Security Arsenal is tracking a significant surge in activity by the THEGENTLEMEN ransomware gang. On 2026-06-15, the group posted 15 new victims to their dark web leak site, marking a high-velocity campaign primarily targeting the Manufacturing, Energy, and Technology sectors. Analysis of the victimology and the CVEs listed in their arsenal indicates a shift toward exploiting perimeter network devices, specifically Check Point and Cisco appliances, to gain initial access.
Threat Actor Profile — THEGENTLEMEN
- Known Aliases: None confirmed (operates strictly as THEGENTLEMEN).
- Operational Model: RaaS (Ransomware-as-a-Service) with a close-knit core development team and a widespread affiliate network.
- Typical Ransom Demands: High; ranging from $2M to $10M USD, scaling with victim revenue.
- Initial Access Vectors: Historically relied on phishing and RDP brute-forcing. Recent intelligence confirms a pivot to exploiting vulnerabilities in edge networking devices (VPN/Firewalls) and remote management tools (ScreenConnect, Nx Console).
- Extortion Strategy: Double extortion is standard. They exfiltrate sensitive data (CAD drawings, client databases, employee PII) 24-48 hours prior to encryption to increase negotiation pressure.
- Average Dwell Time: 5–9 days. The group conducts thorough network reconnaissance and lateral movement before detonating the payload.
Current Campaign Analysis
Sector Targeting
The latest batch of victims reveals a distinct preference for Manufacturing (4 victims), followed closely by Technology, Agriculture, and Business Services. Notably, the attack on Maine Oxy (Energy) suggests critical infrastructure is in scope.
Geographic Concentration
While the United States remains the primary target (Buechel Stone, Maine Oxy, Cole Manufacturing), the campaign is aggressively global. Victims span Poland (Kozminski University), France (Constructions Piraino), Argentina (Fecovita), Germany (Traublinger), Singapore (Times Software), and Australia (Mackay Sugar).
Initial Access & CVE Correlation
This campaign is closely correlated with the active exploitation of CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall Management Center). We assess with high confidence that THEGENTLEMEN affiliates are scanning for unpatched edge devices as the primary entry point, bypassing traditional endpoint detection by attacking the network perimeter.
Victim Profile
The victims range from mid-market enterprises ($50M - $500M revenue) to large educational institutions and public sector bodies. The inclusion of "Centre Medical Crowley" indicates the group is not adhering to any "healthcare safe" protocols.
Detection Engineering
SIGMA Rules
```yaml
---
title: Potential Exploitation of Cisco FMC Deserialization CVE-2026-20131
id: 4a8f9b1c-6d2e-4a5c-9f1e-1b2c3d4e5f6a
status: experimental
description: Detects potential exploitation attempts against Cisco Secure Firewall Management Center deserialization vulnerability.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/15
logsource:
    category: web
    product: proxy
detection:
    selection:
        cs-method: 'POST'
        c-uri|contains:
            - '/mgmt/fmc'
            - '/api/fmc_config'
        sc-content|contains|all:
            - 'Serialized'
            - 'javax.management'
    condition: selection
falsepositives:
    - Legitimate administrative API usage
level: critical
```
```yaml
---
title: Check Point VPN IKEv1 Anomalous Authentication Failures
id: 5b9g0c2d-7e3f-5b6d-0g2f-2c3d4e5f6a7b
status: experimental
description: Detects bursts of IKEv1 authentication failures indicative of brute-force or exploitation of CVE-2026-50751.
author: Security Arsenal Research
date: 2026/06/15
logsource:
    product: checkpoint
    service: vpn
detection:
    selection:
        type: 'Log'
        sub_type: 'vpn'
        action: 'key install'
        ike_suite: 'IKEv1'
    # Named selection_failure rather than filter: it must be ANDed in, not excluded
    selection_failure:
        status: 'failure'
    timeframe: 1m
    condition: selection and selection_failure | count() > 10
falsepositives:
    - Misconfigured VPN clients
level: high
```
```yaml
---
title: Suspicious PsExec Service Installation Lateral Movement
id: 6c0h1d3e-8f4g-6c7e-1h3g-3d4e5f6a7b8c
status: experimental
description: Detects the creation of services via PsExec, a common lateral movement technique used by THEGENTLEMEN.
author: Security Arsenal Research
date: 2026/06/15
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'PSEXESVC'
    condition: selection
falsepositives:
    - Legitimate administrator usage of PsExec
level: high
```
KQL (Microsoft Sentinel)
```kql
// Hunt for lateral movement and data staging associated with THEGENTLEMEN
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Look for common archive tools used for staging (FileName is the process image name in this table)
| where FileName in~ ("winrar.exe", "7z.exe", "winzip.exe", "tar.exe")
// Filter for parent processes often abused by ransomware (powershell, cmd, wmi)
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmiprvse.exe", "mshta.exe")
// Look for archive add/update switches (a, -a, u, -u) as stand-alone tokens;
// a regex is used because `has` ignores punctuation such as the leading hyphen
| where ProcessCommandLine matches regex @"(?i)\s-?[au]\s"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```
Rapid Response Script
```powershell
# THEGENTLEMEN Ransomware Response Script
# Checks for ShadowCopy manipulation and suspicious scheduled tasks
Write-Host "[+] Checking for recent Shadow Copy deletions..."
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12343} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Write-Host "[+] Enumerating Scheduled Tasks created in the last 7 days..."
$DateCutoff = (Get-Date).AddDays(-7)
# $_.Date is a string (or empty) on ScheduledTask objects; cast it so this is a date comparison, not a string comparison
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $DateCutoff } | ForEach-Object {
    $TaskInfo = Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath   # task definition as XML text
    Write-Host "Task: $($_.TaskName) - Path: $($_.TaskPath)"
    # Check for suspicious commands in the task action (-match is case-insensitive)
    if ($TaskInfo -match "powershell" -or $TaskInfo -match "cmd.*/c" -or $TaskInfo -match "http") {
        Write-Host "[!] WARNING: Suspicious command string detected in task action." -ForegroundColor Red
    }
}

Write-Host "[+] Checking for unexpected PsExec services..."
# Get-CimInstance replaces the deprecated Get-WmiObject; same Win32_Service class and properties
Get-CimInstance Win32_Service | Where-Object { $_.Name -like "*PSEXESVC*" -and $_.State -eq "Running" } |
    Select-Object Name, State, ProcessId
```
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption):
- Perimeter Logs: Immediately review logs for Check Point Security Gateway and Cisco FMC for the 24 hours prior to alert. Look for massive IKEv1 failures or suspicious API POST requests.
- RMM Tools: Audit ConnectWise ScreenConnect logs for authentication anomalies or path traversal attempts (CVE-2024-1708).
- Active Directory: Hunt for "DCSync" permissions or unusual Service Principal Name (SPN) additions.
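As an added example (not from the original advisory), the following Python script applies the logic of the Check Point IKEv1 Sigma rule above and the perimeter-log review in this checklist to constructed sample log lines: it counts IKEv1 "key install" failures per source address in a sliding 60-second window and reports sources that exceed 10. The key=value line layout, the field names and the addresses are assumptions, not real Check Point telemetry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified key=value line layout for the constructed sample below (an assumption;
# real Check Point VPN exports differ by version and log exporter).
LINE_RE = re.compile(r'time=(?P<time>\S+) src=(?P<src>\S+) action="(?P<action>[^"]+)" '
                     r'ike_suite=(?P<suite>\S+) status=(?P<status>\S+)')

def parse_line(line):
    m = LINE_RE.search(line)          # None if the line does not match the layout
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec

def ikev1_failure_bursts(lines, threshold=10, window_s=60):
    """Sliding-window form of the Sigma rule: per source IP, count IKEv1 'key install'
    failures inside any window_s-second window; return {src: peak count} for sources
    whose count exceeds threshold."""
    events = [r for r in map(parse_line, lines)
              if r and r["action"] == "key install"
              and r["suite"] == "IKEv1" and r["status"] == "failure"]
    events.sort(key=lambda r: r["time"])
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop timestamps older than the window
        if len(q) > threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(q))
    return alerts

def constructed_sample():
    """Constructed test data (not real telemetry); RFC 5737 documentation addresses."""
    base = datetime(2026, 6, 15, 8, 0, 0)
    fmt = 'time={t} src={s} action="key install" ike_suite={k} status={st}'
    lines = []
    for i in range(12):   # 12 IKEv1 failures from one source within 33 s -> burst
        lines.append(fmt.format(t=(base + timedelta(seconds=3 * i)).isoformat(),
                                s="203.0.113.7", k="IKEv1", st="failure"))
    for i in range(12):   # 12 failures 10 s apart -> never more than 7 in any 60 s window
        lines.append(fmt.format(t=(base + timedelta(seconds=10 * i)).isoformat(),
                                s="198.51.100.9", k="IKEv1", st="failure"))
    lines.append(fmt.format(t=base.isoformat(), s="203.0.113.7", k="IKEv2", st="failure"))
    lines.append(fmt.format(t=base.isoformat(), s="203.0.113.7", k="IKEv1", st="success"))
    return lines
```

Running `ikev1_failure_bursts(constructed_sample())` reports only the bursting source; IKEv2 failures and successful key installs are ignored, as in the Sigma selection.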
Critical Assets Prioritized for Exfiltration:
- Manufacturing: CAD schematics, proprietary formulas, ERP databases.
- Energy: SCADA config files, ICS network diagrams.
- All: HR databases (SSN/Tax info) and Executive Finance folders.
Containment Actions (Order of Urgency):
- Isolate: Disconnect VPN concentrators and Firewalls from the management network if suspicious traffic is detected.
- Suspend: Suspend service accounts associated with RMM tools immediately.
- Credential Reset: Force reset of credentials for all local administrators on critical servers, especially those with RDP access.
Hardening Recommendations
Immediate (24 Hours):
- Patch: Apply the patch for CVE-2026-50751 on all Check Point Gateways immediately.
- Patch: Apply the patch for CVE-2026-20131 on Cisco Secure Firewall Management Center.
- Block: Block inbound Internet access to management interfaces (HTTPS/SSH) for all firewall and VPN appliances from the WAN; enforce VPN access to management planes only.
Short-Term (2 Weeks):
- MFA Enforcement: Implement phishing-resistant MFA (FIDO2) for all VPN and RMM access.
- Network Segmentation: Ensure ICS/SCADA and Manufacturing networks are strictly segmented from the IT corporate network.