Back to Intelligence

THEGENTLEMEN Ransomware: 15 New Victims Posted — Manufacturing & Telecom Targeting Spike

SA
Security Arsenal Team
May 10, 2026
6 min read

Aliases: Unknown / No public rebrands observed. Model: Closed-group operation (suspected RaaS-offshoot). Ransom Demands: Highly variable; estimated range $500k – $5M based on victim revenue tiers. TTPs Overview: THEGENTLEMEN distinguish themselves through aggressive exploitation of internet-facing infrastructure rather than traditional phishing. Their playbook emphasizes double extortion, exfiltrating sensitive data (PII, IP, blueprints) prior to encryption. The group typically maintains a short dwell time (3–7 days) between initial access and detonation, reducing the window for defenders to detect egress activity.

  • Initial Access: Heavy reliance on unpatched edge services (Microsoft Exchange, Email gateways, Firewalls).
  • Lateral Movement: Usage of Cobalt Strike beacons and legitimate admin tools (PsExec, WMI) for internal propagation.
  • Exfil: Large-scale data transfer to cloud storage and FTP endpoints.

Current Campaign Analysis

Campaign Dates: 2026-05-06 to 2026-05-08 (Surge activity) Victim Count: 15 posted in the last 4 days; 19 in the last 100 postings.

Sector Targeting

The recent surge indicates a pivot towards Manufacturing and Telecommunication sectors, alongside continued opportunistic attacks on Construction and Business Services.

  • Manufacturing: Misr Chemical Industries (EG), Hillside Lumber (US), Clark Fixture Technologies (US).
  • Telecommunication: TDS (US).
  • Construction: McCarthy (US), Arizona Professional Painting (US).

Geographic Concentration

While global, there is a heavy emphasis on the United States (7 victims), followed by significant hits in Egypt, Germany, and the Netherlands.

Victim Profile

The gang is targeting mid-to-large enterprises. Victims like McCarthy (major construction firm) and TDS (Telecom) suggest a preference for organizations with high revenue operational dependency, maximizing pressure to pay.

CVE Correlation & Access Vectors

We assess with high confidence that the recent victim surge is fueled by the exploitation of specific vulnerabilities added to the CISA KEV list in early 2026:

  1. CVE-2023-21529 (Microsoft Exchange): Deserialization vulnerability. Likely used for initial access in environments like TDS and Misr Chemical Industries.
  2. CVE-2026-20131 (Cisco Secure Firewall Management Center): Deserialization flaw. Critical for bypassing perimeter defenses in sectors like Telecom and Construction.
  3. CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): File upload and Auth Bypass. THEGENTLEMEN are actively scanning for exposed email gateways to gain a foothold.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Exchange Server Deserialization Exploit (CVE-2023-21529)
id: 8c7e8b0c-4a3b-4f9d-8c6a-1e4b2c3d4e5f
description: Detects potential exploitation of Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: exchange
detection:
    selection:
        EventID: 4 # Or specific Exchange log ID for backend errors
        Message|contains:
            - 'deserialization'
            - 'ObjectDeserializer'
            - 'LosFormatter'
    condition: selection
falsepositives:
    - Legitimate Exchange administration scripts
level: critical
---
title: SmarterMail Suspicious File Upload Activity (CVE-2025-52691)
id: 9d8f9c1d-5b4c-0e1e-9d7b-2f5c3d4e5f6a
description: Detects potential exploitation of SmarterMail Unrestricted Upload of File with Dangerous Type.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
logsource:
    category: web
detection:
    selection_uri:
        cs-uri-stem|contains: '/Mail/'
    selection_ext:
        cs-uri-extension|contains:
            - 'aspx'
            - 'ashx'
            - 'asmx'
    selection_method:
        cs-method: 'POST'
    selection_status:
        sc-status: 200
    condition: all of selection_
falsepositives:
    - Legitimate file attachments via web interface
level: high
---
title: Cisco FMC Management Center Anomaly (CVE-2026-20131)
id: 0e1f2a3b-6c5d-7e8f-9a0b-1c2d3e4f5a6b
description: Detects suspicious process execution or management access patterns associated with Cisco FMC exploitation.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
logsource:
    product: cisco
    service: fmc
detection:
    selection_cli:
        CommandLine|contains:
            - 'inject'
            - 'deserialize'
    selection_access:
        EventID|contains:
            - '112005' # User logged in
            - '112006' # User logged out
    timeframe: 1m
    condition: selection_cli or selection_access
falsepositives:
    - Administrative configuration changes
level: critical

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for SmarterMail and Exchange Anomalies associated with THEGENTLEMEN access
// Focus on unusual POST requests and user agents
union withsource = TableName *
| where TimeGenerated > ago(7d)
| where isnotempty(SrcIpAddress) and isnotempty(DstIpAddress)
// Filter for known vulnerable paths
| where Uri has "/Mail/" or Uri has "/ecp/" or Uri has "/owa/" 
| where HttpMethod in ("POST", "PUT")
// Look for indicators of exploitation attempts (Shell extensions, Deserialization strings)
| where Uri has ".aspx" or Uri has ".ashx" or Uri has ".jsp" or Uri has "LosFormatter"
// Exclude known internal scanners
| where SrcIpAddress !in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") 
| summarize RequestCount = count(), UniqueUserAgents = dcount(UserAgent) by Bin(TimeGenerated, 1h), SrcIpAddress, DstIpAddress, Uri, UserAgent
| where RequestCount > 5 or UniqueUserAgents > 1
| order by RequestCount desc
| extend Reason = "High frequency POST to vulnerable mail path"

Rapid Response PowerShell Script

PowerShell
<#
.SYNOPSIS
    Checks for evidence of ransomware precursors and recent access anomalies.
.DESCRIPTION
    This script checks for recent scheduled tasks (lateral movement),
    VSS shadow copy deletions (anti-forensics), and unusual network connections.
#>

Write-Host "[+] Initiating T-Minus Ransomware Hunt..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 24 hours
$Date = (Get-Date).AddDays(-1)
Write-Host "[!] Checking for Scheduled Tasks created/modified since $Date..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt $Date -or $_.LastRunTime -gt $Date} | Select-Object TaskName, TaskPath, Date, LastRunTime, Author

# 2. Check Volume Shadow Copy Service Status (VSS) Events
Write-Host "[!] Checking for VSS Shadow Copy Deletion Events (Event ID 140)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=140; StartTime=$Date} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List

# 3. Check for established PowerShell network connections (potential C2)
Write-Host "[!] Checking for established PowerShell network connections..." -ForegroundColor Yellow
Get-NetTCPConnection -State Established -OwningProcess (Get-Process powershell -ErrorAction SilentlyContinue).Id | Select-Object LocalAddress, LocalPort, RemoteAddress, RemoteAddress, OwningProcess

Write-Host "[+] Hunt Complete." -ForegroundColor Green


---

Incident Response Priorities

T-Minus Detection Checklist

  • Immediate: Isolate Microsoft Exchange and SmarterMail servers from the network immediately. Check C:\inetpub\wwwroot for aspx web shells.
  • Urgent: Review logs for Cisco FMC for unauthorized management access or configuration changes linked to CVE-2026-20131.
  • Pre-Encryption: Look for mass Robocopy or Rclone processes indicating data staging prior to exfiltration.

Critical Assets at Risk

  • Active Directory Domain Controllers: (Highest priority for lateral movement containment).
  • Email Servers: Used for initial access; likely to be the first point of encryption to disrupt communications.
  • Backup Servers: THEGENTLEMEN actively target VSS to prevent recovery.

Containment Actions

  1. Segmentation: Enforce strict Layer 3 isolation between the DMZ (Mail/Web) and the internal LAN.
  2. Credential Reset: Force a reset of all privileged admin credentials, specifically for Exchange and Firewall admins.
  3. Account Suspension: Suspend service accounts associated with scheduled tasks identified in the hunt script.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Apply patches for CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco FMC), and SmarterMail CVE-2025-52691 / CVE-2026-23760 immediately. These are actively being exploited in the wild.
  • External Attack Surface Reduction: Block inbound access to /Services/ and /Mail/ endpoints on SmarterMail from unknown IPs via WAF or firewall rules.
  • MFA Enforcement: Ensure strict MFA is enforced on all VPN, Exchange OWA, and firewall management interfaces.

Short-term (2 Weeks)

  • Network Segmentation: Implement a "Zero Trust" architecture for administrative jump hosts. Do not allow direct RDP/HTTPS management from the internet to critical assets.
  • EDR Coverage: Ensure full EDR coverage is active on all email gateway and perimeter management servers.
  • Offline Backups: Validate that critical backups are immutable and offline.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlemenransomwaremanufacturingtelecommunicationcve-2023-21529initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action