Threat Actor Profile — THEGENTLEMEN
THEGENTLEMEN is a sophisticated ransomware operation that runs as a closed group rather than under the traditional Ransomware-as-a-Service (RaaS) model. Its operations show significant technical capability, with a focus on exploiting perimeter security weaknesses rather than the traditional phishing vectors.
Known Characteristics:
- Operating Model: Closed group with targeted operations
- Typical Ransom Demands: $500,000 - $5,000,000 depending on victim revenue
- Initial Access Methods: VPN exploitation (Check Point, Cisco vulnerabilities), RDP brute force, supply chain compromise
- Double Extortion: Data exfiltration prior to encryption, with threats of public release
- Dwell Time: 3-14 days before detonation, allowing extensive reconnaissance and lateral movement
- Negotiation Style: Professional but aggressive, typically starting at 75-80% of original demand
- Payment Methods: Monero (XMR) and Bitcoin (BTC) with mixing services
- Communication: TOR-based negotiation portals with encrypted messaging
Current Campaign Analysis
Sector Targeting
THEGENTLEMEN has demonstrated broad sector targeting with recent campaigns focusing on:
- Manufacturing (27% of recent victims): Buechel Stone, Cole Manufacturing, Traublinger, Buratti
- Energy (13%): Maine Oxy
- Technology (13%): Times Software, SigmaControl
- Agriculture and Food Production (13%): Fecovita, Mackay Sugar
- Business Services (13%): Executive Coach, Linnecken Partner
- Education (7%): Kozminski University
- Construction (7%): Constructions Piraino
- Public Sector (7%): National Museum
- Healthcare (7%): Centre Medical Crowley
Geographic Concentration
Recent victims span 9 countries with notable concentration in:
- United States (33%): 5 victims
- Germany (13%): 2 victims
- Argentina (7%): 1 victim
- Australia (7%): 1 victim
- Canada (7%): 1 victim
- Denmark (7%): 1 victim
- France (7%): 1 victim
- Italy (7%): 1 victim
- Poland (7%): 1 victim
- Singapore (7%): 1 victim
- Netherlands (7%): 1 victim
Victim Profile
Based on sector analysis and victim size estimates:
- Mid-market to large enterprises: $50M - $5B in revenue
- Preferential targeting of organizations with:
  - Critical infrastructure components
  - Complex supply chains
  - International operations
  - Limited security operations resources
- Posting frequency: 1-3 victims daily with weekend gaps
- Escalation pattern: Initial breach → 3-7 days reconnaissance → 3-5 days lateral movement → Data exfiltration → 24-48 hours before encryption → Dark web posting
CVE Connection as Initial Access Vectors
Based on the confirmed CISA KEV list and THEGENTLEMEN's known TTPs, the following CVEs are likely being exploited for initial access:
- CVE-2026-50751 (Check Point Security Gateway) - Added to CISA KEV on 2026-06-08
  - Exploitation window: 7 days before recent victim postings
  - Likely entry point for energy and manufacturing victims with perimeter firewalls
- CVE-2026-20131 (Cisco Secure Firewall Management Center) - Added to CISA KEV on 2026-03-19
  - Exploitation window: 89 days before recent victim postings
  - Likely entry point for technology and business services victims
- CVE-2024-1708 (ConnectWise ScreenConnect) - Added to CISA KEV on 2026-04-28
  - Common in managed service provider supply chain attacks
  - Likely explains simultaneous targeting across geographies
- CVE-2023-21529 (Microsoft Exchange Server) - Added to CISA KEV on 2026-04-13
  - Consistent with education and public sector targeting
- CVE-2026-48027 (Nx Console) - Added to CISA KEV on 2026-05-27
  - Targeted at technology and development environments
Detection Engineering
SIGMA Rules
---
title: Potential THEGENTLEMEN Initial Access via Check Point Security Gateway
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects potential initial access activity related to CVE-2026-50751 exploitation on Check Point Security Gateways. THEGENTLEMEN has been actively exploiting this vulnerability for initial access.
author: Security Arsenal Research
date: 2026-06-16
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026.50751
  - thegentlemen
logsource:
  product: firewall
  service: check_point
detection:
  selection:
    product|contains: 'Security Gateway'
    action|re: '(accept|decrypt)'
    service|re: '(ike|vpn|ipsec)'
  # Every VPN session from a non-RFC1918 source matches; tune filter_legit
  # with known corporate and partner egress ranges before enabling at high.
  filter_legit:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate remote access from new corporate locations
  - New partner VPN connections
level: high
---
title: Potential THEGENTLEMEN Lateral Movement via Cobalt Strike
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
description: Detects potential Cobalt Strike beacon activity characteristic of THEGENTLEMEN lateral movement operations.
author: Security Arsenal Research
date: 2026-06-16
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
tags:
  - attack.lateral_movement
  - attack.t1021
  - attack.s0154   # ATT&CK software ID for Cobalt Strike
  - thegentlemen
logsource:
  product: windows
  service: security
detection:
  selection_process:
    # CommandLine in 4688 requires the "Include command line in process
    # creation events" audit policy; without it this selection never fires.
    EventID: 4688
    NewProcessName|contains:
      - 'powershell.exe'
      - 'rundll32.exe'
      - 'regsvr32.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
  selection_network:
    # Event 5156 records the destination as an IP address (DestAddress); a
    # hostname pattern only matches if the pipeline enriches events with
    # resolved names. Pair with DNS query logs for reliable .onion coverage.
    EventID: 5156
    DestPort: 443
    DestAddress|re: '.*\.onion$'
  condition: 1 of selection_*
falsepositives:
  - Legitimate administrative scripts
  - Authorized security tools
level: high
---
title: THEGENTLEMEN Pre-Encryption Data Staging Activity
id: c3d4e5f6-a7b8-9012-cdef-123456789012
description: Detects data staging patterns typically observed before THEGENTLEMEN encryption, including mass file copying and archive creation.
author: Security Arsenal Research
date: 2026-06-16
references:
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
tags:
  - attack.exfiltration
  - attack.t1041
  - thegentlemen
logsource:
  product: windows
  service: security
detection:
  selection_archive:
    EventID: 4663
    ObjectType|contains:
      - 'File'
    ObjectName|contains:
      - '.zip'
      - '.rar'
      - '.7z'
      - '.tar'
    AccessMask|contains:
      - '0x1'
      - '0x2'
      - '0x4'
  selection_masscopy:
    EventID: 4656
    ObjectType|contains:
      - 'File'
    ObjectName|re: '.*\\(Users|Documents|Shares|Backups)\\.*'
    AccessMask|contains:
      - '0x1'
      - '0x2'
  # 4656 and 4663 are separate events, so an AND across the two selections can
  # never be true for a single record. Emit on either and correlate the two
  # hits in the SIEM (same SubjectUserName, 1h window) or with a Sigma
  # correlation rule.
  condition: 1 of selection_*
falsepositives:
  - Legitimate backup operations
  - System administrators archiving files
level: high
KQL (Microsoft Sentinel)
// Hunt for potential THEGENTLEMEN lateral movement and staging activities
// Identify suspicious SMB connections and mass file access patterns
let TimeFrame = ago(7d);
let HighRiskProcesses = dynamic(['powershell.exe', 'cmd.exe', 'wmiexec.exe', 'psexec.exe', 'psexec64.exe']);
// Known-bad IPs come from threat intelligence (for example a Sentinel watchlist); empty until populated
let SuspiciousIPs = dynamic([]);
// Detect unusual lateral movement via SMB
let SMBConnections =
    DeviceNetworkEvents
    | where Timestamp >= TimeFrame
    | where RemotePort in (445, 139)
    | where InitiatingProcessFileName in~ (HighRiskProcesses)
    | summarize Connections=count() by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 1h)
    | where Connections > 10;
// Detect mass file access patterns (potential staging)
let FileAccessPattern =
    DeviceFileEvents
    | where Timestamp >= TimeFrame
    | where ActionType in ('FileCreated', 'FileModified', 'FileAccessed')
    | summarize FileCount=count(), DistinctFolders=dcount(FolderPath) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 1h)
    | where FileCount > 100 and DistinctFolders > 5;
// Detect connections to suspicious infrastructure
// has_any() matches whole terms and does not expand wildcards, so TOR and dynamic-DNS hostnames are matched by suffix
let SuspiciousNetwork =
    DeviceNetworkEvents
    | where Timestamp >= TimeFrame
    | where RemoteUrl endswith '.onion' or RemoteUrl endswith '.ddns.net' or RemoteUrl contains '.no-ip.'
        or RemoteIP in (SuspiciousIPs)
    | summarize ConnectionCount=count() by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, bin(Timestamp, 1h);
// Identify potential PowerShell download activity
let PowerShellSuspicious =
    DeviceProcessEvents
    | where Timestamp >= TimeFrame
    | where ProcessVersionInfoOriginalFileName =~ 'powershell.exe'
    | where ProcessCommandLine has_any ('DownloadString', 'IEX', 'Invoke-Expression', 'WebClient', 'DownloadFile')
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName;
// Combine all detections (the default outer union keeps every subquery's columns)
union SMBConnections, FileAccessPattern, SuspiciousNetwork, PowerShellSuspicious
| sort by Timestamp desc
PowerShell Response Script
#Requires -RunAsAdministrator
<#
.SYNOPSIS
    THEGENTLEMEN Ransomware Rapid Response Script
.DESCRIPTION
    This script performs checks for indicators of THEGENTLEMEN ransomware activity and implements immediate hardening measures.
.NOTES
    File Name        : THEGENTLEMEN_Response.ps1
    Author           : Security Arsenal
    Prerequisite     : PowerShell 5.1 or later
    Execution Policy : Requires Administrator privileges
#>
param(
    [switch]$Detailed,
    [switch]$ApplyHardening
)

function Write-Log {
    param([string]$Message, [string]$Level = 'INFO')
    $timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Write-Host "[$timestamp] [$Level] $Message"
}

Write-Log "Starting THEGENTLEMEN Ransomware Rapid Response Checks"

# Look-back window shared by the scheduled task and shadow copy checks
$cutoffDate = (Get-Date).AddDays(-7)

# Check for active or disconnected RDP sessions
Write-Log "Checking for active RDP connections..."
$rdpConnections = query user 2>&1
if ($rdpConnections -match 'Active|Disc') {
    Write-Log "Active RDP sessions detected:" "WARNING"
    $rdpConnections
}

# Check for recently created suspicious scheduled tasks
Write-Log "Checking for suspicious scheduled tasks created in last 7 days..."
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    # The task's Date property is a string and may be empty; only compare it when it parses
    $created = [datetime]::MinValue
    [datetime]::TryParse($_.Date, [ref]$created) -and $created -gt $cutoffDate -and
    ($_.TaskName -match '\d{4}' -or $_.TaskName -match 'update|system') -and
    $_.Author -notlike '*Microsoft*' -and
    $_.Author -notlike '*System*'
}
if ($suspiciousTasks) {
    Write-Log "Suspicious scheduled tasks detected:" "WARNING"
    $suspiciousTasks | Format-Table TaskName, Author, Date, State -AutoSize
}

# Check Volume Shadow Copies: ransomware commonly removes them before encryption
Write-Log "Checking for Volume Shadow Copy manipulation..."
$shadowCopies = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadowCopies) {
    Write-Log "No Volume Shadow Copies present; confirm they were not deleted." "WARNING"
} else {
    $recentShadows = $shadowCopies | Where-Object { $_.InstallDate -gt $cutoffDate }
    if ($recentShadows) {
        Write-Log "Recent Volume Shadow Copy activity detected:" "WARNING"
        $recentShadows | Format-Table ID, InstallDate, VolumeName -AutoSize
    }
}

# Check for mass file encryption indicators (a full C:\ walk; expect this to take a while)
Write-Log "Checking for indicators of mass file encryption..."
$fileExtensions = @('.encrypted', '.locked', '.thegentlemen', '.gent', '.enc')
$encryptedFiles = Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $fileExtensions -contains $_.Extension } |
    Select-Object -First 10 FullName, LastWriteTime
if ($encryptedFiles) {
    Write-Log "Potential encrypted files detected:" "CRITICAL"
    $encryptedFiles | Format-Table -AutoSize
}

# Check for established connections to non-private addresses on ports commonly used by C2 frameworks
Write-Log "Checking for suspicious network connections..."
$suspiciousPorts = @(4433, 4444, 5555, 6666, 8888, 9999)
$privateRanges = '^(::1$|fe80:|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)'
$suspiciousConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $suspiciousPorts -contains $_.RemotePort -and $_.RemoteAddress -notmatch $privateRanges } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
if ($suspiciousConnections) {
    Write-Log "Suspicious network connections detected:" "WARNING"
    $suspiciousConnections | Format-Table -AutoSize
}

# Apply hardening if requested
if ($ApplyHardening) {
    Write-Log "Applying immediate hardening measures..."

    # Disable RDP if not needed
    Write-Log "Disabling RDP if enabled..."
    $rdpStatus = (Get-CimInstance -ClassName Win32_TerminalServiceSetting -Namespace root\cimv2\terminalservices).AllowTSConnections
    if ($rdpStatus -eq 1) {
        Write-Log "RDP is currently enabled. Disabling..." "WARNING"
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
        netsh advfirewall firewall set rule group="remote desktop" new enable=No
        Write-Log "RDP has been disabled."
    } else {
        Write-Log "RDP is already disabled."
    }

    # Block SMBv1
    Write-Log "Disabling SMBv1 if enabled..."
    $smb1Status = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($smb1Status) {
        Write-Log "SMBv1 is enabled. Disabling..." "WARNING"
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Log "SMBv1 has been disabled."
    } else {
        Write-Log "SMBv1 is already disabled."
    }

    # Enable PowerShell script block logging
    Write-Log "Enabling PowerShell script block logging..."
    $sblKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
    if (!(Test-Path $sblKey)) {
        New-Item -Path $sblKey -Force | Out-Null
    }
    Set-ItemProperty -Path $sblKey -Name "EnableScriptBlockLogging" -Value 1 -Type DWord
    Write-Log "PowerShell script block logging enabled."
    Write-Log "Hardening measures applied successfully."
}

Write-Log "THEGENTLEMEN Ransomware Rapid Response Checks completed."
if ($Detailed) {
    Write-Log "For detailed analysis, review full system logs and consider engaging Security Arsenal Incident Response team." "INFO"
}
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption)
- Network Anomalies
  - Unusual VPN connection patterns from new geographic locations
  - Large outbound data transfers during non-business hours
  - Connections to known THEGENTLEMEN infrastructure IPs/TOR endpoints
- Authentication Irregularities
  - Failed authentication attempts on Check Point/Cisco devices
  - Successful logins from unusual locations for administrative accounts
  - New accounts created in Active Directory
- Endpoint Indicators
  - Unauthorized scheduled tasks (especially with 'system' or 'update' names)
  - PowerShell processes with suspicious command-line arguments
  - Unusual process executions (PsExec, WMI, SMB-related tools)
- File System Activity
  - Sudden increase in file modifications across network shares
  - Creation of archive files (zip, rar, 7z) by non-admin users
  - Attempts to access Volume Shadow Copies
- Service Disruption
  - Unexpected service restarts or stops
  - Antivirus or EDR agents disabled
  - Backup service failures
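The staging Sigma rule above cannot join a 4656 file open with a 4663 archive write inside one record, and the File System Activity items call for exactly that correlation. As an added example, not part of the profile or of Security Arsenal's tooling, the Python below performs it over constructed event lines; the log format, the 20-file threshold and all sample events are assumptions.

```python
"""Pre-encryption staging correlator (added example, constructed input): an
archive write (4663) by an account that opened many files (4656) under
Users/Documents/Shares/Backups paths within the previous hour."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

ARCHIVE_EXT = ('.zip', '.rar', '.7z', '.tar')
STAGING_DIRS = re.compile(r'\\(Users|Documents|Shares|Backups)\\', re.IGNORECASE)
WINDOW = timedelta(hours=1)
MIN_DISTINCT_FILES = 20          # assumed threshold; tune per environment

def parse_event(line):
    """Parse one constructed 'key=value|key=value' log line into a dict."""
    ev = dict(kv.split('=', 1) for kv in line.split('|'))
    ev['time'] = datetime.fromisoformat(ev['time'])
    ev['id'] = int(ev['id'])
    return ev

def find_staging(lines, min_files=MIN_DISTINCT_FILES):
    """Return (account, archive_path) pairs: an archive written (AccessMask has
    WriteData 0x2 or AppendData 0x4) after >= min_files distinct opens under
    staging directories by the same account inside WINDOW."""
    opens = defaultdict(list)    # account -> [(time, path)]
    archives = []
    for ev in map(parse_event, lines):
        if ev['id'] == 4656 and STAGING_DIRS.search(ev['obj']):
            opens[ev['user']].append((ev['time'], ev['obj']))
        elif (ev['id'] == 4663 and ev['obj'].lower().endswith(ARCHIVE_EXT)
              and int(ev['mask'], 16) & 0x6):
            archives.append((ev['user'], ev['time'], ev['obj']))
    hits = []
    for user, when, path in archives:
        recent = {p for t, p in opens[user] if when - WINDOW <= t <= when}
        if len(recent) >= min_files:
            hits.append((user, path))
    return hits

def build_sample():
    """Constructed telemetry: 25 share reads then a .7z write by jdoe
    (staging), and one document zipped by admin (benign)."""
    t0 = datetime(2026, 6, 16, 2, 0)
    at = lambda m: (t0 + timedelta(minutes=m)).isoformat()
    lines = [f"time={at(i)}|id=4656|user=CORP\\jdoe"
             f"|obj=\\\\fs01\\Shares\\Finance\\q{i}.xlsx|mask=0x1" for i in range(25)]
    lines.append(f"time={at(40)}|id=4663|user=CORP\\jdoe|obj=D:\\tmp\\finance.7z|mask=0x2")
    lines.append(f"time={at(0)}|id=4656|user=CORP\\admin"
                 "|obj=C:\\Users\\admin\\Documents\\notes.txt|mask=0x1")
    lines.append(f"time={at(5)}|id=4663|user=CORP\\admin"
                 "|obj=C:\\Users\\admin\\Documents\\notes.zip|mask=0x2")
    return lines
```

Running `find_staging(build_sample())` returns the jdoe archive only; the admin's single document zip stays below the threshold.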
Critical Assets Prioritized by THEGENTLEMEN
Based on historical victim data, THEGENTLEMEN typically prioritizes:
- Intellectual Property (Manufacturing, Technology sectors)
- Customer PII/Financial Data (Business Services, Education)
- Operational Secrets (Energy, Agriculture)
- Proprietary Formulas/Designs (Manufacturing, Food Production)
- Executive Communications (All sectors)
Containment Actions (Ordered by Urgency)
- IMMEDIATE (0-4 hours)
  - Isolate affected systems from network
  - Disable VPN credentials for Check Point/Cisco devices
  - Revoke all admin credentials if compromise suspected
  - Disconnect internet access for critical file servers
- HIGH PRIORITY (4-12 hours)
  - Reset all domain administrator credentials
  - Temporarily suspend non-essential VPN access
  - Block outbound connections to known THEGENTLEMEN infrastructure
  - Implement network segmentation if not already in place
- PRIORITY (12-24 hours)
  - Remediate exploited vulnerabilities
  - Conduct forensic analysis of affected systems
  - Review and secure backup systems
  - Implement additional monitoring for lateral movement
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs
  - Apply patches for CVE-2026-50751 (Check Point Security Gateway)
  - Apply patches for CVE-2026-20131 (Cisco Secure Firewall Management Center)
  - Apply patches for CVE-2024-1708 (ConnectWise ScreenConnect)
  - Apply patches for CVE-2023-21529 (Microsoft Exchange Server)
  - Apply patches for CVE-2026-48027 (Nx Console)
- Perimeter Security
  - Implement MFA for all VPN and remote access solutions
  - Restrict VPN access to specific IP ranges where possible
  - Review and limit remote administrative access to critical infrastructure
  - Implement rate limiting and geofencing for VPN connections
- Endpoint Protections
  - Verify EDR agents are functioning and up-to-date
  - Enable PowerShell script block logging across the enterprise
  - Disable unnecessary RDP access
  - Configure EDR to detect and block Cobalt Strike beacons
- Network Monitoring
  - Enable NetFlow/IPFIX data collection and analysis
  - Implement DNS monitoring for suspicious domains
  - Set up alerts for large outbound data transfers
  - Monitor for new scheduled tasks and service modifications
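The large-outbound-transfer alert recommended above (and the "large outbound data transfers during non-business hours" item in the T-Minus checklist) as an added example, not from the profile or from Security Arsenal's products: it baselines each host's business-hour volume to non-RFC1918 destinations over constructed NetFlow-style records and flags off-hours spikes. The flow format, the 08:00-17:59 business window, the 5x ratio and the 500 MB floor are assumptions.

```python
"""Off-hours outbound volume detector (added example, constructed flows):
flags an hour in which a host sends more to non-RFC1918 addresses than
both an absolute floor and N times its own median business-hour volume."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = [ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
BUSINESS_HOURS = range(8, 18)     # assumed 08:00-17:59 local
SPIKE_RATIO = 5.0                 # assumed multiple of the host's business-hour median
MIN_BYTES = 500 * 1024 * 1024     # assumed floor so near-idle hosts do not alert

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flow(line):
    """Parse a constructed 'timestamp,src,dst,bytes' flow record."""
    ts, src, dst, nbytes = line.split(',')
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def find_offhours_exfil(lines, ratio=SPIKE_RATIO, floor=MIN_BYTES):
    """Return {src: [(hour_start_iso, bytes), ...]} for alerting hours."""
    hourly = defaultdict(lambda: defaultdict(int))   # src -> hour -> bytes
    for ts, src, dst, nbytes in map(parse_flow, lines):
        if is_internal(dst):
            continue                                  # east-west traffic is out of scope
        hourly[src][ts.replace(minute=0, second=0, microsecond=0)] += nbytes
    alerts = {}
    for src, hours in hourly.items():
        business = [b for h, b in hours.items() if h.hour in BUSINESS_HOURS]
        baseline = median(business) if business else 0
        flagged = [(h.isoformat(), b) for h, b in sorted(hours.items())
                   if h.hour not in BUSINESS_HOURS and b >= floor and b > ratio * baseline]
        if flagged:
            alerts[src] = flagged
    return alerts

def build_sample():
    """Constructed flows: fs01 sends ~50 MB/h to a SaaS IP by day and 4 GB to an
    unknown host at 02:00; ws07 is a quiet workstation with a small night flow."""
    mb = 1024 * 1024
    lines = []
    for hour in range(8, 18):
        lines.append(f"2026-06-15T{hour:02d}:15:00,10.0.0.5,203.0.113.10,{50 * mb}")
        lines.append(f"2026-06-15T{hour:02d}:30:00,10.0.0.5,10.0.0.20,{900 * mb}")   # internal backup
        lines.append(f"2026-06-15T{hour:02d}:45:00,10.0.0.77,203.0.113.10,{5 * mb}")
    lines.append(f"2026-06-16T02:05:00,10.0.0.5,198.51.100.7,{4096 * mb}")
    lines.append(f"2026-06-16T03:10:00,10.0.0.77,203.0.113.10,{20 * mb}")
    return lines
```

The internal 900 MB/h backup flows are ignored by design, so they neither inflate the baseline nor trigger an alert; only the 4 GB night transfer from 10.0.0.5 is returned.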
Short-term (2 Weeks)
- Architecture Improvements
  - Implement network microsegmentation
  - Deploy Privileged Access Management (PAM) solution
  - Establish secure jump servers for administrative access
  - Implement zero trust network access (ZTNA) principles
- Backup Strategy Enhancement
  - Implement immutable backups (WORM storage)
  - Test restore procedures for critical systems
  - Ensure backups are isolated from production networks
  - Implement 3-2-1 backup rule with offline copies
- Security Operations
  - Enhance SIEM detection rules for THEGENTLEMEN TTPs
  - Conduct threat hunting for indicators of compromise
  - Implement automated response playbooks
  - Train SOC team on THEGENTLEMEN specific indicators
- Vulnerability Management
  - Prioritize patching of perimeter security devices
  - Implement regular penetration testing
  - Establish process for rapid deployment of critical patches
  - Conduct third-party security assessment of remote access solutions