Analysis of the Gentlemen Ransomware-as-a-Service Operation
A recent examination of the Gentlemen ransomware-as-a-service (RaaS) operation has revealed a sophisticated, centralized methodology aimed at neutralizing endpoint detection and response (EDR) solutions. This approach distinguishes the Gentlemen group from a growing number of other ransomware operations, effectively lowering the technical barrier for affiliates and positioning it among the five most active ransomware groups as of the first quarter of 2026.
The Gentlemen operation emerged in late 2025 and quickly built a formidable network of affiliates by offering an enticing 90% revenue share. Threat intelligence firm Group-IB attributed the creation of the group to an individual known as hastalamuerte, a former Qilin affiliate with deep-seated connections to established ransomware syndicates. The operation quickly drew the attention of security researchers, showing characteristics that indicate an advanced level of planning and execution.
Connections to Established Ransomware Networks
Analysts from PRODAFT have established links between Gentlemen and other notorious ransomware operations, including LockBit, Embargo, Medusa, and BlackLock. Such connections suggest that Gentlemen is being spearheaded by a highly experienced threat actor, whose real-world identity was uncovered by cybersecurity expert Brian Krebs on June 10, 2026. Unlike other ransomware operations that concentrate primarily on U.S. enterprises, Gentlemen shows a globally distributed targeting profile, with significant activity across Southeast Asia, South America, and Western Europe and confirmed victims in countries such as Thailand, Brazil, and France.
EDR Evasion Mechanisms
At the heart of the operation lies the EDR-disabling framework known as GentleKiller, first documented by ESET in February 2026. Security researchers have identified at least eight variants of this tool, each abusing a different vulnerable or malicious driver while adhering to a consistent development template. This template features recurring internal strings, process-termination loops, and uniform code obfuscation. The GentleKiller framework targets over 400 processes associated with 48 distinct security products, including major enterprise solutions from CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET.
One of the more alarming aspects of the Gentlemen operation is its rapid weaponization cycle. The group routinely incorporates newly disclosed Bring Your Own Vulnerable Driver (BYOVD) proof-of-concept exploits, such as UnknownKiller and PoisonKiller, within days of their public disclosure. An ESET researcher noted that beyond the internal GentleKiller framework, the operational arsenal includes three externally sourced EDR-killing tools in the GentlemenCollection directory. These tools share a standardized defense evasion strategy designed to keep their activity undetected.
Key Components of the Evasion Strategy
The three main tools in this collection are:
- HexKiller: Exploits the Baidu Antivirus BdApi driver, previously associated solely with the Warlock gang, though no evidence currently suggests direct collaboration.
- ThrottleBlood: Uses a driver digitally signed by TechPowerUp LLC, which has been observed in MedusaLocker and DragonForce operations, implying potential distribution through underground markets.
- HavocKiller: Leverages a Huawei Audio driver publicly disclosed in March 2026; ESET telemetry indicates its use in live intrusions as early as January 23, 2026.
To enhance operational security, the Gentlemen group applies a comprehensive evasion strategy across its toolkit. This includes packing binaries with Enigma or Themida, forging version metadata, copying invalid digital signatures onto the binaries, and spoofing icons that impersonate legitimate vendors after compilation.
Expanding Intrusion Capabilities
In addition to utilizing existing tools, researchers have detected affiliated actors enhancing their operational capabilities. An affiliate known as quant has successfully integrated OxideHarvest, a Rust-based credential stealer targeting Chromium and Gecko browsers, which is operationally deployed under the filename buildx641.exe.
Implications for Cybersecurity
Understanding the Gentlemen RaaS operation is crucial for developing effective defense strategies against evolving ransomware threats. Security teams are advised to transition from static indicators to more dynamic behavioral analysis. Prioritizing the building of detection strategies around BYOVD driver abuse, anomalous process-termination behaviors, and vendor impersonation techniques will be essential in countering the rapidly adapting tactics utilized by this group.
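The three behavioural signals named above can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from the article or from any vendor's product: it runs three detections over constructed, simplified telemetry records (driver loads, file version metadata, and process terminations). The record shape, the small list of security-product process names, the impersonated-vendor list, the user-writable path prefixes, and the burst threshold and window are all assumptions chosen for illustration; a real deployment would map them onto the fields of whatever EDR or Sysmon-style log source is in use.

```python
"""Behavioural triage of constructed endpoint telemetry for BYOVD driver abuse,
EDR process-kill bursts and vendor impersonation. Added example; not from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of security-product process names (constructed list, not exhaustive).
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "csfalconservice.exe",  # CrowdStrike Falcon
    "sentinelagent.exe",    # SentinelOne
    "avp.exe",              # Kaspersky
    "ekrn.exe",             # ESET
}

# Vendor names a spoofed binary might claim in its version metadata (constructed list).
IMPERSONATED_VENDORS = {"microsoft", "crowdstrike", "sentinelone", "sophos", "kaspersky", "eset"}

# Directory prefixes a properly installed kernel driver should not be loaded from (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

KILL_THRESHOLD = 3              # security processes killed by one actor ...
KILL_WINDOW = timedelta(seconds=60)  # ... within this window counts as a burst


def _ts(s):
    return datetime.fromisoformat(s)


def detect_termination_bursts(events):
    """Flag an actor that terminates >= KILL_THRESHOLD security processes within KILL_WINDOW."""
    kills = defaultdict(list)
    for e in events:
        if e["type"] == "process_terminate" and e["target"].lower() in SECURITY_PROCESSES:
            kills[e["actor"]].append(_ts(e["time"]))
    findings = []
    for actor, times in kills.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # extend the window from the i-th kill forward as far as KILL_WINDOW allows
            while j + 1 < len(times) and times[j + 1] - times[i] <= KILL_WINDOW:
                j += 1
            if j - i + 1 >= KILL_THRESHOLD:
                findings.append({"rule": "edr_kill_burst", "actor": actor, "count": j - i + 1})
                break
    return findings


def detect_suspicious_driver_loads(events):
    """Flag driver loads from user-writable paths or with a signature status other than Valid."""
    findings = []
    for e in events:
        if e["type"] != "driver_load":
            continue
        reasons = []
        if e["path"].lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("user_writable_path")
        if e["signature_status"].lower() != "valid":
            reasons.append("signature_" + e["signature_status"].lower())
        if reasons:
            findings.append({"rule": "suspicious_driver_load", "path": e["path"], "reasons": reasons})
    return findings


def detect_vendor_impersonation(events):
    """Flag files whose version metadata names a security vendor but whose signature does not verify."""
    findings = []
    for e in events:
        if e["type"] != "file_metadata":
            continue
        company = e["company_name"].lower()
        claims_vendor = any(v in company for v in IMPERSONATED_VENDORS)
        if claims_vendor and e["signature_status"].lower() != "valid":
            findings.append({"rule": "vendor_impersonation", "path": e["path"], "claimed": e["company_name"]})
    return findings


def triage(events):
    """Run all three rules and return the combined findings."""
    return (detect_termination_bursts(events)
            + detect_suspicious_driver_loads(events)
            + detect_vendor_impersonation(events))


# Constructed sample telemetry; none of it is real data from the incidents in the article.
SAMPLE_EVENTS = [
    {"type": "driver_load", "time": "2026-01-23T10:00:00",
     "path": "C:\\Users\\Public\\drv.sys", "signature_status": "Expired"},
    {"type": "driver_load", "time": "2026-01-23T10:00:05",
     "path": "C:\\Windows\\System32\\drivers\\ndis.sys", "signature_status": "Valid"},
    {"type": "file_metadata", "time": "2026-01-23T10:00:06", "path": "C:\\Users\\Public\\killer.exe",
     "company_name": "Microsoft Corporation", "signature_status": "Invalid"},
    {"type": "process_terminate", "time": "2026-01-23T10:00:10", "actor": "killer.exe", "target": "MsMpEng.exe"},
    {"type": "process_terminate", "time": "2026-01-23T10:00:12", "actor": "killer.exe", "target": "CSFalconService.exe"},
    {"type": "process_terminate", "time": "2026-01-23T10:00:15", "actor": "killer.exe", "target": "ekrn.exe"},
    {"type": "process_terminate", "time": "2026-01-23T10:30:00", "actor": "explorer.exe", "target": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the kill-burst rule fires once for the actor that stopped three security processes within five seconds, the driver rule fires for the expired-signature driver loaded from a user-writable directory but not for the legitimately located one, and the impersonation rule fires for the binary claiming a Microsoft CompanyName without a valid signature. Each rule keys on behaviour rather than on a hash or file name, which is the point of moving away from static indicators: a repacked or renamed killer still has to load its driver and still has to terminate the same set of processes.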
In conclusion, the rise of the Gentlemen RaaS operation underscores a significant shift in the ransomware landscape. Cybersecurity efforts must adapt to these evolving threats through the development of robust and proactive defense mechanisms, recognizing that traditional threat detection methods may no longer be sufficient in an environment where ransomware operations are growing more sophisticated.