CIO Briefings · High Impact · ACTION REQUIRED

Gentelman Ransomware Surges Against Healthcare — 15 Victims in 72 Hours

A ransomware group known as Gentelman (Storm-2697) has recorded at least 15 confirmed victims in healthcare and professional services between 1 and 3 June 2026. The attack chain exploits unpatched remote management tools. Healthcare organisations with internet-exposed remote access software should audit and patch immediately.

#HIPAA #NIS2

What Happened

A ransomware group tracked by Microsoft as Storm-2697, and self-identified as “Gentelman,” has claimed at least 15 victims in a surge of attacks spanning 1 to 3 June 2026. Nine of those victims are healthcare providers or professional services firms in North America. The group gained access by exploiting vulnerabilities in remote monitoring and management software — specifically, tools used by IT teams to remotely manage computers and servers across distributed sites. Once inside a network, the ransomware deploys a self-spreading module that steals data and then automatically encrypts files across the organisation’s systems.

Business Impact

Healthcare organisations struck by ransomware typically experience immediate disruption to clinical systems — electronic health records, pharmacy systems, and diagnostic equipment that depend on the IT network. Historical ransomware events in healthcare have required redirection of emergency patients, cancellation of elective procedures, and reversion to manual (paper-based) processes for days to weeks. Data exfiltration prior to encryption means patient medical records, billing data, and personally identifiable information may be published if the ransom is not paid. The group’s ransom demands range from USD 250,000 to USD 2,000,000 depending on the victim organisation’s size.

Regulatory Implications

Healthcare organisations operating under HIPAA are required to report ransomware incidents that involve access to protected health information (PHI) to the Department of Health and Human Services. The 60-day notification clock begins from the date the breach is discovered. European healthcare providers under NIS2 must notify their national competent authority within 24 hours of becoming aware of a significant incident affecting critical infrastructure. The data exfiltration component of the Gentelman attack typically constitutes a reportable breach in both regimes.

Board-Ready Summary

  • A ransomware group is actively targeting healthcare providers using security gaps in remote management software that has been known to be vulnerable since 2024
  • A successful attack against this organisation could result in clinical disruption for days to weeks, mandatory regulatory notification, and potential publication of patient data
  • Leadership should direct the security team to immediately audit and patch all remote management software and verify that backups are isolated from the primary network

Recommended Actions

  1. Immediate (0–24 hours): Identify all remote monitoring and management (RMM) tools deployed in the environment. Verify that ConnectWise ScreenConnect is updated to version 23.9.8 or later (this patches CVE-2024-1708, a known Gentelman initial access vector). Restrict RMM console ports to internal networks only — they should not be internet-accessible without VPN.

  2. Immediate (0–24 hours): Verify that backup systems are not accessible from the primary production network. Backups on network-attached storage accessible to production servers will be encrypted in a ransomware event. Air-gapped or immutable backup copies are the critical safety net.

  3. Short-term (this week): Review managed service provider (MSP) access to the environment. Confirm that all MSPs with remote access to clinical or administrative systems are using current, patched RMM tooling. Request confirmation in writing.

  4. Short-term (this week): Enable enhanced monitoring for lateral movement indicators — specifically, unusual file access patterns across network shares, unexpected administrative account logins outside business hours, and processes executing from temporary or user profile directories.

  5. Ongoing: Establish a minimum patch cadence for RMM tools that matches the cadence applied to internet-facing infrastructure — within 14 days of a security patch release.
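As an added illustration of the monitoring described in step 4 (example code written for this briefing, not part of the original or of any vendor's tooling), the following Python detector applies the three indicators to constructed sample events. The privileged account names, business hours, share threshold and the compact event field names are assumptions; map them to your own SIEM schema.

```python
import json
from collections import defaultdict
from datetime import datetime

# Assumed for this example: the org's privileged accounts, its business hours,
# and a share-access threshold tuned to its own baseline. Expect to allowlist
# legitimate AppData installers (Teams, OneDrive) before running this for real.
ADMIN_ACCOUNTS = {"svc_backup_admin", "da-helpdesk"}
BUSINESS_HOURS = (7, 19)        # 07:00-19:00 local time
SHARE_THRESHOLD = 3             # distinct shares touched by one account
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed JSON-lines sample (not real logs), loosely modelled on Windows
# Security events 4624 (logon), 4688 (process creation), 5145 (share access).
SAMPLE_LOG = r"""
{"id":4624,"t":"2026-06-02T02:13:00","user":"svc_backup_admin","host":"EHR-DB01"}
{"id":4688,"t":"2026-06-02T02:14:30","user":"svc_backup_admin","host":"EHR-DB01","image":"C:\\Users\\svc_backup_admin\\AppData\\Local\\Temp\\update.exe"}
{"id":5145,"t":"2026-06-02T02:16:00","user":"svc_backup_admin","host":"FS-01","share":"\\\\FS-01\\Clinical"}
{"id":5145,"t":"2026-06-02T02:16:20","user":"svc_backup_admin","host":"FS-01","share":"\\\\FS-01\\Billing"}
{"id":5145,"t":"2026-06-02T02:16:40","user":"svc_backup_admin","host":"FS-02","share":"\\\\FS-02\\Imaging"}
{"id":4624,"t":"2026-06-02T09:15:00","user":"jsmith","host":"WS-0412"}
{"id":4688,"t":"2026-06-02T09:16:00","user":"jsmith","host":"WS-0412","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"id":5145,"t":"2026-06-02T09:20:00","user":"jsmith","host":"FS-01","share":"\\\\FS-01\\Clinical"}
"""

def parse_events(text):
    """Parse JSON-lines into dicts, converting the timestamp to a datetime."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["t"] = datetime.fromisoformat(ev["t"])
    return events

def detect(events):
    """Return (rule, user, host, detail) hits for the three indicators."""
    hits, shares = [], defaultdict(set)
    for ev in events:
        user, host = ev["user"], ev["host"]
        if ev["id"] == 4624 and user in ADMIN_ACCOUNTS:
            if not BUSINESS_HOURS[0] <= ev["t"].hour < BUSINESS_HOURS[1]:
                hits.append(("admin_logon_off_hours", user, host, ev["t"].isoformat()))
        elif ev["id"] == 4688 and ev["image"].lower().startswith(USER_WRITABLE_DIRS):
            hits.append(("exec_from_user_writable_dir", user, host, ev["image"]))
        elif ev["id"] == 5145:
            shares[user].add(ev["share"])
    for user, seen in shares.items():       # one account sweeping many shares
        if len(seen) >= SHARE_THRESHOLD:
            hits.append(("broad_share_access", user, "*", ", ".join(sorted(seen))))
    return hits

if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_LOG)):
        print(hit)
```

On the sample, all three rules fire for the same service account within minutes of each other, which is the correlation worth alerting on; any single rule alone will be noisy in a real estate.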