident illustrates a structured human-operated ransomware workflow: privileged access on a domain controller, layered command-and-control channels, rapid internal propagation, defense suppression, persistence via RDP and remote desktop software, and mass deployment through enterprise management tools. The failed SystemBC attempt prompted immediate fallback to alternative infrastructure, demonstrating operational resilience. Whether SystemBC forms part of the core Gentlemen toolkit or was selected independently by the affiliate remains undetermined from available evidence.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
