Back to Intelligence

THEGENTLEMEN Ransomware: 15+ Victims Posted — Analysis of Multi-Vector CVE Exploitation

SA
Security Arsenal Team
July 1, 2026
6 min read

Aliases & Operational Model THEGENTLEMEN operate as a sophisticated Ransomware-as-a-Service (RaaS) affiliate network, though they maintain tight operational security, suggesting a closed group tier for high-value targets. They recently rebranded to refine their extortion image, focusing on "professional" data leak site designs.

TTPs & Dwell Time

  • Ransom Demands: Typically range from $500,000 to $5 million, calibrated to victim revenue.
  • Initial Access: Heavily relies on exploiting external-facing infrastructure. Current intelligence confirms the active weaponization of CISA KEV-listed vulnerabilities in perimeter security appliances (Check Point, Cisco FMC) and remote management tools (ScreenConnect).
  • Double Extortion: Aggressive timeline. Data is staged within 24-48 hours of access. Victims have 72 hours to negotiate before leak site publication.
  • Dwell Time: Short average of 3-5 days from initial foothold to encryption, indicating automated deployment tools post-access.

Current Campaign Analysis

Campaign Snapshot: "Perimeter Breach" (2026-06-30 to 2026-07-02)

Sectors Targeted The latest dump of 15+ victims indicates a shift toward critical services and logistics:

  • Transportation/Logistics: FAC Logistique (FR), Pou Sheng International (TW).
  • Public Sector: The City of Boyne City (US).
  • Healthcare: Centre Ophtalmologique dErmont (FR).
  • Construction/Real Estate: Melcor Developments Ltd (CA).

Geographic Concentration

  • Primary: France (FR) – 40% of recent victims.
  • Secondary: United States (US), Canada (CA), Taiwan (TW).

Victim Profile The gang is targeting mid-to-large enterprise entities. Victims like Melcor Developments (revenue ~$300M) and Pou Sheng International (billions in revenue) suggest THEGENTLEMEN affiliates conduct significant financial pre-attack reconnaissance.

CVE Connection & Vectors The concurrent appearance of victims in sectors relying on legacy VPNs and RMM tools correlates with the active exploitation of:

  • CVE-2024-1708 (ScreenConnect): Likely used for initial access in Business Services and Technology sectors (e.g., MakoLab, Oron Law Firm).
  • CVE-2026-50751 (Check Point): suspected vector for the cluster of French victims, potentially bypassing perimeter IPS to gain VPN access.
  • CVE-2026-20131 (Cisco FMC): A critical vector allowing attackers to modify firewall rules to establish covert C2 channels before detonation.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 involving path traversal or suspicious authentication sequences on ScreenConnect servers.
id: 9e5b7e0c-3d2a-4c5a-9b1d-4c2e8f7a1b3c
status: experimental
date: 2026/07/02
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '..\'
            - '%2e%2e'
            - 'WebService.ashx'
    condition: selection
falsepositives:
    - Misconfigured scanners
level: critical
---
title: Check Point IKEv1 Anomaly Detection
description: Identifies suspicious IKEv1 key exchange failures or successful authentications from unusual geolocations, potentially indicating exploitation of CVE-2026-50751.
id: a1b2c3d4-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
date: 2026/07/02
author: Security Arsenal Research
logsource:
    product: firewall
detection:
    selection:
        dst_port: 500
        protocol: udp
        app: 'ike'
        action: 'accept'
    filter_legit:
        src_ip_in_geo:
            - 'Internal_Range'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate remote employee VPN connections
level: high
---
title: Ransomware Preparation - VSS Deletion via System Tools
description: Detects commands used to delete Volume Shadow Copies, a common step before encryption by THEGENTLEMEN affiliates.
id: f1e2d3c4-b5a6-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
date: 2026/07/02
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\wbadmin.exe'
    cmdline:
        CommandLine|contains:
            - 'delete shadows'
            - 'delete catalog'
    condition: selection
falsepositives:
    - System administration tasks (rare)
level: critical


**KQL (Microsoft Sentinel)**
Hunt for lateral movement patterns associated with this group's use of Cobalt Strike and RDP hijacking post-initial access.

kql
let timeframe = 1d;
DeviceProcessEvents
| where Timestamp > ago(timeframe)
// Suspicious execution paths often used by ransomware operators
| where (FolderPath has "C:\\Windows\\Temp\\" and ProcessVersionInfoOriginalFileName in ("powershell.exe", "cmd.exe", "rundll32.exe"))
   or (ProcessCommandLine has any("-enc", "DownloadString", "IEX") and FileName == "powershell.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemotePort in (443, 80) and ActionType == "ConnectionSuccess"
    | summarize Count=count() by DeviceId, RemoteUrl
    | where Count > 100 // High frequency beaconing
) on DeviceId


**PowerShell Response Script**
Rapid triage script to enumerate scheduled tasks and check for the specific vulnerable services noted in this campaign.

powershell
<#
.SYNOPSIS
    THEGENTLEMEN Ransomware Triage Script
.DESCRIPTION
    Checks for signs of ransomware preparation and checks for vulnerable service versions.
#>

Write-Host "[+] Starting THEGENTLEMEN Triage..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in the last 24 hours
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-24) }
if ($suspiciousTasks) {
    Write-Host "[!] WARNING: Recently Scheduled Tasks found (Potential Persistence):" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
    Write-Host "[-] No suspicious recent scheduled tasks found." -ForegroundColor Green
}

# 2. Check for Modified VSS Shadows (Indication of deletion attempts)
try {
    $vssState = vssadmin list shadows 2>&1
    if ($vssState -match "No shadow copies found") {
        Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
    }
} catch {
    Write-Host "[-] Could not query VSS state." -ForegroundColor Yellow
}

# 3. Check ScreenConnect Version (CVE-2024-1708)
$scPath = "C:\Program Files (x86)\ScreenConnect\App\ScreenConnect.Service.exe"
if (Test-Path $scPath) {
    $version = (Get-Item $scPath).VersionInfo.FileVersion
    Write-Host "[*] ScreenConnect Found. Version: $version" -ForegroundColor Yellow
    # Note: Update this logic with specific vulnerable version ranges as they are released
    if ($version -lt "23.9.8") {
        Write-Host "[!] VULNERABLE ScreenConnect version detected." -ForegroundColor Red
    }
}

Write-Host "[+] Triage Complete. Review output." -ForegroundColor Cyan


---

# Incident Response Priorities

**T-Minus Detection Checklist**
1.  **Hunt for Webshells:** Search web directories (IIS/Apache) for recently modified `.aspx`, `.php`, or `.ashx` files (ScreenConnect indicators).
2.  **Audit Firewall Logs:** Review Check Point and Cisco FMC logs for abnormal administrative logins or rule changes during non-business hours.
3.  **Privileged Identity:** Audit Active Directory for accounts recently added to Domain Admins or Enterprise Admins groups.

**Critical Assets for Exfiltration**
THEGENTLEMEN historically prioritize:
*   **PII/PHI:** Databases containing customer records (high value in Consumer Services/Healthcare).
*   **Financial Data:** Accounting software backups and transaction logs.
*   **Intellectual Property:** CAD files (Construction/Engineering) and source code.

**Containment Actions**
1.  **Isolate:** Immediately disconnect internet-facing RMM (ScreenConnect) and VPN concentrators from the internal network if patch status is unknown.
2.  **Disable:** suspend non-essential service accounts (specifically those with VPN access).
3.  **Block:** Firewall rules blocking egress on non-standard ports (often used for Cobalt Strike C2).

---

# Hardening Recommendations

**Immediate (24 Hours)**
*   **Patch Critical CVEs:** Apply patches for **CVE-2024-1708 (ScreenConnect)**, **CVE-2026-50751 (Check Point)**, and **CVE-2026-20131 (Cisco FMC)** immediately.
*   **MFA Enforcement:** Enforce hardware-token MFA for all VPN and administrative console access.
*   **Disable RDP:** Disable Internet-facing RDP immediately; enforce ZTNA or VPN-only access.

**Short-term (2 Weeks)**
*   **Network Segmentation:** Separate OT/IoT networks (Energy/Logistics sectors) from IT management planes.
*   **EDR Rollout:** Ensure 100% coverage on management servers and jump hosts.
*   **Geo-Blocking:** Restrict VPN access to countries where the organization does **not** operate (targeting the TW/NI/CH/CZ anomalies seen in this campaign).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlemenransomwarecve-2024-1708cve-2026-50751initial-accesscisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.