Gentlemen ransomware deploys 8 EDR killer variants

Manaal Khan · 20 June 2026 at 3:42 pm · 5 min read

Key Takeaways

Source: BleepingComputer
  • Gentlemen ransomware-as-a-service maintains at least 8 variants of GentleKiller, each impersonating legitimate security software
  • The EDR killer tool targets over 400 processes from 48 security vendors including Microsoft, CrowdStrike, and SentinelOne
  • The gang selects targets based on FortiGate endpoint configurations, coinciding with the FortiBleed credential dump of 74,000 VPN credentials

A ransomware-as-a-service operation called Gentlemen is actively maintaining a toolkit of EDR killers designed to neutralize endpoint security before deploying ransomware. ESET researchers identified at least eight variants of the group's primary tool, which they've named GentleKiller. Each variant impersonates legitimate software from Kaspersky, Valorant, Javelin, or WatchDog to avoid raising immediate suspicion.

The finding underscores a worrying trend: ransomware gangs are investing serious development resources into defeating the very tools organizations deploy to stop them. This isn't a one-off bypass. It's a modular framework built for sustained operations.

How GentleKiller disables security software

GentleKiller uses the BYOVD technique, short for "bring your own vulnerable driver." The attack works by loading a legitimate but vulnerable kernel driver onto the target system, then exploiting that driver to gain kernel-level privileges. From there, the malware can terminate security processes that would normally be protected from user-mode interference.

Figure: Variant names and drivers used

Each GentleKiller variant uses a different vulnerable driver, but ESET found they share common strings, identical code obfuscation, and similar process-killing logic. The architecture suggests the framework was designed for quick driver swaps. When a driver gets patched or blocklisted, the gang can swap in a new vulnerable driver without rewriting the core malware.

The tool targets more than 400 processes across 48 security vendors. The hit list includes Microsoft Defender, CrowdStrike Falcon, SentinelOne, Palo Alto Networks, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. If your organization runs endpoint security from a major vendor, GentleKiller has a kill routine for it.
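A kill routine that walks a list of several hundred security processes leaves a distinctive trace: many agent processes from different vendors exit within seconds of each other, which almost never happens during normal operation. The following detector is an added example written for this article, not ESET's or BleepingComputer's code. It reads constructed Sysmon-style Event ID 5 (ProcessTerminate) lines and raises an alert when three or more distinct security processes terminate inside a one-minute window. The process names in `SECURITY_PROCESSES` are assumed examples of common agent service names and should be replaced with the inventory of agents actually deployed in your estate.

```python
"""Flag bursts of security-agent process terminations in Sysmon-style logs.

Added example for illustration; the log lines are constructed and the process
names are assumed examples, not a vendor-supplied list.
"""
from datetime import datetime, timedelta

# Assumed examples of security-agent process names (lowercase for matching).
# Replace with the agents you actually run; the point is the burst logic.
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender service
    "csfalconservice.exe",  # CrowdStrike Falcon sensor
    "sentinelagent.exe",    # SentinelOne agent
    "ekrn.exe",             # ESET kernel service
    "savservice.exe",       # Sophos AV service
}

# Constructed Sysmon Event ID 5 (ProcessTerminate)-style lines:
# "<ISO timestamp> EventID=5 Image=<full path>"
SAMPLE_LOG = r"""
2026-06-20T14:01:02 EventID=5 Image=C:\Windows\System32\notepad.exe
2026-06-20T14:05:10 EventID=5 Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe
2026-06-20T14:05:11 EventID=5 Image=C:\Program Files\CrowdStrike\CSFalconService.exe
2026-06-20T14:05:11 EventID=5 Image=C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe
2026-06-20T14:05:13 EventID=5 Image=C:\Program Files\ESET\ESET Security\ekrn.exe
2026-06-20T14:30:00 EventID=5 Image=C:\Program Files\Sophos\SAVService.exe
"""


def parse_events(text):
    """Return a list of (timestamp, image_path) for every EventID=5 line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Paths contain spaces, so split at most twice: ts, EventID=.., Image=..
        ts, event_id, image_field = line.split(" ", 2)
        if event_id != "EventID=5" or not image_field.startswith("Image="):
            continue
        events.append((datetime.fromisoformat(ts), image_field[len("Image="):]))
    return events


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_termination_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return one alert per burst of >= threshold distinct security processes
    terminating within `window`. Each alert is a dict with start, end and the
    sorted process names involved."""
    hits = sorted((ts, img) for ts, img in events if basename(img) in SECURITY_PROCESSES)
    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - start <= window:
            j += 1
        names = sorted({basename(img) for _, img in hits[i:j + 1]})
        if len(names) >= threshold:
            alerts.append({"start": start, "end": hits[j][0], "processes": names})
            i = j + 1  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_termination_bursts(parse_events(SAMPLE_LOG)):
        print(f"{alert['start']} - {alert['end']}: {', '.join(alert['processes'])}")
```

In the constructed sample, the lone Sophos termination at 14:30 does not alert on its own, while the four agent exits between 14:05:10 and 14:05:13 do. Tune `threshold` and `window` to the number of agents on your endpoints; a single-agent estate would key on the agent's watchdog or service-restart events instead.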

Commercial packers and stolen signatures

The GentleKiller binaries are protected by Enigma and Themida, commercial packing tools that make reverse engineering more difficult. ESET also noted the threat actors use stolen digital signatures from legitimate software. The signatures are invalid, meaning they won't pass strict verification, but some security products may still give signed binaries more trust during initial inspection.

Beyond their custom tool, the Gentlemen gang incorporates three external EDR killers into their operations: HexKiller, previously associated with the Warlock gang; ThrottleBlood, linked to MesudaLocker and DragonForce attacks; and HavocKiller, seen in other ransomware operations. The redundancy suggests the gang wants options if one tool fails or gets detected.

FortiGate targeting and the FortiBleed connection

ESET's analysis found that Gentlemen ransomware selects targets based on FortiGate endpoint configurations. This timing is notable. Researchers recently disclosed "FortiBleed," a collection of nearly 74,000 FortiGate VPN credentials. Organizations running FortiGate VPNs should assume attackers are actively working through that credential list.

The gang also uses OxideHarvest, a Rust-based credential stealer that ESET believes was developed outside the group, judging by the choice of language. Rust remains less common in ransomware tooling, and the Gentlemen developers appear to favor C++ for their internal tools.

Known victims and infrastructure

Gentlemen previously compromised Oltenia, a Romanian energy provider. The gang has been linked to a SystemBC proxy malware botnet spanning over 1,570 hosts, which ESET believes are corporate victims. SystemBC provides attackers with persistent backdoor access and proxy capabilities, letting them route malicious traffic through compromised machines.

The scale of the botnet suggests Gentlemen operations extend well beyond publicly disclosed incidents. Most ransomware victims never make headlines.

Why EDR killers keep working

BYOVD attacks exploit a fundamental Windows design choice. The operating system trusts signed kernel drivers, even when those drivers contain known vulnerabilities. Microsoft maintains a blocklist of vulnerable drivers, but keeping it current requires constant updates. Attackers only need to find one vulnerable driver that isn't yet blocklisted.

Research from Sophos found BYOVD attacks increased 400% between 2022 and 2024. The technique has become standard in ransomware operations because it works. EDR products can detect many attacks, but they struggle to protect themselves once an attacker has kernel access.

Frequently Asked Questions

What is an EDR killer?

An EDR killer is malware designed to disable endpoint detection and response software. These tools typically exploit vulnerable kernel drivers to gain elevated privileges, then terminate security processes before deploying ransomware or stealing data.

How does the BYOVD technique work?

BYOVD stands for "bring your own vulnerable driver." Attackers load a legitimate but vulnerable signed driver onto the target system, exploit the vulnerability to gain kernel privileges, then use those privileges to disable security software.

Which security products does GentleKiller target?

GentleKiller targets over 400 processes from 48 vendors, including Microsoft Defender, CrowdStrike, SentinelOne, Palo Alto Networks, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.

What is the connection between Gentlemen ransomware and FortiBleed?

ESET found Gentlemen selects targets based on FortiGate endpoint configurations. This coincides with the FortiBleed disclosure of 74,000 FortiGate VPN credentials, suggesting the gang may be leveraging compromised credentials for initial access.

How can organizations defend against EDR killers?

Enable Microsoft's vulnerable driver blocklist, monitor for unexpected driver installations, implement application whitelisting for kernel drivers, and ensure EDR products have self-protection features enabled. No single measure is sufficient.
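The three log-based defenses above (honour the vulnerable driver blocklist, watch for unexpected driver installations, distrust binaries whose signature does not verify, as in the stolen-signature case described earlier) can be combined into one triage step over driver-load telemetry. The following is an added example written for this article, not ESET's, Microsoft's or the article's own code. It parses constructed Sysmon-style Event ID 6 (DriverLoad) lines using the real field names from that event (`ImageLoaded`, `Hashes`, `Signed`, `Signature`, `SignatureStatus`) and flags a load when its SHA256 is on a blocklist, its signature is missing or invalid, or it was loaded from outside the expected driver directory. The hashes and the blocklist contents are placeholders; a real deployment would populate `VULNERABLE_DRIVER_SHA256` from Microsoft's vulnerable driver blocklist or an equivalent feed.

```python
"""Triage driver-load events against a vulnerable-driver blocklist.

Added example for illustration; the log lines, hashes and blocklist entries
are constructed placeholders, not real driver identifiers.
"""

# Constructed placeholder SHA256 digests (repeated byte patterns, 64 hex chars).
HASH_LEGIT = "a1" * 32
HASH_INVALID_SIG = "b2" * 32
HASH_VULNERABLE = "c3" * 32

# Stand-in for the vulnerable driver blocklist: digest -> descriptive label.
VULNERABLE_DRIVER_SHA256 = {
    HASH_VULNERABLE: "placeholder-known-vulnerable-driver.sys",
}

# Drivers are expected to live here; loads from elsewhere are worth a look.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon Event ID 6 (DriverLoad)-style lines, fields joined by " | ".
SAMPLE_DRIVER_LOG = "\n".join([
    r"UtcTime=2026-06-20 14:04:58 | ImageLoaded=C:\Windows\System32\drivers\volmgr.sys"
    r" | Hashes=SHA256=" + HASH_LEGIT + " | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid",
    # Signed with a certificate that does not verify (the stolen-signature pattern)
    r"UtcTime=2026-06-20 14:05:01 | ImageLoaded=C:\Users\Public\kl_helper.sys"
    r" | Hashes=SHA256=" + HASH_INVALID_SIG + " | Signed=true | Signature=Some Vendor | SignatureStatus=Invalid",
    # Legitimately signed and valid, but the digest is on the vulnerable-driver list (BYOVD)
    r"UtcTime=2026-06-20 14:05:03 | ImageLoaded=C:\ProgramData\svc\update.sys"
    r" | Hashes=SHA256=" + HASH_VULNERABLE + " | Signed=true | Signature=Old Vendor Ltd | SignatureStatus=Valid",
])


def parse_driver_event(line):
    """Split one ' | '-delimited line into a dict; 'Hashes' becomes {ALGO: digest}."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    hashes = {}
    for item in fields.get("Hashes", "").split(","):
        algo, _, digest = item.partition("=")
        if digest:
            hashes[algo.strip().upper()] = digest.strip().lower()
    fields["Hashes"] = hashes
    return fields


def triage_driver_load(event):
    """Return a list of human-readable findings for one parsed DriverLoad event."""
    findings = []
    sha256 = event["Hashes"].get("SHA256", "")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        findings.append("known-vulnerable driver (blocklisted hash)")
    if event.get("Signed", "").lower() != "true":
        findings.append("unsigned driver")
    elif event.get("SignatureStatus", "").lower() != "valid":
        # A signature that is present but does not verify deserves no extra trust.
        findings.append("signature present but not valid")
    if not event.get("ImageLoaded", "").lower().startswith(EXPECTED_DRIVER_DIR):
        findings.append("loaded from outside System32\\drivers")
    return findings


def triage_log(text):
    """Return [(image_path, findings)] for every event that produced findings."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_driver_event(line)
        findings = triage_driver_load(event)
        if findings:
            results.append((event.get("ImageLoaded", ""), findings))
    return results


if __name__ == "__main__":
    for image, findings in triage_log(SAMPLE_DRIVER_LOG):
        print(f"{image}: {'; '.join(findings)}")
```

The third constructed line is the one that matters for BYOVD: its signature verifies, so a signature check alone would pass it, and only the hash blocklist and the unusual load path catch it. That is why blocklist enforcement and driver-path monitoring are listed alongside signature validation rather than as alternatives to it.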


Logicity's Take

The Gentlemen operation reveals a maturation in ransomware tooling that should concern every security team. Eight variants with a modular driver-swap architecture mean this isn't a tool. It's a product line with active development. When your adversary maintains better software engineering practices for their malware than many companies do for their legitimate products, the defensive math changes. Organizations relying solely on EDR for ransomware protection need a backup plan, because attackers now budget specifically for defeating it.
