Multiple news sources reported on April 28, 2026 that TheGentlemen ransomware gang targeted Lawson Software in an attack tracked under the DeXpose label. Lawson Software provides ERP and human capital management solutions to mid-market and large enterprises across multiple sectors including manufacturing, distribution, healthcare, and government. The attack was first observed at 08:13 UTC and remained active as of 17:42 UTC the same day.
Why this matters: Lawson deployments typically run mission-critical financial, procurement, and payroll functions. Unlike consumer-facing systems, compromise of ERP infrastructure can cascade across supply chains—affecting procurement timelines, payment processing, and inventory management for downstream customers. The ransomware landscape has shifted toward targeting software providers themselves rather than end-users, a strategy that multiplies potential impact across hundreds of client organizations.
TheGentlemen appears to operate under an extortion model, publishing stolen data through the DeXpose leak channel to pressure victims. Organizations running Lawson instances should assume potential exposure of financial records, employee data, and transaction histories if backups or network segmentation were inadequate.
What to watch: Monitor Lawson's official communications and your organization's managed service provider advisories for indicators of compromise. If your organization runs Lawson, priority actions include verifying backup integrity (offline, tested restores), reviewing access logs for lateral movement indicators, and validating that multi-factor authentication is enforced on administrative accounts. Do not assume patching alone resolves ransomware intrusions—assume breach and verify. Organizations relying on Lawson should also stress-test manual financial processes in case system recovery extends beyond acceptable timelines.
