Ethical Hacking News
The Gentlemen is a ransomware operation that has been making headlines in recent months for its tooling and its speed of adaptation. The group maintains a centralized EDR-killer suite called GentleKiller, built to disable security tools before the ransomware itself runs. Offering that capability to affiliates as a ready-made package materially lowers their entry barrier. But what sets The Gentlemen apart from other ransomware operations? Read on to find out.
In brief: GentleKiller has at least eight variants, each impersonating a legitimate product and abusing a vulnerable kernel driver through BYOVD. Centralizing EDR killing in one suite makes it easy for affiliates to use. The group folds newly published exploits into operations within days. Its victims cluster in Southeast Asia, South America, and Western Europe, selected on the basis of FortiGate misconfiguration rather than geography. ESET also found a Rust-based credential stealer, OxideHarvest, attributed to an affiliate named quant.
According to a report by ESET, GentleKiller is the core of The Gentlemen's intrusion tooling: a suite whose sole job is to disable security products on a host before the ransomware payload is deployed.
GentleKiller is an in-house framework with at least eight distinct variants, each impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver through the technique known as Bring Your Own Vulnerable Driver (BYOVD): a legitimately signed but exploitable driver is loaded to obtain kernel-mode primitives, which are then used to terminate protected security processes that user-mode code cannot touch. The suite hunts for over 400 processes belonging to 48 distinct security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Carbon Black, and ESET itself. The usual mitigations apply, Microsoft's vulnerable driver blocklist enforced through WDAC or HVCI and alerting on kernel driver loads from unusual paths, but a variant that ships a newly published driver will slip past a blocklist that has not been updated yet.
What is unusual about The Gentlemen's approach is that EDR killing is centralized: instead of each affiliate bringing their own tooling, the operation supplies a ready-to-use, standardized suite. This makes The Gentlemen an attractive operator for affiliates, as it materially lowers the entry barrier and removes one of the harder steps of an intrusion.
The report also identifies speed of adaptation as a defining characteristic. The group has incorporated vulnerable-driver exploits into its operations within days of their public release. For example, UnknownKiller and PoisonKiller, two publicly released proof-of-concept EDR killers, were both adopted by The Gentlemen shortly after they were published.
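The two paragraphs above make a point defenders should act on: a killer that swaps in a newly published driver within days will beat any detection that relies only on a list of known-bad driver hashes. The script below is an added illustration, not code from ESET's report or from the GentleKiller samples it describes. It assumes Sysmon-style telemetry already parsed into dicts (EventID 6 DriverLoad and EventID 5 ProcessTerminate) and combines a hash blocklist with two checks that do not depend on having seen the driver before: the directory the driver was loaded from, and a burst of security-product process terminations shortly after the load. The hashes, process names, and sample events are constructed for the example; a real deployment would feed Microsoft's vulnerable driver blocklist or loldrivers.io into KNOWN_BAD_SHA256 and build EDR_PROCESSES from its own inventory.

```python
"""Heuristics for spotting BYOVD-style EDR killers in Sysmon telemetry.

Added illustration, not ESET's or The Gentlemen's code. Assumes events are
dicts with Sysmon field names; hashes, process names and sample events are
constructed placeholders.
"""
from datetime import datetime, timedelta

# Constructed placeholders standing in for a real vulnerable-driver feed.
KNOWN_BAD_SHA256 = {"a" * 64, "b" * 64}

# Illustrative subset of process names security products are expected to own.
EDR_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe",
                 "ekrn.exe", "savservice.exe", "cb.exe"}

# Directories from which a legitimate kernel driver should never be loaded.
SUSPICIOUS_DIR_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\",
                          "\\downloads\\", "\\appdata\\")

KILL_WINDOW = timedelta(minutes=5)
KILL_THRESHOLD = 3  # distinct security processes ending inside the window


def ts(text):
    """Parse Sysmon's UtcTime format, e.g. '2026-06-20 10:02:10.000'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def _parse_hashes(field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return them as a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_driver_load(event):
    """Return the reasons a DriverLoad event looks like BYOVD staging ([] if clean)."""
    reasons = []
    path = event.get("ImageLoaded", "").lower()
    hashes = _parse_hashes(event.get("Hashes", ""))
    if hashes.get("SHA256") in KNOWN_BAD_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if any(marker in path for marker in SUSPICIOUS_DIR_MARKERS):
        reasons.append("driver loaded from user-writable directory")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def correlate_kills(events):
    """Pair each suspicious driver load with security-process terminations that
    follow it within KILL_WINDOW. Returns one alert dict per suspicious load."""
    loads = [e for e in events if e["EventID"] == 6 and score_driver_load(e)]
    kills = [e for e in events if e["EventID"] == 5
             and _basename(e.get("Image", "")) in EDR_PROCESSES]
    alerts = []
    for load in loads:
        t0 = load["UtcTime"]
        victims = {_basename(k["Image"]) for k in kills
                   if t0 <= k["UtcTime"] <= t0 + KILL_WINDOW}
        severity = "high" if len(victims) >= KILL_THRESHOLD else "medium"
        alerts.append({"driver": load["ImageLoaded"],
                       "reasons": score_driver_load(load),
                       "killed": sorted(victims), "severity": severity})
    return alerts


# Constructed sample telemetry: one benign load, one load of a blocklisted
# driver followed by three EDR kills, and one never-seen driver from a
# user-writable path followed by a single kill.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": ts("2026-06-20 10:00:00.000"),
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "c" * 64, "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": ts("2026-06-20 10:02:10.000"),
     "ImageLoaded": "C:\\Users\\Public\\upd\\hwmon.sys",
     "Hashes": "SHA256=" + "a" * 64, "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": ts("2026-06-20 10:02:12.000"),
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": ts("2026-06-20 10:02:13.000"),
     "Image": "C:\\Program Files\\SentinelOne\\SentinelAgent.exe"},
    {"EventID": 5, "UtcTime": ts("2026-06-20 10:02:14.000"),
     "Image": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe"},
    {"EventID": 5, "UtcTime": ts("2026-06-20 10:30:00.000"),
     "Image": "C:\\Windows\\notepad.exe"},
    {"EventID": 6, "UtcTime": ts("2026-06-20 10:40:00.000"),
     "ImageLoaded": "C:\\ProgramData\\drv\\nvaudio.sys",
     "Hashes": "SHA256=" + "d" * 64, "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": ts("2026-06-20 10:41:00.000"),
     "Image": "C:\\Program Files\\ESET\\ESET Security\\ekrn.exe"},
]

if __name__ == "__main__":
    for alert in correlate_kills(SAMPLE_EVENTS):
        print(alert)
```

The third sample driver has a hash the blocklist has never seen, which is the situation a days-old PoisonKiller-style variant creates; it is still flagged because of where it was loaded from and what died right after. In production the path and termination checks would be tuned against a baseline, since some legitimate installers do drop drivers under ProgramData.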
The report also highlights that The Gentlemen's victimology breaks the pattern seen in most major ransomware operations. Where other groups show a heavy US concentration, The Gentlemen's victim list skews toward Southeast Asia, South America, and Western Europe. This is not random: the group selects victims primarily on the basis of FortiGate misconfiguration rather than geography, so an exposed or misconfigured FortiGate appliance is the first thing for potential targets to audit.
ESET also found a Rust-based credential stealer called OxideHarvest, which targets Chrome, Edge, Firefox, Brave, Opera, Opera GX, Vivaldi, Waterfox, and a dozen other browsers. The stealer is attributed to an affiliate named quant rather than to the core operators.
In conclusion, The Gentlemen stands out among ransomware operations for the combination of a centralized EDR-killer suite, BYOVD abuse, and rapid adoption of new exploits. For defenders, the value of the report lies in the detail it gives on how GentleKiller behaves, which is what is needed to design monitoring and detection that remain effective against variants that have not been built yet.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Gentlemen-A-Ransomware-Operation-Like-No-Other-ehn.shtml
https://securityaffairs.com/193941/uncategorized/inside-gentlekiller-the-edr-killer-powering-the-gentlemen.html
Published: Sat Jun 20 11:01:59 2026 by llama3.2 3B Q4_K_M