What’s going on?
Quick version: the Gentlemen ransomware-as-a-service crew have been quietly building a toolbox to shut down defenders. Their go-to hack is a family of EDR killers — little utilities whose job is to make endpoint protection take a long coffee break so the bad stuff can run freely.
The most common member of that family is a custom bit of nastiness dubbed GentleKiller. It shows up in at least eight flavors, masquerading as software from antivirus vendors, game publishers and watchdog/monitoring utilities. The trick is simple and brutal: disable security processes early in the intrusion, then steal data or encrypt files without interruption.
Tools, targets, and the weird bits
How do they yank the rug out from under EDRs? With a “bring your own vulnerable driver” (BYOVD) approach. In plain English: once they have local admin on a box, they install a legitimately signed driver that happens to have a known flaw, so Windows loads it without complaint. The flaw then lets their user-mode tool do things only the kernel should be able to do, such as terminate protected processes or tamper with kernel memory. That is how they mute or kill protection engines that ordinary admin rights, and the EDR’s own tamper protection, would normally keep out of reach.
Researchers note the GentleKiller variants share the same funky fingerprints — matching strings, the same obfuscation tricks, and nearly identical process-killing logic — which suggests the framework is designed to let operators swap drivers or plug in new exploits without rewriting much code.
The toolset targets a huge list of security processes: hundreds of processes associated with around forty-eight vendors, including names like Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky. The binaries themselves are wrapped in commercial packers and protections, and some builds carry stolen code-signing certificates whose signatures do not actually validate. That detail matters for defenders: a check that asks only “is it signed?” rather than “does the signature verify against a trusted chain?” will be fooled. GentleKiller is also not the only EDR killer in the kit; the crew carries several others that have been seen elsewhere in the wild:
- HexKiller — a utility previously seen with other gangs
- ThrottleBlood — linked to older ransomware campaigns
- HavocKiller — another EDR-disabling tool used in the wild
Those extra tools seem to act as backup plans: redundancy, misdirection for attribution, or simply options for cases where one method fails.
There’s also OxideHarvest, a credential-stealer written in Rust, which looks like it came from a different author. The gang mixes homegrown components with externally sourced tools — kind of like a rogue open-source buffet.
On the targeting side, the group appears to pick victims based partly on FortiGate configurations — which is eyebrow-raising given the recent large leak of FortiGate VPN credentials known as FortiBleed. Past activity includes major hits like a Romanian energy provider and connections to a SystemBC-powered proxy botnet with thousands of compromised hosts.
So what should defenders do? Block known-vulnerable drivers where possible (on Windows, that means turning on Microsoft’s vulnerable driver blocklist and, where you can, enforcing it with WDAC/HVCI so a blocklisted driver simply fails to load). Watch for odd driver loads: Sysmon Event ID 6 (driver loaded) records the image path, hashes and signature status, and the Service Control Manager logs a new kernel driver service as System Event 7045, so a driver appearing from ProgramData, a temp directory or a user profile, or one whose signature does not verify, deserves an alert rather than a shrug. Treat a burst of security-agent processes dying right after a driver load as an incident, not a glitch. Rotate credentials aggressively (especially VPN accounts, and put MFA in front of them), apply least privilege to service accounts, and yes, run breach-and-attack style tests against your EDR/AV, including its tamper protection, so you know what actually trips alarms.
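To make the BYOVD mechanism and the driver-load advice above concrete, here is an added detection example in Python. It is not code from the original article and has nothing to do with the Gentlemen crew’s own tooling; it scores Windows driver-load events on three static signals (non-standard load path, signature that is missing or fails to validate, hash on a vulnerable-driver blocklist) and one behavioural one (security-product processes terminating shortly after the load). The field names follow Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated), but every log line, driver path, vendor name and hash below is constructed for illustration; the blocklist in particular holds placeholder values that a real deployment would replace with Microsoft’s recommended driver block rules or a feed such as the LOLDrivers project.

```python
"""Added BYOVD detection example (not the article's or the Gentlemen crew's code).

Correlates driver-load events with terminations of security-product processes,
the trail an EDR killer that abuses a vulnerable driver leaves in host logs.
All events, paths, hashes and vendor names here are constructed, not captured.
"""
from datetime import datetime, timedelta

# Placeholder hashes standing in for a real vulnerable-driver blocklist.
BENIGN_HASH = "0" * 64        # constructed placeholder for a clean driver
BLOCKLISTED_HASH = "f" * 64   # constructed placeholder for a blocklisted driver
VULN_DRIVER_SHA256 = {BLOCKLISTED_HASH}

# Directories from which legitimate kernel drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Path fragments identifying security-product processes (short illustrative list;
# the article reports the killer targets hundreds of processes from ~48 vendors).
SECURITY_PROCESS_MARKERS = (
    "\\windows defender\\", "\\sentinelone\\", "\\crowdstrike\\", "\\sophos\\",
)

# How long after a driver load a security-process death is treated as related.
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Parse one 'timestamp|event_id|key=value|...' record into a dict."""
    ts, eid, *fields = line.split("|")
    event = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": int(eid)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def driver_sha256(event):
    """Pull the SHA256 out of a Sysmon-style 'Hashes=SHA256=...,MD5=...' field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo == "SHA256":
            return value.lower()
    return ""


def driver_load_findings(event):
    """Static checks on a single driver-load event (Event ID 6)."""
    findings = []
    path = event.get("ImageLoaded", "").lower()
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        findings.append("driver loaded from non-standard path")
    # 'Signed=true' alone is not enough; the signature must actually validate.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append("driver signature missing or invalid")
    if driver_sha256(event) in VULN_DRIVER_SHA256:
        findings.append("driver hash on vulnerable-driver blocklist")
    return findings


def is_security_process(image):
    """True if the image path looks like a security product's process."""
    image = image.lower()
    return any(marker in image for marker in SECURITY_PROCESS_MARKERS)


def detect(log_text):
    """Return [(driver_path, [reasons...]), ...] for every suspicious driver load."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    loads = [e for e in events if e["id"] == 6]
    kills = [e for e in events if e["id"] == 5 and is_security_process(e.get("Image", ""))]
    alerts = []
    for load in loads:
        reasons = driver_load_findings(load)
        # Behavioural signal: security processes dying right after the load.
        killed = [k["Image"] for k in kills
                  if load["time"] <= k["time"] <= load["time"] + CORRELATION_WINDOW]
        if killed:
            reasons.append(f"{len(killed)} security process(es) terminated within "
                           f"{int(CORRELATION_WINDOW.total_seconds())}s of load")
        if reasons:
            alerts.append((load["ImageLoaded"], reasons))
    return alerts


# Constructed sample log: a benign Microsoft driver, then a driver dropped in
# ProgramData followed by two agents dying, then a badly signed driver with no kills.
SAMPLE_LOG = "\n".join([
    "2024-05-01 10:00:01|6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    f"|Hashes=SHA256={BENIGN_HASH}|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "2024-05-01 10:02:13|6|ImageLoaded=C:\\ProgramData\\upd\\gk.sys"
    f"|Hashes=SHA256={BLOCKLISTED_HASH}|Signed=true|Signature=Example Vendor|SignatureStatus=Valid",
    "2024-05-01 10:02:15|5|Image=C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe",
    "2024-05-01 10:02:16|5|Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
    "2024-05-01 10:30:00|6|ImageLoaded=C:\\Users\\Public\\watchdog.sys"
    f"|Hashes=SHA256={'1' * 64}|Signed=true|Signature=Example Stolen Cert|SignatureStatus=Invalid",
])

if __name__ == "__main__":
    for driver, reasons in detect(SAMPLE_LOG):
        print(driver)
        for reason in reasons:
            print("  -", reason)
```

Run as-is it flags the ProgramData driver (odd path, blocklisted hash, two agents killed within the window) and the Users\Public driver (odd path, signature that does not validate), while the tcpip.sys load stays quiet because the later process deaths fall outside its 60-second window. The behavioural rule is the one worth keeping even when the blocklist is stale: a driver the crew swaps in tomorrow will have a new hash, but it still has to be loaded, and the agents still have to die right afterwards.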
Final thought: the Gentlemen crew are not reinventing the wheel — they’re polishing it and swapping tires on the fly. Keep your drivers updated, your telemetry noisy, and your suspicion meter set to “annoyingly high.”