Aliases & Operations: THEGENTLEMEN operates as a sophisticated Ransomware-as-a-Service (RaaS) entity. While they project a "professional" persona, their operations are aggressive, leveraging high-severity vulnerabilities in edge networking equipment to bypass traditional perimeter defenses.
Ransom Model:
- Model: RaaS with affiliate network.
- Ransom Demands: Typically range from $500k to $5M USD, depending on victim revenue and encrypted data volume.
- Tactics: Strict double extortion. Victims' data is uploaded to dedicated leak sites before encryption deadlines expire. Recent leaks indicate aggressive naming-and-shaming tactics targeting public sector entities to increase pressure.
Initial Access & TTPs:
- Primary Vectors: Exploitation of VPNs and Firewall Management Consoles (CVE-2026-50751, CVE-2026-20131). They also heavily abuse remote monitoring tools like ConnectWise ScreenConnect (CVE-2024-1708).
- Lateral Movement: Known to utilize Cobalt Strike beacons for C2 and PsExec/WMI for internal propagation.
- Dwell Time: Average dwell time is approximately 3–5 days. The group moves rapidly from initial access to exfiltration to minimize detection windows.
Current Campaign Analysis
Sector Targeting (June 30 - July 2, 2026): The latest wave of 15 victims indicates a pivot toward Critical National Functions (CNF) and logistics:
- Public Sector: City of Boyne City (US).
- Energy: EMAS Group (CZ).
- Healthcare: Centre Ophtalmologique dErmont (FR).
- Transportation/Logistics: FAC Logistique (FR).
- Construction & Business Services: Melcor Developments (CA), Oron Law Firm (CH).
Geographic Concentration: While global, France is the primary target in this specific campaign wave (4/15 victims: SDEZ, FAC Logistique, OSP Holding, Centre Ophtalmologique). Secondary clusters exist in North America (US, CA) and Southeast Asia (TW, TH).
Victim Profile: Targeting has shifted slightly from pure random opportunity to mid-to-large enterprises with complex IT networks capable of hosting vulnerable perimeter appliances (Check Point, Cisco FMC). Revenue estimates for recent victims range from $50M to over $1B annually.
CVE Correlation & Escalation: The campaign heavily correlates with the active exploitation of:
- CVE-2026-50751 (Check Point Security Gateway): Likely used for initial access in the Transportation and Energy sectors.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Targeting managed service providers and large enterprises.
- CVE-2024-1708 (ConnectWise ScreenConnect): Used for persistent access in MSP-supported targets (e.g., CUI Agency).
Escalation Pattern: The group maintains a high posting frequency (15 victims in 24 hours), suggesting automated exploitation tools for the listed CVEs.
Detection Engineering
Sigma Rules
---
title: Potential Check Point Security Gateway IKEv1 Exploitation
date: 2026/07/02
description: Detects potential exploitation attempts of CVE-2026-50751 involving unusual IKEv1 packet sizes or anomalies in VPN gateway logs indicative of the auth bypass.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
logsource:
category: firewall
detection:
selection:
dst_port: 500
protocol: 'UDP'
vpn_vendor|contains: 'Check Point'
filter_legit:
packets_per_second: '<= 50'
condition: selection and not filter_legit
falsepositives:
- Heavy VPN usage periods during business hours
level: high
---
title: Suspicious ConnectWise ScreenConnect Path Traversal
date: 2026/07/02
description: Detects path traversal attempts in ScreenConnect (CVE-2024-1708) often used for initial access by ransomware groups.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
logsource:
category: web
detection:
selection:
cs-method: 'GET'
c-uri|contains:
- '/bin/'
- '..%2f'
- '..\\'
sc-status: 200
condition: selection
falsepositives:
- Legitimate administrative testing (rare)
level: critical
---
title: PsExec Lateral Movement
id: 24b0f14c-736b-4e3f-bb49-432984f6fde1
date: 2026/07/02
description: Detects the usage of PsExec for lateral movement, a common TTP for THEGENTLEMEN affiliates.
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\psexec.exe'
- Image|endswith: '\psexec64.exe'
selection_cli:
CommandLine|contains:
- '-accepteula'
- '\\*'
condition: 1 of selection*
falsepositives:
- Administrative system maintenance
level: high
**KQL (Microsoft Sentinel) — Lateral Movement Hunt**
kql
// Hunt for lateral movement indicators commonly used post-exploitation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("psexec", "wmic", "wmi", "powershell -enc", "iex")
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe")
| summarize count(), make_set(ProcessCommandLine) by DeviceName, AccountName, InitiatingProcessFileName
| where count_ > 5
**PowerShell — Rapid Response Hardening**
powershell
<#
.SYNOPSIS
Checks for recent scheduled task creation and exposed RDP sessions.
.DESCRIPTION
Response script to identify indicators of persistence often used by THEGENTLEMEN.
#>
Write-Host "[+] Checking for Scheduled Tasks created in the last 7 days..."
Get-ScheduledTask | Where-Object {
$_.Date -gt (Get-Date).AddDays(-7)
} | Select-Object TaskName, Date, Author, Action | Format-Table -AutoSize
Write-Host "[+] Checking for active RDP sessions (non-console)..."
$query = "SELECT * FROM Win32_LogonSession WHERE LogonType = 10"
Get-CimInstance -Query $query | ForEach-Object {
$logonId = $_.LogonId
$owner = Invoke-CimMethod -InputObject $_ -MethodName "GetOwner"
[PSCustomObject]@{
User = "$($owner.Domain)\$($owner.User)"
LogonId = $logonId
StartTime = $_.StartTime
}
} | Format-Table -AutoSize
Write-Host "[+] Verifying accessibility of Check Point / Cisco Services (Simulated)..."
Get-Service | Where-Object { $_.DisplayName -match "Check Point|Cisco" -and $_.Status -eq "Running" } | Select-Object DisplayName, Status
---
# Incident Response Priorities
**T-Minus Detection Checklist (Pre-Encryption):**
1. **VPN/Firewall Logs:** Review Check Point and Cisco FMC logs for anomalies on port 500 (IKE) or unexpected administrative logins on port 443/8305.
2. **Remote Access Tools:** Audit ConnectWise ScreenConnect logs for the "Setup.aspx" or "Banner.ashx" path traversal activity.
3. **Exchange Logs:** Check IIS logs for `Ecp/` or `OAB/` requests returning 500/200 status codes followed by PowerShell execution (Exchange exploitation).
**Critical Assets for Exfiltration:**
Based on the victim profile, prioritize securing:
- HR databases (Employee PII is high leverage).
- Financial systems (Oracle/SAP).
- CAD/Blueprint repositories (Construction/Engineering victims).
**Containment Actions (Order of Urgency):**
1. **Isolate:** Immediately disconnect Check Point and Cisco Management interfaces from the internet if patching cannot be verified.
2. **Disable:** Temporarily disable Internet-facing VPN concentrators if the IKEv1 vulnerability (CVE-2026-50751) cannot be mitigated via configuration immediately.
3. **Suspend:** Suspend all ConnectWise ScreenConnect services until patched to the latest secure build.
---
# Hardening Recommendations
**Immediate (24 Hours):**
- **Patch CVE-2026-50751:** Apply the hotfix for Check Point Security Gateways immediately. Enforce IKEv2 only where possible.
- **Patch CVE-2026-20131:** Update Cisco Secure Firewall FMC to the fixed version.
- **Patch CVE-2024-1708:** Ensure ScreenConnect is updated to the latest version; enforce MFA on all remote access portals.
**Short-Term (2 Weeks):**
- **Network Segmentation:** Move VPN and Firewall Management interfaces to a dedicated OOB (Out-of-Band) management VLAN not accessible from the general corporate network.
- **Geo-Blocking:** Restrict management interface access to known source IP addresses only.
- **Audit Credentials:** Force a password reset for all administrative accounts on firewall and VPN appliances, assuming credential theft may have occurred.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.