Back to Intelligence

THEGENTLEMEN Ransomware: 15 New Victims Posted — Global Manufacturing Sector Targeted via VPN & ScreenConnect Exploits

SA
Security Arsenal Team
June 17, 2026
6 min read

On 2026-06-15, THEGENTLEMEN ransomware gang posted 15 new victims to their dark web leak site, marking a significant escalation in activity. This briefing analyzes the cluster of victims, linking the attacks to the active exploitation of critical perimeter vulnerabilities, specifically CVE-2026-50751 (Check Point Security Gateway) and CVE-2024-1708 (ConnectWise ScreenConnect). The campaign shows a distinct preference for the Manufacturing sector (26% of recent victims) and North American/European targets.

Threat Actor Profile — THEGENTLEMEN

  • Aliases: No significant rebrands observed; operates strictly as "THEGENTLEMEN".
  • Operating Model: Ransomware-as-a-Service (RaaS). The diverse geographic spread (US to AU) and sector variance suggest a decentralized affiliate model utilizing a common encryptor and leak site infrastructure.
  • Ransom Demands: Estimated $500,000 – $3,000,000 USD based on victim profiles (mix of mid-market manufacturing and public sector entities).
  • Initial Access Vectors: Heavy reliance on external remote services. Recent intelligence confirms the use of exploits for VPN appliances (Check Point, Cisco) and remote monitoring tools (ConnectWise ScreenConnect).
  • Double Extortion: Yes. The group maintains a dedicated "Tor" leak site where they publish victim data if negotiations fail.
  • Dwell Time: Estimated 3–7 days. The rapid posting of 15 victims on a single day suggests synchronized detonation or a "deadline dump" following initial access earlier in the week.

Current Campaign Analysis

Sector Targeting

The latest postings indicate a pivot toward critical industrial and supply chain targets:

  • Manufacturing (4 victims): Buechel Stone (US), Cole Manufacturing (US), Traublinger (DE), Buratti (IT).
  • Energy (1 victim): Maine Oxy (US).
  • Agriculture & Food (2 victims): Fecovita (AR), Mackay Sugar (AU).
  • Technology (2 victims): Times Software (SG), SigmaControl (NL).

Geographic Concentration

  • Americas: US (4), AR (1), CA (1).
  • Europe: DE (2), PL (1), FR (1), IT (1), DK (1), NL (1).
  • Asia-Pacific: SG (1), AU (1).

TTP Correlation

The victimology correlates strongly with the recent addition of CVE-2026-50751 to the CISA KEV list. Manufacturing and Energy sectors frequently utilize VPN concentrators like Check Point for remote OT/IoT connectivity, making them prime targets for this specific exploit. Additionally, the presence of Technology and Business Services victims suggests parallel exploitation of CVE-2024-1708 (ScreenConnect) via managed service providers (MSPs).

Detection Engineering

SIGMA Rules

YAML
---
title: Potential THEGENTLEMEN Initial Access via ScreenConnect Auth Bypass
description: Detects potential exploitation of CVE-2024-1708 involving ScreenConnect path traversal leading to remote code execution. Monitoring for suspicious child processes spawned by the ScreenConnect service.
status: experimental
date: 2026/06/17
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\\ScreenConnect.WindowsClient.exe'
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\pwsh.exe'
            - '\\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use by IT staff
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware
---
title: THEGENTLEMEN Check Point VPN IKEv1 Anomaly
description: Detects indicators of CVE-2026-50751 exploitation involving improper authentication in IKEv1 key exchange on Check Point Security Gateways.
status: experimental
date: 2026/06/17
author: Security Arsenal
logsource:
    product: firewall
    service: checkpoint
detection:
    selection:
       |contains:
            - 'IKEv1'
            - 'vpn_trunk'
    filter_valid:
        src_ip_network:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
            - '172.16.0.0/12'
    condition: selection | not filter_valid
falsepositives:
    - Legacy VPN configurations
level: critical
tags:
    - attack.initial_access
    - cve.2026.50751
    - thegentlemen
---
title: THEGENTLEMEN Lateral Movement via PsExec
id: 4b0c4c6e-8c5e-4f3d-9c1f-2d4e5f6a7b8c
description: Detects the use of PsExec for lateral movement, a common technique observed in THEGENTLEMEN engagements prior to encryption.
status: experimental
date: 2026/06/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\psexec.exe'
        CommandLine|contains:
            - '-accepteula'
            - '\\'
    condition: selection
falsepositives:
    - System administration
level: high
tags:
    - attack.lateral_movement
    - attack.execution
    - thegentlemen

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious process chains associated with ScreenConnect exploitation (CVE-2024-1708)
// and lateral movement tools common to THEGENTLEMEN
let SuspiciousTools = dynamic(['powershell.exe', 'cmd.exe', 'whoami.exe', 'nltest.exe', 'net.exe', 'taskkill.exe', 'rundll32.exe']);
let ScreenConnectParents = dynamic(['ScreenConnect.WindowsClient.exe', 'ScreenConnect.ClientService.exe', 'ConnectWise.Control.Client.exe']);
DeviceProcessEvents  
| where InitiatingProcessFileName in~ ScreenConnectParents 
| where FileName in~ SuspiciousTools
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Rapid Response Script for THEGENTLEMEN Indicators.
.DESCRIPTION
    Checks for signs of CVE-2024-1708 exploitation, recent scheduled tasks,
    and abnormal service configurations associated with THEGENTLEMEN activity.
#>

Write-Host \"[*] Checking for recent suspicious Scheduled Tasks (Last 7 Days)...\" -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {
    $_.Date -gt $DateCutoff -and 
    ($_.TaskName -like '*update*' -or $_.TaskName -like '*patch*' -or $_.TaskName -match '^[a-f0-9]{8,}')
} | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize

Write-Host \"[*] Enumerating Services with Unusual Binary Paths (Potential Hijacking)...\" -ForegroundColor Cyan
Get-WmiObject Win32_Service | Where-Object {
    $_.PathName -match 'C:\\Users\\Public\' -or 
    $_.PathName -match 'C:\\Windows\\Temp\' -or
    $_.PathName -match '\.dll$' -and $_.StartMode -eq 'Auto'
} | Select-Object Name, DisplayName, PathName, StartMode | Format-Table -AutoSize

Write-Host \"[*] Checking for ScreenConnect Client Process Anomalies...\" -ForegroundColor Cyan
$Procs = Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'cmd.exe' -or $_.Name -eq 'powershell.exe' }
foreach ($Proc in $Procs) {
    $Parent = Get-WmiObject Win32_Process | Where-Object { $_.ProcessId -eq $Proc.ParentProcessId }
    if ($Parent.Name -match 'ScreenConnect') {
        Write-Host \"[!] ALERT: Suspicious process spawned by ScreenConnect!\" -ForegroundColor Red
        Write-Host \"    Process: $($Proc.Name) | PID: $($Proc.ProcessId) | Parent: $($Parent.Name)\"
    }
}
Write-Host \"[*] Scan Complete.\" -ForegroundColor Green


---

Incident Response Priorities

T-Minus Detection Checklist

  • VPN Logs: Immediately review Check Point and Cisco FMC logs for failed IKEv1 handshakes or successful authentications from unusual ASN/geolocations (Indicator: CVE-2026-50751, CVE-2026-20131).
  • RMM/ScreenConnect: Audit ScreenConnect access logs for authentication anomalies or web session creation from impossible travel locations.
  • User Accounts: Look for sudden creation of new local administrators on domain controllers or file servers.

Critical Assets for Exfil

THEGENTLEMEN historically targets:

  1. PII/HR Databases: For high-leverage extortion.
  2. CAD/PLM Designs: specifically in Manufacturing victims (e.g., Buechel Stone, Traublinger).
  3. Financial Records: 2026 tax documents and banking info.

Containment Actions

  1. Isolate VPN Concentrators: Disconnect Check Point/Cisco management interfaces from the internet immediately if unpatched.
  2. Disable RMM Tools: Temporarily halt ScreenConnect services until the CVE-2024-1708 patch is verified.
  3. Segment OT Networks: Ensure Manufacturing/OT VLANs are air-gapped from IT networks exploited via VPN.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Apply patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect) immediately.
  • Access Control: Enforce MFA on all VPN and RMM portals. Disable accounts of third-party vendors not currently working.
  • Network Blocking: Block inbound IKEv1 traffic at the perimeter if VPNs are not actively using it (mitigates CVE-2026-50751).

Short-Term (2 Weeks)

  • Zero Trust Network Access (ZTNA): Begin migration from traditional VPN to ZTNA solutions to reduce broad network access.
  • Egress Filtering: Implement strict firewall rules to prevent outbound connections to known ransomware C2 infrastructure and file-sharing sites (Mega, Anonfiles).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlemenransomwaremanufacturingcve-2026-50751screenconnectvpn-exploitation

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action