Gentlemen Ransomware Gang Employs SystemBC Proxy Botnet in Recent Attacks

A newly discovered botnet built on the SystemBC proxy malware comprises over 1,570 hosts, primarily corporate victims, and has been linked to attacks by an affiliate of the Gentlemen ransomware gang. The finding emerged during an investigation into a recent ransomware incident attributed to the group.
What happened
Security researchers identified a proxy malware botnet based on the SystemBC malware family comprising more than 1,570 infected hosts. This botnet is believed to consist mostly of corporate victims and was discovered during an inquiry into a ransomware attack linked to an affiliate of the Gentlemen ransomware gang. The use of SystemBC infrastructure indicates an evolution in their attack methodologies toward enhanced obfuscation and proxying capabilities. Details about the full scope of victims or the timing remain limited as the investigation continues.
The botnet's discovery builds on prior knowledge of the Gentlemen group's operations, which frequently involve ransomware deployment following initial compromise stages orchestrated by affiliates. A proxy malware botnet lets the operators anonymize their traffic, complicates attribution, and adds further layers of concealment during ransomware campaigns.
Why it matters
The integration of a sizable SystemBC proxy malware botnet into the operational toolkit of the Gentlemen ransomware group signals a significant shift in the infrastructure supporting their attacks. By leveraging a network of over 1,500 corporate victim hosts as proxies, the attackers can better evade detection, obscure their origins, and potentially increase the reach and impact of their ransomware campaigns.
This expanded capability makes it harder for defenders to trace attack vectors and contain intrusions. It underscores the importance of understanding not only endpoint ransomware execution but also the proxy infrastructure that supports threat actor activity. Such developments highlight the growing complexity of the ransomware threat landscape.
What security teams should do
Security teams should prioritize monitoring for signs of SystemBC proxy malware activity within their networks, particularly unusual proxy usage or outbound traffic patterns indicative of proxy botnets. Reviewing network logs for traffic relayed through atypical hosts may help identify infections.
In addition, teams should ensure endpoint detection and response solutions can identify and block SystemBC malware variants. Incident responders investigating ransomware should consider the potential presence of proxy malware infrastructure to fully scope compromises. Applying threat intelligence updates related to Gentlemen ransomware and associated proxy malware can improve detection and response posture.
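One way to look for the relay pattern described above in flow or firewall logs, as an added example that is not from the article or the researchers' tooling: an internal host that accepts a connection from an external address and then fans out to several external destinations within a short window is behaving like a proxy node. The flow records, the internal address ranges and the thresholds are constructed assumptions for illustration, not SystemBC indicators.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src, dst, dst_port, epoch_seconds), not taken
# from the article. Internal hosts live in 10.0.0.0/8; 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for external addresses.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.0.0.5", 443, 100),      # external peer connects IN to a workstation
    ("10.0.0.5", "198.51.100.1", 443, 110),     # workstation fans OUT to several external hosts
    ("10.0.0.5", "198.51.100.2", 443, 125),
    ("10.0.0.5", "198.51.100.3", 8080, 150),
    ("10.0.0.5", "198.51.100.50", 443, 5000),   # unrelated outbound, outside the window
    ("10.0.0.20", "198.51.100.9", 443, 130),    # ordinary client: outbound only
    ("203.0.113.8", "10.0.0.30", 443, 140),     # web server: inbound only, no fan-out
    ("203.0.113.9", "10.0.0.30", 443, 160),
]

# Assumed internal ranges; adjust to the monitored environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_relay_hosts(flows, min_peers=3, window=300):
    """Return {internal_host: sorted external destinations} for hosts that accept a
    connection from an external address and, within `window` seconds, open outbound
    connections to at least `min_peers` distinct external destinations. That
    inbound-then-fan-out shape is how a node relaying someone else's traffic looks
    in flow data; a normal client or a web server shows only one side of it."""
    inbound = defaultdict(list)    # internal host -> times an external peer connected in
    outbound = defaultdict(list)   # internal host -> [(time, external dst)]
    for src, dst, _port, ts in flows:
        if is_internal(dst) and not is_internal(src):
            inbound[dst].append(ts)
        elif is_internal(src) and not is_internal(dst):
            outbound[src].append((ts, dst))

    flagged = {}
    for host, times in inbound.items():
        for t in times:
            peers = {dst for ts, dst in outbound.get(host, []) if t <= ts <= t + window}
            if len(peers) >= min_peers:
                flagged[host] = sorted(peers)
                break
    return flagged

if __name__ == "__main__":
    for host, peers in find_relay_hosts(SAMPLE_FLOWS).items():
        print(f"possible proxy relay: {host} -> {', '.join(peers)}")
```

Tune `min_peers` and `window` against a baseline of the environment first, and exclude hosts that legitimately relay traffic (forward proxies, VPN concentrators) to keep the alert volume manageable.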
Key technical details
SystemBC is a known proxy malware family used to proxy traffic for threat actors, enabling anonymized communications and complicating analysis efforts. This newly identified botnet includes over 1,570 compromised hosts acting as proxy nodes. These hosts are believed to be corporate victims, likely infected through initial intrusion vectors employed by the Gentlemen ransomware affiliate.
The botnet supports the ransomware attack chain by relaying traffic, which conceals the source of malicious activity and makes the infrastructure more resilient to takedown efforts. The attribution to the Gentlemen ransomware affiliate came from correlating the ransomware deployment with the proxy infrastructure during the investigation.
Affected organizations/products
The botnet primarily consists of over 1,570 infected hosts, believed to be corporate victims affected by SystemBC proxy malware. The infections are linked to a ransomware attack conducted by an affiliate of the Gentlemen ransomware group. No specific organizations or sectors have been disclosed at this stage.