Overview
The Gentlemen ransomware‑as‑a‑service (RaaS) operation is evolving fast. Researchers report the group maintains a modular suite of EDR‑killing tools—most notably a family dubbed GentleKiller—designed to neutralize endpoint defenses, elevate privileges, and give affiliates a clear path to steal data or deploy ransomware. This is not a single exploit; it’s a flexible toolkit built for scale, stealth, and rapid adaptation.

At a glance
| Attribute | Detail |
|---|---|
| Threat | Gentlemen RaaS (EDR‑killer toolkit) |
| Primary EDR killer | GentleKiller (≥8 variants) |
| Technique | BYOVD (Bring Your Own Vulnerable Driver) for kernel privileges |
| Targets | ~400 processes across ~48 security vendors |
| Notable vendors targeted | Microsoft; CrowdStrike; SentinelOne; Palo Alto; Sophos; Trend Micro; ESET; Bitdefender; McAfee/Trellix; Kaspersky |
| Additional tools observed | HexKiller; ThrottleBlood; HavocKiller; OxideHarvest (Rust‑based stealer) |
| Operational note | Uses commercial packers (Enigma, Themida) and stolen digital signatures |
How GentleKiller and friends work
GentleKiller is a purpose‑built EDR killer that uses vulnerable drivers to gain kernel‑level privileges and then disables or kills security processes. Each variant swaps drivers or tweaks targeting lists, but the core logic—code obfuscation, process termination, and driver abuse—remains consistent. That modularity means the operators can weaponize newly disclosed driver flaws quickly without rewriting the whole toolset.
Why this matters: once EDR is neutralized, data theft and encryption run with little resistance. In ransomware incidents, that early window of freedom is where attackers exfiltrate sensitive files and deploy encryption payloads.
Variants, toolchain, and ecosystem
- GentleKiller variants: impersonate legitimate products (Kaspersky, Valorant, Javelin, WatchDog) to evade cursory checks.
- External EDR killers in use: HexKiller (Warlock lineage), ThrottleBlood (MesudaLocker/DragonForce), HavocKiller (ransomware ops). These give redundancy and attribution confusion.
- Credential theft: OxideHarvest, a Rust‑based stealer, appears alongside the EDR killers—suggesting the group mixes in third‑party tooling for specific tasks.
- Packing & signing: binaries are wrapped with Enigma/Themida; attackers reuse stolen (but invalid) digital signatures to appear legitimate.
Impact and targeting
ESET’s analysis shows GentleKiller targets hundreds of processes tied to dozens of security vendors—this is broad, deliberate, and designed to work in enterprise environments. The group’s targeting logic appears to include FortiGate configurations, which ties into recent FortiBleed credential collections and highlights how credential leaks and exposed management interfaces can feed ransomware targeting. Past victims and infrastructure links include energy providers and SystemBC‑linked proxy botnets.
Practical mitigation and response (for CISOs and security teams)
Immediate actions
- Harden driver policies. Block unsigned or untrusted kernel drivers; enforce code‑signing policies.
- Restrict management interfaces. Limit FortiGate and other appliance management to trusted IPs and VPNs.
- Monitor for driver installs. Alert on new kernel driver loads and unusual driver swap activity.
- Detect process‑kill patterns. Create detections for mass process termination patterns and the specific process lists GentleKiller targets.
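The two detections above map directly onto the sequence described in "How GentleKiller and friends work": a vulnerable driver is loaded to obtain kernel privileges, then security processes are terminated in a burst. The following is an added example (not code from the article, ESET, or any vendor) that runs both checks over constructed telemetry. The event shapes are modelled on Sysmon Event ID 6 (Driver loaded) and Event ID 5 (Process terminated), but the field names, sample records, the security-process list and the thresholds are assumptions to be replaced with your own inventory.

```python
"""Driver-load and mass-termination detection over constructed Sysmon-style
events. Added example; the process list, thresholds and sample records are
assumptions, not values taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: process names belonging to a handful of security products.
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe",
    "cyserver.exe", "sophoshealth.exe", "ekrn.exe", "bdservicehost.exe",
}
KILL_THRESHOLD = 3              # distinct security processes killed ...
WINDOW = timedelta(seconds=30)  # ... inside this sliding window -> alert


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def suspicious_driver_loads(events, known_driver_hashes):
    """Flag driver loads whose signature status is not Valid, or whose hash is
    absent from the known-good driver inventory. A stolen certificate can show
    as Valid until it is revoked, which is why the hash inventory is the
    second check rather than an afterthought."""
    alerts = []
    for e in events:
        if e["event_id"] != 6:
            continue
        sig_ok = e.get("signed") == "true" and e.get("signature_status") == "Valid"
        if not sig_ok:
            alerts.append({"host": e["host"], "image": e["image"],
                           "reason": "unsigned or invalid signature"})
        elif e["sha256"] not in known_driver_hashes:
            alerts.append({"host": e["host"], "image": e["image"],
                           "reason": "driver hash not in inventory"})
    return alerts


def mass_kill_bursts(events):
    """Return one (host, window_start, victims) tuple per host on which at least
    KILL_THRESHOLD distinct security processes were terminated within WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] != 5:
            continue
        exe = e["image"].rsplit("\\", 1)[-1].lower()
        if exe in SECURITY_PROCESSES:
            by_host[e["host"]].append((parse_ts(e["ts"]), exe))
    bursts = []
    for host, kills in by_host.items():
        kills.sort()
        start = 0
        for end in range(len(kills)):
            while kills[end][0] - kills[start][0] > WINDOW:
                start += 1  # slide the window forward
            victims = {exe for _, exe in kills[start:end + 1]}
            if len(victims) >= KILL_THRESHOLD:
                bursts.append((host, kills[start][0], sorted(victims)))
                break  # one alert per host is enough for this demo
    return bursts


# Constructed sample telemetry: ws01 loads an invalidly signed driver from a
# temp directory and then loses three EDR processes within seconds; ws02 sees
# a single termination, which on its own is not alert-worthy.
SAMPLE_EVENTS = [
    {"event_id": 6, "host": "ws01", "ts": "2024-05-01 09:00:01",
     "image": "C:\\Windows\\Temp\\wd\\watchdog.sys",
     "signed": "true", "signature_status": "Invalid", "sha256": "ab" * 32},
    {"event_id": 6, "host": "ws01", "ts": "2024-05-01 09:00:02",
     "image": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "signed": "true", "signature_status": "Valid", "sha256": "cd" * 32},
    {"event_id": 5, "host": "ws01", "ts": "2024-05-01 09:00:05",
     "image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"event_id": 5, "host": "ws01", "ts": "2024-05-01 09:00:07",
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"event_id": 5, "host": "ws01", "ts": "2024-05-01 09:00:09",
     "image": "C:\\Program Files\\SentinelOne\\SentinelAgent.exe"},
    {"event_id": 5, "host": "ws02", "ts": "2024-05-01 09:00:10",
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
]
KNOWN_DRIVERS = {"cd" * 32}  # constructed inventory of approved driver hashes

if __name__ == "__main__":
    for a in suspicious_driver_loads(SAMPLE_EVENTS, KNOWN_DRIVERS):
        print("DRIVER ALERT", a)
    for host, when, victims in mass_kill_bursts(SAMPLE_EVENTS):
        print("MASS KILL", host, when, victims)
```

The driver check deliberately alerts on a valid signature with an unknown hash as well as on an invalid one: the article notes the operators reuse stolen signatures, so "signed" alone is not a safe pass condition. The termination check counts distinct victims rather than raw events so that a single process restarting in a loop does not trip it.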
Medium‑term controls
- Implement least privilege and application allow‑listing. Reduce the attack surface for BYOVD techniques.
- Harden EDR resilience. Use tamper‑protection, kernel‑level integrity checks, and out‑of‑band telemetry to detect EDR interference.
- Rotate and protect credentials. Assume credential theft is possible; rotate keys, enforce MFA, and monitor for lateral movement.
Incident response playbook
- Isolate suspected hosts and preserve memory images.
- Hunt for unusual driver loads, packed binaries, and stolen signature artifacts.
- Rebuild from known‑good images where kernel integrity is in doubt.
- Share IoCs with trusted partners and law enforcement.
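The hunting step above, and the "Packing & signing" point earlier (Enigma/Themida wrapping plus stolen signatures), both come down to triaging executables quickly. The following is an added example, not code from the article or from ESET: a dependency-free PE reader that flags default packer section names, flags high-entropy sections (catching packers whose sections were renamed), and reports whether an Authenticode blob is attached at all. The packer section names are commonly documented defaults (an assumption), the entropy threshold is a constructed heuristic, and the sample files are built in memory rather than taken from any real malware.

```python
"""Packed-binary and signature-blob triage for PE files. Added example with
constructed sample images; PACKER_SECTIONS and ENTROPY_PACKED are assumptions."""
import math
import random
import struct

PACKER_SECTIONS = {b".enigma1", b".enigma2", b".themida", b".vmp0", b".vmp1", b"upx0", b"upx1"}
ENTROPY_PACKED = 7.2  # bits/byte; compressed or encrypted data approaches 8.0


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Minimal PE32/PE32+ reader. Returns ([(section_name, raw_bytes)], size of
    the SECURITY data directory, which is non-zero when an Authenticode blob
    is attached to the file)."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories start here
    sec_dir_size = struct.unpack_from("<II", blob, dirs + 4 * 8)[1]  # entry 4 = SECURITY
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = blob[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        sections.append((name, blob[raw_ptr:raw_ptr + raw_size]))
    return sections, sec_dir_size


def triage(blob):
    """Return human-readable findings for one PE image."""
    sections, sec_dir_size = parse_pe(blob)
    findings = []
    for name, data in sections:
        label = name.decode(errors="replace")
        if name.lower() in PACKER_SECTIONS:
            findings.append(f"packer section {label}")
        elif len(data) >= 256 and entropy(data) > ENTROPY_PACKED:
            findings.append(f"high-entropy section {label}")
    # A blob being present says nothing about validity: a stolen or revoked
    # certificate still leaves one attached, so the chain must be verified.
    findings.append("authenticode blob present (verify chain separately)" if sec_dir_size
                    else "no authenticode signature")
    return findings


def build_sample_pe(sections, signed=False):
    """Construct a minimal, non-loadable PE32+ image from (name, bytes) pairs,
    optionally with a dummy WIN_CERTIFICATE blob. Constructed test data only."""
    opt_size, n = 240, len(sections)  # PE32+ optional header with 16 directories
    first_raw = (0x40 + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF
    raws, ptr = [], first_raw
    for _, data in sections:
        raws.append(ptr)
        ptr += (len(data) + 0x1FF) & ~0x1FF
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, ptr, 16)  # security dir holds a file offset
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x22) + opt
    for (name, data), raw in zip(sections, raws):
        out += struct.pack("<8sIIII", name, len(data), raw, len(data), raw) + b"\0" * 16
    for (_, data), raw in zip(sections, raws):
        out += b"\0" * (raw - len(out)) + data
    if signed:
        out += b"\0" * (ptr - len(out)) + struct.pack("<IHH", 16, 0x200, 2) + b"\0" * 8
    return bytes(out)


def sample_files():
    """Three constructed images: a Themida-style packed file carrying a
    signature blob, a plain unsigned tool, and a packer with a renamed section."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for an encrypted payload
    code = b"MOV EAX, 1; RET; " * 256                        # low-entropy filler
    return {
        "packed_themida.exe": build_sample_pe([(b".text", code), (b".themida", noise)], signed=True),
        "plain_tool.exe": build_sample_pe([(b".text", code), (b".data", b"config=1\0" * 64)]),
        "renamed_packer.exe": build_sample_pe([(b".text", noise)]),
    }
```

Run `triage()` over files from a suspect host and treat "packer section" or "high-entropy section" on something that is not a known commercial product as a hunting lead, not a verdict. For the signature question, feed anything with a blob to `signtool verify` or PowerShell's `Get-AuthenticodeSignature`, which check the chain and revocation status that this helper deliberately does not attempt.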
What leaders should say to their teams
This is a moment for calm, decisive leadership. Gentlemen’s toolkit is engineered to remove your safety net; your job is to make that toolkit ineffective. Tell your teams you’re prioritising driver‑policy hardening, EDR resilience, and rapid detection of process‑kill behavior. Reassure staff that containment and recovery plans are in motion, and that you’ll communicate clearly if any systems are impacted. People respond to clarity and competence—lead with both.
Expert in the Cloud Insight
Gentlemen RaaS shows the industry a simple truth: attackers will weaponize whatever gives them kernel access. The defensive shift required is not just better signatures or faster patching; it’s architectural: reduce the number of ways kernel code can be introduced, make EDR tamper‑resistant, and treat driver installs as high‑risk events. Combine technical controls with clear playbooks and you turn a fast, noisy attacker into a slow, detectable one.