THEGENTLEMEN Ransomware: 15 New Victims Posted — Global Healthcare & Tech Surge + KEV Exploitation

Security Arsenal Team
June 8, 2026
6 min read

Date: 2026-06-08
Actor: THEGENTLEMEN
Activity: Publication of 15 new victims on dark web leak site.

Security Arsenal analysts have observed a significant spike in activity by the ransomware group THEGENTLEMEN. Over the last 24 hours, the group has added 15 new victims to their .onion portal, marking a high-water mark for their recent operations. The campaign exhibits a distinct shift toward the Healthcare and Technology sectors, leveraging known CISA KEV (Known Exploited Vulnerabilities) for initial access.

Threat Actor Profile — THEGENTLEMEN

  • Aliases: The Gentlemen Club, TGN
  • Operational Model: Ransomware-as-a-Service (RaaS) with an aggressive affiliate network. While previously a closed group, recent indicators suggest a shift toward a more franchise-like model to scale victim counts.
  • Ransom Demands: Historically ranging from $500,000 to $5 million USD. Recent Healthcare victims suggest demands are being adjusted based on insurance coverage and PHI sensitivity.
  • Initial Access Vectors: Primary reliance on external remote services (RDP, VPN) and exploitation of internet-facing applications (ConnectWise ScreenConnect, Microsoft Exchange, SmarterMail).
  • Double Extortion: Strict adherence to the model. The gang exfiltrates sensitive data (PII, IP, financials) prior to encryption and utilizes a dedicated leak site (DLS) to pressure non-paying victims.
  • Dwell Time: Estimated 3–7 days. The gang moves quickly from initial foothold to lateral movement, reducing the window for detection.

Current Campaign Analysis

Sector & Geographic Targeting

  • Targeted Sectors:
    • Healthcare (27%): WCM Remedium (PL), The Clinic (GB), Central Arkansas Pediatrics (US).
    • Technology (13%): Yao Yuan Technology (TW), IP Rings (IE).
    • Manufacturing & Logistics: Jyharn Electronic (TW), Integrated Distribution (GB).
  • Geographic Spread: Highly globalized. Concentration in APAC (JP, HK, TW), Europe (PL, GB, RU, ES, IE), and the Americas (US, AR). This broad footprint suggests automated vulnerability scanning rather than manual, geographically limited targeting.

Victim Profile

The victims range from mid-market entities (e.g., The Clinic, local pediatrics) to large-scale logistics and staffing firms (e.g., FESCO Adecco). Revenue estimates suggest a target range of $10M - $500M USD, implying THEGENTLEMEN affiliates are capable of breaching both legacy networks and enterprise environments.

CVEs and Attack Vectors

Analysis of the victim types correlates strongly with the active exploitation of the following CISA KEVs:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Critical for MSPs and IT-managed environments, explaining the infiltration of Technology and Business Services sectors.
  • CVE-2023-21529 (Microsoft Exchange): Likely used for the Healthcare and Education targets (Institucion Cervantes) where on-prem Exchange servers remain prevalent.
  • CVE-2025-52691 (SmarterTools SmarterMail): A specific vector for email exfiltration and access in environments not fully migrated to M365.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 involving path traversal and authentication bypass in ConnectWise ScreenConnect.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/08
modified: 2026/06/08
tags:
  - attack.initial_access
  - cve.2024.1708
  - ransomware.thegentlemen
status: experimental
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'Authorization'
    c-uri|contains:
      - '/App_Extensions/'
      - '/LiveChat/'
  condition: selection
falsepositives:
  - Legitimate administrative misconfiguration (rare)
level: critical
---
title: Suspicious PowerShell Deserialization Activity (Exchange)
description: Detects deserialization untrusted data patterns associated with CVE-2023-21529 exploitation on Microsoft Exchange servers.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/08
tags:
  - attack.initial_access
  - cve.2023.21529
  - attack.t1059.001
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    # The IIS worker process hosting Exchange is the parent; the child is PowerShell.
    # Backslashes are quoted so YAML keeps a single '\' for the path match.
    ParentProcessName|endswith: '\w3wp.exe'
    NewProcessName|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Microsoft.Exchange.Management'
      - 'System.Web.UI.ObjectStateFormatter'
  condition: selection
falsepositives:
  - Legitimate Exchange Management Shell usage
level: high
---
title: SmarterTools SmarterMail Arbitrary File Upload
description: Identifies suspicious file upload patterns to SmarterMail endpoints indicative of CVE-2025-52691 exploitation.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/06/08
tags:
  - attack.initial_access
  - cve.2025.52691
  - attack.webshell
status: experimental
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains: "/Services/MailBox.asmx"
    cs-method: POST
    cs-uri-query|contains: 'Upload'
  filter:
    cs-user-agent|contains:
      - 'SmarterMail'
      - 'Mozilla'
  condition: selection and not filter
falsepositives:
  - Legitimate client file uploads
level: high
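To check what the two webserver rules above actually fire on, the following added example (not code from the original post or from Security Arsenal) re-implements the small subset of Sigma semantics they need: fields in a map are ANDed, list values are ORed, string matching is case-insensitive, and `selection and not filter` excludes the filter block. IIS W3C column names are mapped onto the Sigma field names used in the rules (`cs-uri-stem` to `c-uri`, `cs(User-Agent)` to `cs-user-agent`); the log lines are constructed, as is that column mapping.

```python
"""Apply the webserver Sigma rules above to IIS W3C log lines offline.

Added example, not part of the original post. Implements only the Sigma
features the two rules use: ANDed map fields, ORed list values,
case-insensitive 'contains', and 'selection and not filter'.
"""

# Constructed IIS W3C log: user agents use '+' for spaces, '-' means empty.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2026-06-07 22:14:03 203.0.113.10 GET /SetupWizard.aspx/ - 200 Mozilla/5.0+(Windows+NT+10.0)
2026-06-07 22:14:09 203.0.113.10 POST /App_Extensions/ path=../test 200 python-requests/2.31
2026-06-07 22:15:40 198.51.100.7 POST /Services/MailBox.asmx action=Upload 200 curl/8.4.0
2026-06-07 22:16:02 192.0.2.55 POST /Services/MailBox.asmx action=Upload 200 Mozilla/5.0+(Windows+NT+10.0)
2026-06-07 22:17:11 192.0.2.56 GET /LiveChat/index.html - 200 Mozilla/5.0+(Windows+NT+10.0)
"""

# Assumed mapping: IIS W3C column -> Sigma webserver field name used in the rules.
FIELD_MAP = {
    "cs-uri-stem": "c-uri",
    "cs-uri-query": "cs-uri-query",
    "cs-method": "cs-method",
    "cs(User-Agent)": "cs-user-agent",
    "c-ip": "c-ip",
}

# The two webserver rules from the post, transcribed into Python dicts.
SCREENCONNECT_RULE = {
    "title": "Potential ConnectWise ScreenConnect Authentication Bypass",
    "selection": {
        "cs-uri-query|contains": ["..", "Authorization"],
        "c-uri|contains": ["/App_Extensions/", "/LiveChat/"],
    },
    "condition": "selection",
}
SMARTERMAIL_RULE = {
    "title": "SmarterTools SmarterMail Arbitrary File Upload",
    "selection": {
        "c-uri|contains": ["/Services/MailBox.asmx"],
        "cs-method": ["POST"],
        "cs-uri-query|contains": ["Upload"],
    },
    "filter": {"cs-user-agent|contains": ["SmarterMail", "Mozilla"]},
    "condition": "selection and not filter",
}


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by Sigma field names."""
    columns, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            raw = dict(zip(columns, line.split()))
            events.append({FIELD_MAP.get(k, k): ("" if v == "-" else v) for k, v in raw.items()})
    return events


def field_matches(event, key, values):
    """Evaluate one 'field|modifier: values' entry; list values are ORed."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "").lower()
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    if modifier == "":
        return actual in [v.lower() for v in values]
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event, block):
    """Every field in a selection/filter map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event, rule):
    hit = block_matches(event, rule["selection"])
    if rule["condition"] == "selection and not filter":
        return hit and not block_matches(event, rule["filter"])
    return hit


def run_rules(log_text, rules=(SCREENCONNECT_RULE, SMARTERMAIL_RULE)):
    """Return one alert dict per (event, rule) pair that fires, in log order."""
    alerts = []
    for event in parse_w3c(log_text):
        for rule in rules:
            if rule_matches(event, rule):
                alerts.append({"rule": rule["title"], "c-ip": event["c-ip"], "c-uri": event["c-uri"]})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Running it produces two alerts: the `/App_Extensions/` request whose query string contains `..`, and the `MailBox.asmx` upload from a non-browser client. The second SmarterMail upload, sent with a `Mozilla` user agent, is removed by the filter block, which is exactly the false-positive trade-off the rule's `falsepositives` entry describes; the `/LiveChat/` request does not fire because its query string is empty.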

KQL (Microsoft Sentinel)

Hunts for lateral movement and data staging associated with the THEGENTLEMEN playbook (use of PsExec and Rclone).

KQL — Microsoft Sentinel / Defender
// in~ is the case-insensitive form of in: FileName keeps the on-disk casing (e.g. PsExec.exe)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "pwsh.exe")
| where FileName in~ ("psexec.exe", "psexec64.exe", "rclone.exe", "winscp.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessAccountName
// normalise casing so PsExec.exe and psexec.exe land in the same bucket
| summarize count() by FileName = tolower(FileName), DeviceName
| order by count_ desc
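The same hunt as an added Python example (not the post's own code), run over constructed records shaped like the `DeviceProcessEvents` columns the query uses. It reproduces each stage of the pipeline: the 7-day window, the parent-must-be-a-shell filter, the tool-name filter, and `summarize count() by FileName, DeviceName` ordered descending. Filenames are compared case-insensitively, as KQL `in~` does, because `FileName` keeps the on-disk casing (e.g. `PsExec.exe`); the timestamps, hostnames and command lines are constructed.

```python
"""Run the PsExec/Rclone hunt above against constructed process events.

Added example, not part of the original post. Mirrors the KQL pipeline:
time window, parent restricted to a shell, child restricted to the tool
list, then summarize count() by FileName and DeviceName, ordered desc.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

SHELLS = {"powershell.exe", "cmd.exe", "pwsh.exe"}
TOOLS = {"psexec.exe", "psexec64.exe", "rclone.exe", "winscp.exe"}

# Constructed reference time standing in for now() in the query.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)


def event(age, device, account, file_name, parent, cmdline):
    """Build one DeviceProcessEvents-shaped record (only the columns the query uses)."""
    return {
        "Timestamp": NOW - age,
        "DeviceName": device,
        "AccountName": account,
        "FileName": file_name,
        "ProcessCommandLine": cmdline,
        "InitiatingProcessFileName": parent,
        "InitiatingProcessAccountName": account,
    }


# Constructed events; comments say why each one does or does not match.
EVENTS = [
    event(timedelta(hours=3), "EXCH01", "svc_backup", "rclone.exe", "cmd.exe",
          "rclone.exe copy D:\\Staging remote:archive"),
    event(timedelta(hours=2), "EXCH01", "svc_backup", "rclone.exe", "cmd.exe",
          "rclone.exe copy D:\\Staging remote:archive --transfers 8"),
    # Mixed-case filename: a case-sensitive comparison would miss this one.
    event(timedelta(hours=1), "FS02", "admin", "PsExec.exe", "powershell.exe",
          "PsExec.exe cmd.exe"),
    # Outside the 7-day window.
    event(timedelta(days=10), "FS02", "admin", "rclone.exe", "cmd.exe",
          "rclone.exe sync D:\\Old remote:archive"),
    # GUI launch: the parent is explorer.exe, not a shell.
    event(timedelta(minutes=30), "WS17", "jdoe", "winscp.exe", "explorer.exe", "winscp.exe"),
    # Shell parent, but not one of the tools of interest.
    event(timedelta(minutes=10), "WS17", "jdoe", "notepad.exe", "cmd.exe", "notepad.exe"),
]

PROJECTED = ("Timestamp", "DeviceName", "AccountName", "FileName",
             "ProcessCommandLine", "InitiatingProcessAccountName")


def hunt(events, now=NOW, window=timedelta(days=7)):
    """Return (summary, rows).

    summary mirrors 'summarize count() by FileName, DeviceName | order by count_ desc';
    rows are the projected matching events, which an analyst would review for triage.
    """
    rows = []
    for e in events:
        if e["Timestamp"] <= now - window:
            continue
        if e["InitiatingProcessFileName"].lower() not in SHELLS:
            continue
        if e["FileName"].lower() not in TOOLS:
            continue
        rows.append({k: e[k] for k in PROJECTED})
    counts = Counter((r["FileName"].lower(), r["DeviceName"]) for r in rows)
    summary = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return summary, rows


if __name__ == "__main__":
    summary, rows = hunt(EVENTS)
    for (file_name, device), n in summary:
        print(f"{file_name:<12} {device:<8} {n}")
    for r in rows:
        print(r["Timestamp"].isoformat(), r["DeviceName"], r["ProcessCommandLine"])
```

Of the six constructed events, three survive the filters (two `rclone.exe` launches on EXCH01 and the `PsExec.exe` launch on FS02); the stale event, the explorer-launched WinSCP and the notepad launch are dropped, so the summary ranks EXCH01 first with a count of 2.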

PowerShell Rapid Response

Script to identify scheduled tasks created for persistence, a common TTP for this gang.

PowerShell
<#
.SYNOPSIS
    Hunts for scheduled tasks created/modified in the last 7 days.
.DESCRIPTION
    THEGENTLEMEN often utilizes scheduled tasks for persistence. This script enumerates tasks registered in the last week.
#>

$cutoff = (Get-Date).AddDays(-7)

Get-ScheduledTask |
ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    # Date is the registration timestamp stored as a string and may be empty; cast it
    # before comparing, otherwise -gt against a string would do a string comparison.
    $registered = if ($task.Date) { [datetime]$task.Date } else { $null }
    if ($info.LastRunTime -gt $cutoff -or ($registered -and $registered -gt $cutoff)) {
        [PSCustomObject]@{
            TaskName    = $task.TaskName
            TaskPath    = $task.TaskPath
            Registered  = $registered
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
            Author      = $task.Author
            Actions     = ($task.Actions.Execute) -join ', '
        }
    }
} | Format-Table -AutoSize

Incident Response Priorities

T-minus Detection Checklist

  1. Web Shell Scan: Immediate scan for web shells on IIS and Exchange servers (check App_Data, bin, and temporary upload directories).
  2. MSP Logs: If using ConnectWise ScreenConnect, audit logs for successful logins from unfamiliar IP addresses or unusual authentication bypass attempts on 2026-06-07 to 2026-06-08.
  3. Exchange Auditing: Search for New-MailboxExportRequest cmdlets, which are often used by THEGENTLEMEN to stage PST files for exfiltration.

Critical Asset Prioritization

  • Electronic Health Records (EHR): Highest priority for exfiltration.
  • R&D Databases: High priority for Technology and Manufacturing victims.
  • Email Archives: Targeted via SmarterMail/Exchange for business email compromise (BEC) follow-ups.

Containment Actions

  1. Isolate: Disconnect Internet-facing Exchange and ConnectWise servers from the network immediately.
  2. Reset: Revoke and reset credentials for service accounts associated with the vulnerable applications.
  3. Block: Block outbound traffic to known file transfer infrastructure (port 21, 443 non-standard) from critical servers.

Hardening Recommendations

Immediate (24 Hours)

  • Patch: Apply patches for CVE-2024-1708 (ConnectWise), CVE-2023-21529 (Exchange), and CVE-2025-52691 (SmarterMail) immediately.
  • Disable: Disable external RDP and VPN access where possible; enforce MFA strictly if access is required.
  • Accounts: Ensure all admin accounts on edge devices have unique, complex credentials.

Short-term (2 Weeks)

  • Network Segmentation: Segment critical Healthcare/EHR data and IP repositories from general user networks to limit lateral movement.
  • EDR Deployment: Ensure EDR coverage is 100% on Exchange servers and management consoles (ScreenConnect).
  • Conditional Access: Implement strict conditional access policies to limit management interface access to trusted IP ranges.
