CrowdStrike, SentinelOne, ESET, Microsoft and Kaspersky: Gentlemen Ransomware Builds Modular EDR Killer Suite From Rival Gang Tools

CrowdStrike, SentinelOne, ESET, Microsoft and Kaspersky: Gentlemen Ransomware Builds Modular EDR Killer Suite From Rival Gang Tools

Gentlemen Ransomware Deploys Modular EDR-Killing Framework with Cross-Gang Tools

The Gentlemen ransomware operation has adopted a sophisticated, modular approach to evading endpoint detection and response (EDR) systems, leveraging tools sourced from multiple criminal groups. According to an analysis by cybersecurity firm ESET, the gang’s arsenal includes GentleKiller a custom-built EDR killer with at least eight variants alongside borrowed tools like HexKiller, ThrottleBlood, and HavocKiller, previously used by other ransomware gangs.

GentleKiller employs the bring your own vulnerable driver (BYOVD) technique, using eight distinct vulnerable drivers to gain kernel-level privileges. Its target list spans over 400 processes across 48 security vendors, including Microsoft, CrowdStrike, SentinelOne, and ESET itself. The tool impersonates legitimate software, such as Kaspersky and Valorant, and uses commercial packers like Enigma and Themida for obfuscation. The modular design allows affiliates to swap drivers without rewriting core code, complicating defenses static blocklists may catch one variant while leaving others operational.

Beyond GentleKiller, the gang incorporates tools from rival groups, including HexKiller (linked to Warlock), ThrottleBlood (used by MesudaLocker and DragonForce), and HavocKiller (seen in multiple ransomware campaigns). This tool-sharing creates redundancy, attribution challenges, and tactical flexibility for affiliates. ESET also identified OxideHarvest, a Rust-based credential stealer likely developed externally.

The gang’s targeting strategy includes exploiting FortiGate configurations, as seen in the compromise of Romanian energy provider Oltenia. A SystemBC proxy botnet, comprising over 1,570 corporate hosts, provides persistent access for EDR-killer-assisted attacks. The overlap between SystemBC detections and Gentlemen ransomware activity suggests energy-sector defenders should treat such infections as potential indicators of compromise.

ESET’s findings highlight the gang’s operational persistence, with 478 victims documented before the modular framework was fully analyzed. The interchangeable nature of the tools combined with stolen digital signatures and rapid driver swaps makes detection and attribution increasingly difficult. Defenders are advised to audit driver blocklists against all eight GentleKiller variants, flag multi-gang EDR killer signatures in incidents, and harden FortiGate configurations to reduce exposure.

Source: https://www.cybersecurity-insiders.com/gentlemen-ransomware-edr-killer-suite/

CrowdStrike TPRM report: https://www.rankiteo.com/company/crowdstrike

SentinelOne TPRM report: https://www.rankiteo.com/company/sentinelone

ESET TPRM report: https://www.rankiteo.com/company/eset

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security

Kaspersky TPRM report: https://www.rankiteo.com/company/kaspersky

"id": "micsenkasesecro1782073479",
"linkid": "microsoft-security, sentinelone, kaspersky, eset, crowdstrike",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Energy',
                        'location': 'Romania',
                        'name': 'Oltenia (Romanian energy provider)',
                        'type': 'Organization'},
                       {'size': '1,570+ hosts (SystemBC botnet)',
                        'type': 'Corporate hosts'}],
 'attack_vector': 'Exploitation of vulnerable drivers (BYOVD), FortiGate '
                  'configurations, SystemBC proxy botnet',
 'data_breach': {'data_encryption': 'Yes (ransomware encryption)',
                 'data_exfiltration': 'Yes (via OxideHarvest, potential '
                                      'ransomware exfiltration)',
                 'sensitivity_of_data': 'High (credentials, corporate data)',
                 'type_of_data_compromised': 'Credentials, potentially '
                                             'sensitive corporate data'},
 'description': 'The Gentlemen ransomware operation has adopted a '
                'sophisticated, modular approach to evading endpoint detection '
                'and response (EDR) systems, leveraging tools sourced from '
                'multiple criminal groups. The gang’s arsenal includes '
                'GentleKiller, a custom-built EDR killer with at least eight '
                'variants, alongside borrowed tools like HexKiller, '
                'ThrottleBlood, and HavocKiller. The attack employs BYOVD '
                'techniques, targets over 400 processes across 48 security '
                'vendors, and uses commercial packers for obfuscation. The '
                'gang also incorporates tools from rival groups, creating '
                'redundancy and attribution challenges. A SystemBC proxy '
                'botnet provides persistent access for attacks, and the '
                'incident highlights the gang’s operational persistence with '
                '478 documented victims.',
 'impact': {'data_compromised': 'Credentials (via OxideHarvest), potentially '
                                'sensitive corporate data',
            'identity_theft_risk': 'High (due to credential theft)',
            'operational_impact': 'Disruption of security defenses, potential '
                                  'system encryption',
            'systems_affected': 'Endpoint detection and response (EDR) '
                                'systems, corporate hosts (1,570+ via SystemBC '
                                'botnet)'},
 'initial_access_broker': {'backdoors_established': 'SystemBC botnet (1,570+ '
                                                    'corporate hosts)',
                           'entry_point': 'FortiGate configurations, SystemBC '
                                          'proxy botnet',
                           'high_value_targets': 'Energy sector (e.g., '
                                                 'Oltenia), security vendors'},
 'investigation_status': 'Ongoing (478 victims documented before full '
                         'analysis)',
 'lessons_learned': 'The modular and interchangeable nature of EDR-killing '
                    'tools complicates detection and attribution. Tool-sharing '
                    'among ransomware gangs creates redundancy and tactical '
                    'flexibility. Defenders must audit driver blocklists, flag '
                    'multi-gang signatures, and harden configurations to '
                    'reduce exposure.',
 'motivation': 'Financial gain (ransomware), data exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Audit driver blocklists, '
                                                  'flag multi-gang signatures, '
                                                  'harden FortiGate '
                                                  'configurations, enhance '
                                                  'monitoring for SystemBC '
                                                  'infections',
                            'root_causes': 'Exploitation of vulnerable drivers '
                                           '(BYOVD), FortiGate '
                                           'misconfigurations, modular '
                                           'EDR-killing tools, tool-sharing '
                                           'among ransomware gangs'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'Gentlemen ransomware'},
 'recommendations': ['Audit driver blocklists against all eight GentleKiller '
                     'variants',
                     'Flag multi-gang EDR killer signatures in incidents',
                     'Harden FortiGate configurations to reduce exposure',
                     'Treat SystemBC infections as potential indicators of '
                     'compromise, especially in the energy sector'],
 'references': [{'source': 'ESET'}],
 'response': {'remediation_measures': 'Audit driver blocklists against all '
                                      'eight GentleKiller variants, flag '
                                      'multi-gang EDR killer signatures, '
                                      'harden FortiGate configurations',
              'third_party_assistance': 'ESET (cybersecurity firm)'},
 'threat_actor': 'Gentlemen ransomware gang',
 'title': 'Gentlemen Ransomware Deploys Modular EDR-Killing Framework with '
          'Cross-Gang Tools',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Vulnerable drivers (8 distinct drivers), '
                            'FortiGate misconfigurations'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.