
The Gentlemen Ransomware Gang Standardizes EDR Termination


Eset Links Ransomware Group’s Growth to Integrated Endpoint-Killing Tools

Cybersecurity researchers at Eset have revealed that the ransomware collective known as The Gentlemen has significantly advanced its operations, particularly in how it approaches endpoint detection and response (EDR) killing. According to the findings published on June 18, 2026, the group has turned this capability into a tactical advantage by supplying a suite of tools designed to disable security software on victims’ systems before the ransomware is deployed.

Operating predominantly across regions such as Southeast Asia, South America, and Western Europe, The Gentlemen have cultivated a reputation for being anything but gentle in their methods. By utilizing a combination of tools developed in-house and those sourced externally, the group has set itself apart from its competitors, boasting a unique selling proposition of taking only a 10% cut from ransom payments made by their affiliates. This is significantly lower than the industry standard of 20%, making the partnership more appealing to those involved in cyber extortion.

In an analysis by Eset, it was noted that while most ransomware groups delegate the task of EDR killing to their affiliates, The Gentlemen have opted to centralize this function. They provide a ready-to-use, standardized EDR-killing suite to their affiliates, effectively reducing the entry barrier for new players in the ransomware landscape. This strategy not only simplifies the execution of attacks but also enhances the attractiveness of joining their operation, as affiliates are given a well-structured framework to work with.

Since its inception this year, The Gentlemen have rapidly ascended the ranks to become one of the most prolific ransomware gangs. Their emergence is reportedly linked to a former member of the Qilin group, who, after experiencing discontent, rallied together a team of ex-members from various other ransomware outfits, including LockBit, Embargo, Medusa, and BlackLock. This strategy of consolidating talent has allowed The Gentlemen to capitalize on the combined experiences and resources of seasoned cybercriminals.

In a recent article on his blog, independent cybersecurity journalist Brian Krebs reported that the group appears to be led by a 36-year-old Russian individual based in the Western Urals city of Izhevsk. His insights shed light on the organizational structure behind The Gentlemen, suggesting a level of strategic planning and leadership that has facilitated their growth.

Eset’s research revealed that, unlike affiliates of most ransomware operations, who typically have to acquire their own EDR-killing tools, The Gentlemen offers a comprehensive package that integrates both self-developed tools and externally sourced artifacts. The standout component of this suite is GentleKiller, a tool the group developed in-house. Its multiple variants target over 400 processes, impersonate a variety of legitimate products and exploit various vulnerabilities, showing the group’s technical sophistication.

Each variant of GentleKiller is designed to terminate its target processes at specified intervals, and all variants share the same code obfuscation techniques to hinder detection and analysis. The operational flexibility this tool provides allows affiliates to deploy their attacks more efficiently, while also enabling the Gentlemen’s operators to swiftly adapt to new vulnerabilities as they arise.

In addition to their proprietary software, the group incorporates third-party or leaked applications, specifically HexKiller, ThrottleBlood, and HavocKiller, into their arsenal. These tools are standardized under a shared defense-evasion strategy that mimics trusted security vendors’ identities to bolster a mask of legitimacy. The group employs protective measures on its executable files and manipulates file attributes in order to evade detection and thwart analysis efforts.
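The behaviour described above, repeated termination of a long list of security processes at fixed intervals, is also a detection opportunity. The following is an added illustration, not code from Eset or from the article: it runs over constructed process-termination telemetry and flags any source image that hits watch-listed security processes round after round at a near-constant interval. The process names, paths and timestamps are all constructed placeholders.

```python
"""Flag sources that terminate security-product processes at regular intervals.

Constructed example: each event is (time_seconds, source_image, target_image),
the shape a process-termination telemetry feed would provide. A legitimate
process rarely kills EDR or AV processes, and an EDR killer that runs on a
timer produces evenly spaced rounds of such kills.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed watch list of security-product process names (placeholders).
SECURITY_PROCESSES = {"edrsensor.exe", "avservice.exe", "msmpeng.exe"}

# Constructed sample telemetry: one killer running a 5-second loop, plus noise.
SAMPLE_EVENTS = [
    (0.0, "C:\\Temp\\update.exe", "msmpeng.exe"),
    (0.1, "C:\\Temp\\update.exe", "edrsensor.exe"),
    (5.0, "C:\\Temp\\update.exe", "msmpeng.exe"),
    (5.1, "C:\\Temp\\update.exe", "edrsensor.exe"),
    (10.0, "C:\\Temp\\update.exe", "msmpeng.exe"),
    (10.1, "C:\\Temp\\update.exe", "edrsensor.exe"),
    (15.0, "C:\\Temp\\update.exe", "msmpeng.exe"),
    (3.0, "C:\\Windows\\explorer.exe", "notepad.exe"),
    (7.0, "C:\\Windows\\System32\\taskmgr.exe", "edrsensor.exe"),
]


def find_periodic_killers(events, min_rounds=4, burst_window=1.0, max_jitter=1.0):
    """Return {source_image: mean_interval_seconds} for sources that hit
    watch-listed processes in at least min_rounds evenly spaced rounds."""
    hits = defaultdict(list)
    for t, source, target in events:
        if target.lower() in SECURITY_PROCESSES:
            hits[source].append(t)
    flagged = {}
    for source, times in hits.items():
        times.sort()
        # Kills fired within one burst_window belong to the same round.
        rounds = [times[0]]
        for t in times[1:]:
            if t - rounds[-1] > burst_window:
                rounds.append(t)
        if len(rounds) < max(min_rounds, 2):
            continue
        gaps = [b - a for a, b in zip(rounds, rounds[1:])]
        # A timer-driven killer yields gaps with very low spread.
        if pstdev(gaps) <= max_jitter:
            flagged[source] = round(mean(gaps), 2)
    return flagged
```

A single kill from Task Manager, as in the sample, is not flagged; only the source that returns to the same targets on a steady cadence is.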

While certain components of their toolkit may display signs of hurried development, Eset’s evaluation indicates that the overall effectiveness of Gentlemen’s arsenal is quite high. The tools are intricately integrated into the group’s ransomware workflow, demonstrating a cohesive operational ethos.

In conclusion, the developments surrounding The Gentlemen ransomware group illustrate the evolving landscape of cybercrime in which tactical innovation and operational efficiency play a crucial role. As these cyber extortionists continue to refine their methods, both individuals and organizations must remain vigilant and proactive in strengthening their defenses to counteract such increasingly sophisticated threats.

