
The Gentlemen Ransomware Surge: GPO Detonation Threat to SAMA Banks

The Gentlemen RaaS jumped from 35 to 182 victims in one quarter, targeting banks like Warka via SystemBC tunnels and GPO mass-detonation. Defense lessons for SAMA-regulated institutions.

FyntraLink Team

The Gentlemen ransomware-as-a-service operation escalated from 35 victims in Q4 2025 to 182 in Q1 2026 — a 420% surge that places it second only to LockBit-derivative groups in attack volume. With confirmed attacks against Warka Bank for Investment and Finance and a botnet exceeding 1,570 SystemBC-infected hosts, the group has clearly pivoted toward financial services. For SAMA-regulated institutions in the Kingdom, the technical playbook behind this surge demands immediate attention.

Who Are The Gentlemen and Why Saudi CISOs Should Care

The Gentlemen first surfaced on dark web leak sites in August 2025, marketing a polished affiliate program built on Go-language lockers for Windows, Linux, NAS, and BSD systems, with a separate ESXi encryptor written in C. This is not an opportunistic crew: telemetry from a captured SystemBC command-and-control server, analyzed by Check Point Research and reported by The Hacker News, revealed a victim profile heavily skewed toward corporate and regulated environments. The January 2026 listing of Warka Bank on their leak portal signaled an explicit appetite for banking targets — exactly the profile that overlaps with Saudi Arabia's commercial and Islamic banks operating under SAMA Cyber Security Framework supervision.

The Technical Playbook: SystemBC Tunnels and GPO Mass Detonation

The Gentlemen attack chain follows a methodical pattern that defeats perimeter-only defenses. Initial access typically arrives through exposed RDP, edge-device exploitation, or phishing payloads, after which operators deploy SystemBC — a SOCKS5 proxy malware that establishes RC4-encrypted tunnels to C2 infrastructure for covert communication during lateral movement. From there, affiliates harvest credentials with Mimikatz, validate access via failed-then-successful logon patterns originating from a compromised Domain Controller, and stage Cobalt Strike beacons through RPC calls.

The signature impact technique — and the reason this group is uniquely dangerous — is its built-in Group Policy deployment mode. Once Domain Admin privileges are achieved, the locker is copied to the NETLOGON share, a malicious GPO is created containing an immediate scheduled task, and a forced policy refresh detonates the ransomware near-simultaneously across every domain-joined system. Defense evasion is layered: Windows Defender is disabled, the Windows Firewall is dropped, C-drive scanning is suppressed, and persistence is reinforced through RDP and AnyDesk. By the time security operations teams correlate alerts, the encryption event is already global.
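One way to turn the chain above into a SOC detection, as an added example that is not part of the original post: correlate the three observable steps (a write into the NETLOGON share, a new Group Policy container, a scheduled-task preference file written into SYSVOL) performed by the same account inside a short window, so that any one step on its own stays quiet and only the full sequence alerts. Event IDs 5145 (share object access) and 5137 (directory service object created) are standard Windows Security audit IDs; the simplified field names and the sample records are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Field names are simplified stand-ins for the Windows 5145/5137 event
# fields; real collectors expose ShareName, RelativeTargetName, ObjectClass.
WINDOW = timedelta(minutes=10)
STAGES = {"netlogon_write", "gpo_created", "task_pref_write"}

def classify(ev):
    """Map one simplified event record to a detonation-chain stage, or None."""
    eid, access = ev["event_id"], ev.get("access", "")
    share, path = ev.get("share", "").upper(), ev.get("path", "")
    if eid == 5145 and share.endswith("\\NETLOGON") and "WriteData" in access:
        return "netlogon_write"          # locker staged on the NETLOGON share
    if eid == 5137 and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_created"             # new GPO object in the directory
    if eid == 5145 and share.endswith("\\SYSVOL") and "WriteData" in access \
            and "ScheduledTasks" in path:
        return "task_pref_write"         # scheduled-task preference pushed
    return None

def find_gpo_detonation(events):
    """Return {account: first_stage_time} for accounts whose events cover
    all three stages within WINDOW; a single stage alone never alerts."""
    by_actor = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage:
            by_actor.setdefault(ev["account"], []).append((ev["time"], stage))
    hits = {}
    for actor, seq in by_actor.items():
        for i, (t0, _) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - t0 <= WINDOW}
            if STAGES <= seen:
                hits[actor] = t0
                break
    return hits

SAMPLE_EVENTS = [  # constructed records; {PLACEHOLDER-GUID} stands in for a GPO GUID
    {"time": datetime(2026, 1, 12, 2, 14), "event_id": 5145, "account": "CORP\\svc-backup",
     "share": "\\\\*\\NETLOGON", "path": "locker.exe", "access": "WriteData"},
    {"time": datetime(2026, 1, 12, 2, 16), "event_id": 5137, "account": "CORP\\svc-backup",
     "object_class": "groupPolicyContainer"},
    {"time": datetime(2026, 1, 12, 2, 17), "event_id": 5145, "account": "CORP\\svc-backup",
     "share": "\\\\*\\SYSVOL", "access": "WriteData",
     "path": "corp\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    {"time": datetime(2026, 1, 12, 9, 0), "event_id": 5145, "account": "CORP\\gpo-admin",
     "share": "\\\\*\\SYSVOL", "access": "WriteData",   # routine GPO edit, no full chain
     "path": "corp\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
]
```

Running `find_gpo_detonation(SAMPLE_EVENTS)` flags only the service account that completed all three steps at 02:14; the routine daytime GPO edit by the GPO admin is not reported.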

Impact on Saudi Financial Institutions and Regulatory Exposure

For Saudi banks, payment service providers, and fintechs licensed by the Central Bank, a successful Gentlemen intrusion triggers four concurrent regulatory crises. SAMA Cyber Security Controls Compliance (CSCC) sub-domain 3.3.5 on Cybersecurity Resilience and 3.3.6 on Incident Management require notification of major incidents within tight windows, and a domain-wide encryption event will simultaneously breach availability obligations under sub-domain 3.3.4. NCA Essential Cybersecurity Controls 2-12 on Backup and Recovery and 2-13 on Cybersecurity Incident and Threat Management both presume that backups are isolated from the production domain — an assumption that GPO-deployed ransomware specifically destroys when backup servers are domain-joined. PDPL articles 20 and 33 attach data-breach notification duties when exfiltrated customer records are dumped on leak sites, and PCI-DSS v4.0 requirement 12.10 mandates a tested and documented incident response plan that will be evaluated by QSAs during the next assessment cycle.

Recommendations and Practical Steps

  1. Hunt for SystemBC indicators across endpoint and network telemetry using YARA rules and the published C2 IOCs from Check Point Research; SOCKS5 outbound traffic to non-corporate destinations on uncommon ports is the highest-fidelity signal.
  2. Implement tiered Active Directory administration following Microsoft's Enterprise Access Model — Tier-0 Domain Controllers must never be administered from Tier-1 servers or Tier-2 workstations, breaking the credential chain Gentlemen affiliates depend on.
  3. Audit and lock down GPO creation and modification rights to a small, named group of identities protected by phishing-resistant MFA (FIDO2 or smart-card), and enable Group Policy Object change auditing with alerts routed to the SOC.
  4. Deploy LAPS (Local Administrator Password Solution) and rotate krbtgt twice in succession to invalidate any harvested Golden Ticket material — a standard hygiene step that many Saudi banks still defer.
  5. Move critical backups to immutable, air-gapped, or object-locked storage that is not domain-joined and cannot be reached through Group Policy or domain credentials, satisfying NCA ECC 2-12 in spirit rather than only on paper.
  6. Conduct a tabletop exercise simulating a Gentlemen-style domain-wide detonation and validate that SAMA, NCA, and PDPL notification clocks, communications trees, and customer messaging are documented and rehearsed.
  7. Engage red-team or purple-team engagements that specifically test GPO abuse, NETLOGON write paths, and Domain Controller compromise scenarios — not just external perimeter testing.

Conclusion

The Gentlemen's 420% quarter-over-quarter growth is not a temporary spike — it reflects a maturing affiliate model that rewards speed, scale, and regulated-sector targeting. Saudi banks that still rely on flat Active Directory designs, domain-joined backups, and perimeter-centric monitoring are exposed to a single-day enterprise-wide encryption event that no SAMA examiner will accept as an isolated incident. The defensive shift required is structural, not tactical: tier the directory, isolate backups, harden GPO governance, and rehearse the regulatory playbook before the leak-site countdown begins.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and an Active Directory exposure review focused on GPO abuse and ransomware blast-radius containment.