Back to Intelligence

GENESIS Ransomware Gang: 9 New US Victims Targeted — Critical Firewall & VPN Exploitation Detected

SA
Security Arsenal Team
July 5, 2026
5 min read

Threat Actor Profile — GENESIS

Aliases & Structure: GENESIS operates as a sophisticated Ransomware-as-a-Service (RaaS) entity, likely orchestrating affiliate operations to maximize volume across varied sectors.

Tactics & Procedures:

  • Initial Access: Heavy reliance on exploiting edge perimeter vulnerabilities. Recent campaigns pivot aggressively on enterprise firewall and VPN vulnerabilities (Check Point, Cisco) alongside remote management software (ConnectWise ScreenConnect).
  • Ransom Demands: Estimates suggest demands ranging from $500k to $5M USD, calibrated based on victim revenue and sensitivity of exfiltrated data.
  • Double Extortion: Strict adherence to double extortion. GENESIS exfiltrates sensitive data (PHI, source code, client databases) prior to encryption and utilizes a leak site to pressure victims.
  • Dwell Time: Short operational dwell time (3–7 days). The group moves quickly from initial access (via CVE exploitation) to lateral movement and encryption to minimize defender response windows.

Current Campaign Analysis

Sector Targeting: The latest dump indicates a distinct pivot towards critical services and technology providers:

  • Healthcare: 2 victims (Mirage Endoscopy Center, East Texas Family Medicine).
  • Technology: 4 victims (Bri-Tech, Inc, SBI Software, Synergy Interactive, DICON).
  • Agriculture: 1 victim (Apex Agro, LLC).
  • Business Services: 1 victim (Dunagan Associates).

Geographic Focus: 100% of the analyzed victims (9/9) are located in the United States.

Victim Profile: Targets range from mid-market businesses (revenue $10M-$50M) to larger software and agricultural entities. The inclusion of SBI Software and Apex Agro suggests GENESIS is targeting supply chain nodes to maximize downstream impact.

Observed Frequency: A "bulk-posting" event occurred on 2026-07-03, with all 9 victims published simultaneously. This often indicates automated site management or a significant operational milestone for the affiliate group.

CVE Correlation: The campaign aligns closely with the weaponization of recent CISA KEV vulnerabilities:

  • Perimeter Breach: CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall FMC) are likely primary vectors for the Technology and Business Services victims where VPN/Firewall exposure is high.
  • Remote Access: CVE-2024-1708 (ConnectWise ScreenConnect) remains a high-utility vector for managed service providers (MSPs) or IT management within the targeted firms.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Check Point IKEv1 Exploitation Attempt
description: Detects potential exploitation of CVE-2026-50751 involving improper authentication in IKEv1 key exchange on Check Point gateways. Correlates high volumes of IKE failures or specific payload patterns.
status: experimental
author: Security Arsenal Research
date: 2026/07/05
logsource:
  product: firewall
  service: checkpoint
detection:
  selection:
    product: 'VPN'
    action: 'key_exchange'
    ike_version: 'v1'
  condition: selection | count() > 50
falsepositives:
  - Legitimate misconfigured VPN clients
level: critical
---
title: ScreenConnect Path Traversal Exploitation (CVE-2024-1708)
description: Detects suspicious URL patterns associated with the ScreenConnect authentication bypass and path traversal vulnerability.
status: experimental
author: Security Arsenal Research
date: 2026/07/05
logsource:
  category: webserver
detection:
  selection_uri:
    cs-uri-query|contains:
      - '..%255c'
      - '..\'
      - 'Authorization=
  selection_status:
    sc-status: 200
  condition: all of selection*
falsepositives:
  - Unknown
level: critical
---
title: Suspicious Vssadmin Shadow Copy Deletion
description: Detects attempts to delete Volume Shadow Copies using vssadmin, a common precursor to ransomware encryption to prevent recovery.
status: experimental
author: Security Arsenal Research
date: 2026/07/05
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  condition: selection
falsepositives:
  - System administrator maintenance (rare)
level: high

KQL (Microsoft Sentinel)

Hunts for lateral movement patterns indicative of GENESIS post-exploitation, specifically focusing on SMB and WMI execution often used to spread after VPN access is gained.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where InitiatingProcessFileName in ("cmd.exe", "powershell.exe", "wmiprvse.exe")  
| where FileName in ("wmic.exe", "psexec.exe", "psexec64.exe", "wmiexec.exe")  
| where ProcessCommandLine has any(@"\\\\", "-node", "-target")  
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName  
| order by Timestamp desc

PowerShell Response Script

Rapid response script to enumerate scheduled tasks created in the last 7 days—a common persistence mechanism for GENESIS affiliates—and check for exposed RDP ports.

PowerShell
# Genesis Response Check: Recent Scheduled Tasks & RDP Status
Write-Host "[!] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow

$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
    $_.Date -gt $DateCutoff -and $_.Author -notlike '*Microsoft*'
} | Select-Object TaskName, Author, Date, State, Action

Write-Host "[!] Checking for active RDP sessions (Port 3389 listeners)..." -ForegroundColor Yellow
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue | 
    Select-Object LocalAddress, OwningProcess | 
    ForEach-Object { Get-Process -Id $_.OwningProcess | Select-Object ProcessName, Id, Path }

Write-Host "[!] Check complete. Verify any non-standard tasks immediately." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist:

  1. VPN/Firewall Logs: Immediate scrub of Check Point and Cisco FMC logs for authentication anomalies on 2026-07-01 through 2026-07-05.
  2. Web Server Logs: Scan IIS/Apache logs for the ScreenConnect path traversal signature (..%255c).
  3. Identity: Look for impossible travel logs and successful MFA bypasses on privileged accounts (admin/domain admin).

Critical Exfiltration Assets:

  • Healthcare: Electronic Health Records (EHR), Patient Billing, Insurance Data.
  • Technology: Source code repositories, Client Credentials (secrets), Intellectual Property.

Containment Actions (Urgency Order):

  1. Isolate: Disconnect management interfaces (VPN, ScreenConnect) from the internet immediately.
  2. Patch: Apply emergency patches for CVE-2026-50751 and CVE-2024-1708 if not already done.
  3. Credential Reset: Force reset of all local and domain administrator passwords, assuming credential dumping has occurred.

Hardening Recommendations

Immediate (24h):

  • Patch Management: Deploy patches for CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) immediately.
  • Access Control: Disable Internet-facing ScreenConnect/Remote Desktop instances. Enforce MFA strictly on all VPN entry points.

Short-term (2 weeks):

  • Network Segmentation: Segregate critical backup servers from the main network to prevent ransomware propagation to backup storage.
  • Zero Trust: Implement strict validation for all lateral movement requests (WMI, SMB) between endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganggenesisgenesis-ransomwarehealthcaretechnologycve-2026-50751cve-2024-1708

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.