Gentlemen Ransomware Automates EDR Evasion With GentleKiller

The rapid professionalization of the ransomware-as-a-service market over the first half of this year has changed the defensive requirements for enterprise networks. The Gentlemen ransomware group is no longer content to supply just an encryption binary; it now provides a suite of offensive tooling that automates one of the hardest parts of a breach, disabling endpoint protection. By centralizing the development of evasion techniques in its GentleKiller framework, the group has removed that technical burden from its affiliates, so that even entry-level criminals can bypass mature endpoint detection and response (EDR) products. This is an industrialized model of cybercrime in which competent software engineering meets a distributed affiliate network, and it widens the gap between conventional security measures and the capabilities of the actors deploying it.

The Gentlemen Ecosystem

Organizational Profile: The New RaaS Leadership

The leadership structure of the Gentlemen group reflects a high degree of technical maturity and a deep understanding of the current cybercrime labor market. At the helm is a prominent threat actor known by the alias “hastalamuerte,” an individual whose pedigree includes significant contributions to the Qilin ransomware operations. This transition of talent suggests a consolidation of expertise from former major syndicates like LockBit and Medusa, creating a “supergroup” of sorts that understands the operational failures of its predecessors. By recruiting seasoned veterans, the Gentlemen collective has built a stable platform that prioritizes long-term persistence over short-term chaos. This strategic recruitment has allowed them to hit the ground running with a codebase that is both resilient and adaptable, catering to the needs of the most demanding and capable affiliates in the underground community.

To maintain a competitive edge in a crowded market, the operators have introduced a revenue-sharing model that significantly disrupts the industry standard for ransomware-as-a-service providers. While traditional groups typically offer a seventy or eighty percent cut to their affiliates, Gentlemen has aggressively marketed a ninety percent share for high-performing partners. This financial incentive is paired with a high-quality toolkit that includes multi-platform encryptors written in both Go and C languages. The Go-based encryptor provides a versatile solution for standard Windows and Linux environments, benefiting from the language’s inherent speed and ease of cross-compilation. Meanwhile, the specialized C variant is meticulously optimized for VMware ESXi environments, allowing the group to target the very heart of modern enterprise infrastructure where virtualized workloads reside and critical data is often concentrated.

The group’s business model is further bolstered by a rigorous double-extortion strategy that has become the cornerstone of their operational success. They do not merely stop at encrypting a victim’s local storage; they engage in systemic data exfiltration to ensure they have multiple points of leverage during the negotiation phase. This approach ensures that even if an organization has robust backup solutions, they still face the crippling prospect of a massive public data breach. The Gentlemen operators manage their leak sites with professional precision, using the threat of exposure to coerce payments from victims who might otherwise refuse to engage. This combination of superior financial incentives for affiliates and a relentless pressure campaign against victims has allowed the group to rapidly expand its influence and cement its position as a top-tier threat.

By centralizing the production of their EDR-killing modules, the Gentlemen group has standardized the tradecraft used across its entire affiliate base. This "utility-first" development philosophy ensures that every member of the network, regardless of individual technical proficiency, has access to the same defense evasion tooling. The standardization creates a problem for incident responders: attack patterns become consistent from one intrusion to the next and can no longer be differentiated by the affiliate's skill level. A turnkey solution for bypassing modern security stacks lowers the barrier to entry for devastating corporate attacks, and the result is a surge in high-impact breaches that get past even well-funded security operations centers.

Global Victimology: A Shift in Geographic Focus

In a departure from the historical trend of ransomware groups focusing almost exclusively on North American targets, the Gentlemen operation has demonstrated a remarkably diverse geographic footprint. Their victimology reports indicate a strategic expansion into regions such as Southeast Asia, South America, and parts of Western Europe that were previously considered secondary targets. Countries like Thailand, Brazil, and France have seen a disproportionate number of incidents, suggesting that the group is actively seeking out environments where security maturity might lag behind the rapid pace of digital transformation. This global spread is not accidental; it is the result of a calculated effort to identify and exploit specific security gaps in regional infrastructures that have not yet adapted to the latest wave of driver-based evasion techniques.

The selection process for their targets is driven by an automated, "vulnerability-first" approach that prioritizes ease of access over industry specifics. The group's internal operations involve continuous scanning of the internet for misconfigured or unpatched network security appliances, particularly Fortinet FortiGate devices. When a vulnerable appliance is identified, it is categorized and handed off to a specialized affiliate for the initial compromise. This centralized sourcing of entry points lets the group sustain a high volume of active operations without relying on the manual discovery efforts of individual affiliates. By focusing on widespread appliance vulnerabilities, they can pivot from a single exposed gateway to full domain compromise, often before the victim's IT department is aware that the perimeter has been breached.

This focus on appliance-level vulnerabilities highlights a critical weakness in many corporate security strategies that prioritize internal host security while neglecting the edge devices that guard the perimeter. The Gentlemen group’s success in exploiting these “forgotten” assets demonstrates their ability to find the path of least resistance into a network. Once inside, they use their standardized toolkit to move laterally, ensuring that the initial access is converted into a full-scale ransomware deployment with minimal friction. This methodology allows them to scale their operations globally, targeting any organization with an exposed or unpatched gateway regardless of its physical location or the language of its administrators. Their global reach serves as a reminder that the perimeter is only as strong as its weakest, most overlooked component.

As the Gentlemen group continues to refine its targeting algorithms, we are seeing a shift toward more opportunistic and volume-based attacks. They have effectively industrialized the scouting phase of a cyberattack, using massive botnets and specialized scripts to keep a constant pipeline of potential victims ready for exploitation. This relentless pressure makes it increasingly difficult for organizations to stay ahead of the threat, as a single missed patch or a minor configuration error can lead to a total network compromise within hours. The group’s ability to operate across different time zones and jurisdictions also complicates international law enforcement efforts, as they can quickly shift their focus to regions where cooperation between local authorities and global security agencies is less robust.

GentleKiller Framework

Technical Architecture: The Modular EDR Killer

At the core of the group’s defensive evasion capabilities is the GentleKiller framework, a modular and highly adaptable tool designed to neutralize security software at the kernel level. Unlike traditional malware that attempts to hide from antivirus programs, GentleKiller takes a more aggressive approach by identifying and terminating the security processes themselves. Research has uncovered at least eight distinct variants of this tool, each of which is built on a common architectural template but utilizes different drivers to achieve its goals. This modularity allows the developers to swap out components whenever a specific driver is blacklisted or a new vulnerability is discovered, ensuring that the tool remains effective even as security vendors update their detection engines to recognize their previous tactics.

The execution logic of GentleKiller is designed for total environmental dominance, utilizing an infinite loop that constantly monitors for the presence of security agents. If a terminated security process attempts to restart—either through an automated recovery mechanism or manual intervention by an administrator—the framework immediately detects the new process and shuts it down again. This persistent “killer” loop is critical during the exfiltration phase of an attack, as it prevents the security operations center from regaining visibility while the attackers are moving large volumes of sensitive data out of the network. By maintaining this state of “active blindness,” the Gentlemen affiliates can operate with a level of impunity that was previously reserved for the most sophisticated nation-state actors.

The framework’s target list is remarkably comprehensive, containing specific identifiers for over four hundred different processes across nearly fifty unique security vendors. This includes industry leaders such as CrowdStrike, SentinelOne, and Microsoft Defender, as well as more specialized backup agents and system monitoring utilities. By covering such a broad spectrum of software, the developers have ensured that their tool can be deployed in almost any corporate environment regardless of the specific security stack in place. The inclusion of backup agents in the termination list is particularly significant, as it prevents the organization from creating new, clean snapshots of their data once the intrusion has been detected, further increasing the pressure to pay the ransom.

To facilitate ease of use for their affiliates, the GentleKiller tools are built as console-based applications that provide detailed, verbose debug output during the execution process. This output allows the operator to verify that every targeted security service has been successfully neutralized before moving to the next stage of the attack. It provides real-time feedback on which drivers were successfully loaded and which processes were terminated, giving the affiliate total confidence in their invisibility. This level of transparency in the tooling reflects the professional software development standards that the Gentlemen group has adopted, treating their malicious framework as a legitimate enterprise product designed for maximum reliability and user satisfaction in the field.

Defense Evasion: Packaging and Masquerading

The Gentlemen operators employ a layered system of binary protection and obfuscation so that their tools can get past both static and heuristic analysis. They have adopted a standardized naming convention for their binaries, using suffixes like "1," "2," "Light," and "Clear" to indicate the type of protection applied to the file. This lets affiliates choose the version best suited to the security measures they encounter in a target network. For example, a "Light" version might be used in environments with minimal security to avoid the overhead and conspicuous entropy of heavy packing, while the "1" and "2" versions are reserved for hardened targets where stronger obfuscation is needed to evade static scanning and automated sandboxing.

The versions labeled "1" and "2" are typically protected by commercial packers such as Enigma or Themida, which are notoriously difficult to reverse engineer. These packers encrypt the underlying code and include anti-debugging and anti-VM checks to prevent the tool from being analyzed in a controlled environment. The files often also carry forged version information and digital signatures copied from legitimate software, so that they resemble vendor binaries at first glance. Such a copied signature is technically invalid: Authenticode ties the signature to a hash of the file, and once the contents have been altered the hash no longer matches, so any tool that actually validates the signature (Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck) reports it as invalid. Security products and administrators who only check that a signature block is present, or who read the signer name without verifying the chain and hash, will grant the file more trust than an unsigned binary would receive, and that is the gap the technique exploits.

In addition to heavy packing, the GentleKiller framework makes extensive use of masquerading techniques to blend into the target system’s operating environment. The developers frequently clone the icons and metadata of legitimate security software from well-known vendors like Kaspersky, Sophos, or Malwarebytes. By fabricating fields such as “Company Name,” “Product Version,” and “Legal Copyright,” they create a file that looks perfectly normal to a casual observer or a system administrator performing a cursory check of running processes. This psychological component of evasion is just as important as the technical one, as it delays the discovery of the intrusion by making the malicious activity appear as a routine part of the system’s security operations.

String obfuscation and internal renaming are also used to hide the true intent of the GentleKiller binaries from simple scanning tools. The names of the security processes that the tool targets are never stored in plain text; instead, they are encrypted or encoded until the moment they are needed. This prevents security tools from identifying the binary as “malicious” based on a list of targeted EDR filenames found within its code. By combining these diverse evasion tactics with the raw power of kernel-level driver abuse, the Gentlemen group has created a toolset that is exceptionally resilient. Their approach demonstrates a deep understanding of how modern security software works and, more importantly, how to exploit the trust-based mechanisms that these systems rely on to function.

Exploitation and Tooling

BYOVD: The Weaponization of Vulnerable Drivers

The primary mechanism behind GentleKiller is the "Bring Your Own Vulnerable Driver" (BYOVD) technique, which abuses the trust that Windows places in signed kernel-mode drivers. The attacker installs a legitimately signed but flawed driver from a reputable vendor; code integrity accepts it because the signature is genuine, and the driver then exposes a privileged operation, typically through an IOCTL interface, that any caller can invoke without the authorization checks a correctly written driver would perform. The operations these drivers expose, such as terminating an arbitrary process by PID from kernel mode or reading and writing kernel memory, run outside the user-mode boundaries that normally protect security software. This is why the technique defeats the anti-tamper and Protected Process Light (PPL) protections that stop even a local administrator from killing an EDR agent from user mode: those protections do not apply to a termination issued from the kernel. Note that loading the driver in the first place requires administrative rights on the host (the SeLoadDriverPrivilege that administrators hold), so this stage follows initial access and privilege escalation rather than replacing them.

The Gentlemen group has shown an ability to integrate newly discovered driver vulnerabilities into its framework quickly. Whenever a public proof-of-concept appears for abusing a new driver, as with the drivers behind tools such as PoisonKiller or UnknownKiller, the group often has it weaponized within forty-eight hours. This agility points to a dedicated development team that monitors the security research landscape for new "keys" to the kingdom. By maintaining a steady supply of exploitable drivers, they keep their EDR-killing capability functional even as older drivers are patched by their vendors or added to global blocklists.

The diversity of the drivers utilized by GentleKiller is another key factor in its success, as it targets software from a wide range of categories, including gaming anti-cheat systems. Drivers from platforms like FaceIT and Valorant have been identified in their toolkit, as these drivers often require deep system access to prevent cheating and therefore provide a perfect pathway for kernel exploitation. They also target utility drivers from legitimate software like IObit’s ForceDelete or Safetica’s ProcessMonitor. By using such a varied collection of drivers, the attackers can rotate their tactics depending on what is most likely to be permitted on a target system, making it nearly impossible for defenders to predict which driver will be used in a given attack.

In some of their more advanced operations, the Gentlemen group has even deployed custom rootkits designed to provide persistent, invisible access to a compromised system. One such example is the “eb.sys” driver, which is often paired with their Kaspersky-impersonating variants to hide files, network connections, and registry keys from the operating system itself. This move into the development of custom kernel-space tools represents a significant escalation in the ransomware threat landscape. It indicates that the group is no longer just using publicly available exploits but is investing in original research and development to maintain its offensive superiority over the most advanced defensive technologies available today.

Third-Party Integration: The Full-Spectrum Toolkit

While GentleKiller is the flagship product of the Gentlemen operation, the group also maintains a wide array of third-party tools to provide their affiliates with multiple paths to success. They have been known to incorporate EDR-killing tools originally developed by other groups, such as the HexKiller tool previously associated with the Warlock gang. These external tools are often repackaged and integrated into the Gentlemen standardized delivery system, ensuring they benefit from the same layers of packing and obfuscation as the group’s in-house software. This pragmatic approach to tooling allows the group to offer a “full-spectrum” offensive suite that can handle any obstacle an affiliate might encounter during an intrusion.

Beyond process termination, the Gentlemen toolkit includes specialized modules for lateral movement and credential harvesting, most notably the Rust-based "OxideHarvest" utility. The tool is designed for rapid, systematic collection of login credentials from a wide range of sources, including web browsers, email clients, and messaging apps. Being written in Rust makes it efficient and produces large, heavily inlined binaries that are slower for analysts to reverse engineer than equivalent C code, which has made it popular with the group's more sophisticated affiliates. It uses a flexible JSON-based configuration to locate and decrypt credential databases, so it can be adapted to different software versions and installation paths without a recompile.

The integration of tools like ThrottleBlood and HavocKiller, which exploit drivers from manufacturers like Huawei and TechPowerUp, further demonstrates the group’s commitment to redundancy. If a specific driver exploitation method fails or is blocked by an active security agent, the affiliate can simply switch to another tool in the collection. This “defense in depth” in reverse means that the attacker only needs one successful exploit to win, while the defender must successfully block every possible driver-based attack to remain secure. This fundamental asymmetry is what makes the Gentlemen group so dangerous, as they provide their affiliates with enough options to eventually find a crack in even the most robust defensive perimeter.

The group’s willingness to acquire and adapt effective software from across the underground marketplace suggests they are active participants in the broader cybercrime economy. They do not operate in a vacuum; they leverage the work of other developers and groups to enhance their own platform. This collaborative approach to malware development has created a situation where the best offensive technologies are rapidly shared and improved upon, leading to a quick evolution of threat capabilities. For the Gentlemen affiliates, this means they are always equipped with the most effective tools for the job, backed by a support structure that ensures their software is always up-to-date and ready for the next high-value target.

Defensive Strategies: Moving Beyond Static Signatures

Combating the Gentlemen group requires a shift away from reliance on file-based signatures toward behavioral analysis of kernel-related activity. Because the group loads legitimate, signed drivers, blocking the killer binaries themselves is reactive and usually too late; they are repacked faster than signatures are updated. Security teams should instead collect and alert on the telemetry that driver abuse necessarily produces: a new kernel-mode service being created (System log Event ID 7045 and Security log Event ID 4697, with a service type of kernel driver), a driver being loaded (Sysmon Event ID 6, which records the image path, hashes and signature status), and drivers loaded from user-writable locations such as temp or public folders rather than the system drivers directory. A freshly created driver service whose image sits in a staging folder is a strong early signal that an intrusion is moving to the EDR-killing stage, and it appears before the killer loop has a chance to take hold.

Organizations should also watch for indicators specific to the Gentlemen group's operational patterns, such as files in staging directories whose path contains the string "GentlemenCollection" and the naming conventions used for their evasion tools (binaries labelled "1," "2," "Light" or "Clear" that carry security-vendor metadata but are not validly signed by that vendor). Beyond those, any security agent that is repeatedly terminated and restarted should be treated as a critical alert. Sysmon Event ID 5 (process terminated) for the agent's image name, Service Control Manager Event ID 7034 (service terminated unexpectedly) for its service, and the agent's own tamper or heartbeat alerts in the management console are where this shows up. A single unexpected exit can be a crash or an upgrade; the same agent dying several times within minutes is the signature of an active killer loop, and at that point the host should be isolated on the assumption that exfiltration or encryption is already under way.

Strict driver blocklisting is the other essential measure, because it removes the attack surface the technique depends on. Most of the drivers abused in these attacks are documented publicly, for example in Microsoft's recommended driver block rules and in the community-maintained LOLDrivers project, which publishes hashes and metadata for known-vulnerable drivers. Microsoft's list ships with recent Windows releases and is enforced through Windows Defender Application Control (WDAC) when memory integrity (HVCI) is enabled; it can also be deployed as a standalone WDAC policy where HVCI is not available, and an organization can extend it with its own deny rules for drivers that have no business running in its environment. Two caveats apply. The built-in list is refreshed only periodically, so a newly abused driver may remain loadable for weeks unless the policy is supplemented from a current external feed, and no blocklist helps against a driver whose vulnerability is not yet public, which is why the behavioral monitoring above remains necessary. Roll the policy out in audit mode before enforcing it, because a poorly scoped deny rule can block a legitimate driver that production systems depend on.
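The two checks described above, a driver-load check against a block list and a repeated-termination check for security agents, as an added example that is not code from the article, the Gentlemen toolkit or any vendor. It reads Sysmon-style events (DriverLoad, Event ID 6, and ProcessTerminate, Event ID 5) as Python dictionaries; the events, the SHA-256 value in the block list, the driver file name and the staging path are all constructed for the demonstration, and the agent process names are a small illustrative subset.

```python
"""Detection sketch for BYOVD-style EDR-killer activity over Sysmon-style events.

Added example for this article, not code from the Gentlemen toolkit or any
vendor. Fields follow Sysmon's DriverLoad (ID 6) and ProcessTerminate (ID 5)
schemas; every event, hash and path below is constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder deny rules in the two shapes WDAC block policies use (SHA-256 and
# file name). Values are made up; real ones come from Microsoft's block rules
# or the LOLDrivers feed.
BLOCKED_HASHES = {"0" * 64}
BLOCKED_NAMES = {"vuln_util.sys"}
DRIVER_DIR = r"c:\windows\system32\drivers"   # default home for kernel drivers
# A few well-known agent image names; a real rule carries the full set.
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
WINDOW = timedelta(minutes=5)   # repeated kills inside this span form a loop
THRESHOLD = 3                   # once this many have been seen


def parse_hashes(field):
    """Sysmon writes hashes as 'SHA256=...,MD5=...'; return {algo: hexdigest}."""
    return {k.upper(): v.lower() for k, v in
            (pair.split("=", 1) for pair in field.split(",") if "=" in pair)}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(event):
    """Return the reasons a DriverLoad event looks like BYOVD staging."""
    reasons = []
    image = event["ImageLoaded"]
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKED_HASHES:
        reasons.append("hash matches driver blocklist")
    if basename(image) in BLOCKED_NAMES:
        reasons.append("file name matches driver blocklist")
    if not image.lower().startswith(DRIVER_DIR):
        reasons.append("driver loaded from outside the drivers directory")
    # A valid signature is expected here: BYOVD drivers are genuinely signed,
    # which is exactly why the hash/name checks above are needed.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status is not Valid")
    return reasons


def detect_kill_loop(events, window=WINDOW, threshold=THRESHOLD):
    """Map agent image name -> kill count for agents terminated `threshold`
    or more times within `window`. One exit may be a crash or an upgrade;
    the same agent dying again and again is the restart-and-kill cycle."""
    terminations = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 5 and basename(ev["Image"]) in SECURITY_PROCESSES:
            terminations[basename(ev["Image"])].append(
                datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    flagged = {}
    for name, times in terminations.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[name] = count
                break
    return flagged


def analyse(events):
    """Run both checks; return (event_id, subject, detail) alert tuples."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 6:
            for reason in check_driver_load(ev):
                alerts.append((6, basename(ev["ImageLoaded"]), reason))
    minutes = int(WINDOW.total_seconds() // 60)
    for name, count in detect_kill_loop(events).items():
        alerts.append((5, name, f"terminated {count} times within {minutes} minutes"))
    return alerts


# Constructed events: a signed driver loaded from a staging folder, then
# Defender's engine killed three times in two minutes as it keeps restarting.
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2025-01-10 09:00:00.000",
     "ImageLoaded": r"C:\Users\Public\GentlemenCollection\vuln_util.sys",
     "Hashes": "SHA256=" + "0" * 64 + ",MD5=" + "0" * 32,
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2025-01-10 09:00:05.000", "Image": DEFENDER},
    {"EventID": 5, "UtcTime": "2025-01-10 09:00:40.000", "Image": DEFENDER},
    {"EventID": 5, "UtcTime": "2025-01-10 09:01:30.000", "Image": DEFENDER},
    {"EventID": 5, "UtcTime": "2025-01-10 09:30:00.000",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the driver load raises three alerts (hash, file name, staging path) even though its signature is valid, which is the point of BYOVD, and the three Defender exits inside two minutes trip the loop check while the lone notepad exit is ignored. In production the same logic would be a SIEM query rather than a script: the block list should be fed from Microsoft's published rules or the LOLDrivers data, the path check is a weak signal on its own because some vendors legitimately install drivers under Program Files, and the window and threshold should be tuned against a baseline of normal agent restarts.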

Ultimately, defending against an industrialized ransomware threat requires a multi-layered approach that combines technical controls with rigorous security hygiene. This includes rapid patching of perimeter devices such as FortiGate appliances to deny initial access, and Zero Trust architectures that limit an attacker's ability to move laterally once inside. Mapping the group's tactics to MITRE ATT&CK gives detection engineers a checklist to build against: Exploit Public-Facing Application (T1190) for the appliance entry point, Masquerading (T1036) for the vendor-lookalike metadata, Create or Modify System Process: Windows Service (T1543.003) for the driver service, Exploitation for Privilege Escalation (T1068) for the driver abuse itself, Impair Defenses: Disable or Modify Tools (T1562.001) for the killer loop, and Rootkit (T1014) for the eb.sys variants. The goal is to make the environment expensive enough to navigate that the cost of the attack exceeds the potential reward, pushing the threat actors toward easier targets.

The emergence of the Gentlemen group and its GentleKiller framework marks a turning point in ransomware-as-a-service operations. By automating the hardest part of EDR evasion and packaging it as a professionalized product, the group has lowered the barrier to entry for high-impact attacks. The defensive response follows from the mechanism: driver blocklisting and kernel-load monitoring remove or expose the BYOVD primitive the framework depends on, perimeter patching denies the FortiGate-style entry points that feed its pipeline, and an assume-breach posture that limits lateral movement and hardens agents against tampering shrinks what an affiliate can do with a foothold. None of this is a static fix. The group rotates drivers, packers and tool names faster than signature-based controls can follow, so the durable lesson is continuous adaptation: share indicators, watch the telemetry that driver abuse cannot avoid producing, and design environments on the assumption that an attacker is already inside and trying to blind them.
