Gentlemen Ransomware Builds Modular EDR Killer Suite

https://www.cybersecurity-insiders.com/gentlemen-ransomware-edr-killer-suite/

Publish Date: 2026-06-21 15:12:00

Source Domain: www.cybersecurity-insiders.com

Ransomware affiliates have long relied on commodity EDR-killing tools, but Gentlemen ransomware takes a different approach. The gang fields a curated, modular suite of endpoint detection and response killers drawn from at least three rival criminal gangs, engineered so affiliates can swap drivers between attacks without rewriting code. BleepingComputer reported on analysis by ESET, the Slovakia-based cybersecurity firm. ESET traced the framework through the gang’s compromise of Romanian energy provider Oltenia and a SystemBC proxy malware botnet of over 1,570 hosts believed to be corporate victims.

GentleKiller’s Eight Driver Variants Target 400 Processes Across 48 Vendors

The centerpiece of Gentlemen ransomware’s defense-evasion arsenal is GentleKiller, a purpose-built EDR killer with at least eight variants. Each uses a different vulnerable driver to reach kernel-level privileges through the bring your own vulnerable driver (BYOVD) technique. All eight variants share the same code obfuscation, the same process-killing logic, and the same target list. That design is deliberate: the framework lets operators swap a patched or blocklisted driver for a newly disclosed vulnerable one without touching the core tool.

The scope of what GentleKiller hunts is notable. ESET counted more than 400 processes associated with approximately 48 security vendors and products, including Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, Sophos, Trend Micro, ESET itself, Bitdefender, McAfee/Trellix, and Kaspersky. GentleKiller impersonates legitimate security products during execution, including Kaspersky, Valorant, Javelin, and WatchDog, and its binaries are protected by the commercial Enigma and Themida packing tools. The gang also uses stolen digital signatures from legitimate software, though ESET notes they are invalid.
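The two behaviours described above, a vulnerable driver being loaded and a rapid burst of security-product process terminations, are what a defender can look for regardless of which driver variant an affiliate picks. The following detection heuristic is an added example written for this page; it is not ESET's analysis tooling or anything from the report. It runs over a small, constructed log of Sysmon-style driver-load (event 6) and process-terminate (event 5) records in a simplified `key=value|key=value` format chosen for the example. The protected process names are illustrative examples of endpoint security processes, not the 400-entry list ESET compiled, and the driver hash in the blocklist is a constructed placeholder rather than a real vulnerable-driver hash.

```python
"""Heuristic detection of BYOVD-style EDR killer activity (added example).

Two signals are combined:
  1. A kernel driver load whose signature is not valid, or whose hash is
     on a driver blocklist (e.g. an organisation's copy of a vendor block rule).
  2. Several security-product processes terminated within a short window,
     which is what a process-killing EDR killer looks like from the host side.
"""
from collections import deque
from datetime import datetime, timedelta

# Illustrative endpoint-security process names (assumption for this example,
# not the target list described in the article). Compared case-insensitively.
PROTECTED_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "csfalconservice.exe",  # CrowdStrike Falcon
    "sentinelagent.exe",    # SentinelOne
    "ekrn.exe",             # ESET
    "cyserver.exe",         # Palo Alto Cortex XDR
}

# Constructed placeholder hash standing in for a real driver blocklist entry.
DRIVER_BLOCKLIST = {"deadbeef" * 8}

KILL_WINDOW = timedelta(seconds=60)  # burst window for protected-process kills
KILL_THRESHOLD = 3                   # kills inside the window that trigger an alert


def parse_event(line):
    """Parse '<iso-timestamp> key=value|key=value' into a dict (constructed format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["time"] = datetime.fromisoformat(ts)
    return fields


def detect(lines):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    kills = deque()  # (time, process name) of recent protected-process terminations
    for line in lines:
        ev = parse_event(line)
        if ev["event"] == "6":  # driver loaded
            reasons = []
            if ev.get("signed", "").lower() != "true":
                reasons.append("unsigned or invalid signature")
            if ev.get("sha256", "").lower() in DRIVER_BLOCKLIST:
                reasons.append("hash on driver blocklist")
            if reasons:
                alerts.append({
                    "type": "suspicious_driver_load",
                    "time": ev["time"],
                    "image": ev["image"],
                    "reasons": reasons,
                })
        elif ev["event"] == "5":  # process terminated
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name not in PROTECTED_PROCESSES:
                continue
            kills.append((ev["time"], name))
            # Drop terminations that fell out of the sliding window.
            while kills and ev["time"] - kills[0][0] > KILL_WINDOW:
                kills.popleft()
            if len(kills) >= KILL_THRESHOLD:
                alerts.append({
                    "type": "security_process_kill_burst",
                    "time": ev["time"],
                    "processes": sorted({n for _, n in kills}),
                })
                kills.clear()  # one alert per burst
    return alerts


# Constructed sample log: one blocklisted unsigned driver load, a burst of three
# protected-process kills within seconds, an unrelated event, and one isolated
# kill ten minutes later that should not trigger on its own.
SAMPLE_LOG = [
    "2026-06-21T15:00:01 event=6|image=C:\\Windows\\Temp\\drv.sys|signed=false|sha256=" + "deadbeef" * 8,
    "2026-06-21T15:00:03 event=5|image=C:\\Program Files\\Vendor\\MsMpEng.exe",
    "2026-06-21T15:00:04 event=5|image=C:\\Program Files\\Vendor\\CSFalconService.exe",
    "2026-06-21T15:00:05 event=1|image=C:\\Windows\\System32\\notepad.exe",
    "2026-06-21T15:00:06 event=5|image=C:\\Program Files\\Vendor\\SentinelAgent.exe",
    "2026-06-21T15:10:00 event=5|image=C:\\Program Files\\Vendor\\ekrn.exe",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The burst rule is what makes the detection independent of the driver: whichever of the eight variants is used, the host still sees its own security processes die in quick succession. The driver-load rule is the cheaper, earlier signal, but on its own it depends on the blocklist being current, which is exactly the gap the swap-in-a-new-driver design exploits.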

The BYOVD supply chain here is harder to defend against than a single-tool adversary because of driver…
