Operational Model: THEGENTLEMEN operates as a Ransomware-as-a-Service (RaaS) operation, distinguished by a "professional" victim negotiation interface and strict adherence to published deadlines. Unlike chaotic affiliates, this group maintains a curated leak site with structured data dumps.
TTPs & Initial Access: Intelligence suggests a shift toward exploiting internet-facing infrastructure rather than pure phishing. The group aggressively targets remote access solutions and email gateways. Based on recent victimology and the CVEs currently in their rotation, they are leveraging:
- Deserialization Vulnerabilities: Specifically targeting Microsoft Exchange and Cisco firewall management consoles to gain a foothold.
- Email Gateway Exploits: Active exploitation of SmarterMail to bypass authentication and upload webshells.
Ransom & Extortion: Known demands range from $500k to $5m USD depending on victim revenue. They employ a double-extortion model, exfiltrating sensitive PII and intellectual property before encrypting. Average dwell time is estimated at 4–7 days, during which they perform extensive reconnaissance and lateral movement.
Current Campaign Analysis
Campaign Velocity: Between 2026-05-06 and 2026-05-08, THEGENTLEMEN posted 15 victims, indicating a high-velocity campaign or the release of a backlog of successful compromises. The spike on May 8th (8 victims) suggests an automated posting script or a coordinated "dump day."
Sector Targeting:
- Manufacturing (30%): The hardest hit sector (Misr Chemical Industries, Hillside Lumber, Clark Fixture Technologies). These targets suggest a focus on supply chain disruption and IP theft.
- Telecommunication & Construction: Significant attacks on TDS (US) and construction firms (McCarthy, Arizona Professional Painting) indicate a pivot to critical infrastructure and high-revenue commercial projects.
Geographic Distribution:
- Primary: United States (7 victims — TDS, McCarthy, Hillside Lumber, etc.)
- Secondary: Germany, Egypt, Poland, and Venezuela.
- Assessment: The US-centric focus combined with global outliers suggests an opportunistic scanning of vulnerable internet-facing assets (Exchange/SmarterMail) rather than geo-political targeting.
CVE Correlation: The victim profile is consistent with the listed CISA Known Exploited Vulnerabilities (KEVs). The mappings below are assessments derived from victim type and exposed technology, not confirmed exploitation evidence from the intrusions themselves:
- CVE-2023-21529 (Exchange): Likely used against US-based Manufacturing and Business Services victims maintaining on-prem Exchange servers.
- CVE-2026-20131 (Cisco FMC): A probable vector for the Telecommunication sector (TDS) and larger enterprise targets where centralized firewall management is exposed.
- CVE-2025-52691 / CVE-2026-23760 (SmarterMail): Likely initial access for smaller victims (e.g., Arizona Professional Painting, Manhattan Fire Safety) utilizing hosted email solutions.
Detection Engineering
SIGMA Rules
---
title: Potential Exchange Server Deserialization Exploit (CVE-2023-21529)
id: a1b2c3d4-5678-90ab-cdef-123456789012
description: Detects w3wp.exe (the IIS worker process) spawning a command shell. This is a generic indicator of code execution through IIS (webshells, deserialization RCE such as CVE-2023-21529), not a signature for the CVE itself.
status: experimental
author: Security Arsenal
date: 2026/05/09
references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\pwsh.exe'
  filter_legit:
    CommandLine|contains: 'appcmd' # Filter legitimate appcmd usage
  condition: selection and not filter_legit
falsepositives:
  - Administrator debugging
level: high
---
title: SmarterMail Webshell Upload Activity (CVE-2025-52691)
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects creation of server-side script files in SmarterMail web directories, indicative of unrestricted file upload exploitation. (A timeframe only makes sense with a count() aggregation in the condition, so none is used here; every matching file creation is worth a look.)
status: experimental
author: Security Arsenal
date: 2026/05/09
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\SmarterTools\SmarterMail\Web\'
    TargetFilename|endswith:
      - '.aspx'
      - '.ashx'
  condition: selection
falsepositives:
  - Legitimate software update
level: critical
---
title: Cobalt Strike SMB Beacon Activity (Lateral Movement)
id: c3d4e5f6-7890-12cd-ef34-567890123456
description: Detects named pipe creation (Sysmon Event ID 17) matching the default pipe names of Cobalt Strike's SMB beacon, stager and post-exploitation jobs, which THEGENTLEMEN affiliates use for lateral movement. Operators who set a custom pipename in their Malleable C2 profile will not trigger this rule.
status: experimental
author: Security Arsenal
date: 2026/05/09
logsource:
  category: pipe_created
  product: windows
detection:
  selection:
    PipeName|startswith:
      - '\msagent_'
      - '\MSSE-'
      - '\postex_'
      - '\mojo.5688.8052.'
  condition: selection
falsepositives:
  - Legitimate software using similar pipe names (rare)
level: high
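To make the matching semantics of the first and third rules above concrete (lists as OR, fields within a selection as AND, `selection and not filter` composition, case-insensitive string modifiers), here is a small evaluator run over constructed Sysmon-style events. This is an added illustration, not code from the original report or from the Sigma project; the event records are made up, and the rule dicts restate the YAML logic above rather than loading it from a file.

```python
"""Minimal evaluator for the Sigma-style detection logic above.

Added illustration, not code from the report or the Sigma project. It supports
only what the rules above use: contains/startswith/endswith modifiers, lists as
OR, fields within a selection as AND, and and/or/not in the condition. String
matching is case-insensitive, as in Sigma.
"""

# Rules expressed as dicts carrying the same detection logic as the YAML above.
EXCHANGE_W3WP_RULE = {
    "title": "w3wp.exe spawning a shell (generic IIS RCE / webshell indicator)",
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\w3wp.exe",
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\pwsh.exe"],
        },
        "filter_legit": {"CommandLine|contains": "appcmd"},
        "condition": "selection and not filter_legit",
    },
}

COBALT_STRIKE_PIPE_RULE = {
    "title": "Cobalt Strike default named pipe prefixes",
    "detection": {
        # Stock Cobalt Strike pipe names (SMB beacon, stager, post-ex jobs and the
        # Chrome-lookalike example profile); custom Malleable C2 profiles rename them.
        "selection": {"PipeName|startswith": [r"\msagent_", r"\MSSE-", r"\postex_", r"\mojo.5688.8052."]},
        "condition": "selection",
    },
}

# Constructed sample telemetry (Sysmon-style field names), not real events.
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"},   # should hit
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c appcmd list apppool"},                        # excluded by filter_legit
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},                                        # wrong parent
]
PIPE_EVENTS = [
    {"PipeName": r"\msagent_4a"},                                         # hit
    {"PipeName": r"\postex_1f3a"},                                        # hit
    {"PipeName": r"\MSSE-2132-server"},                                   # hit (case-insensitive)
    {"PipeName": r"\lsass"},                                              # benign
    {"PipeName": r"\PSHost.1234.5678.DefaultAppDomain.powershell"},       # benign
]


def _value_matches(actual, expected, modifier):
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "":  # no modifier: exact (case-insensitive) equality
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection, event):
    """All fields in a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(str(actual), str(v), modifier) for v in values):
            return False
    return True


def _evaluate_condition(condition, results):
    """Evaluate 'a and not (b or c)'-style conditions; precedence not > and > or."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()          # evaluated before combining so tokens are always consumed
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "(":
            value = parse_or()
            pos += 1                   # consume ')'
            return value
        return results[token]          # named selection / filter result

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return value


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _evaluate_condition(detection["condition"], results)


def run_rule(rule, events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


if __name__ == "__main__":
    for rule, events in ((EXCHANGE_W3WP_RULE, PROCESS_EVENTS), (COBALT_STRIKE_PIPE_RULE, PIPE_EVENTS)):
        hits = run_rule(rule, events)
        print(f"{rule['title']}: {len(hits)} hit(s) at indices {hits}")
```

Note how the second process event is dropped only because `filter_legit` matches its command line; if an attacker runs `appcmd` from a webshell, that exclusion hides them, which is the trade-off the rule's `falsepositives` entry is really about.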
KQL (Microsoft Sentinel)
// Hunt for suspicious PowerShell execution often used post-exploitation.
// FileName is matched instead of the command line so that "powershell" appearing inside
// another process's arguments does not hit; has_any is term-based, so the short "IEX"
// token does not match inside unrelated words the way contains would.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("EncodedCommand", "DownloadString", "DownloadFile", "IEX", "FromBase64String")
    or ProcessCommandLine contains " -enc" or ProcessCommandLine contains " -e "
| extend SpawnedByIIS = InitiatingProcessFileName =~ "w3wp.exe" // IIS worker process as parent is the highest-signal case for Exchange/SmarterMail
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, SpawnedByIIS, ProcessCommandLine
| order by SpawnedByIIS desc, Timestamp desc
PowerShell - Rapid Response Triage Script
# THEGENTLEMEN Response Script: Check for Indicators of Compromise
# Usage: Run as Administrator on potentially compromised Exchange or mail servers.
# Note: Security Event ID 4688 requires the "Audit Process Creation" policy and only carries the command line
#       when "Include command line in process creation events" is enabled; otherwise fall back to Sysmon Event ID 1.
Write-Host "[!] Checking for scheduled tasks created in the last 7 days (Persistence)..." -ForegroundColor Yellow
# The task Date property is a string taken from the task XML and is empty for many built-in tasks, so guard the cast.
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date -gt (Get-Date).AddDays(-7)) } |
    Select-Object TaskName, Author, Date, State, @{Name='Action'; Expression={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }}
Write-Host "[!] Checking for shadow copy deletion (VSS Event ID 8222 and vssadmin/wmic invocations)..." -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; Id=8222; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
# Pull the last 24h of process-creation events once and reuse them for the shadow copy and w3wp checks.
$ProcEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
$ProcEvents | Where-Object { $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete|Win32_ShadowCopy' } | Select-Object TimeCreated, Message
Write-Host "[!] Checking for Exchange IIS Worker Process spawning shells (RCE Indicator)..." -ForegroundColor Yellow
# Match the labelled 4688 fields rather than anywhere in the message, so a command line that merely mentions w3wp.exe does not hit.
$ProcEvents | Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\w3wp\.exe' -and $_.Message -match 'New Process Name:\s+\S*\\(powershell|pwsh|cmd)\.exe' } | Select-Object TimeCreated, Message
Write-Host "[!] Enumerating SmarterMail Web Directory for recent .aspx/.ashx changes (last 48h)..." -ForegroundColor Yellow
# Default install path first; the 64-bit Program Files location is an assumption for non-default installs.
$WebPaths = @("C:\Program Files (x86)\SmarterTools\SmarterMail\Web", "C:\Program Files\SmarterTools\SmarterMail\Web")
foreach ($WebPath in ($WebPaths | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $WebPath -Recurse -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-2) } | Select-Object FullName, LastWriteTime, Length
}
---
Incident Response Priorities
T-Minus Detection Checklist:
- Webshell Scan: Scan C:\inetpub\wwwroot and the SmarterMail web directories for recently modified .aspx, .ashx, or .php files (last 48 hours). On Exchange, include the FrontEnd\HttpProxy directories under the Exchange install path, where OWA and ECP are actually served.
- Exchange Logs: Review IIS logs (u_exYYMMDD.log) for POST requests to /owa/ or /ecp/ containing unusual patterns or high volumes of 500 errors.
- Firewall Audits: Check Cisco FMC logs for deserialization spikes or unexpected administrative logins related to CVE-2026-20131.
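For the Exchange log review step above, here is an offline triage of IIS W3C logs: it parses the `#Fields` header (so field order does not matter), summarises POSTs to /owa/ and /ecp/ per client, flags clients with a burst of HTTP 5xx responses, and lists URIs that only a single client ever POSTed to as a cheap "unusual pattern" heuristic. This is an added example, not part of the original report; the log excerpt is constructed, and the URIs, addresses and user agents in it are made up rather than real indicators.

```python
"""IIS W3C log triage for the Exchange log-review step above.

Added example, not part of the original report. SAMPLE_LOG is constructed to
look like an Exchange front end writing IIS 10 W3C logs; its URIs, client
addresses and user agents are invented, not observed indicators.
"""
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-05-07 02:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2026-05-07 02:11:03 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2026-05-07 02:11:09 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 302 0 0 88
2026-05-07 02:12:41 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.4 Mozilla/5.0+(Macintosh) 302 0 0 91
2026-05-07 02:40:15 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.31 500 0 0 3120
2026-05-07 02:40:16 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.31 500 0 0 3098
2026-05-07 02:40:17 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.31 500 0 0 3101
2026-05-07 02:40:18 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.31 500 0 0 3133
2026-05-07 02:40:19 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.31 500 0 0 3090
2026-05-07 02:40:20 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 python-requests/2.31 500 0 0 3115
2026-05-07 02:40:31 10.0.0.5 POST /owa/auth/x.aspx - 443 - 198.51.100.7 python-requests/2.31 200 0 0 15
2026-05-07 02:40:35 10.0.0.5 GET /owa/auth/x.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.31 200 0 0 22
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order can change between log files
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields header")
        parts = line.split()                   # IIS encodes spaces inside values as '+'
        if len(parts) == len(fields):          # skip truncated or malformed lines
            records.append(dict(zip(fields, parts)))
    return records


def _is_exchange_post(record):
    stem = record.get("cs-uri-stem", "").lower()
    return record.get("cs-method") == "POST" and stem.startswith(("/owa/", "/ecp/"))


def triage_exchange_requests(records, error_threshold=5):
    """Per-client view of POSTs to /owa/ and /ecp/, plus the clients whose HTTP 5xx
    count reaches error_threshold (exploit attempts typically fail noisily before
    they succeed, and a burst of 500s from one address is the page's key indicator)."""
    stats = defaultdict(lambda: {"posts": 0, "errors": 0, "uris": set(), "agents": set()})
    for r in filter(_is_exchange_post, records):
        s = stats[r["c-ip"]]
        s["posts"] += 1
        s["uris"].add(r["cs-uri-stem"].lower())
        s["agents"].add(r.get("cs(User-Agent)", "-"))
        if r.get("sc-status", "").startswith("5"):
            s["errors"] += 1
    flagged = sorted(ip for ip, s in stats.items() if s["errors"] >= error_threshold)
    return dict(stats), flagged


def single_client_uris(records):
    """URIs under /owa/ or /ecp/ that exactly one client POSTed to. Legitimate
    endpoints are hit by many users, so a one-client URI is a cheap lead for a
    dropped webshell or exploit endpoint; it is a triage hint, not a verdict."""
    clients = defaultdict(set)
    for r in filter(_is_exchange_post, records):
        clients[r["cs-uri-stem"].lower()].add(r["c-ip"])
    return sorted(uri for uri, ips in clients.items() if len(ips) == 1)


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    stats, flagged = triage_exchange_requests(recs)
    for ip in flagged:
        s = stats[ip]
        print(f"{ip}: {s['errors']}/{s['posts']} POSTs returned 5xx, "
              f"agents={sorted(s['agents'])}, uris={sorted(s['uris'])}")
    print("URIs POSTed by a single client:", single_client_uris(recs))
```

On a real server point `parse_iis_w3c` at the contents of each u_exYYMMDD.log under the Exchange front-end site's log folder; on a busy server raise `error_threshold` and cross-check `single_client_uris` against the webshell scan results, since a URI that is both single-client and a recently modified .aspx file is the strongest lead.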
Critical Assets (Exfiltration Targets): THEGENTLEMEN prioritizes:
- Manufacturing: CAD designs, Intellectual Property, Supply Chain schedules.
- Healthcare: PII/PHI (DermaPharm victim suggests active targeting).
- Telecom: Customer call records and network topology maps.
Containment Actions (Ordered by Urgency):
- Isolate: Disconnect vulnerable Exchange servers and Cisco FMC appliances from the internet and untrusted networks immediately if patching is not complete. Isolate rather than power off, so memory and event logs survive for forensics.
- Disable Accounts: Rotate the credentials of any domain service accounts used by IIS application pools or the SmarterMail service, revoke their active sessions, and suspend accounts that are not strictly required. (Exchange application pools normally run as built-in accounts; for those, reset the machine account and any mailbox or admin credentials that were reachable from the server.)
- Block Outbound: Block C2 IPs and domains associated with Cobalt Strike beacons at the perimeter firewall.
Hardening Recommendations
Immediate (24h):
- Patch Management: Apply security patches for CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco), and the SmarterMail authentication bypass/upload flaws immediately.
- URL Rewrite: Deploy Microsoft IIS URL Rewrite rules to block known malicious paths associated with Exchange deserialization.
- External Access: Disable external access (VPN/RDP) for non-essential administrative accounts on mail servers.
Short-term (2 weeks):
- Network Segmentation: Move Email and Firewall Management interfaces to a dedicated management VLAN, inaccessible from the general corporate LAN.
- EDR Deployment: Ensure dedicated EDR agents are installed on mail gateway servers (often unprotected).
- Zero Trust: Implement strict Conditional Access policies preventing direct RDP/SSH from the internet.