Aliases: None confirmed (recently emerged). Model: Likely RaaS (Ransomware-as-a-Service) or highly organized affiliate network based on volume and sector diversity. Ransom Demands: Not publicly disclosed, but typically range from $500k to $5M depending on victim revenue. Initial Access: This group is aggressively exploiting perimeter vulnerabilities. Recent intelligence confirms the use of CVE-2024-1708 (ConnectWise ScreenConnect), CVE-2026-50751 (Check Point Security Gateway), and CVE-2026-20131 (Cisco Secure Firewall FMC). They are pivoting from external-facing remote access tools and VPN appliances rather than relying solely on phishing. Tactics: Double extortion is standard. They exfiltrate sensitive data prior to encryption and utilize a leak site to pressure victims. Dwell Time: Estimated 3–7 days. The speed of recent postings (multiple per day) suggests automated discovery and rapid deployment once initial access is secured.
Current Campaign Analysis
Geographic Concentration: The current campaign shows a distinct bias towards France (33% of recent victims), with significant activity in the US and Italy. Other impacted regions include Taiwan, Canada, Switzerland, and Poland.
Sectors Under Fire: While opportunistic, the group has a high hit rate in:
- Transportation & Logistics: FAC Logistique (FR), Comp Trading (TH)
- Public Sector: The City of Boyne City (US)
- Healthcare: Centre Ophtalmologique dErmont (FR)
- Construction/Real Estate: Melcor Developments (CA)
- Professional Services: Oron Law Firm (CH)
Victim Profile: The target list includes a mix of mid-market to large enterprises. Victims like Pou Sheng International (Consumer Services) and EMAS Group (Energy) suggest the group targets organizations with high revenue complexity and operational downtime sensitivity.
Escalation Patterns: There is a high volume of postings published on 2026-06-30, indicating a "mass dump" strategy or a scheduled batch release following a period of unsuccessful negotiations.
CVE Correlation: The inclusion of CVE-2024-1708 (ConnectWise) and CVE-2026-50751 (Check Point) in the CISA KEV list confirms that THEGENTLEMEN affiliates are weaponizing known remote access vulnerabilities to bypass perimeter defenses, specifically targeting management interfaces and VPN gateways.
Detection Engineering
SIGMA Rules
---
title: Potential ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 62a1b1e0-8f3a-4b1a-9c1d-2e3f4a5b6c7d
status: experimental
description: Detects potential path traversal and authentication bypass attempts on ConnectWise ScreenConnect web servers indicative of CVE-2024-1708 exploitation.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/07/03
logsource:
category: webserver
product: apache
detection:
selection:
cs-uri-query|contains:
- '/Bin/ScreenConnect.ashx'
- '../'
cs-method: 'POST'
condition: selection
falsepositives:
- Legitimate administrative access (rare for this pattern)
level: critical
tags:
- cve.2024.1708
- attack.initial_access
- thegentlemen
---
title: Ransomware Shadow Copy Deletion via VSSAdmin
id: 77c2d2f1-9g4b-5c2b-0d2e-3f4g5a6b7c8d
status: experimental
description: Detects the deletion of Volume Shadow Copies using vssadmin, a common precursor to ransomware encryption used by THEGENTLEMEN affiliates.
author: Security Arsenal
date: 2026/07/03
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
condition: selection
falsepositives:
- System administration maintenance
level: high
tags:
- attack.impact
- thegentlemen
---
title: Suspicious PowerShell Encoded Command Pattern
title: Suspicious PowerShell Encoded Command Pattern
id: 88d3e3g2-0h5c-6d3c-1e2f-4g5h6i7j8k9l
status: experimental
description: Detects PowerShell commands with high entropy encoded payloads, often used for post-exploitation and launcher stages.
author: Security Arsenal
date: 2026/07/03
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -e '
- ' -Enc '
- 'EncodedCommand'
condition: selection
falsepositives:
- Legitimate scripting automation
level: medium
tags:
- attack.execution
- thegentlemen
KQL (Microsoft Sentinel)
// Hunt for suspicious ScreenConnect or Check Point Gateway log anomalies
// and subsequent lateral movement
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Look for web server processes spawning shells (web shell behavior)
| where InitiatingProcessFileName in~ ("httpd.exe", "nginx.exe", "Apache.exe")
| where ProcessCommandLine has any("cmd.exe", "powershell.exe", "whoami", "net user")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, FolderPath
| union (
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
// Look for internal SMB traffic to non-standard workstations
| where RemotePort == 445
| where InitiatingProcessFileName !in~ ("System", "svchost.exe", "explorer.exe", "lsass.exe")
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
)
PowerShell Response Script
<#
.SYNOPSIS
THEGENTLEMEN Ransomware Hardening & Hunt Script
.DESCRIPTION
Checks for signs of CVE-2024-1708 exploitation (IIS logs if present),
enumerates suspicious scheduled tasks, and identifies recently shadow copy deletions.
#>
Write-Host "[+] Starting Security Arsenal Hardening Check for THEGENTLEMEN IOCs..."
# 1. Check for Scheduled Tasks created in the last 7 days (Persistence)
Write-Host "[+] Checking for Scheduled Tasks created in the last 7 days..."
$getTask = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($getTask) {
Write-Host "[!] WARNING: Found recently created scheduled tasks:" -ForegroundColor Red
$getTask | Select-Object TaskName, Date, Author, State | Format-Table
} else {
Write-Host "[-] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
# 2. Check Volume Shadow Copy State (Impact)
Write-Host "[+] Checking Volume Shadow Copy availability..."
$vss = vssadmin list shadows
if ($vss -match "No shadow copies found") {
Write-Host "[!] WARNING: No Volume Shadow Copies exist. Possible deletion or lack of protection." -ForegroundColor Red
} else {
Write-Host "[-] Volume Shadow Copies detected." -ForegroundColor Green
}
# 3. Network Check (Basic exposure)
Write-Host "[+] Checking for active RDP sessions (Lateral Movement)..."
$rdp = query user
if ($rdp.Count -gt 1) {
Write-Host "[!] Active RDP sessions detected:" -ForegroundColor Yellow
Write-Host $rdp
}
Write-Host "[+] Scan complete. If warnings are found, isolate the host and initiate IR protocol."
---
# Incident Response Priorities
1. **T-Minus Detection Checklist:**
* **Perimeter Logs:** Immediate review of **Check Point Security Gateway** logs for IKEv1 anomalies and **ConnectWise ScreenConnect** logs for path traversal (`..\`) in the URI query.
* **Web Shells:** Hunt for `apache.exe` or `httpd.exe` spawning cmd.exe or powershell.exe.
* **LSASS Memory:** Dumping of LSASS memory is a common precursor for credential dumping.
2. **Critical Assets for Exfiltration:**
* Based on victimology (Law, Healthcare, City Gov), prioritize protecting **PII/PHI databases**, **Legal contracts/client files**, and **Municipal financial records**.
3. **Containment Actions (Urgency Order):**
* **CRITICAL:** Disconnect unpatched **ConnectWise ScreenConnect** instances from the network immediately.
* **HIGH:** Force-reset credentials for accounts that have accessed the management interfaces of **Cisco FMC** or **Check Point** gateways in the last 30 days.
* **MEDIUM:** Isolate systems with abnormal Scheduled Task creation patterns.
---
# Hardening Recommendations
**Immediate (24 Hours):**
* **Patch CVE-2024-1708:** Apply the ScreenConnect patch immediately. If patching is delayed, restrict access to the `/Bin` and `/Guest` paths to internal IP ranges only via WAF.
* **Patch CVE-2026-50751:** Update Check Point Security Gateways to the latest version to mitigate IKEv1 authentication bypass.
* **MFA Enforcement:** Ensure all remote access tools (VPN, RDP, ScreenConnect) have phishing-resistant MFA enforced strictly.
**Short-Term (2 Weeks):**
* **Network Segmentation:** Move management interfaces (ScreenConnect, Cisco FMC, Check Point) to a dedicated, isolated management VLAN that is not accessible from the open internet without a bastion host.
* **Audit Remote Access Tools:** Conduct a full audit of all SaaS and on-premise remote access software. Remove any unused instances.
* **EDR Tuning:** Update EDR policies to detect high-frequency file modification (mass encryption) and unauthorized VSS shadow copy deletion attempts.
---
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.