
Gentlemen ransomware deploys multiple EDR killers to evade defenses

Summary

– The Gentlemen ransomware group uses a suite of custom EDR-killing tools, most notably GentleKiller, which has at least eight variants that impersonate legitimate security products like Kaspersky and Valorant.
– GentleKiller leverages the ‘bring your own vulnerable driver’ (BYOVD) technique to gain kernel-level privileges and disable security engines, targeting over 400 processes from 48 security vendors.
– The EDR killer binaries are protected by commercial packing tools (Enigma and Themida) and use stolen, invalid digital signatures.
– The group also employs three external EDR-killing tools—HexKiller, ThrottleBlood, and HavocKiller—for redundancy or when GentleKiller is less effective.
– Gentlemen ransomware selects targets based on FortiGate endpoint configurations, and has previously compromised a Romanian energy provider and been linked to a SystemBC proxy malware botnet.

The Gentlemen ransomware-as-a-service (RaaS) operation is actively expanding its arsenal with multiple EDR killer tools, designed to help affiliates bypass endpoint defenses during attacks. This development signals a growing sophistication in the group’s evasion tactics.

The gang’s primary weapon in this area is a custom utility researchers have named GentleKiller, which now exists in at least eight distinct variants. Each variant impersonates legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog. These tools are deployed early in the attack chain to disable defenses, ensuring that data theft and file encryption proceed without interruption.

An EDR killer typically exploits the “bring your own vulnerable driver” (BYOVD) technique to gain kernel-level privileges and shut down security engines. According to ESET researchers, each GentleKiller variant relies on different vulnerable drivers to achieve this, yet they share common strings, identical code obfuscation methods, and similar process-killing logic. This design suggests the framework allows for easy driver swaps or the rapid integration of newly disclosed vulnerabilities without major code rewrites.

The tool targets over 400 processes associated with approximately 48 security vendors, including major names like Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. The binaries themselves are protected by the commercial packers Enigma and Themida, and ESET notes that the threat actor also uses stolen digital signatures from legitimate software, though these are invalid.
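The two traits described above, a driver load that fails signature validation (the BYOVD step) followed by a burst of security-product process terminations, are what a defender can look for. The following is an added example written for this page, not code from ESET or BleepingComputer. It runs two simple detection rules over constructed Sysmon-style records (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate); the driver paths, hashes, process names and timestamps are made up, and the security-process set and known-vulnerable-driver list are placeholders to be populated from your own EDR vendor's process names and a curated source such as the LOLDrivers project.

```python
"""Flag BYOVD-style driver loads and subsequent security-process kill bursts.

Constructed example: the events below imitate Sysmon field names but every
value (paths, hashes, times, process names) is invented for illustration.
"""
import ntpath
from datetime import datetime, timedelta

# Placeholder names; replace with the agent/service process names of the
# security products actually deployed in your environment.
SECURITY_PROCESS_NAMES = {"edr_agent.exe", "av_service.exe", "sensor.exe"}

# Placeholder hash list; in practice load this from a curated vulnerable-driver
# catalogue (e.g. the LOLDrivers project). "DEADBEEF" is a made-up value.
KNOWN_VULNERABLE_DRIVER_HASHES = {"SHA256=DEADBEEF"}

# Constructed sample log: one benign driver load, one suspicious load with an
# invalid signature, then three security-product terminations within seconds.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "id": 6, "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=AAAA",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"ts": "2025-01-10T09:01:00", "id": 6, "Signed": "true",
     "SignatureStatus": "Invalid", "Hashes": "SHA256=DEADBEEF",
     "ImageLoaded": r"C:\Users\Public\helper.sys"},
    {"ts": "2025-01-10T09:01:05", "id": 5, "Image": r"C:\Program Files\Vendor\edr_agent.exe"},
    {"ts": "2025-01-10T09:01:07", "id": 5, "Image": r"C:\Program Files\Vendor\av_service.exe"},
    {"ts": "2025-01-10T09:01:09", "id": 5, "Image": r"C:\Program Files\Vendor\sensor.exe"},
    {"ts": "2025-01-10T09:01:10", "id": 5, "Image": r"C:\Windows\System32\notepad.exe"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def flag_driver_loads(events):
    """Return (ts, path, reasons) for driver loads that fail signature
    validation or whose hash is on the known-vulnerable list."""
    alerts = []
    for e in events:
        if e["id"] != 6:
            continue
        reasons = []
        # A stolen or revoked certificate does not validate; Sysmon reports
        # anything other than "Valid" here.
        if e.get("SignatureStatus") != "Valid":
            reasons.append(f"signature status {e.get('SignatureStatus')!r}")
        if e.get("Hashes") in KNOWN_VULNERABLE_DRIVER_HASHES:
            reasons.append("hash on known-vulnerable driver list")
        if reasons:
            alerts.append((e["ts"], e["ImageLoaded"], reasons))
    return alerts


def security_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return (driver_path, kill_count) for each driver load followed within
    `window` by at least `threshold` terminations of security-product processes."""
    loads = [e for e in events if e["id"] == 6]
    # ntpath handles Windows separators regardless of the analysis host OS.
    kills = [e for e in events
             if e["id"] == 5
             and ntpath.basename(e["Image"]).lower() in SECURITY_PROCESS_NAMES]
    bursts = []
    for load in loads:
        t0 = parse_ts(load["ts"])
        count = sum(1 for k in kills if t0 <= parse_ts(k["ts"]) <= t0 + window)
        if count >= threshold:
            bursts.append((load["ImageLoaded"], count))
    return bursts


if __name__ == "__main__":
    for ts, path, reasons in flag_driver_loads(SAMPLE_EVENTS):
        print(f"[driver] {ts} {path}: {'; '.join(reasons)}")
    for path, count in security_kill_bursts(SAMPLE_EVENTS):
        print(f"[burst] {count} security-process terminations after load of {path}")
```

Either rule alone is noisy (unsigned test drivers, routine agent upgrades); correlating the two within a short window is what makes the alert worth paging on, and the window and threshold should be tuned against your own baseline of driver loads.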

Beyond GentleKiller, the group has incorporated at least three external tools into its collection: HexKiller (previously used by the Warlock gang), ThrottleBlood (linked to MesudaLocker and DragonForce attacks), and HavocKiller (also seen in other ransomware operations). ESET suggests these additions may provide redundancy, complicate attribution, or serve as backups in scenarios where GentleKiller is less effective.

ESET also documented the use of OxideHarvest, a Rust-based credential stealer that researchers believe was developed externally, given the choice of programming language. The analysis further indicates that Gentlemen ransomware selects targets based on the configuration of their FortiGate endpoints. This is a notable finding, especially in light of the recent “FortiBleed” incident, which exposed nearly 74,000 FortiGate VPN credentials.

The Gentlemen RaaS previously compromised the Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate victims.

(Source: BleepingComputer)
