Back to Intelligence

THEGENTLEMEN Ransomware: Aggressive Campaign Targeting Manufacturing & Telecom via Email Gateway Exploits

SA
Security Arsenal Team
May 9, 2026
6 min read

Date: 2026-05-09
Source: Ransomware.live / Dark Web Leak Site Monitoring
Analyst: Security Arsenal Intel Unit

Threat Actor Profile — THEGENTLEMEN

Affiliation & Model: THEGENTLEMEN operate as a Ransomware-as-a-Service (RaaS) entity. While they present a curated "gentlemanly" persona on their leak site, their operational tactics are aggressive. They utilize a double-extortion model, encrypting systems and exfiltrating sensitive data (CAD drawings, client DBs, employee PII) to pressure victims into payment.

Ransom Demands: Historically range from $300,000 to $5 million USD, scaling strictly with victim revenue.

Initial Access Vectors: Recent telemetry confirms a heavy reliance on exploiting public-facing email infrastructure. Specifically, the gang is leveraging deserialization vulnerabilities in Microsoft Exchange and SmarterTools SmarterMail. Once inside, they pivot via credential dumping and standard lateral movement tools (Cobalt Strike beacons, custom PowerShell loaders).

Dwell Time: Short. Average time between initial exploitation (Exchange/SmarterMail) and detonation is 3–5 days.

Current Campaign Analysis

Victimology Overview

In the last 48 hours, THEGENTLEMEN has posted 15 new victims, indicating a significant operational tempo spike.

  • Top Targeted Sectors:
    • Manufacturing: Misr Chemical Industries, Hillside Lumber, Clark Fixture Technologies.
    • Telecommunication: TDS (US).
    • Construction: McCarthy, Arizona Professional Painting.
  • Geographic Spread: While US-based entities remain the primary target (60% of recent victims), the campaign has gone global, hitting Egypt (EG), Germany (DE), Netherlands (NL), Poland (PL), and Venezuela (VE).

CVEs & Initial Access

This campaign is directly correlated with the recent exploitation of specific CISA Known Exploited Vulnerabilities (KEVs):

  1. SmarterMail RCE Chain (CVE-2025-52691 & CVE-2026-23760): The gang is exploiting unrestricted file upload and auth bypass to drop webshells on mail servers. This appears to be the primary entry point for the Manufacturing and Construction victims.
  2. Microsoft Exchange (CVE-2023-21529): Added to KEV in April 2026, this deserialization flaw is being used to access Telecom and Business Services sectors.

Trend: Attackers are bypassing traditional perimeter firewalls (Cisco CVE-2026-20131) by hitting the collaboration/email layer directly.

Detection Engineering

SIGMA Rules

YAML
title: Potential SmarterMail Webshell Upload Activity
id: 8a7f9c1e-5b6d-4a8e-9f1c-2b3c4d5e6f78
description: Detects potential webshell upload activity via SmarterMail vulnerabilities (CVE-2025-52691). Monitor for suspicious file creation in the web root.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: 
            - 'MRS\'
            - 'Mail\'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.asp'
    condition: selection
falsepositives:
    - Legitimate administrator updates
level: high

title: Microsoft Exchange Deserialization Anomaly
id: 9b8g0h2i-6c7e-5b9f-0g2d-3c4d5e6f7g8h
description: Detects exploitation attempts of Microsoft Exchange Deserialization Vulnerability (CVE-2023-21529) via suspicious backend process execution.
status: experimental
date: 2026/05/09
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: '.dll'
        AccessMask|contains: 
            - '0x80'
            - '0x100'
    filter:
        SubjectUserName|contains: 
            - 'ADMIN$'
            - 'SYSTEM'
    condition: selection and not filter
falsepositives:
    - Normal Exchange maintenance
level: critical

title: Lateral Movement via PsExec Ransomware Pattern
id: 1c2d3e4f-7d8e-6f0a-1h2i-4d5e6f7g8h9i
description: Detects typical lateral movement patterns used by THEGENTLEMEN affiliates (PsExec usage creating services).
status: experimental
date: 2026/05/09
author: Security Arsenal
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image|endswith: '\psexec.exe'
        CommandLine|contains: 'accepteula'
    selection_service:
        EventID: 6
        ImageLoaded|endswith: '\psexesvc.exe'
    condition: 1 of selection*
falsepositives:
    - Administrative IT maintenance
level: high

KQL (Microsoft Sentinel)

Hunts for rapid creation of services (often used for Cobalt Strike or lateral movement tools) and anomalous processes spawned from IIS/Exchange worker processes.

KQL — Microsoft Sentinel / Defender
let TimeFrame = 1h;
// Hunt for Service Creations not initiated by standard admin tools
ServiceCreationEvents
| where TimeGenerated > ago(TimeFrame)
| where ServiceName !in_contains ("WinDefend", "Schedule", "wuauserv")
| project TimeGenerated, Computer, ServiceName, AccountName, ImagePath
| join kind=inner (
    ProcessCreationEvents  
    | where TimeGenerated > ago(TimeFrame)
    | project TimeGenerated, Computer, ProcessName, ParentProcessName, CommandLine
) on Computer
| where ParentProcessName has "w3wp.exe" or ParentProcessName has "MSExchange"
| distinct TimeGenerated, Computer, ServiceName, ImagePath, CommandLine

PowerShell Rapid Response Script

Use this script on critical servers (Exchange/SmarterMail/Domain Controllers) to check for webshell indicators and suspicious scheduled tasks added in the last 7 days.

PowerShell
# THEGENTLEMEN Response Script - v1.0
# Checks for recent Scheduled Tasks and Webshell Indicators

Write-Host "[*] Initiating THEGENTLEMEN Hunt..." -ForegroundColor Cyan

# 1. Check for recently created Scheduled Tasks (Last 7 Days)
$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "[+] Checking for Scheduled Tasks created since: $DateCutoff" -ForegroundColor Yellow

Get-ScheduledTask | Where-Object {$_.Date -gt $DateCutoff} | ForEach-Object {
    $TaskInfo = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
    Write-Host "[!] Suspicious Task Found: $($_.TaskName)" -ForegroundColor Red
    Write-Host "    Path: $($_.TaskPath)"
    Write-Host "    Last Run: $($TaskInfo.LastRunTime)"
    Write-Host "    Command: $($_.Actions.Execute)"
}

# 2. Check for SmarterMail Webshell Indicators (Example paths)
Write-Host "[+] Scanning common SmarterMail directories for web shells..." -ForegroundColor Yellow
$WebPaths = @("C:\Program Files (x86)\SmarterTools\SmarterMail\MRS", "C:\SmarterMail\MRS")
$SuspiciousExtensions = @("*.aspx", "*.ashx", "*.config")

foreach ($Path in $WebPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -Include $SuspiciousExtensions -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt $DateCutoff } | 
        Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
    }
}

Write-Host "[*] Hunt Complete." -ForegroundColor Green


---

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption)

  1. IIS/Exchange Logs: Immediate grep for POST requests to /ecp/, /owa/, or /MRS/ ending in .aspx or containing异常字符 (abnormal characters).
  2. Memory: Dump memory on Exchange/SmarterMail servers. Look for powershell.exe spawned by w3wp.exe.
  3. MFT/Timeline: Check for massive file renames (e.g., original.doc -> original.doc.locked) in VSS shadow copies.

Critical Assets for Exfiltration

Based on THEGENTLEMEN's leak site patterns, they prioritize:

  • Manufacturing: CAD designs, proprietary formulas, client supply chain lists.
  • Telecom: Customer call records, SSN/Tax ID databases, billing records.

Containment Actions

  1. Isolate: Disconnect Exchange and SmarterMail servers from the network immediately. Do not power down (preserve memory).
  2. Revoke: Revoke all privileged credentials (Domain Admin) used on the compromised mail servers.
  3. Block: Block inbound traffic to public IPs associated with recent CISA KEVs at the perimeter firewall.

Hardening Recommendations

Immediate (Within 24 Hours)

  • Patch: Immediately patch SmarterMail to address CVE-2025-52691 and Microsoft Exchange for CVE-2023-21529.
  • Perimeter: Disable external access to RDP (TCP 3389) and enforce VPN with MFA for all remote admin access.
  • Account Audit: Disable accounts with "Password Never Expires" set, specifically for service accounts tied to email infrastructure.

Short-Term (Within 2 Weeks)

  • Network Segmentation: Move Email servers to a dedicated VLAN with strict egress rules (allow only SMTP/HTTPs out, block all other).
  • EDR Deployment: Ensure EDR sensors are installed on all public-facing infrastructure, not just endpoints.
  • Web Application Firewall (WAF): Implement specific signatures for SmarterMail deserialization attacks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlemenransomwaremanufacturingtelecommunicationexchange-rcesmartermail

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action