Back to Intelligence

THEGENTLEMEN Ransomware: Critical Infrastructure Exploitation Surge — 15 New Victims in 6 Days

SA
Security Arsenal Team
May 24, 2026
6 min read

Overview: THEGENTLEMEN is a aggressive Ransomware-as-a-Service (RaaS) operation characterized by high-velocity posting and a distinct focus on exploiting internet-facing infrastructure. Unlike gangs relying primarily on initial access brokers (IABs) for phishing, THEGENTLEMEN exhibits strong capability in weaponizing newly disclosed critical vulnerabilities (CVEs) in enterprise edge devices and communication servers.

TTPs & Behavior:

  • Model: RaaS with suspected affiliate network driving diverse geographic targeting.
  • Initial Access: Heavy reliance on exploitation of public-facing applications (VPNs, Firewalls, Mail Servers, Remote IT tools). Recent activity directly correlates with CISA KEV-listed vulnerabilities in ConnectWise ScreenConnect and Cisco Secure Firewall FMC.
  • Ransom Demands: Estimated range of $500k - $5M USD, calibrated to victim revenue.
  • Double Extortion: Standard practice involving data theft prior to encryption. Leak site activity suggests failure to pay results in rapid publication (average 3-5 days from deadline).
  • Dwell Time: Short. Intelligence suggests a dwell time of 3-7 days between initial access and encryption, favoring speed over stealth.

Current Campaign Analysis

Sector Targeting: The current campaign shows a pivot towards Manufacturing and Transportation/Logistics, which account for 40% of the recent victim list. However, Technology and Healthcare remain consistent targets.

  • Manufacturing: Koa Glass (JP), ACAM Systemautomation (AT), Modern Display (US)
  • Transportation/Logistics: TRANSSYSTEM Group (PL), Caka Grup Lojistik (TR), Hussey Seatway (GB)
  • Technology: Openmind Networks (?), DEVO-Tech (CH)

Geographic Spread: Highly dispersed attack surface. Recent victims span JP, PL, TR, GB, AR, AU, US, FR, AT, EC, and CZ. This suggests automated vulnerability scanning rather than geo-targeted spear-phishing.

CVE Correlation & Attack Vector: The spike in postings (3 victims on 2026-05-24 alone) strongly correlates with the weaponization of the following CISA KEVs:

  1. CVE-2024-1708 (ConnectWise ScreenConnect): Allows remote code execution. Targeting IT management firms and managed service providers (MSPs) to gain downstream access to clients.
  2. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization flaw allowing attackers to bypass authentication and execute code on firewall management consoles, a critical breach of the network perimeter.
  3. CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): File upload and auth bypass flaws providing a web shell for initial access.

Observed Frequency: The group is posting victims in clusters of 3, indicating automated batch processing of successful compromises.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ScreenConnect Path Traversal Exploit CVE-2024-1708
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects suspicious process execution patterns associated with ConnectWise ScreenConnect authentication bypass and path traversal vulnerability.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/24
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Web.exe' # ScreenConnect web server process
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrative use via ScreenConnect
level: critical
---
title: SmarterMail Suspicious File Upload - CVE-2025-52691
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects creation of ASPX files in web directories characteristic of SmarterMail exploitation.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/24
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025.52691
logsource:
    product: windows
    category: file_create
detection:
    selection:
        TargetFilename|contains: '\Mail App\'
        TargetFilename|endswith: '.aspx'
    condition: selection
falsepositives:
    - Legitimate software updates
level: high
---
title: Large Volume Data Staging Prior to Encryption
id: c3d4e5f6-7890-12bc-def0-3456789012cd
status: experimental
description: Detects rapid archiving of multiple files typical of ransomware data staging/exfiltration preparation.
references:
    - https://attack.mitre.org/techniques/T1560/
author: Security Arsenal Research
date: 2026/05/24
tags:
    - attack.collection
    - attack.exfiltration
logsource:
    product: windows
    category: file_create
detection:
    selection:
        Image|endswith:
            - '\winrar.exe'
            - '\7z.exe'
            - '\winzip.exe'
        FileName|contains:
            - '.zip'
            - '.rar'
            - '.7z'
    timeframe: 5m
    condition: selection | count() > 10
falsepositives:
    - System backups
    - Legitimate user archiving
level: high

KQL (Microsoft Sentinel)

Hunts for lateral movement and webshell activity associated with the exploited vulnerabilities:

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious process spawns from Web Servers (IIS/SmarterMail/ScreenConnect)
Process
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("w3wp.exe", "Web.exe", "MailService.exe")
| where ProcessFileName in ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine
| extend TimestampFormat = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
| order by TimestampFormat desc

PowerShell Rapid Response Script

Audit system for recent scheduled tasks (common persistence mechanism) and check for specific indicators of the SmarterMail and ScreenConnect exploits.

PowerShell
# Check for Scheduled Tasks created in the last 7 days
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, Date, Author, Actions

# Check for suspicious ScreenConnect log patterns (if accessible)
$screenConnectPath = "C:\Program Files (x86)\ConnectWise\ScreenConnect"
if (Test-Path $screenConnectPath) {
    Write-Host "[!] ScreenConnect Detected. Reviewing recent error logs..."
    Get-ChildItem -Path "$screenConnectPath\Web Server\Logs" -Recurse -Filter "*.txt" | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(24)} | 
    Select-String -Pattern "assembly loading|path traversal" | Select-Object -First 10
}

# Check for SmarterMail ASPX shells in App_Data
$mailPath = "C:\Program Files (x86)\SmarterTools\SmarterMail"
if (Test-Path $mailPath) {
    Write-Host "[!] SmarterMail Detected. Scanning for recent ASPX modifications..."
    Get-ChildItem -Path $mailPath -Recurse -Filter "*.aspx" | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(1)} | 
    Select-Object FullName, LastWriteTime
}


# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption):**
1.  **Audit Internet-Facing Assets:** Immediately scan for Cisco FMC, ConnectWise ScreenConnect, and SmarterMail instances. Check logs for the specific exploit signatures for CVE-2024-1708, CVE-2026-20131, and CVE-2025-52691.
2.  **Process Monitoring:** Look for `w3wp.exe` or `Web.exe` spawning `cmd.exe` or `powershell.exe`.
3.  **Network Traffic:** Identify large outbound data transfers (SSL/TLS) to non-corporate IP addresses occurring outside business hours.

**Critical Assets Prioritized for Exfiltration:**
*   Intellectual Property (CAD drawings, Source code)
*   Employee PII & HR Records (SSNs, Contracts)
*   Financial Data (Tax info, Audit reports)
*   Client Databases (CRM, ERP exports)

**Containment Actions:**
1.  **Isolate:** Disconnect compromised management interfaces (Cisco FMC, ScreenConnect) from the network immediately.
2.  **Suspend:** Suspend service accounts associated with the vulnerable applications.
3.  **Preserve:** Snapshot memory of affected web servers to capture webshell artifacts.

# Hardening Recommendations

**Immediate (24 Hours):**
*   **Patch:** Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2026-20131 (Cisco FMC), and CVE-2025-52691/23760 (SmarterMail) globally.
*   **Disable:** If patching is not possible, disable external access to ScreenConnect and SmarterMail web interfaces via firewall ACLs. Enforce VPN access for management.
*   **MFA:** Enforce MFA on all remote access solutions, including ScreenConnect and VPN gateways.

**Short-term (2 Weeks):**
*   **Network Segmentation:** Isolate management interfaces (OoB management) from the internal production network.
*   **WAF:** Deploy Web Application Firewall rules to block known path traversal attempts on web servers.
*   **Storage Audit:** Implement strict auditing on Volume Shadow Copy (VSS) creation/deletion to prevent ransomware from wiping backups.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlemenransomwarecve-2024-1708cve-2026-20131smartermailexfiltration

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action