The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.
The gang is using a suite of EDR killers, the most frequently used being a custom tool that researchers named GentleKiller, which has at least eight variants impersonating various legitimate products.
An EDR killer is typically used to disable defenses in the early phases of an attack, and in ransomware incidents, they ensure that data theft or encryption processes run unencumbered.
These tools work by leveraging the ‘bring your own vulnerable driver’ (BYOVD) technique to elevate privileges and disable security engines.
According to ESET researchers, each GentleKiller variant uses different vulnerable drivers to achieve kernel-level privileges. However, they all share common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope.
The analysis of the variants indicates that the framework is designed to allow easy driver swaps or weaponization of newly disclosed flaws without requiring major code changes.
Source: ESET
ESET states that GentleKiller targets more than 400 processes associated with approximately 48 security vendors/products, such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.
Source: ESET
The binaries for the EDR killer tool are protected by the commercial Enigma and Themida packing and code-protection tools. ESET notes that the threat actor also uses stolen digital signatures from legitimate software, although they are invalid.
Although GentleKiller is a standardized tool used in Gentlemen ransomware attacks, ESET reports that the threat group’s collection of EDR killers also incorporates at least three external tools:
- HexKiller, previously used by the Warlock gang
- ThrottleBlood, linked to MesudaLocker and DragonForce attacks
- HavocKiller, also seen in ransomware operations
Gentleman RaaS may have added them for redundancy, attribution complexity, or for use in specific cases where the effectiveness of GentleKiller might be limited.
Additionally, ESET documented the use of OxideHarvest, a Rust-based credential-stealer tool that the researchers believe, based on the programming language choice, was developed externally.
The researchers’ analysis indicates that Gentlemen ransomware picks targets based on the configuration of their FortiGate endpoints. This is particularly interesting given the recent discovery of “FortiBleed,” a collection of nearly 74,000 FortiGate VPN credentials.
The Gentlemen RaaS previously compromised the Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate victims.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
