Back to Intelligence

GENESIS Ransomware: US Sector Blitz — Critical Exploitation of ScreenConnect & Firewall Management Flaws

SA
Security Arsenal Team
June 3, 2026
7 min read

Threat Actor Profile — GENESIS

Operational Model: GENESIS operates as a Ransomware-as-a-Service (RaaS) affiliate model, allowing diverse access brokers to utilize their encryptor. Recent activity suggests a coordinated "big game hunting" push in the US market.

Ransom Demands: Historical data indicates demands ranging from $500,000 to $5 million, calculated based on victim revenue and the sensitivity of exfiltrated data (particularly high for Healthcare and Financial Services).

Initial Access Vectors: The current campaign demonstrates a heavy reliance on exploiting external-facing remote management and communication infrastructure rather than traditional phishing. The group is actively leveraging:

  • RMM Exploitation: Targeting ConnectWise ScreenConnect vulnerabilities.
  • Edge Device Compromise: Active exploitation of Cisco Secure Firewall Management Center (FMC).
  • Email Server Attacks: Exploiting Microsoft Exchange and SmarterMail vulnerabilities.

Tactics: GENESIS employs a double-extortion strategy, encrypting systems after exfiltrating sensitive PII and financial records. Average dwell time appears to be 3–7 days, as evidenced by the rapid posting of victims shortly after initial access CVEs were added to the CISA KEV list.

Current Campaign Analysis

Target Overview (Last 100 Postings): GENESIS has claimed 9 new victims between May 29 and June 3, 2026, indicating a high-velocity campaign.

Targeted Sectors:

  • Business Services: 33% (PB White & Co, A Roettgers, Cedar Street Capital)
  • Healthcare: 11% (Family Medical Associates of Raleigh)
  • Manufacturing: 11% (Cavalier Flooring Systems Inc.)
  • Energy: 11% (Green Resource)
  • Financial Services: 11% (Cedar Street Capital)

Geographic Concentration: 100% of the identified victims in this wave are located in the United States.

Victim Profile: The targets are mid-market entities, likely ranging from $20M to $200M in revenue. The inclusion of "Family Medical Associates" and "Cavalier Flooring" suggests GENESIS is probing smaller entities with potentially weaker patch management cycles for critical edge infrastructure (ScreenConnect/FMC).

CVE Correlation: The campaign correlates directly with recent CISA KEV additions. GENESIS affiliates are likely scanning for:

  • CVE-2024-1708 (ConnectWise): For initial access via managed service providers.
  • CVE-2026-20131 (Cisco FMC): To bypass perimeter defenses and pivot internally.
  • CVE-2025-52691 (SmarterMail): To gain access to email communications for initial access or data exfiltration.

Detection Engineering

The following detection logic targets the specific TTPs observed in this GENESIS campaign, focusing on the exploitation of management interfaces and common ransomware staging behaviors.

YAML
title: Potential Genesis Ransomware ScreenConnect Exploitation
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerabilities (CVE-2024-1708) often used by Genesis for initial access.
status: experimental
date: 2026/06/03
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/Guest/.aspx'
            - '/Handler.ashx?'
        cs-method: POST
    condition: selection
falsepositives:
    - Legitimate administrative use of ScreenConnect
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.genesis
---
title: Genesis Campaign SmarterMail File Upload Exploit
description: Detects suspicious file upload patterns indicative of CVE-2025-52691 exploitation targeting SmarterMail servers used in this campaign.
status: experimental
date: 2026/06/03
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection_uri:
        cs-uri-stem|contains:
            - '/Mailservice.asmx'
            - '/Services/MailService.asmx'
    selection_ext:
        cs-uri-query|contains:
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - cve.2025.52691
    - ransomware.genesis
---
title: Ransomware Data Staging Via Rclone
description: Detects the use of rclone, a tool frequently used by ransomware gangs including Genesis for data exfiltration prior to encryption.
status: experimental
date: 2026/06/03
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\rclone.exe'
        - OriginalFileName: 'rclone.exe'
    selection_cli:
        CommandLine|contains:
            - 'copy'
            - 'sync'
            - 'megacopy'
            - 'config create'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator backups
level: high
tags:
    - attack.exfiltration
    - attack.t1041

KQL Hunt Query (Microsoft Sentinel)

Use this query to hunt for lateral movement and staging indicators associated with the GENESIS playbook, specifically looking for unusual access to management consoles and mass file replication.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Hunt for ScreenConnect suspicious processes
| where (ProcessCommandLine contains "ScreenConnect" and ProcessCommandLine contains "setup") or
       (FileName =~ "w3wp.exe" and ProcessCommandLine contains "Mailservice.asmx") or
// Hunt for Genesis common staging tools
       (ProcessCommandLine contains "rclone" or ProcessCommandLine contains "mimikatz" or
        ProcessCommandLine contains "procdump" and ProcessCommandLine contains "-ma")
// Correlate with Network connection attempts to known C2 or non-standard ports
| join kind=inner (DeviceNetworkEvents 
    | where Timestamp > ago(TimeFrame) 
    | where RemotePort in (80, 443, 8040, 4433) 
    | distinct DeviceId, InitiatingProcessFileName, RemoteUrl) 
    on DeviceId, InitiatingProcessFileName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteUrl, RemotePort, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Rapid Response Script

Execute this script on critical servers and workstations to identify potential GENESIS persistence mechanisms and compromise indicators related to the exploited CVEs.

PowerShell
<#
    Genesis Ransomware Rapid Response Script
    Checks for persistence, Shadow Copy deletions, and ScreenConnect anomalies.
#>

Write-Host "[!] Starting Genesis Threat Hunt..." -ForegroundColor Cyan

# 1. Check for Shadow Copy Deletion Attempts
$ShadowCopyEvents = Get-WinEvent -LogName "Microsoft-Windows-System/Operational" -FilterXPath "*[System[(EventID=70)]] and *[EventData[Data[@Name='Context']]]" -ErrorAction SilentlyContinue
if ($ShadowCopyEvents) {
    Write-Host "[WARNING] Potential vssadmin.exe execution found in System Logs." -ForegroundColor Red
    $ShadowCopyEvents | Select-Object TimeCreated, Message | Format-Table -AutoSize
} else {
    Write-Host "[OK] No immediate vssadmin deletion events detected." -ForegroundColor Green
}

# 2. Hunt for Suspicious Scheduled Tasks (Last 7 Days)
$suspiciousTasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Get-ScheduledTaskInfo
if ($suspiciousTasks) {
    Write-Host "[WARNING] Scheduled tasks created/modified in the last 7 days:" -ForegroundColor Yellow
    $suspiciousTasks | Select-Object TaskName, LastRunTime, TaskPath
}

# 3. Check for ScreenConnect Service Anomalies (CVE-2024-1708)
$scService = Get-Service -Name "ScreenConnect*" -ErrorAction SilentlyContinue
if ($scService) {
    Write-Host "[INFO] ScreenConnect Service Detected. Verifying Binary Path..." -ForegroundColor Cyan
    $scPath = (Get-WmiObject -Class Win32_Service -Filter "Name like '%ScreenConnect%'").PathName
    Write-Host "Path: $scPath"
    # Check for unauthorized web shells in the web root (heuristic)
    $webRoot = "C:\Program Files (x86)\ScreenConnect\App_Web\"
    if (Test-Path $webRoot) {
        $recentFiles = Get-ChildItem -Path $webRoot -Recurse -File | Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)}
        if ($recentFiles) {
            Write-Host "[CRITICAL] Recent files detected in ScreenConnect Web Root (Potential Web Shell):" -ForegroundColor Red
            $recentFiles | Select-Object FullName, LastWriteTime
        }
    }
}

# 4. Check for SmarterMail/IIS Worker Process Spawning Cmd
$parentProcs = Get-WmiObject Win32_Process | Where-Object {$_.Name -eq "cmd.exe" -or $_.Name -eq "powershell.exe"}
foreach ($proc in $parentProcs) {
    $parent = Get-WmiObject Win32_Process | Where-Object {$_.ProcessId -eq $proc.ParentProcessId}
    if ($parent.Name -eq "w3wp.exe") {
        Write-Host "[CRITICAL] IIS Worker Process spawning Shell (Potential SmarterMail Exploit):" -ForegroundColor Red
        Write-Host "PID: $($proc.ProcessId) Command: $($proc.CommandLine)"
    }
}
Write-Host "[!] Hunt Complete." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist:

  1. Web Server Logs: Immediately query IIS and application logs for ScreenConnect (port 8040) and SmarterMail access anomalies (CVE-2025-52691).
  2. Firewall Logs: Audit management plane access to Cisco FMC appliances for unauthorized authentication attempts (CVE-2026-20131).
  3. RMM Audit: If using ConnectWise, force a password rotation for all ScreenConnect admins and review session logs for "Guest" access.

Critical Assets for Exfiltration:

  • Healthcare: Electronic Health Records (EHR), patient imaging databases (PACS).
  • Financial: ACH files, loan origination databases, investor PII.
  • Manufacturing: CAD drawings, intellectual property, ERP databases.

Containment Actions (Ordered by Urgency):

  1. Isolate Management Interfaces: Disconnect Cisco FMC and ScreenConnect servers from the internet if patch status for CVE-2026-20131 and CVE-2024-1708 is unconfirmed.
  2. Disable Guest Access: Force-disable Guest/anonymous access on all RMM tools immediately.
  3. Suspend Active Sync: Temporarily suspend external sync services (SmarterMail/Exchange) until logs are cleared of compromise indicators.

Hardening Recommendations

Immediate (24 Hours):

  • Patch External-Facing Assets: Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2025-52691 (SmarterMail), and CVE-2026-20131 (Cisco FMC).
  • MFA Enforcement: Enable FIDO2 or hardware-token MFA for all administrative access to RMM, Firewall Management, and Email gateways.
  • Block RDP from Internet: Ensure direct RDP (TCP 3389) is blocked at the perimeter.

Short-Term (2 Weeks):

  • Network Segmentation: Move management interfaces (RMM, Firewall Management) to a dedicated, isolated VLAN, accessible only via bastion hosts.
  • Zero Trust Implementation: Implement device health checks for any machine attempting to access critical management planes.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-ganggenesisgenesis-ransomwareconnectwise-screenconnectcisco-fmcus-healthcareransomware-as-a-service

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action