HackMyIP
2026-06-18 BleepingComputer

Gentlemen Ransomware Uses 8 EDR Killer Variants to Disable Defenses

Tags: Ransomware, Malware, Threat Intel

The Gentlemen ransomware-as-a-service (RaaS) operation is actively maintaining a sophisticated suite of endpoint detection and response (EDR) killers to help its affiliates evade detection during attacks. According to ESET researchers, the gang's flagship custom tool, dubbed GentleKiller, exists in at least eight variants that impersonate legitimate security products including Kaspersky, Valorant, Javelin, and WatchDog. These tools rely on the "bring your own vulnerable driver" (BYOVD) technique to escalate privileges and terminate security processes in the early phases of an attack, ensuring that data theft and encryption run unencumbered. Analysts should verify their exposure to compromised credentials with an email breach checker and audit open services using a port scanner to reduce the attack surface targeted by these kill chains.

Each GentleKiller variant uses a different vulnerable driver to achieve kernel-level privileges, but all share common strings, identical obfuscation techniques, and similar process-killing logic. The framework is modular by design, allowing the operators to swap drivers or weaponize newly disclosed flaws without major code changes. The tool targets more than 400 processes associated with roughly 48 security vendors and products, including Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. The binaries are protected by the commercial Enigma and Themida packers, and ESET notes that the threat actor also signs payloads with stolen digital certificates from legitimate software—though those signatures are invalid. Organizations exposed to credential theft should run stolen credentials through a password checker to identify at-risk accounts.

Beyond GentleKiller, the Gentlemen toolkit incorporates at least three external EDR-killing utilities: HexKiller (previously linked to the Warlock gang), ThrottleBlood (associated with MesudaLocker and DragonForce attacks), and HavocKiller, which has appeared in other ransomware operations. ESET suggests these are kept for redundancy, attribution complexity, or scenarios where GentleKiller is less effective. The group also deploys OxideHarvest, a Rust-based credential stealer that researchers believe was developed externally, likely chosen for its lower detection rates and memory safety. Notably, Gentlemen affiliates appear to select targets based on the configuration of their FortiGate endpoints, a tactic that intersects with the recent disclosure of FortiBleed, a vulnerability affecting roughly 74,000 FortiGate devices worldwide.

The Gentlemen gang's investment in a modular, multi-layered EDR-killing framework signals that ransomware operators are increasingly treating defense evasion as a standalone capability rather than an afterthought. With eight GentleKiller variants already in circulation and a roster of borrowed killers ready as backups, defenders cannot rely on signature-based detection of a single EDR killer to catch these intrusions. Hardening FortiGate configurations, monitoring for BYOVD driver loads, and validating endpoint security coverage against the targeted process list are now baseline requirements for organizations seeking to stay ahead of this evolving threat.
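The two baseline controls named above, monitoring for BYOVD driver loads and validating security-agent coverage, can be scripted against endpoint telemetry. The following is an added illustration, not code from BleepingComputer, ESET or the threat actor: it triages records shaped like Sysmon Event ID 6 (DriverLoad) fields against a vulnerable-driver hash blocklist and path/signature heuristics, then reports which expected security-agent processes are absent from a process list. The sample events, the blocklist hashes, the trusted-directory list and the `example_edr_agent.exe` name are all constructed placeholders; a real deployment would populate the blocklist from the Microsoft vulnerable driver blocklist or a comparable feed.

```python
"""Added defender-side example: triage driver-load records for BYOVD
indicators and check security-agent coverage. Not from the article."""

# Directories from which drivers normally load (heuristic, an assumption).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed blocklist keyed by SHA256 -> label. Placeholder values only;
# populate from a real vulnerable-driver feed in practice.
VULNERABLE_DRIVER_SHA256 = {
    "1" * 64: "placeholder-vuln-driver-A",
}

# Constructed records modelled on Sysmon Event ID 6 fields.
SAMPLE_DRIVER_EVENTS = [
    {   # benign in-box driver with a valid Microsoft signature
        "UtcTime": "2026-06-18 09:12:01.000",
        "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
        "Hashes": "SHA256=" + "a" * 64,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # constructed BYOVD-style load: validly signed but blocklisted, dropped
        # into a user-writable directory (signature checks alone miss this)
        "UtcTime": "2026-06-18 09:12:44.000",
        "ImageLoaded": r"C:\Users\Public\example_vuln.sys",
        "Hashes": "SHA256=" + "1" * 64,
        "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid",
    },
    {   # constructed: unknown driver whose signature does not validate
        "UtcTime": "2026-06-18 09:13:02.000",
        "ImageLoaded": r"C:\ProgramData\tmp\loader.sys",
        "Hashes": "SHA256=" + "2" * 64,
        "Signed": "true", "Signature": "Some Signer", "SignatureStatus": "Invalid",
    },
]


def parse_hashes(field: str) -> dict:
    """Turn a Sysmon 'Hashes' field ('SHA1=..,SHA256=..') into {ALGO: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_driver_event(event: dict) -> list:
    """Return the reasons a driver-load record deserves analyst attention."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    image = event.get("ImageLoaded", "").lower()
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside trusted driver directories")
    return reasons


def scan_driver_events(events) -> list:
    """Return (ImageLoaded, reasons) for every record that trips at least one check."""
    findings = []
    for ev in events:
        reasons = triage_driver_event(ev)
        if reasons:
            findings.append((ev.get("ImageLoaded", "?"), reasons))
    return findings


def missing_security_agents(running_processes, expected_agents) -> set:
    """Coverage check: which expected security-agent process names are not running?"""
    running = {p.lower() for p in running_processes}
    return {a for a in expected_agents if a.lower() not in running}


if __name__ == "__main__":
    for image, reasons in scan_driver_events(SAMPLE_DRIVER_EVENTS):
        print(image, "->", "; ".join(reasons))
    # Constructed process list; MsMpEng.exe is Microsoft Defender's service,
    # example_edr_agent.exe is a placeholder for a second agent.
    gaps = missing_security_agents(["explorer.exe", "MsMpEng.exe"],
                                   {"MsMpEng.exe", "example_edr_agent.exe"})
    print("missing agents:", sorted(gaps))
```

The second sample record is the instructive one: a vulnerable driver abused for BYOVD is by definition validly signed, so signature and path heuristics alone cannot separate it from a legitimate load, and a hash (or signer/version) blocklist is the check that actually fires. The coverage function is deliberately simple; the useful part is keeping the expected-agent list in sync with the products the article says are targeted and alerting when any of them stops running.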

Source: BleepingComputer
