
DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy

Check Point Research, 20/04/2026, 12:55

Summary

AI-Generated

Key Points:

  • The Gentlemen ransomware-as-a-service (RaaS) has rapidly gained traction, claiming over 320 victims, primarily in corporate environments. Affiliates use the SystemBC proxy malware for covert tunnelling and payload delivery.
  • The attack chain begins with initial access through compromised Domain Controllers, followed by credential validation, deployment of Cobalt Strike, and execution of ransomware payloads across multiple systems via Group Policy.
  • Recommended actions include enforcing strict access controls on Domain Controllers, monitoring for unusual credential usage, and deploying endpoint protection capable of detecting and blocking known ransomware behaviours.

Technical Details: The Gentlemen RaaS employs a multi-platform locker written in Go and C, with SystemBC facilitating command-and-control communications through SOCKS5 tunnels. The ransomware uses Group Policy for mass deployment and incorporates advanced evasion techniques against security tools.

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1190 - Exploit Public-Facing Application (Initial Access)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1047 - Windows Management Instrumentation (WMI) (Execution)
  • T1566 - Phishing (Initial Access)

IOCs Mentioned:

  • IPs: 45.86.230[.]112, 91.107.247[.]163
  • Malware: SystemBC, The Gentlemen Ransomware

This summary provides actionable intelligence on the ongoing threat posed by The Gentlemen RaaS and its operational tactics. Security teams should prioritize defensive measures to mitigate risks associated with this evolving threat landscape.
