Check Point Research has published a detailed analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware-as-a-service operation, revealing a victim list of over 1,570 IP addresses and technical details about the group’s intrusion and deployment methodology. The analysis provides actionable detection intelligence for defenders and documents a critical tactical indicator: The Gentlemen deploys ransomware via Group Policy Objects, a distribution method that requires Domain Administrator access and indicates extended attacker dwell time within the target environment.
The Gentlemen RaaS Operation
The Gentlemen emerged as a ransomware-as-a-service operation in July 2025 and has grown rapidly, claiming more than 320 victims on its data leak site, with 240 of those attacks occurring in the first months of 2026. The operation’s rapid victim count places it among the most prolific ransomware groups currently active.
The group recruits affiliates who carry out intrusions and deploy the ransomware payload in exchange for a percentage of ransom receipts. The seized C2 server provides visibility into the affiliate-managed infrastructure layer — specifically the SystemBC proxy network that affiliates use to maintain persistence and stage attacks.
SystemBC: The Proxy Layer
SystemBC is a commodity malware that establishes SOCKS5 network tunnels within compromised environments, connecting to its C2 server via a custom RC4-encrypted protocol. It functions as a persistent beachhead — maintaining remote access that survives perimeter detection, enabling affiliates to perform extended reconnaissance, lateral movement, and pre-encryption staging without direct attacker-to-victim connectivity visible in network logs.
The seized C2 server’s victim database, which Check Point obtained and analysed, contained 1,570+ IP addresses of SystemBC beacons that had checked in to the server. Each address is a compromised host, or the egress address of a network containing one, with a SystemBC backdoor that was live at the time of seizure: the organisation behind it has been compromised and is either being staged for ransomware or extortion, or is being used as proxy infrastructure for attacks on other targets. The address count is not a count of organisations, since several infected hosts can share one egress address and one organisation can contribute many. The victim distribution spans multiple sectors and countries.
GPO Deployment: The Critical Indicator
The Gentlemen affiliates’ use of Group Policy Objects to distribute ransomware binaries is the technically significant finding for defenders. A GPO configured to execute a binary during domain policy refresh is not a technique available to an attacker who has compromised only a workstation or a non-privileged server account. It requires Active Directory rights to create and link a Group Policy Object, or to edit one already linked to the target computers. By default those rights sit with Domain Admins, so in practice it means Domain Administrator access or an equivalently privileged delegation, which should be controlled just as tightly.
When ransomware deploys via GPO, the encryption event is not the beginning of the attack. It is the end. The Domain Admin access enabling GPO creation was acquired days or weeks before the ransomware binary was deployed. During that dwell time, data exfiltration, credential harvesting, backup destruction, and persistence establishment all occurred. Defenders who treat the ransomware encryption event as the point of initial compromise have missed the actual intrusion by a substantial margin.
Detection Indicators from the Seized Infrastructure
Check Point’s analysis of the C2 server provides concrete detection opportunities:
SystemBC network indicators:
- Persistent outbound connections from internal hosts to external addresses, typically on non-standard ports, carrying RC4-encrypted SystemBC traffic. What crosses the wire is the beacon's outbound C2 session, not a plain SOCKS5 handshake, so hunt for the connection pattern rather than for the SOCKS5 protocol itself; the custom protocol is meant to blend in, but its framing is consistent enough to signature
- Long-lived outbound sessions from servers and workstations that have no legitimate need to reach external infrastructure, let alone to proxy traffic for it
- RC4-encrypted sessions whose lifetime, timing and volume match no legitimate application on the host
GPO-based deployment indicators:
- New or modified Group Policy Objects with Computer Configuration > Windows Settings > Scripts > Startup or Shutdown entries pointing to binary paths outside standard system directories
- GPO modifications outside scheduled change management windows, particularly those adding executable policies to domain-level GPOs or to GPOs linked to OUs containing many computers
- SYSVOL changes referencing UNC paths to non-domain shares or local paths containing recently created executables
Pre-encryption staging indicators:
- Shadow copy deletion via vssadmin delete shadows or wmic shadowcopy delete, the standard pre-encryption cleanup
- Backup agent service termination (common targets: Veeam, Backup Exec, Windows Backup)
- Unusual outbound data transfers from servers with access to sensitive file shares during non-business hours
Recommended Actions
- Hunt for SystemBC beacons now: Query your SIEM and network monitoring for long-lived outbound connections from internal hosts to external IPs, particularly on non-standard ports from hosts with no egress role. Cross-reference the destinations against the IOC list published by Check Point Research. Treat any confirmed SystemBC presence as a ransomware precursor requiring full IR engagement.
- Audit recent GPO changes: Review Active Directory for Group Policy Objects created or modified in the past 30 days that include startup/shutdown scripts or software installation policies pointing to executables. Investigate any changes outside your change management records.
- Validate Domain Admin account activity: Review the audit trail for Domain Admin group membership changes and administrative logon events. Unexplained Domain Admin access — especially from service accounts or during non-business hours — is a high-priority finding.
- Deploy deception assets: SystemBC-compromised environments often involve extended reconnaissance. Network deception canaries in file shares, fake admin credentials in password managers, and honeypot systems configured to alert on access can surface attacker activity during the dwell-time window before ransomware deploys.
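A hunt over connection records and GPO modification times, as an added example serving both the SystemBC network indicators listed earlier and the first two recommended actions; it is not Check Point's query or tooling. The connection records, hosts, change window and GPO names are constructed; the IOC address is a TEST-NET placeholder standing in for the published list; and the internal ranges, expected egress ports and one-hour threshold are tuning assumptions for a fictional network.

```python
from __future__ import annotations
import ipaddress
from datetime import datetime, timedelta

# Assumptions for this fictional network: RFC 1918 plus loopback and link-local are
# internal, only 80/443 are expected outbound, and a session over an hour is long-lived.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXPECTED_EGRESS_PORTS = {80, 443}
LONG_LIVED = timedelta(hours=1)
# Placeholder IOC set (a TEST-NET address): substitute the addresses from the published report.
IOC_C2_ADDRESSES = {"203.0.113.45"}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def beacon_candidates(conns: list[dict], egress_allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Connection records (src, dst, dport, duration_s, as a flow collector or firewall
    log exports them) that match the SystemBC network indicators. Verdict 'ioc_match'
    when the destination is on the IOC list; 'candidate' for a long-lived session to an
    external host on a non-standard port from a host with no approved egress role."""
    findings = []
    for c in conns:
        if not is_external(c["dst"]):
            continue
        long_lived = timedelta(seconds=c["duration_s"]) >= LONG_LIVED
        odd_port = c["dport"] not in EXPECTED_EGRESS_PORTS
        if c["dst"] in IOC_C2_ADDRESSES:
            findings.append({**c, "verdict": "ioc_match"})
        elif c["src"] not in egress_allowlist and long_lived and odd_port:
            findings.append({**c, "verdict": "candidate"})
    return findings


def gpos_outside_change_windows(gpos: list[dict], windows: list[tuple[datetime, datetime]],
                                now: datetime, lookback_days: int = 30) -> list[dict]:
    """GPOs modified within the lookback period whose modification time falls outside
    every approved change window (start, end). Feed it Name/ModificationTime pairs
    exported from Get-GPO -All."""
    cutoff = now - timedelta(days=lookback_days)
    return [g for g in gpos
            if g["modified"] >= cutoff
            and not any(start <= g["modified"] <= end for start, end in windows)]


# ---- Constructed sample data ----
CONNECTIONS = [
    {"src": "10.1.5.23", "dst": "203.0.113.45", "dport": 4044, "duration_s": 3 * 86400},
    {"src": "10.1.7.8", "dst": "198.51.100.17", "dport": 8443, "duration_s": 5 * 3600},
    {"src": "10.1.7.9", "dst": "198.51.100.20", "dport": 443, "duration_s": 20 * 3600},
    {"src": "10.1.2.2", "dst": "198.51.100.30", "dport": 3128, "duration_s": 2 * 86400},  # approved proxy
    {"src": "10.1.5.23", "dst": "10.1.1.5", "dport": 445, "duration_s": 30},
]
APPROVED_EGRESS_HOSTS = frozenset({"10.1.2.2"})

NOW = datetime(2026, 3, 10, 9, 0)
CHANGE_WINDOWS = [(datetime(2026, 3, 1, 22, 0), datetime(2026, 3, 2, 2, 0))]
GPOS = [
    {"name": "Default Domain Policy", "modified": datetime(2026, 3, 1, 23, 15)},
    {"name": "Security Baseline", "modified": datetime(2026, 1, 15, 14, 0)},
    {"name": "Update Settings", "modified": datetime(2026, 3, 8, 3, 40)},
]

if __name__ == "__main__":
    for f in beacon_candidates(CONNECTIONS, APPROVED_EGRESS_HOSTS):
        print(f"{f['verdict']:10} {f['src']} -> {f['dst']}:{f['dport']} ({f['duration_s'] // 3600}h)")
    for g in gpos_outside_change_windows(GPOS, CHANGE_WINDOWS, NOW):
        print(f"GPO outside change window: {g['name']} modified {g['modified']:%Y-%m-%d %H:%M}")
```

Export flow summaries from your firewall or collector in the src/dst/dport/duration shape and the GPO list from Get-GPO -All, then replace the placeholders. The allowlist exists so that approved proxies and gateways, which legitimately hold long-lived external sessions, do not drown the candidates; the IOC match is reported regardless of allowlisting because a known C2 address on any host is a finding.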