Aliases & Operational Model THEGENTLEMEN operate as a sophisticated Ransomware-as-a-Service (RaaS) affiliate network, though they maintain tight operational security, suggesting a closed group tier for high-value targets. They recently rebranded to refine their extortion image, focusing on "professional" data leak site designs.
TTPs & Dwell Time
- Ransom Demands: Typically range from $500,000 to $5 million, calibrated to victim revenue.
- Initial Access: Heavily relies on exploiting external-facing infrastructure. Current intelligence confirms the active weaponization of CISA KEV-listed vulnerabilities in perimeter security appliances (Check Point, Cisco FMC) and remote management tools (ScreenConnect).
- Double Extortion: Aggressive timeline. Data is staged within 24-48 hours of access. Victims have 72 hours to negotiate before leak site publication.
- Dwell Time: Short average of 3-5 days from initial foothold to encryption, indicating automated deployment tools post-access.
Current Campaign Analysis
Campaign Snapshot: "Perimeter Breach" (2026-06-30 to 2026-07-02)
Sectors Targeted The latest dump of 15+ victims indicates a shift toward critical services and logistics:
- Transportation/Logistics: FAC Logistique (FR), Pou Sheng International (TW).
- Public Sector: The City of Boyne City (US).
- Healthcare: Centre Ophtalmologique dErmont (FR).
- Construction/Real Estate: Melcor Developments Ltd (CA).
Geographic Concentration
- Primary: France (FR) – 40% of recent victims.
- Secondary: United States (US), Canada (CA), Taiwan (TW).
Victim Profile The gang is targeting mid-to-large enterprise entities. Victims like Melcor Developments (revenue ~$300M) and Pou Sheng International (billions in revenue) suggest THEGENTLEMEN affiliates conduct significant financial pre-attack reconnaissance.
CVE Connection & Vectors The concurrent appearance of victims in sectors relying on legacy VPNs and RMM tools correlates with the active exploitation of:
- CVE-2024-1708 (ScreenConnect): Likely used for initial access in Business Services and Technology sectors (e.g., MakoLab, Oron Law Firm).
- CVE-2026-50751 (Check Point): suspected vector for the cluster of French victims, potentially bypassing perimeter IPS to gain VPN access.
- CVE-2026-20131 (Cisco FMC): A critical vector allowing attackers to modify firewall rules to establish covert C2 channels before detonation.
Detection Engineering
Sigma Rules
---
title: Potential ScreenConnect Authentication Bypass
description: Detects potential exploitation of CVE-2024-1708 involving path traversal or suspicious authentication sequences on ScreenConnect servers.
id: 9e5b7e0c-3d2a-4c5a-9b1d-4c2e8f7a1b3c
status: experimental
date: 2026/07/02
author: Security Arsenal Research
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '..\'
- '%2e%2e'
- 'WebService.ashx'
condition: selection
falsepositives:
- Misconfigured scanners
level: critical
---
title: Check Point IKEv1 Anomaly Detection
description: Identifies suspicious IKEv1 key exchange failures or successful authentications from unusual geolocations, potentially indicating exploitation of CVE-2026-50751.
id: a1b2c3d4-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
date: 2026/07/02
author: Security Arsenal Research
logsource:
product: firewall
detection:
selection:
dst_port: 500
protocol: udp
app: 'ike'
action: 'accept'
filter_legit:
src_ip_in_geo:
- 'Internal_Range'
condition: selection and not filter_legit
falsepositives:
- Legitimate remote employee VPN connections
level: high
---
title: Ransomware Preparation - VSS Deletion via System Tools
description: Detects commands used to delete Volume Shadow Copies, a common step before encryption by THEGENTLEMEN affiliates.
id: f1e2d3c4-b5a6-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
date: 2026/07/02
author: Security Arsenal Research
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- '\vssadmin.exe'
- '\wbadmin.exe'
cmdline:
CommandLine|contains:
- 'delete shadows'
- 'delete catalog'
condition: selection
falsepositives:
- System administration tasks (rare)
level: critical
**KQL (Microsoft Sentinel)**
Hunt for lateral movement patterns associated with this group's use of Cobalt Strike and RDP hijacking post-initial access.
kql
let timeframe = 1d;
DeviceProcessEvents
| where Timestamp > ago(timeframe)
// Suspicious execution paths often used by ransomware operators
| where (FolderPath has "C:\\Windows\\Temp\\" and ProcessVersionInfoOriginalFileName in ("powershell.exe", "cmd.exe", "rundll32.exe"))
or (ProcessCommandLine has any("-enc", "DownloadString", "IEX") and FileName == "powershell.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where RemotePort in (443, 80) and ActionType == "ConnectionSuccess"
| summarize Count=count() by DeviceId, RemoteUrl
| where Count > 100 // High frequency beaconing
) on DeviceId
**PowerShell Response Script**
Rapid triage script to enumerate scheduled tasks and check for the specific vulnerable services noted in this campaign.
powershell
<#
.SYNOPSIS
THEGENTLEMEN Ransomware Triage Script
.DESCRIPTION
Checks for signs of ransomware preparation and checks for vulnerable service versions.
#>
Write-Host "[+] Starting THEGENTLEMEN Triage..." -ForegroundColor Cyan
# 1. Check for Scheduled Tasks created in the last 24 hours
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddHours(-24) }
if ($suspiciousTasks) {
Write-Host "[!] WARNING: Recently Scheduled Tasks found (Potential Persistence):" -ForegroundColor Red
$suspiciousTasks | Select-Object TaskName, Date, Author | Format-Table
} else {
Write-Host "[-] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
# 2. Check for Modified VSS Shadows (Indication of deletion attempts)
try {
$vssState = vssadmin list shadows 2>&1
if ($vssState -match "No shadow copies found") {
Write-Host "[!] CRITICAL: No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
}
} catch {
Write-Host "[-] Could not query VSS state." -ForegroundColor Yellow
}
# 3. Check ScreenConnect Version (CVE-2024-1708)
$scPath = "C:\Program Files (x86)\ScreenConnect\App\ScreenConnect.Service.exe"
if (Test-Path $scPath) {
$version = (Get-Item $scPath).VersionInfo.FileVersion
Write-Host "[*] ScreenConnect Found. Version: $version" -ForegroundColor Yellow
# Note: Update this logic with specific vulnerable version ranges as they are released
if ($version -lt "23.9.8") {
Write-Host "[!] VULNERABLE ScreenConnect version detected." -ForegroundColor Red
}
}
Write-Host "[+] Triage Complete. Review output." -ForegroundColor Cyan
---
# Incident Response Priorities
**T-Minus Detection Checklist**
1. **Hunt for Webshells:** Search web directories (IIS/Apache) for recently modified `.aspx`, `.php`, or `.ashx` files (ScreenConnect indicators).
2. **Audit Firewall Logs:** Review Check Point and Cisco FMC logs for abnormal administrative logins or rule changes during non-business hours.
3. **Privileged Identity:** Audit Active Directory for accounts recently added to Domain Admins or Enterprise Admins groups.
**Critical Assets for Exfiltration**
THEGENTLEMEN historically prioritize:
* **PII/PHI:** Databases containing customer records (high value in Consumer Services/Healthcare).
* **Financial Data:** Accounting software backups and transaction logs.
* **Intellectual Property:** CAD files (Construction/Engineering) and source code.
**Containment Actions**
1. **Isolate:** Immediately disconnect internet-facing RMM (ScreenConnect) and VPN concentrators from the internal network if patch status is unknown.
2. **Disable:** suspend non-essential service accounts (specifically those with VPN access).
3. **Block:** Firewall rules blocking egress on non-standard ports (often used for Cobalt Strike C2).
---
# Hardening Recommendations
**Immediate (24 Hours)**
* **Patch Critical CVEs:** Apply patches for **CVE-2024-1708 (ScreenConnect)**, **CVE-2026-50751 (Check Point)**, and **CVE-2026-20131 (Cisco FMC)** immediately.
* **MFA Enforcement:** Enforce hardware-token MFA for all VPN and administrative console access.
* **Disable RDP:** Disable Internet-facing RDP immediately; enforce ZTNA or VPN-only access.
**Short-term (2 Weeks)**
* **Network Segmentation:** Separate OT/IoT networks (Energy/Logistics sectors) from IT management planes.
* **EDR Rollout:** Ensure 100% coverage on management servers and jump hosts.
* **Geo-Blocking:** Restrict VPN access to countries where the organization does **not** operate (targeting the TW/NI/CH/CZ anomalies seen in this campaign).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.