The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor.
This mature portfolio of EDR-terminating tools is centered around a framework that’s known as GentleKiller.
“They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller,” ESET security researcher Jakub Souček said in a report shared with The Hacker News. “These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons.”
The Slovakian cybersecurity company also called out the ransomware crew for its ability to “unusually quickly operationalize” newly disclosed proof-of-concept (PoC) exploits related to an attack technique called the bring your own vulnerable driver (BYOVD) technique, in many cases within days of their public release.
Since its emergence in March 2025, The Gentlemen has swiftly risen up the ranks and made a name for itself as one of the most active ransomware groups. Per data from Ransomware.live, the group has claimed 504 victims to date, with most of them located in Southeast Asia, South America, and Western Europe.
Recent reports from cybersecurity journalist Brian Krebs and PRODAFT have revealed that a 36-year-old Russian national named Alexander Andreevich Yapaev (aka hastalamuerte) has been leading the operation, after acting as an affiliate for other ransomware schemes, including Qilin.
ESET has described The Gentlemen as one of the most technically agile RaaS groups, using a set of techniques to ensure that the compiled EDR killer samples sidestep detection. This includes binary protection using Enigma or Themida and using file names that resemble well-known cybersecurity vendors, right down to their version information, digital signatures, and icons.
The most prevalent of them is GentleKiller, which comes in eight different variants, each mimicking a different legitimate product and abusing a different vulnerable or malicious driver as part of the BYOVD attack. GentleKiller specifically looks for 400 processes associated with 48 distinct security programs from a number of vendors.
The list of drivers exploited by each of the variants is as follows –
- Kaspersky (“eb.sys”)
- FACEIT Anti-Cheat (“nseckrnl.sys”)
- Valorant (“GameDriverX64.sys”)
- Javelin (“stpm_old.sys” or “stpm_new.sys”)
- WatchDog (“dmx.sys”)
- Network Blocker (“360netmon_wfp.sys”)
- Cleaner (“IMFForceDelete.sys”)
- G11 (“PoisonX.sys”)
It’s worth noting that the abuse of “PoisonX.sys” has been recorded in recent months in connection with various BYOVD attacks, one of which was used to kill CrowdStrike Falcon EDR. A second campaign, detailed by Huntress, involved an intrusion in which unknown threat actors leveraged BeyondTrust Remote…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
