The Gentlemen ransomware-as-a-service operation is actively developing and maintaining a suite of endpoint detection and response killers to help its affiliates evade detection during attacks. The gang’s primary tool, dubbed GentleKiller by researchers, has at least eight known variants, each impersonating legitimate security products including Kaspersky, Valorant, Javelin, and WatchDog.
Attackers typically deploy EDR killers in the early phase of an attack to disable security defenses, ensuring data theft or encryption processes run unencumbered afterward. These tools work by exploiting the bring your own vulnerable driver technique, which elevates privileges and disables security engines from within the operating system’s kernel.
According to ESET researchers, each GentleKiller variant uses a different vulnerable driver to achieve kernel-level privileges, but all variants share common code strings, identical obfuscation techniques, and similar process-killing logic and targeting scope. The shared framework design allows the gang to swap drivers or weaponize newly disclosed vulnerabilities quickly, without requiring major code rewrites. ESET found that GentleKiller targets more than 400 processes tied to roughly 48 security vendors and products, including Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. Commercial Enigma and Themida packing software protects the tool’s binaries, and the threat actor further disguises them using stolen, though invalid, digital signatures from legitimate software.
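The two conditions a BYOVD-based killer such as GentleKiller relies on are a host that will load a known-vulnerable driver and a loader binary whose stolen signature nobody verifies. The following PowerShell audit is an added example, not code from ESET or the article: it reports whether Microsoft's vulnerable driver blocklist is enforced and lists running kernel drivers whose Authenticode signature fails or is not from Microsoft. The registry path and the `Win32_SystemDriver` class are documented Windows values; the helper and output layout are this example's own.

```powershell
# Added example (not from the article or ESET): BYOVD exposure audit for one host.
# Run in an elevated PowerShell session.

$blocklistKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = Get-ItemProperty -Path $blocklistKey -ErrorAction SilentlyContinue
if ($blocklist -and $blocklist.VulnerableDriverBlocklistEnable -eq 1) {
    Write-Host 'Microsoft vulnerable driver blocklist: ENABLED'
} else {
    Write-Warning 'Microsoft vulnerable driver blocklist: not enforced; known-vulnerable drivers can load'
}

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver reports paths as \??\C:\..., \SystemRoot\..., system32\...
    # or a plain path; normalise them to something Test-Path understands.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

# Collect running drivers whose signature does not verify or is not Microsoft's.
# A blocklisted BYOVD driver usually carries a VALID vendor signature, so a
# non-Microsoft signer is a triage lead, not proof of anything on its own.
$findings = foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        [pscustomobject]@{
            Driver = $drv.Name
            Path   = $path
            Status = $sig.Status      # e.g. Valid, HashMismatch, NotSigned
            Signer = $signer
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host 'No non-Microsoft or unverifiable running drivers found' }
```

Cross-check any listed driver against Microsoft's published vulnerable driver blocklist and the loading process's image, since the article notes the killer binaries, not the drivers, are the ones carrying stolen and invalid signatures.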
Beyond GentleKiller, ESET documented that the Gentlemen gang incorporates at least three external EDR-killing tools into its operations: HexKiller, previously linked to the Warlock ransomware gang; ThrottleBlood, associated with MedusaLocker and DragonForce attacks; and HavocKiller, also observed in other ransomware operations. Researchers believe the gang added these tools for redundancy, to complicate attribution, or for cases where GentleKiller alone proves insufficient. ESET separately identified OxideHarvest, a Rust-based credential-stealing tool likely developed by a third party given its programming language choice.
Researchers found that Gentlemen ransomware selects targets partly based on the configuration of their FortiGate VPN endpoints, a detail that takes on added significance following the recent discovery of FortiBleed, a leak exposing nearly 74,000 FortiGate VPN credentials.
The Gentlemen group has previously compromised Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet spanning more than 1,570 hosts believed to be corporate victims.
