The Gentelman ransomware group — tracked by Microsoft Threat Intelligence as Storm-2697 — recorded at least 15 confirmed victims between 1 and 3 June 2026, with 9 of those victims in the healthcare and professional services sectors. The volume represents a significant acceleration from the group’s typical cadence and follows patterns consistent with exploitation of remote monitoring and management (RMM) tool vulnerabilities as an initial access vector.
Healthcare organisations, in particular, should treat this surge as an active threat signal requiring immediate review of internet-exposed remote access infrastructure.
Storm-2697 / Gentelman Profile
Gentelman emerged in late 2025 and has operated as a ransomware-as-a-service (RaaS) platform with a small number of affiliate operators. The group’s distinguishing technical characteristic is a self-spreading worm module embedded in the ransomware payload that enables lateral movement within target networks without requiring additional attacker tooling — the ransomware itself performs the spread across Windows file shares and mapped drives.
Technical characteristics:
- Custom hybrid encryption: RSA-4096 key wrapping over ChaCha20 per-file encryption
- Self-spreading worm module: SMB share enumeration and file copy propagation
- Initial access: primarily through exploitation of RMM tools and exposed remote desktop services
- Ransom demand range: USD 250,000–2,000,000 depending on victim revenue
- Data exfiltration: dual extortion (files encrypted AND exfiltrated before encryption)
The June 1–3 surge correlates with exploitation of CVE-2024-1708, a path traversal vulnerability in ConnectWise ScreenConnect that was patched in February 2024 but remains unpatched in a significant population of installations. Security researchers have confirmed Storm-2697 is actively exploiting this vulnerability as an initial access vector.
Why Healthcare Is the Primary Target
Healthcare organisations present a combination of factors that make them attractive to ransomware operators:
High willingness to pay: Healthcare providers face immediate patient safety implications if clinical systems are unavailable. The operational pressure to restore access quickly, combined with the reputational and regulatory consequences of a prolonged outage, creates a payer population more likely to meet ransom demands than many other sectors.
Legacy system prevalence: Healthcare IT environments commonly include Windows Server versions and clinical application infrastructure that lags behind commercial enterprise patch cadence. Legacy systems are frequently excluded from standard enterprise patching programmes due to vendor certification requirements or clinical downtime risks.
Broad RMM footprint: Healthcare organisations routinely deploy multiple RMM tools across clinical and administrative environments for remote management of distributed sites. The RMM tool attack surface — particularly third-party managed service providers (MSPs) that support multiple healthcare clients — is a force multiplier for ransomware groups. One compromised MSP can produce multiple healthcare victims.
Immediate Actions for Healthcare Organisations
- Inventory all RMM tools: Identify every remote management and support tool in the environment (ConnectWise ScreenConnect, TeamViewer, AnyDesk, Kaseya VSA, N-able RMM, and others). Verify current patch status for each.
- Patch CVE-2024-1708 immediately: If ConnectWise ScreenConnect is deployed, apply the February 2024 patch if not already done. Check the installed version against the vendor’s security advisory. Any installation prior to 23.9.8 is vulnerable.
- Restrict RMM internet exposure: RMM console ports should not be directly accessible from the internet without VPN or network-layer access controls. Review firewall rules for RMM management ports (ConnectWise ScreenConnect default: TCP 8040/8041).
- Review MSP access paths: If a managed service provider has access to the environment, verify the provider’s own security posture and patch status for tools used to manage your environment. An MSP compromise is an indirect path to your systems.
- Activate enhanced monitoring: Enable EDR alerting for SMB share enumeration patterns, unexpected process spawning from web server or RMM agent processes, and lateral movement indicators consistent with the Gentelman worm module (rapid sequential file access across mapped drives).
- Verify backup integrity: Confirm that backup systems are isolated from primary network segments and that recent backups are restorable. Gentelman’s worm module will encrypt accessible backup locations if they are network-mounted.
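Two of the actions above can be scripted: the ScreenConnect patch gate ("Patch CVE-2024-1708 immediately") and the monitoring heuristics for worm-like behaviour ("Activate enhanced monitoring"). The script below is an added example for this article, not code from the original page, from Microsoft, or from any EDR vendor. It uses only the Python standard library. The fixed version 23.9.8 and the behaviours it looks for (SMB share enumeration, rapid sequential writes across mapped drives) come from the article; the key=value event format, the host names, process IDs, paths, and the alert thresholds are constructed assumptions and should be replaced with your own telemetry schema and baseline.

```python
# Added example (not from the article): scripted checks for the "patch CVE-2024-1708" and
# "enhanced monitoring" steps. Event format, names, thresholds and paths are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

FIXED_VERSION = (23, 9, 8)          # first ScreenConnect release with the CVE-2024-1708 fix (per the article)
SHARE_ENUM_THRESHOLD, SHARE_ENUM_WINDOW_S = 8, 60     # assumed baseline: distinct shares per host per minute
FILE_BURST_THRESHOLD, FILE_BURST_WINDOW_S = 20, 10    # assumed baseline: mapped-drive writes per process
MAPPED_DRIVE_RE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)  # assumption: C: is the local system drive

def parse_version(version: str) -> tuple:
    """'23.9.8.8811' -> (23, 9, 8, 8811); non-numeric suffixes in a component are ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def screenconnect_is_vulnerable(installed: str) -> bool:
    """True when the installed major.minor.patch is older than the 23.9.8 fix version."""
    v = parse_version(installed)
    v = (v + (0, 0, 0))[:3]          # pad short strings such as '23.9' before comparing
    return v < FIXED_VERSION

def parse_event(line: str) -> dict:
    """Parse '<ISO-8601 UTC> key=value key=value ...' (constructed format; values contain no spaces)."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in rest.split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def _distinct_burst(events, key_fn, value_fn, threshold, window_s):
    """Alert once per key when >= threshold distinct values fall within window_s seconds; returns (key, ts, count)."""
    windows = defaultdict(deque)     # key -> deque of (ts, value), oldest first
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = key_fn(ev)
        if key is None:
            continue
        q = windows[key]
        q.append((ev["ts"], value_fn(ev)))
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()              # drop entries that fell out of the sliding window
        distinct = {value for _, value in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((key, ev["ts"], len(distinct)))
    return alerts

def detect_share_enumeration(events):
    """One host touching many distinct SMB shares in a short window (share enumeration pattern)."""
    return _distinct_burst(
        events,
        key_fn=lambda e: e["host"] if e.get("event") == "share_access" else None,
        value_fn=lambda e: e["target"].lower(),
        threshold=SHARE_ENUM_THRESHOLD, window_s=SHARE_ENUM_WINDOW_S)

def detect_mapped_drive_write_burst(events):
    """One process writing many distinct files on mapped (non-system) drives in a short window."""
    def key_fn(e):
        if e.get("event") == "file_write" and MAPPED_DRIVE_RE.match(e.get("path", "")):
            return (e["host"], e["pid"])
        return None
    return _distinct_burst(events, key_fn, lambda e: e["path"].lower(),
                           FILE_BURST_THRESHOLD, FILE_BURST_WINDOW_S)

def triage(lines):
    events = [parse_event(line) for line in lines]
    return {"share_enumeration": detect_share_enumeration(events),
            "mapped_drive_write_burst": detect_mapped_drive_write_burst(events)}

# Constructed sample telemetry: two benign share opens, one host sweeping twelve shares in
# twelve seconds, one process writing 25 files to mapped drive E: in five seconds, and the
# same number of local C: writes by an installer (which should not alert).
SAMPLE_LOG = [
    "2026-06-02T09:00:01Z host=WS-ADMIN-03 event=share_access target=\\\\FS-ADMIN-01\\finance",
    "2026-06-02T09:05:44Z host=WS-ADMIN-03 event=share_access target=\\\\FS-ADMIN-01\\hr",
]
SAMPLE_LOG += [f"2026-06-02T03:14:{i:02d}Z host=WS-RAD-07 event=share_access "
               f"target=\\\\FS-CLIN-0{1 + i % 3}\\share{i}" for i in range(12)]
SAMPLE_LOG += [f"2026-06-02T03:15:{i // 5:02d}Z host=WS-RAD-07 event=file_write pid=4120 "
               f"path=E:\\imaging\\study{i}.dcm" for i in range(25)]
SAMPLE_LOG += [f"2026-06-02T03:15:{i // 5:02d}Z host=WS-RAD-07 event=file_write pid=990 "
               f"path=C:\\temp\\f{i}.tmp" for i in range(25)]

if __name__ == "__main__":
    for version in ("23.9.7.8804", "23.9.8.8811", "24.1.0"):
        print(f"ScreenConnect {version}: {'VULNERABLE' if screenconnect_is_vulnerable(version) else 'patched'}")
    for name, alerts in triage(SAMPLE_LOG).items():
        for key, when, count in alerts:
            print(f"[{name}] {key} at {when:%H:%M:%S}Z ({count} distinct in window)")
```

Run against the constructed sample, the script reports WS-RAD-07 for share enumeration (eight distinct shares within a minute) and process 4120 on the same host for the mapped-drive write burst, while the installer writing to C: stays silent. Both detectors fire once per key on the first threshold crossing rather than on every subsequent event, which keeps alert volume proportional to the number of affected hosts; the thresholds are deliberately conservative starting points and need tuning against your own baseline, since backup agents and imaging workflows can legitimately touch many files on mapped drives.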