Active Development and Utilization of EDR Killers by Ransomware Gang Gentlemen
Ransomware-as-a-service (RaaS) group Gentlemen has significantly advanced its operations since its emergence in late 2025, notably through the deployment of a suite of endpoint detection and response killers tailored for affiliates. This assessment draws on research conducted by ESET, which leverages incident-level visibility and data leaks to analyze the tools and operational strategies of Gentlemen, particularly their EDR-killing capabilities.
ESET researchers highlight that Gentlemen employs both proprietary and third-party tools, including an in-house framework named GentleKiller. This suite consists of at least eight variants that exploit a range of vulnerable or malicious drivers while conforming to a standardized evasion strategy that utilizes impersonation techniques to disguise malicious files as legitimate software. This comprehensive approach, coupled with a rapid adaptation of newly disclosed vulnerabilities, enables the group to effectively evade detection.
A noteworthy aspect of Gentlemen’s strategy is their targeting methodology. Unlike many ransomware organizations that focus on US victims, Gentlemen has adopted a geographically diverse victimology, concentrated in Southeast Asia, South America, and Western Europe. This suggests a broader operational scope and a deliberate victim-selection approach driven by exploitable weaknesses rather than geography.
Defensive Context
The tactics implemented by Gentlemen reflect a notable shift in the ransomware landscape, revealing a preference for providing affiliates with comprehensive support, including access to EDR-killers. This poses significant risks particularly for organizations in regions that Gentlemen targets, as these tools are specifically designed to neutralize defenses against ransomware deployment without requiring considerable technical proficiency from affiliates.
Why This Matters
Organizations, particularly those with a presence in Southeast Asia, South America, and Western Europe, should be acutely aware of this trend. Gentlemen’s ability to rapidly operationalize newly released proof-of-concept exploits (PoCs), combined with its sophisticated evasion tactics, poses a real threat to those who may not anticipate targeted exploitation of their systems.
Defender Considerations
Victims of ransomware, especially those targeted by groups like Gentlemen, typically rely on EDR solutions for defense. However, the integration of EDR killers such as GentleKiller and tools like HexKiller and ThrottleBlood complicates detection and response efforts. Understanding the operational strategies and characteristics of these EDR killers is critical for developing robust defensive measures against such threats.
Indicators of Compromise (IOCs)
- Kasps.exe (SHA-1: 8AE6BD18B129061F63642531F1B684CF0383C75) – GentleKiller (Kaspersky variant)
- FaceIT1.exe (SHA-1: D605994FC72A2BB59B5CFB1624A1B9170ECA73A2) – GentleKiller (FACEIT Anti-Cheat variant, Enigma-protected)
- Valorant2.exe (SHA-1: 5AA3124E5C4921E5EDFC60133B5D71DA21B07DA3) – GentleKiller (Valorant variant, Themida-protected)
- HexKiller (SHA-1: EC2969501AD71E430810CB5CDC38D954D4BA536) – Incorporated into Gentlemen’s modus operandi.
- ThrottleBlood (SHA-1: 7131B377E96016DC1911020C9F95B1B4D042D7B4) – Incorporated into Gentlemen’s modus operandi.
- OxideHarvest (SHA-1: A5CF917EC4A7DFBDFA43621398604805D860C718) – Credential stealer utilized by an affiliate.
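The following script is an added example, not part of the original analysis or ESET's tooling, showing how a defender would operationalize the SHA-1 indicators above: it validates each indicator (two of the hashes listed above are 39 hex digits rather than the 40 a SHA-1 requires, so they cannot be matched as written and are flagged instead of silently ignored), hashes files in a directory tree, and reports any match. The sample blobs in `demo()` are constructed for the illustration. Note the caveat a practitioner should keep in mind: the Enigma- and Themida-protected variants mentioned above will hash differently from each other and from any repacked build, so a hash sweep is high-confidence but low-coverage and should complement, not replace, behavioural detection of driver loads.

```python
"""IOC hash sweep for the GentleKiller / HexKiller / ThrottleBlood indicators.

Added example: validates the published SHA-1 indicators, flags malformed ones,
and hashes files on disk (or in-memory blobs for testing) against the usable set.
"""
import hashlib
import os
import re

# A well-formed SHA-1 is exactly 40 hexadecimal characters.
SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")

# Indicators exactly as published in the analysis above (labels are ours).
IOCS = {
    "8AE6BD18B129061F63642531F1B684CF0383C75": "Kasps.exe - GentleKiller (Kaspersky variant)",
    "D605994FC72A2BB59B5CFB1624A1B9170ECA73A2": "FaceIT1.exe - GentleKiller (FACEIT variant, Enigma)",
    "5AA3124E5C4921E5EDFC60133B5D71DA21B07DA3": "Valorant2.exe - GentleKiller (Valorant variant, Themida)",
    "EC2969501AD71E430810CB5CDC38D954D4BA536": "HexKiller",
    "7131B377E96016DC1911020C9F95B1B4D042D7B4": "ThrottleBlood",
    "A5CF917EC4A7DFBDFA43621398604805D860C718": "OxideHarvest (credential stealer)",
}


def validate_iocs(iocs):
    """Split indicators into usable (40 hex chars, upper-cased) and malformed."""
    usable, malformed = {}, {}
    for digest, label in iocs.items():
        if SHA1_RE.match(digest):
            usable[digest.upper()] = label
        else:
            malformed[digest] = label
    return usable, malformed


def sha1_hex(data):
    """SHA-1 of an in-memory blob, upper-case hex to match the IOC table."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large binaries do not need to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest().upper()


def scan_blobs(blobs, iocs):
    """Match named in-memory blobs against the usable IOCs. Returns (name, digest, label)."""
    usable, _ = validate_iocs(iocs)
    hits = []
    for name, data in blobs.items():
        digest = sha1_hex(data)
        if digest in usable:
            hits.append((name, digest, usable[digest]))
    return hits


def scan_tree(root, iocs):
    """Walk a directory tree and report every file whose SHA-1 is a usable IOC."""
    usable, _ = validate_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if digest in usable:
                hits.append((path, digest, usable[digest]))
    return hits


def demo():
    """Constructed sample run: two benign blobs, which should produce no hits."""
    usable, malformed = validate_iocs(IOCS)
    print(f"usable indicators: {len(usable)}, malformed (not 40 hex chars): {len(malformed)}")
    for digest, label in malformed.items():
        print(f"  cannot match as written: {label} -> {digest!r} ({len(digest)} chars)")
    samples = {"setup.exe": b"MZ constructed benign sample 1", "notes.txt": b"constructed benign text"}
    hits = scan_blobs(samples, IOCS)
    print(f"hits in constructed samples: {hits}")
    return hits


if __name__ == "__main__":
    demo()
```

Run `scan_tree("/path/to/suspect/share", IOCS)` from a Python shell to sweep a real tree; any returned tuple is a high-confidence match that should trigger an incident, while an empty result only says that these exact builds are absent.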
This analysis demonstrates Gentlemen’s technical proficiency and adaptive strategies, which pose ongoing risks to a diverse range of enterprises.