Threat Actor Profile — THEGENTLEMEN
Affiliation & Model: THEGENTLEMEN operates as a sophisticated Ransomware-as-a-Service (RaaS) enterprise. While they maintain a veneer of "professionalism" in their negotiations, their operational security is aggressive. They leverage a wide network of affiliates to conduct initial access brokering, while the core team manages the encryption payload and leak site operations.
Tactics & Initial Access: Historically, THEGENTLEMEN affiliates prioritize external remote services. The current campaign shows a heavy reliance on exploiting vulnerabilities in remote management and networking appliances (ConnectWise ScreenConnect, Cisco FMC) to bypass perimeter defenses. Phishing is used less frequently but is typically targeted (Spear-phishing) when gaps in external exploits are found.
Extortion Strategy: They follow a strict double-extortion playbook. Data is exfiltrated prior to encryption, often using legitimate tools like Rclone or WinSCP to blend in with administrative traffic. If the ransom is not paid within the stipulated timeframe (usually 3-5 days), victim data is published on their dedicated .onion portal.
Dwell Time: Average dwell time is estimated between 3 to 7 days. The group moves quickly from initial access (often via CVE exploitation) to lateral movement, likely to minimize the chance of detection by EDR solutions.
Current Campaign Analysis
Sector Targeting: The data from 2026-06-01 to 2026-06-03 reveals a distinct shift towards high-value, time-sensitive sectors.
- Healthcare (Primary Target): 4 out of the 15 recent victims are healthcare providers (Michigan Surgical Center, Edgewood Surgical Hospital, Downriver Medical Associates, Soniva Dental). This suggests a deliberate strategy to maximize pressure on victims.
- Transportation/Logistics: Targeting Thoresen Thai Agencies (Thailand) indicates an interest in disrupting supply chains.
- Manufacturing & Agriculture: Attacks on Liztex (Guatemala) and Soja de Portugal (Portugal) show a global reach targeting critical production infrastructure.
Geographic Concentration: While the US remains the primary target (33% of recent victims), the campaign is notably globalized, with confirmed victims in Thailand, India, Germany, Portugal, Singapore, and Pakistan. This suggests the affiliate network is geographically dispersed or using opportunistic scanning across the globe.
Observed Posting Frequency: THEGENTLEMEN is maintaining a high velocity of operations, posting batches of 5-6 victims at a time. This "bulk publishing" tactic often overwhelms security teams' ability to track brand reputation risk simultaneously.
CVE Correlation: The victims correlate strongly with the KEV list provided. The targeting of Technology (Computime Group) and Business Services (3E Accounting) often stems from supply chain attacks via vulnerable managed service providers (MSPs) using CVE-2024-1708 (ConnectWise ScreenConnect). Furthermore, the targeting of entities with complex network perimeters (Healthcare/Logistics) aligns with the exploitation of CVE-2026-20131 (Cisco Secure Firewall FMC), allowing the attackers to disable or pivot around firewall rules.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Path Traversal Exploit CVE-2024-1708
id: 4e1b3b6c-7f8a-4b3c-9a2d-1b3c4d5e6f7a
status: experimental
description: Detects potential exploitation of CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal) via web server logs.
author: Security Arsenal Research
date: 2026/06/05
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '../'
- '%2e%2e%2f'
- 'Redirect='
filter:
cs-uri-query|contains: 'Session.ashx'
condition: selection and filter
falsepositives:
- Legitimate misconfigurations (rare)
level: critical
---
title: Cisco FMC Deserialization Anomaly CVE-2026-20131
id: 5f2c4d7e-0g9b-5c4d-0b3e-2c4d5e6f7g8a
status: experimental
description: Detects suspicious web requests indicative of deserialization attacks targeting Cisco Secure Firewall Management Center.
author: Security Arsenal Research
date: 2026/06/05
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: firewall
detection:
selection:
sc_bytes|gt: 5000
c_app|contains: 'http'
request|contains:
- '%'
- ' Serialization'
condition: selection
falsepositives:
- Large standard API calls
level: high
---
title: Ransomware Pre-Encryption VSS Admin Usage
id: 6g3d5e8f-1h0c-6d5e-1c4f-3d5e6f7g8h9b
status: experimental
description: Detects commands used by ransomware operators to delete Volume Shadow Copies to prevent recovery.
author: Security Arsenal Research
date: 2026/06/05
logsource:
category: process_creation
product: windows
detection:
selection_cli:
CommandLine|contains:
- 'vssadmin delete shadows'
- 'wmic shadowcopy delete'
- 'wbadmin delete catalog'
selection_img:
Image|endswith:
- '\vssadmin.exe'
- '\wmic.exe'
- '\wbadmin.exe'
condition: 1 of selection*
falsepositives:
- System administrator maintenance (verify context)
level: critical
Microsoft Sentinel KQL (Hunting)
// Hunt for lateral movement and potential THEGENTLEMEN staging activity
// Looks for unusual administrative share access and PowerShell execution
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "pwsh.exe")
| where ProcessCommandLine has "Invoke-" or ProcessCommandLine has "EncryptedCommand"
| extend HostName = DeviceName
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 135, 139, 3389)
| where ActionType == "InboundConnectionAccepted"
| summarize RemoteIPCount = dcount(RemoteIP), RemoteIPs = make_set(RemoteIP) by DeviceName, Timestamp
) on HostName
| project Timestamp, HostName, ProcessCommandLine, InitiatingProcessFileName, RemoteIPCount, RemoteIPs
| where RemoteIPCount > 2 // Suspicious multiple inbound connections coinciding with script exec
PowerShell Response Script
<#
.SYNOPSIS
Rapid Response Hardening Script for THEGENTLEMEN Campaign Indicators.
.DESCRIPTION
Checks for signs of CVE-2024-1708 exploitation in IIS logs and checks for VSS admin usage.
#>
Write-Host "[+] Initiating THEGENTLEMEN Triage..." -ForegroundColor Cyan
# 1. Check for recent VSS shadow copy deletions
Write-Host "[+] Checking Event Log for VSS Deletions (Event ID 8224) ..." -ForegroundColor Yellow
$VSSEvents = Get-WinEvent -LogName Application -FilterXPath "*[System[(EventID=8224)]]" -ErrorAction SilentlyContinue -MaxEvents 5
if ($VSSEvents) {
Write-Host "[!] CRITICAL: VSS Deletion events found." -ForegroundColor Red
$VSSEvents | Select-Object TimeCreated, Message | Format-List
} else {
Write-Host "[-] No VSS deletion events found." -ForegroundColor Green
}
# 2. Check for ScreenConnect Web Shell Artifacts (Basic check for recently modified aspx files)
Write-Host "[+] Scanning for recently modified .aspx files in C:\inetpub..." -ForegroundColor Yellow
$DateThreshold = (Get-Date).AddHours(-24)
$WebShells = Get-ChildItem -Path "C:\inetpub" -Recurse -Filter "*.aspx" -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt $DateThreshold }
if ($WebShells) {
Write-Host "[!] WARNING: Recently modified .aspx files found (Potential Web Shell)." -ForegroundColor Red
$WebShells | Select-Object FullName, LastWriteTime
} else {
Write-Host "[-] No suspicious recent web files found." -ForegroundColor Green
}
Write-Host "[+] Triage Complete." -ForegroundColor Cyan
---
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption):
- ScreenConnect Audit: Immediately review logs for
Session.ashxpath traversal attempts. If vulnerable (CVE-2024-1708), assume credential theft and force-reset all service account passwords used by the platform. - Cisco FMC Configuration Check: Review configuration change logs on Cisco Firewalls. Look for unauthorized rule modifications or user creation correlating with CVE-2026-20131 indicators.
- Exchange EWS Logs: Hunt for high-volume EWS (Exchange Web Services) usage via PowerShell (CVE-2023-21529), indicating mailbox scraping for data exfiltration.
Critical Assets for Exfiltration: THEGENTLEMEN focuses on data that disrupts operations or carries high privacy penalties.
- Healthcare: Patient PHI (HL7/EMR databases), Surgery schedules.
- Logistics: Shipping manifests, Waybill data, Customs documentation.
- Legal/Finance: M&A data, Client ledgers.
Containment Actions:
- Isolate VPN/RD Gateway: If ScreenConnect or Cisco FMC exploitation is suspected, isolate management interfaces from the internal network immediately.
- Suspend Active Directory: Suspend accounts with high privileges (Domain Admins) that have logged into the vulnerable management consoles in the last 48 hours.
- Block Egress RDP: Implement emergency firewall rules blocking outbound RDP (TCP 3389) and SMB (TCP 445) to prevent lateral movement to non-segmented environments.
Hardening Recommendations
Immediate (24 Hours):
- Patch Critical CVEs: Deploy patches for CVE-2024-1708 (ConnectWise) and CVE-2026-20131 (Cisco FMC) immediately. If patching is impossible, shut down the services to the internet.
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) on all remote management interfaces, specifically VPNs and ScreenConnect portals.
- Block Macro Execution: Microsoft Exchange exploitation often leads to macro delivery. Set GPO to block macros from the internet.
Short-term (2 Weeks):
- Network Segmentation: Ensure that OT/IoT devices (common in Agriculture and Manufacturing victims) are on isolated VLANs, unreachable from the IT management network.
- EDR Coverage Audit: Verify that EDR sensors are active and reporting on all management servers, including jump boxes and hypervisors.
- Remote Access Governance: Revoke all persistent local admin rights on jump servers; transition to Just-in-Time (JIT) access via PAM.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.