THEGENTLEMEN Ransomware: 15 New Victims Posted — Targeting Manufacturing & Critical Infrastructure via Firewall Exploits

Aliases: Unknown (the group operates under the single moniker "THEGENTLEMEN").

Operational Model: Current intelligence suggests a sophisticated Ransomware-as-a-Service (RaaS) or highly organized closed-group operation. Their rapid victim posting cadence (15 victims in a single batch) indicates high automation in their encryption and exfiltration pipelines.

Tactics & Extortion: THEGENTLEMEN utilize a classic double-extortion model. They exfiltrate sensitive corporate data prior to encryption and leverage victim leak sites to pressure non-paying organizations. While ransom demands vary by victim revenue, recent posts suggest a minimum floor in the mid-six figures USD, scaling into millions for critical infrastructure targets.

Initial Access Vectors: The group is aggressively exploiting External Remote Services and Vulnerability Management gaps. Recent intelligence confirms active exploitation of:

• VPN/Perimeter Bypass: Check Point Security Gateway (CVE-2026-50751) and Cisco Secure Firewall FMC (CVE-2026-20131).
• Remote IT Tools: ConnectWise ScreenConnect (CVE-2024-1708).
• Supply Chain/Third-Party: Nx Console (CVE-2026-48027).

Dwell Time: Analysis of recent postings suggests an average dwell time of 3–5 days. The group moves laterally rapidly once initial access is established, often skipping traditional discovery phases in favor of immediate credential dumping and data staging.

Current Campaign Analysis

Sector Targeting: The latest batch of 15 victims reveals a distinct pivot toward high-availability operational environments:

• Manufacturing (26%): Buechel Stone, Cole Manufacturing, Traublinger, Buratti.
• Technology (13%): Times Software, SigmaControl.
• Agriculture & Food (13%): Fecovita, Mackay Sugar.
• Energy & Critical Infrastructure: Maine Oxy (Energy), Centre Medical Crowley (Healthcare), National Museum (Public Sector).

Geographic Concentration: The campaign is globally dispersed but heavily weighted toward Western economies:

• United States: 4 victims (27%)
• Europe: 6 victims (France, Germany, Poland, Italy, Denmark, Netherlands)
• Asia-Pacific: 2 victims (Singapore, Australia)
• Americas (Non-US): 2 victims (Argentina, Canada)

Victim Profile: THEGENTLEMEN are targeting mid-to-large market enterprises. Victims include public sector entities (National Museum DK), educational institutions (Kozminski University), and industrial conglomerates, suggesting a capability to navigate complex network architectures.

CVE Correlation: The correlation between the victim list and the CISA KEV list is alarming. The inclusion of CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC) indicates THEGENTLEMEN are actively scanning for and exploiting unpatched perimeter security appliances to bypass VPN and firewall controls entirely. The use of CVE-2024-1708 (ScreenConnect) allows them to hijack legitimate remote support sessions for internal access.

Detection Engineering

The following detection logic targets the specific TTPs observed in THEGENTLEMEN's recent campaigns, focusing on the exploitation of remote services and data staging.

---
title: Potential ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 8a2c5e1d-3f4a-4b1c-8d0e-9f1a2b3c4d5e
description: Detects suspicious URL patterns and folder creation associated with ScreenConnect path traversal vulnerability exploitation.
status: experimental
date: 2026/06/19
author: Security Arsenal Intel
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/.ashx'
            - 'Folder='
            - 'Host='
    condition: selection
falsepositives:
    - Legitimate administrative access via ScreenConnect
level: critical
tags:
    - cve.2024.1708
    - attack.initial_access
    - the-gentlemen
---
title: Suspicious Shadow Copy Deletion (Pre-Encryption Activity)
id: 9b3d6f2e-4g5h-5c2d-9e1f-0g2b3c4d5e6f
description: Detects commands used to delete Volume Shadow Copies, a common precursor to ransomware encryption used by THEGENTLEMEN.
status: experimental
date: 2026/06/19
author: Security Arsenal Intel
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\vssadmin.exe'
            - '\wmic.exe'
    selection_cli:
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration (rare)
level: high
tags:
    - attack.impact
    - the-gentlemen
---
title: Data Staging via High-Volume Compression Tools
id: 1c4e5g3h-5h6i-6e3f-0f2g-1h3i4j5k6l7m
description: Detects the use of 7-Zip or WinRAR to compress large volumes of data to local directories often used for exfiltration prior to encryption.
status: experimental
date: 2026/06/19
author: Security Arsenal Intel
logsource:
    category: process_creation
    product: windows
detection:
    selection_archiver:
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\zip.exe'
    selection_params:
        CommandLine|contains:
            - 'a -t'
            - '-mx9'
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
    condition: selection_archiver and selection_params and not filter_legit
falsepositives:
    - User backups
level: medium
tags:
    - attack.exfiltration
    - the-gentlemen


**KQL (Microsoft Sentinel) - Hunt for Lateral Movement & Staging**

kql
// Hunt for lateral movement via PsExec/WMI and large data transfers
let CommonLateralTools = Dynamic(["psexec.exe", "wmic.exe", "wmiexec.ps1", "powershell.exe"]);
let ArchivingTools = Dynamic(["7z.exe", "winrar.exe", "peazip.exe"]);
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in (CommonLateralTools) or FileName in (ArchivingTools)
| where ProcessCommandLine has any("-accepteula", "process call", "invoke-command", "create")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, FolderPath
| extend AnomalyIndicator = iff(FileName in (ArchivingTools), "Data Staging", "Lateral Movement")
| order by Timestamp desc


**PowerShell - Rapid Response Hardening Script**

powershell
# THEGENTLEMEN Response Script: Check for RDP anomalies and recent Shadow Copy manipulation
Write-Host "[+] Starting THEGENTLEMEN IOC Check..." -ForegroundColor Cyan

# 1. Check for recent Shadow Copy deletion attempts (Event ID 1 from Sysmon or 4688 if command line logging enabled)
Write-Host "[+] Checking for vssadmin deletion attempts in last 24 hours..."
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -match 'vssadmin' -and $_.Message -match 'delete'} | 
Select-Object TimeCreated, Message | Format-List

# 2. Enumerate Scheduled Tasks created in the last 7 days (Persistence mechanism)
Write-Host "[+] Enumerating Scheduled Tasks created/modified in last 7 days..."
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | 
Select-Object TaskName, TaskPath, Date, Author

# 3. Identify RDP/Remote Logons from non-standard accounts
Write-Host "[+] Checking for recent RDP logons (Event ID 4624, Type 10)..."
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue | 
Where-Object {$_.Message -match 'Logon Type:\s*10'} | 
Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='IP';e={$_.Properties[19].Value}}

Write-Host "[!] Manual Review Required for any suspicious findings." -ForegroundColor Yellow


---

Incident Response Priorities

Based on THEGENTLEMEN's playbook, execute the following T-minus checklist immediately upon suspicion of compromise:

1. Perimeter Isolation: If utilizing Check Point or Cisco FMC appliances, immediately review IKEv1 logs (Check Point) and deserialization logs (Cisco). Isolate management interfaces from the internet if unpatched.
2. ScreenConnect Audit: Audit all ConnectWise ScreenConnect instances. Force-logoff all active sessions and rotate credentials. Patch to the latest version immediately.
3. Hunt for Web Shells: Given the exploitation of CVE-2026-50751 and CVE-2026-20131, scan web roots for recently modified ASP, ASPX, JSP, or PHP files.
4. Data Exfil Indicators: Look for massive egress traffic over non-standard ports (e.g., 80, 443, 21) or via large file upload sites. THEGENTLEMEN prioritize exfiltration of PII, CAD drawings (Manufacturing), and financial databases.
5. Containment: If a host is confirmed compromised, disconnect from the network but do not power off (if possible) to preserve memory artifacts of the initial access payload.

Hardening Recommendations

Immediate (24 Hours):

• Patch Critical CVEs: Apply patches for CVE-2026-50751 (Check Point), CVE-2026-20131 (Cisco FMC), and CVE-2024-1708 (ScreenConnect) globally.
• Disable IKEv1: If not required for legacy VPN compatibility, disable IKEv1 on Check Point gateways to mitigate the authentication bypass.
• MFA Enforcement: Enforce strict MFA on all remote access tools, including ScreenConnect, VPNs, and RDP.

Short-term (2 Weeks):

• Network Segmentation: Separate OT/IoT (Manufacturing/Energy) networks from IT administrative zones. THEGENTLEMEN often traverse from IT to OT.
• Egress Filtering: Implement strict egress filtering to block known cloud storage endpoints and non-business IP ranges from critical servers.
• Vulnerability Management: Re-scan all external-facing security appliances specifically for authentication and deserialization flaws.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub