Aliases & Affiliation: Based on current infrastructure and victimology, THEGENTLEMEN appears to be a rebranding or a sub-operation of a seasoned RaaS (Ransomware-as-a-Service) syndicate, potentially sharing codebases with entities previously targeting enterprise management interfaces.
Operational Model: They operate on a high-volume RaaS model, utilizing a dual-extortion strategy. Recent data indicates a "spray and pray" approach regarding initial access vectors, leveraging known vulnerabilities in remote management software, but a "sniper" approach in victim selection, specifically targeting high-revenue sectors like Healthcare and Logistics.
Tactics & Procedures:
- Initial Access: Heavy reliance on internet-facing appliance exploitation (ConnectWise ScreenConnect, Microsoft Exchange, Cisco FMC). No significant evidence of pure phishing in this specific campaign; access is primarily gained through unpatched perimeter services.
- Dwell Time: Short. The group moves rapidly from initial foothold to exfiltration, averaging 3–5 days before detonation.
- Encryption: They utilize a custom variant that targets both Windows and Linux file systems, with a focus on network shares and backup servers.
Current Campaign Analysis
Sector Targeting (Last 100 Postings):
- Healthcare (High Priority): 4 out of 15 recent victims are US-based surgical or medical centers (Michigan Surgical Center, Edgewood Surgical Hospital, Downriver Medical Associates, Soniva Dental).
- Transportation/Logistics: Major hits include Thoresen Thai Agencies (TH), indicating a focus on supply chain disruption.
- Manufacturing & Agriculture: Distributed attacks in Guatemala (Liztex), Portugal (Soja de Portugal), and India (National Industries).
Geographic Concentration: The campaign is aggressively transcontinental but heavily weighted towards the United States (5 victims) and the APAC region (Thailand, India, Singapore, Pakistan). European presence is noted in Germany and Portugal.
Victim Profile: Targets are mid-to-large enterprise entities. The inclusion of "Thoresen Thai Agencies" (a major logistics provider) and "Computime Group" (Technology) suggests they are targeting organizations with high operational downtime costs and complex network environments.
Escalation Patterns: Posting frequency has spiked, with 15 victims published between June 1 and June 3. This surge correlates directly with the widespread exploitation of CVE-2024-1708 (ConnectWise ScreenConnect).
CVE Correlation: The recent victims are almost certainly linked to the exploitation of the following CISA KEVs:
- CVE-2024-1708 (ConnectWise ScreenConnect): The primary driver for the Healthcare and Logistics verticals, where ScreenConnect is ubiquitous for remote IT support.
- CVE-2023-21529 (Microsoft Exchange): Likely used for initial access in Tech and Business Services sectors.
- CVE-2026-20131 (Cisco Secure Firewall): A concerning addition suggesting the group is actively bypassing perimeter defenses to gain persistence.
Detection Engineering
Sigma Rules
---
title: Potential ConnectWise ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: 488530d8-1c0d-48e0-9c34-b9b7e123c456
status: experimental
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns in web logs.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026-06-05
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.thegentlemen
logsource:
    category: webserver
detection:
    selection:
        # All three fragments must appear in the same request. A plain list under
        # |contains is OR-ed in Sigma, which would fire on every request carrying
        # a Host= or Token= parameter; |contains|all makes the match conjunctive.
        cs-uri-query|contains|all:
            - '/Bin/ScreenConnect.ashx'
            - 'Host='
            - 'Token='
    condition: selection
falsepositives:
    - Legitimate ScreenConnect administration access
level: high
---
title: Suspicious PowerShell Command Line Encoded Payload
id: 9920bfb1-5a1a-4f91-8860-4541ac92b5d7
status: experimental
description: Detects suspicious PowerShell command lines with encoded payloads, often used post-exploitation by ransomware gangs.
author: Security Arsenal Research
date: 2026-06-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:   # list of maps: either the image path or the original file name identifies PowerShell
        - Image|endswith: '\powershell.exe'
        - OriginalFileName: 'PowerShell.EXE'
    selection_cli:
        CommandLine|contains:
            - ' -Enc '
            - ' -EncodedCommand '
            - 'FromBase64String'
    condition: all of selection_*
falsepositives:
    - System administration scripts
level: medium
---
title: Mass Data Staging via Rclone or Large File Copies
id: 7710b0a1-3f92-4a8c-9b12-3245ab12c987
status: experimental
description: Detects potential data exfiltration staging using tools like Rclone or rapid large file copies characteristic of ransomware prep.
author: Security Arsenal Research
date: 2026-06-05
tags:
    - attack.exfiltration
    - attack.t1041
logsource:
    category: process_creation
    product: windows
detection:
    selection_tool:
        Image|endswith:
            - '\rclone.exe'
            - '\robocopy.exe'
    selection_params:
        CommandLine|contains:
            - 'sync'
            - 'copy'
            - '/E'   # Robocopy: copy subdirectories, including empty ones.
            - '/ZB'  # Robocopy: restartable mode; fall back to backup mode on access denied.
    condition: all of selection_*
falsepositives:
    - Legitimate backup operations
level: high
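To make the selection semantics of the two process_creation rules above concrete, here is a minimal Sigma-style matcher, added as an illustration and not Security Arsenal's code. It transcribes those two rules as Python literals, runs them over constructed process-creation events (not real telemetry), and, for the PowerShell rule, also decodes the `-EncodedCommand` payload (Base64 of UTF-16LE) so an analyst sees the plaintext rather than an opaque blob. The matcher applies Sigma's default case-insensitive string matching, OR for a list of values, OR for a list of maps, AND for the keys of one map, and `all of selection_*` for the condition.

```python
# Added illustration, not Security Arsenal's code: a minimal matcher for the
# process_creation Sigma rules above, run over constructed Windows process events.
import base64
import re

# The two process_creation rules above, transcribed as Python literals.
RULES = {
    "Suspicious PowerShell Command Line Encoded Payload": {
        "selection_img": [                      # list of maps = OR
            {"Image|endswith": r"\powershell.exe"},
            {"OriginalFileName": "PowerShell.EXE"},
        ],
        "selection_cli": {"CommandLine|contains": [" -Enc ", " -EncodedCommand ", "FromBase64String"]},
    },
    "Mass Data Staging via Rclone or Large File Copies": {
        "selection_tool": {"Image|endswith": [r"\rclone.exe", r"\robocopy.exe"]},
        "selection_params": {"CommandLine|contains": ["sync", "copy", "/E", "/ZB"]},
    },
}

# Constructed sample events (not real telemetry); the encoded payload is built inline.
_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {_ENCODED}"},
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync D:\Shares remote:staging --transfers 32"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]


def _field_matches(event, key, pattern):
    """Evaluate one 'Field|modifier' pair. A list of patterns is OR-ed and
    string comparison is case-insensitive, matching Sigma's defaults."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    for p in (pattern if isinstance(pattern, list) else [pattern]):
        p = str(p).lower()
        if "endswith" in mods:
            hit = value.endswith(p)
        elif "startswith" in mods:
            hit = value.startswith(p)
        elif "contains" in mods:
            hit = p in value
        else:
            hit = value == p
        if hit:
            return True
    return False


def _selection_matches(event, selection):
    """A map AND-s its fields; a list of maps OR-s its entries."""
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matching_rules(event, rules=RULES):
    """Titles of rules whose 'all of selection_*' condition holds for the event."""
    return [title for title, selections in rules.items()
            if all(_selection_matches(event, s) for s in selections.values())]


# PowerShell accepts any unambiguous prefix of -EncodedCommand.
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
                     re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Recover the plaintext behind -EncodedCommand; None if no well-formed payload."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for ev in EVENTS:
        hits = matching_rules(ev)
        decoded = decode_encoded_command(ev["CommandLine"])
        print(f"{ev['Image']}: {hits or 'no match'}"
              + (f" | decoded: {decoded!r}" if decoded else ""))
```

Feeding real EDR events into `matching_rules` only requires mapping the vendor's field names onto `Image`, `OriginalFileName` and `CommandLine`; the decoding step is worth keeping in any triage pipeline because the `-Enc` rule by itself tells you nothing about what the script does.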
KQL (Microsoft Sentinel)
// Hunt for lateral movement and service abuse indicative of THEGENTLEMEN activity
// Focuses on WMI/Win32_Process creation and PsExec usage
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine contains "wmic" and ProcessCommandLine contains "process call create")
    or (ProcessCommandLine contains "psexec" and ProcessCommandLine contains "-accepteula")
    // Remote Win32_Process.Create shows up on the target as a child of the WMI provider host.
    // A DLL name can never appear in FileName on a process-creation table, so the
    // earlier wmiaprpl.dll clause is replaced by this parent-process check.
    or InitiatingProcessFileName =~ "wmiprvse.exe"
// InitiatingProcessFileName holds only the file name (the directory is in
// InitiatingProcessFolderPath), so compare the bare name, case-insensitively,
// to reduce noise from system init.
| where InitiatingProcessFileName !~ "svchost.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
PowerShell Hardening Script
<#
.SYNOPSIS
Rapid Response Hardening Script for THEGENTLEMEN Campaign.
.DESCRIPTION
Checks for Scheduled Tasks created in the last 7 days (common persistence)
and audits ScreenConnect services for known vulnerable versions.
#>
Write-Host "[+] Checking for recently created Scheduled Tasks (Persistence)" -ForegroundColor Cyan
# The Date property is a string (often empty); cast with -as so bad values become $null
# instead of throwing. The property holding the command is Actions, not Action.
Get-ScheduledTask |
    Where-Object { ($_.Date -as [datetime]) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, Date, Author,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

Write-Host "[+] Auditing ConnectWise ScreenConnect Services" -ForegroundColor Cyan
$screenConnectServices = Get-Service | Where-Object { $_.DisplayName -like "*ScreenConnect*" }
if ($screenConnectServices) {
    foreach ($svc in $screenConnectServices) {
        # Resolve the service binary and report its file version so the patch level can be verified
        $path = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").PathName -replace '^"([^"]+)".*$', '$1'
        $version = if ($path -and (Test-Path -LiteralPath $path)) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion } else { 'unknown' }
        Write-Host "[!] ScreenConnect Service Found: $($svc.Name) (binary version: $version)" -ForegroundColor Yellow
    }
    Write-Host "[!] ACTION REQUIRED: Verify patch status for CVE-2024-1708 immediately." -ForegroundColor Red
} else {
    Write-Host "[-] No ScreenConnect services detected." -ForegroundColor Green
}

Write-Host "[+] Checking for exposed RDP Sessions (Non-Local)" -ForegroundColor Cyan
# query.exe writes "No User exists" to stderr when nobody is logged on; suppress that noise
$users = query user 2>$null
if ($users) { $users } else { Write-Host "[-] No active RDP sessions found." }
---
Incident Response Priorities
T-Minus Detection Checklist:
- Web Shell Hunt: Immediately scan IIS logs and Exchange directories for the signature of CVE-2024-1708 and CVE-2023-21529.
- ScreenConnect Audit: Identify all instances of ConnectWise ScreenConnect. If vulnerable versions (prior to the May 2024 patches) are running, isolate the host immediately—do not just patch, as the actor may already have persistence.
- MFA Bypass Review: THEGENTLEMEN frequently bypasses MFA via session hijacking on vulnerable appliances. Review VPN and Remote Access logs for concurrent sessions from disparate geolocations.
Critical Assets Prioritized for Exfiltration:
- Patient Records (PHI): High value for resale on the dark web.
- Logistics Schedules/Manifests: Used for supply chain disruption extortion.
- Executive Email Archives: Sourced via Exchange exploits for business email compromise (BEC).
Containment Actions:
- Isolate: Disconnect identified VPN concentrators and ScreenConnect servers from the network.
- Reset: Force a password reset for all privileged accounts that have logged into the exposed ConnectWise or Exchange servers in the last 30 days.
- Suspend: Suspend active user accounts showing signs of lateral movement (multiple failed logins or successful logins from impossible travel routes).
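The MFA bypass review above (concurrent sessions from disparate geolocations) and the suspend criterion (successful logins from impossible travel routes) both come down to the same computation over remote-access sign-in records: for each user, take consecutive sign-ins, measure the great-circle distance between their geolocated sources, and compare the implied speed against what a human could plausibly manage. The script below is an added illustration, not Security Arsenal's tooling. The sign-in records, city coordinates and the 900 km/h threshold are constructed assumptions; in practice the records come from the VPN concentrator or identity provider and the threshold is tuned per environment.

```python
# Added illustration, not Security Arsenal's tooling: impossible-travel check
# over remote-access sign-in records. All sample data below is constructed.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune per environment
WINDOW_HOURS = 24.0         # only compare sign-ins this close together

# Constructed sample sign-ins: (user, UTC timestamp, geolocated source city, lat, lon)
LOGINS = [
    ("jdoe",   "2026-06-02T08:00:00", "Detroit",   42.33, -83.05),
    ("jdoe",   "2026-06-02T08:40:00", "Singapore",  1.35, 103.82),
    ("asmith", "2026-06-02T09:00:00", "Detroit",   42.33, -83.05),
    ("asmith", "2026-06-02T15:30:00", "Chicago",   41.88, -87.63),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (decimal degrees) in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, window_hours=WINDOW_HOURS):
    """Flag consecutive sign-ins by one user whose locations imply travel faster
    than max_kmh. Concurrent sessions from different places (zero elapsed time)
    are reported with an infinite implied speed. Returns one dict per finding."""
    findings = []
    last_seen = {}
    for user, ts, city, lat, lon in sorted(logins, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev is not None:
            pt, pcity, plat, plon = prev
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600.0
            if km > 0 and hours <= window_hours:
                implied = km / hours if hours > 0 else float("inf")
                if implied > max_kmh:
                    findings.append({"user": user, "from": pcity, "to": city,
                                     "km": round(km), "hours": round(hours, 2),
                                     "implied_kmh": implied})
        last_seen[user] = (t, city, lat, lon)
    return findings


if __name__ == "__main__":
    for f in impossible_travel(LOGINS):
        print(f"{f['user']}: {f['from']} -> {f['to']}, {f['km']} km in {f['hours']} h "
              f"(~{f['implied_kmh']:.0f} km/h)")
```

Run against the constructed data, only `jdoe` is flagged (Detroit to Singapore in forty minutes); `asmith`'s Detroit-to-Chicago pair over six and a half hours is ordinary commuting. Flagged users are the candidates for the session review and the account suspension the checklist calls for; corporate VPN egress and cloud proxies are the usual source of false positives, so exclude known egress ranges before acting.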
Hardening Recommendations
Immediate (24h):
- Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect security update immediately. This is the #1 initial access vector in this campaign.
- Patch CVE-2023-21529: Apply the latest Cumulative Update (CU) or Security Update (SU) for Microsoft Exchange Server.
- Block Internet Access to Management Interfaces: Restrict access to ScreenConnect, RDP (3389), and Exchange (443/80) management interfaces via firewall policies to specific IP ranges or require VPN connectivity.
Short-term (2 weeks):
- Network Segmentation: Ensure that OT (Operational Technology) and IoT systems in manufacturing and logistics sectors are logically separated from IT networks to prevent spread from a workstation to production lines.
- Implementation of PAM: Enforce Privileged Access Management (PAM) solutions to prevent the use of local admin accounts for lateral movement.