Back to Intelligence

THEGENTLEMEN Ransomware: Global Surge in Manufacturing & Energy Sector Attacks

SA
Security Arsenal Team
June 18, 2026
5 min read

Aliases: The Gentlemen Club

Model: RaaS (Ransomware-as-a-Service). THEGENTLEMEN operates as a highly organized affiliate network, leveraging a "Human Resources" style dark web presence to recruit "partners" for initial access.

Ransom Demands: High. Typically ranges from $1M to $10M USD, with strict 72-hour deadlines before data leaks.

Initial Access: Heavily reliant on exploiting external-facing infrastructure. Primary vectors include vulnerabilities in VPNs (Check Point, Cisco), Remote Monitoring and Management (RMM) tools (ConnectWise ScreenConnect), and unsecured RDP.

TTPs: Uses double extortion. Dwell time is extremely short (often < 48 hours). They utilize Cobalt Strike beacons for lateral movement and custom PowerShell scripts for data discovery and exfiltration.

Current Campaign Analysis

Campaign Date: 2026-06-15 (Mass Posting)

Targeted Sectors:

  • Manufacturing: Buechel Stone, Cole Manufacturing, Traublinger, Buratti. (Dominant sector)
  • Energy: Maine Oxy
  • Construction: Constructions Piraino
  • Agriculture: Fecovita, Mackay Sugar
  • Healthcare: Centre Medical Crowley
  • Technology/Public Sector: Times Software, National Museum

Geographic Focus: The campaign is globally distributed but shows heavy concentration in North America (US) and Europe (DE, FR, IT, PL). Recent expansion includes Australia and Singapore.

Victimology: Targets mid-market to enterprise-level organizations ($50M - $2B revenue). There is a clear preference for organizations with high-value intellectual property (Manufacturing) or critical operational uptime requirements (Energy/Agriculture).

CVE Correlation: The activity correlates with the exploitation of CISA KEV-listed vulnerabilities:

  • CVE-2026-20131 (Cisco FMC): Suspected vector for the Energy and Technology victims.
  • CVE-2026-50751 (Check Point VPN): Likely used for perimeter breaches in Manufacturing.
  • CVE-2024-1708 (ScreenConnect): A facilitator for the Business Services and IT breaches.

Detection Engineering

Sigma Rules

YAML
title: Potential Cisco FMC Deserialization Exploit
id: 8f4e3b12-1a2b-4c5d-9e6f-1234567890ab
description: Detects potential exploitation of CVE-2026-20131 in Cisco Secure Firewall Management Center via suspicious API paths.
status: experimental
date: 2026/06/18
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/api/fmc_config/v1/domain'
            - '/api/fmc_platform/v1/auth/generatetoken'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Legitimate administrative API calls
level: critical
---
title: ScreenConnect Authentication Bypass / Path Traversal
id: 7d3e2c10-0b1a-3f4e-8d7c-0987654321za
description: Detects potential exploitation of CVE-2024-1708 (ScreenConnect) via suspicious URI patterns.
status: experimental
date: 2026/06/18
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection:
        c-uri-query|contains:
            - '../'
            - '%2e%2e'
        cs-uri-stem|contains: 'Login'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Suspicious VSSAdmin Shadow Copy Deletion
id: 6c2d1b09-z9y8-x2w3-v4b5-abcdef123456
description: Detects commands used to delete Volume Shadow Copies, a common precursor to ransomware encryption.
status: experimental
date: 2026/06/18
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\wmic.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
    condition: selection
falsepositives:
    - System administration
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and credential dumping indicators
let TimeFrame = 3d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ProcessCommandLine has_any ("invoke-expression", "iex", "downloadstring", "frombase64string")
| where FolderPath endswith "\System32\WindowsPowerShell\v1.0\powershell.exe" or FolderPath endswith "\System32\cmd.exe"
| where InitiatingProcessFileName !in ("explorer.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
| order by Timestamp desc

PowerShell

PowerShell
# Rapid Response: Check for Suspicious Shadow Copy Deletion and New Services
# Usage: Run as Administrator on critical servers

Write-Host "[+] Checking for Shadow Copy Deletion in Event Logs (Last 24h)..." -ForegroundColor Cyan
$VSSEvents = Get-WinEvent -LogName 'Microsoft-Windows-ShadowCopy/Operational' -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) -and $_.Id -eq 14 }
if ($VSSEvents) { $VSSEvents | Select-Object TimeCreated, Message } else { Write-Host "No deletion events found." -ForegroundColor Green }

Write-Host "[+] Checking for newly created services (Last 24h)..." -ForegroundColor Cyan
$Services = Get-WmiObject Win32_Service | Where-Object { $_.InstallDate -gt (Get-Date).AddHours(-24) -and $_.PathName -match ".*\.exe.*" }
if ($Services) { $Services | Select-Object Name, PathName, StartName, State } else { Write-Host "No suspicious new services found." -ForegroundColor Green }

Write-Host "[+] Checking for unusual RDP logons (LogonType 10)..." -ForegroundColor Cyan
$RDP = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='10']]" -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) }
if ($RDP) { $RDP | Select-Object TimeCreated, Message } else { Write-Host "No recent RDP logons." -ForegroundColor Green }


---

# Incident Response Priorities

1.  **T-Minus Detection Checklist:**
    *   **Perimeter:** Immediate review of Check Point and Cisco Firewall logs for authentication anomalies or VPN spikes.
    *   **RMM:** Audit ConnectWise ScreenConnect logs for anonymous authentication or setup file downloads.
    *   **Endpoint:** Hunt for `vssadmin.exe` execution or sudden mass file modifications.

2.  **Critical Assets:**
    *   **Manufacturing:** CAD files, Intellectual Property, Proprietary Formulas.
    *   **Energy:** SCADA configurations, OT network diagrams.
    *   **Healthcare:** Patient PII, Billing records.

3.  **Containment Actions:**
    *   **IMMEDIATE:** Isolate Cisco FMC and Check Point gateways from the network; enforce out-of-band management only.
    *   **HIGH:** Disable external access to ScreenConnect and RDP; force password resets for all admin accounts.
    *   **MEDIUM:** Segment OT networks from corporate IT immediately.

---

# Hardening Recommendations

Immediate (24 Hours)

  • Patch Critical CVEs: Apply patches for CVE-2026-20131 (Cisco FMC), CVE-2026-50751 (Check Point), and CVE-2024-1708 (ScreenConnect) immediately.
  • Secure Remote Access: Disable VPN access for accounts without MFA. Block RDP (TCP 3389) at the firewall.
  • Disable Local Admins: Ensure local administrator accounts on critical servers have complex, unique passwords.

Short-term (2 Weeks)

  • Network Segmentation: Implement strict micro-segmentation between IT and OT environments.
  • Implement ZTNA: Move from VPN to Zero Trust Network Access for remote administrative access.
  • Backup Isolation: Ensure backups are immutable or offline (air-gapped) to prevent encryption.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangthegentlemenmanufacturingcve-2026-20131ransomware-as-a-servicecisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action