Bottom Line: Gentlemen gang uses at least eight variants of GentleKiller to disable EDR protection from 48 different security vendors before executing ransomware attacks.
The ransomware group Gentlemen deploys specialized tools to disable endpoint detection and response (EDR) systems and subsequently encrypt data. The approach relies on kernel access gained through legitimate but vulnerable drivers and targets over 400 security processes.
The ransomware-as-a-service group Gentlemen has developed an arsenal of specialized EDR killers to neutralize endpoint detection and response systems on target machines. Central to these attacks is the tool GentleKiller, of which ESET analysts have documented at least eight variants. These variants disguise themselves by mimicking legitimate applications such as Kaspersky, Valorant, Javelin, or WatchDog to avoid detection by security tools.
GentleKiller uses the so-called bring-your-own-vulnerable-driver (BYOVD) technique: it loads a legitimate driver with a known vulnerability and exploits it to gain kernel privileges. The tool targets over 400 processes from approximately 48 different security vendors, including Microsoft, CrowdStrike, SentinelOne, Palo Alto, and Sophos. This broad coverage enables the group to disable EDR protection across the board before the actual data encryption takes place.
The developers obfuscate GentleKiller executable files using commercial packing tools such as Enigma and Themida and sign them with stolen digital signatures that are no longer valid but look legitimate at a glance. For redundancy and to complicate attribution, Gentlemen additionally leverages external EDR killers, including HexKiller (previously used by the Warlock gang), ThrottleBlood (associated with DragonForce), and HavocKiller. For credential theft, the group uses OxideHarvest, a stealer tool written in Rust that was presumably purchased from external developers.
According to research findings, Gentlemen selects attack targets based on the configuration of FortiGate endpoints. There is a direct link to the recently published FortiBleed data dump, which contains approximately 74,000 VPN credentials for FortiGate systems. Documented victims of the group include Romanian energy provider Oltenia. Furthermore, Gentlemen controls a SystemBC proxy botnet with over 1,570 compromised systems, primarily enterprise networks.
Source: www.it-daily.net · Published June 19, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.1.