Back to Intelligence

THEGENTLEMEN Ransomware: Global Surge Exploiting Exchange & Mail Server Flaws

SA
Security Arsenal Team
May 10, 2026
6 min read

Date: 2026-05-10 Source: Ransomware.live Dark Web Leak Site Monitoring Analyst: Security Arsenal Intel Unit

Threat Actor Profile — THEGENTLEMEN

Operating Model: THEGENTLEMEN operate as a aggressive Ransomware-as-a-Service (RaaS) entity. They have recently ramped up operations, posting 19 victims in their last 100 listings, indicating a high-velocity campaign.

Ransom Demands: Demands typically range from $500,000 to $5 million USD, calculated based on victim revenue and the sensitivity of exfiltrated data.

TTPs & Initial Access: Unlike groups relying solely on phishing, THEGENTLEMEN heavily leverages critical internet-facing vulnerabilities. Their current campaign shows a distinct preference for exploiting unpatched email infrastructure (Microsoft Exchange, SmarterTools) and firewall management interfaces (Cisco FMC). They employ a double-extortion model, exfiltrating data 3–7 days before encryption to maximize pressure.

Dwell Time: Short. Evidence suggests dwell times of 3–5 days between initial exploit and detonation, emphasizing the need for rapid detection.

Current Campaign Analysis

Sectors Targeted: The gang is indiscriminately targeting critical operational sectors. The latest posting wave (2026-05-06 to 2026-05-08) includes:

  • Manufacturing: 4 victims (e.g., Misr Chemical Industries, Hillside Lumber)
  • Construction: 2 victims
  • Telecommunications: 1 high-value target (TDS)
  • Healthcare: 1 victim (DermaPharm)
  • Business Services: 3 victims

Geographic Spread: The operation is globally distributed, with a slight concentration in the United States. Recent targets span Egypt (EG), United States (US), Germany (DE), Netherlands (NL), Venezuela (VE), Poland (PL), Denmark (DK), Mexico (MX), and New Zealand (NZ).

Victim Profile: The victims range from mid-market businesses (e.g., Arizona Professional Painting) to large industrial entities (Misr Chemical Industries). Revenue estimates for the recent batch range from $10M to over $500M.

Observed Posting Frequency: THEGENTLEMEN is executing "burst" posting strategies, releasing batches of 5-8 victim sites simultaneously. This suggests automated or semi-automated site operation and high operational tempo.

CVE Connection: The intelligence strongly links the recent surge to the exploitation of specific CISA KEV-listed vulnerabilities. The presence of Telecommunication and Technology victims correlates directly with:

  • CVE-2023-21529 (Microsoft Exchange)
  • CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail)
  • CVE-2026-20131 (Cisco Secure Firewall)

Detection Engineering

The following detection logic is tailored to the specific CVEs and TTPs observed in THEGENTLEMEN's current campaign.

YAML
title: Suspicious Process Spawn by Microsoft Exchange (THEGENTLEMEN Initial Access)
id: 52f8f2a1-9b1a-4f1c-8b2c-3d4e5f6a7b8c
description: Detects suspicious processes spawned by Microsoft Exchange w3wp or MSExchange backend processes, often associated with deserialization exploits like CVE-2023-21529.
status: experimental
date: 2026/05/10
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            '\w3wp.exe'
            '\MSExchangeOWAAppPool.exe'
            '\MSExchangeECPAppPool.exe'
    filter_legit:
        Image|endswith:
            '\powershell.exe'
            '\cmd.exe'
            '\whoami.exe'
            '\net.exe'
            '\net1.exe'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administration by Exchange admins (rare)
level: critical
---
title: SmarterMail Web Shell Upload Indicators (CVE-2025-52691)
id: 88c7d6e1-2a3b-4c5d-9e0f-1a2b3c4d5e6f
description: Detects file creation patterns associated with the SmarterMail unrestricted upload vulnerability (CVE-2025-52691) exploited by THEGENTLEMEN.
status: experimental
date: 2026/05/10
author: Security Arsenal
logsource:
    category: file_creation
    product: windows
detection:
    selection_path:
        TargetFilename|contains: 
            '\\Mails\\'
            '\\Services\\'
    selection_extension:
        TargetFilename|endswith:
            '.aspx'
            '.ashx'
            '.asmx'
    selection_user:
        User|contains: 
            'IUSR'
            'IIS_IUSRS'
    condition: all of selection_*
falsepositives:
    - Legitimate software updates (verify timing)
level: high
---
title: Large Volume Data Staging Pre-Encryption
description: Identifies rapid file creation and modification in a short timeframe, typical of ransomware data staging before encryption.
status: experimental
date: 2026/05/10
author: Security Arsenal
logsource:
    product: windows
    category: file_create
detection:
    selection:
        FileName|contains:
            '.zip'
            '.rar'
            '.7z'
    condition: selection | count() > 50 by TargetFilename within 5m
level: medium


**KQL (Microsoft Sentinel) — Lateral Movement Hunt**
Hunts for SMB and WMI lateral movement often used by THEGENTLEMEN operators after exploiting Exchange or Mail servers.

kql
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe", "psexec64.exe")
| where ProcessCommandLine contains "-enc" or 
      ProcessCommandLine contains "Invoke-Command" or
      ProcessCommandLine contains "New-SmbMapping" or
      ProcessCommandLine contains "net use"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
| summarize count() by DeviceName, FileName
| where count_ > 5


**PowerShell — Rapid Response Hardening**
This script checks for common persistence mechanisms used by THEGENTLEMEN and verifies if critical services are exposed.

powershell
# THEGENTLEMEN Response Script
Write-Host "Checking for THEGENTLEMEN Indicators of Compromise..." -ForegroundColor Cyan

# 1. Check for recently created Scheduled Tasks (Persistence)
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date.LastTaskTime -gt (Get-Date).AddDays(-2) }
if ($suspiciousTasks) {
    Write-Host "[ALERT] Recently modified Scheduled Tasks found:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, LastTaskTime, Author
} else {
    Write-Host "[OK] No suspicious recent scheduled tasks." -ForegroundColor Green
}

# 2. Check for Exchange IIS Logs Exploitation (CVE-2023-21529 check)
$exchangePath = "C:\inetpub\logs\LogFiles\W3SVC1"
if (Test-Path $exchangePath) {
    $recentLogs = Get-ChildItem $exchangePath | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $exploitPattern = Select-String -Path $recentLogs.FullName -Pattern "\".*autodiscover.*\"|.*POST.*200" -Context 0,2
    if ($exploitPattern) {
        Write-Host "[ALERT] Potential Autodiscover exploitation patterns found in IIS logs." -ForegroundColor Red
    }
}

Write-Host "Response script complete. Review RDP and VPN logs manually."


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. Exchange Mailbox Audit Logs: Hunt for MailItemsAccessed operations by non-standard service accounts.
  2. Web Server Logs: Check IIS/SmarterMail logs for POST requests to .aspx endpoints resulting in 200 OK status from unusual IPs.
  3. Firewall Management Logs: Review Cisco FMC logs for unauthorized configuration changes or authentication failures (CVE-2026-20131).

Critical Assets for Exfil:

  • Intellectual Property: CAD designs (Manufacturing victims).
  • Customer PII: Client lists and SSNs (Business Services/Telecom).
  • Employee Data: HR databases and payroll files.

Containment Actions (Urgency: High):

  1. Isolate Exchange and Email gateway servers from the network immediately.
  2. Revoke credentials for admin accounts that logged into the Cisco FMC or SmarterMail consoles in the last 7 days.
  3. Block inbound SMB/RDP traffic from external IPs at the perimeter firewall.

Hardening Recommendations

Immediate (24h):

  • Patch Management: Apply patches for CVE-2023-21529 (Exchange), CVE-2025-52691 (SmarterMail), and CVE-2026-20131 (Cisco FMC) immediately. These are confirmed active exploitation vectors.
  • Network Segmentation: Ensure email servers and firewall management panels are not reachable from the open internet without a VPN or Zero-Trust access solution.

Short-term (2 weeks):

  • Implement MFA: Enforce phishing-resistant MFA for all admin consoles, specifically Cisco Secure Firewall and SmarterMail admin panels.
  • Web Application Firewall (WAF): Deploy strict WAF rules to block known exploit patterns for Exchange Autodiscover and SmarterMail upload endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlementhe-gentlemenransomwarecve-2023-21529smartermailmanufacturing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action