Gentlemen RaaS Leverages GentleKiller EDR Framework to Target 400 Security Processes

The Rise of The Gentlemen Ransomware-as-a-Service: EDR Killers at the Forefront of Cybercrime

The Gentlemen ransomware-as-a-service (RaaS) operation is emerging as a significant player in the cybercrime landscape, having developed a sophisticated suite of tools designed to bypass endpoint detection and response (EDR) systems. These tools, often referred to as "EDR killers," are disseminated to affiliates seeking to compromise system defenses prior to launching their ransomware attacks.

At the core of this operation lies GentleKiller, a framework engineered specifically for this purpose. ESET security researcher Jakub Souček has shared insights into the capabilities of the Gentlemen group, noting that their array of EDR-terminating tools includes not just in-house creations but also third-party or leaked software such as HexKiller, ThrottleBlood, and HavocKiller. These tools share a common defense-evasion layer designed to impersonate legitimate security vendors, utilizing counterfeit version information and cloned certificates aimed at slipping under the radar of detection systems.

The operational sophistication of The Gentlemen has been showcased through their ability to quickly exploit newly disclosed proof-of-concept (PoC) exploits linked to the “bring your own vulnerable driver” (BYOVD) technique. ESET researchers have observed that, in some instances, the group has operationalized these PoCs within days of their public release, underscoring their agile operational capabilities.

Since its inception in March 2025, The Gentlemen has become one of the most prominent ransomware groups, claiming a staggering 504 victims to date. The group’s activities are heavily concentrated in Southeast Asia, South America, and Western Europe, marking them as an international threat. Research reports indicate that Alexander Andreevich Yapaev, a 36-year-old Russian national better known by his alias hastalamuerte, is at the helm of this operation. His background includes affiliations with other ransomware schemes, notably Qilin, before transitioning to lead The Gentlemen.

ESET has characterized The Gentlemen as one of the most technically proficient RaaS groups, having adopted an array of techniques aimed at ensuring that their EDR killer samples evade detection. Key strategies include employing binary protection mechanisms using Enigma or Themida software, alongside renaming malicious files to resemble popular cybersecurity products. This meticulous attention to detail extends to the use of legitimate digital signatures and icons that further confuse defensive systems.

Among their toolkit, GentleKiller stands out, featuring eight distinct variants, each modeled after real products and utilizing various vulnerable drivers in line with the BYOVD technique. These variants specifically target around 400 processes associated with 48 different security programs from popular vendors. The drivers exploited include well-known software, highlighting the targeted and planned nature of these attacks.

The drivers targeted by GentleKiller include several notable names:

In particular, the use of PoisonX.sys has garnered attention due to its connection to various BYOVD attacks, one of which notably targeted CrowdStrike Falcon EDR. Other campaigns detailed by cybersecurity experts involved threats leveraging BeyondTrust Remote Support for successful ransomware deployment, usually facilitating the termination of security tools via drivers like PoisonX.sys.
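The sequence described above, a vulnerable driver being loaded and then used to terminate security processes, is what a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from ESET: it correlates a suspicious kernel-driver load with a burst of monitored-process terminations over constructed Sysmon-style events. The driver store path and the security-product process names are assumed stand-ins; only PoisonX.sys is taken from the article.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style telemetry: (timestamp, event_id, fields).
# Event 6 = driver loaded, event 5 = process terminated (Sysmon's own IDs).
# Process names are invented stand-ins for security-product services.
SAMPLE_EVENTS = [
    ("2025-06-01T10:00:00", 6, {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"}),
    ("2025-06-01T10:01:10", 5, {"Image": r"C:\Windows\System32\notepad.exe"}),
    ("2025-06-01T10:05:00", 6, {"ImageLoaded": r"C:\Users\Public\PoisonX.sys"}),
    ("2025-06-01T10:05:01", 5, {"Image": r"C:\Program Files\ExampleEDR\EdrAgent.exe"}),
    ("2025-06-01T10:05:02", 5, {"Image": r"C:\Program Files\ExampleEDR\EdrSensor.exe"}),
    ("2025-06-01T10:05:03", 5, {"Image": r"C:\Program Files\ExampleAV\AvService.exe"}),
    ("2025-06-01T10:05:04", 5, {"Image": r"C:\Program Files\ExampleAV\AvTray.exe"}),
]

# Image names of protected security processes (constructed stand-ins).
MONITORED = {"edragent.exe", "edrsensor.exe", "avservice.exe", "avtray.exe"}
# Driver file names known to be abused; a hash list would be stronger (placeholder).
KNOWN_VULNERABLE_DRIVERS = {"poisonx.sys"}
DRIVER_STORE = r"c:\windows\system32\drivers" + "\\"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_driver(path):
    """Flag a driver by known-abused name or by loading from outside the driver
    store. BYOVD drivers carry valid signatures, so signature state alone is not
    a useful signal."""
    name = basename(path)
    return name in KNOWN_VULNERABLE_DRIVERS or not path.lower().startswith(DRIVER_STORE)


def find_byovd_kill_chains(events, monitored=MONITORED, window_s=60, min_kills=3):
    """Return (driver, killed) for each suspicious driver load followed within
    window_s seconds by at least min_kills monitored-process terminations."""
    parsed = sorted((datetime.fromisoformat(ts), eid, f) for ts, eid, f in events)
    alerts = []
    for i, (t0, eid, fields) in enumerate(parsed):
        if eid != 6 or not suspicious_driver(fields["ImageLoaded"]):
            continue
        deadline = t0 + timedelta(seconds=window_s)
        killed = [basename(f["Image"]) for t, e, f in parsed[i + 1:]
                  if e == 5 and t <= deadline and basename(f["Image"]) in monitored]
        if len(killed) >= min_kills:
            alerts.append((basename(fields["ImageLoaded"]), killed))
    return alerts


if __name__ == "__main__":
    for driver, killed in find_byovd_kill_chains(SAMPLE_EVENTS):
        print(f"ALERT: {driver} loaded, then {len(killed)} security processes ended: {killed}")
```

In production the driver check should key on file hashes from a maintained vulnerable-driver list rather than file names, since the impersonation layer described above renames files freely.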

Souček’s analysis reveals that, when abstracting the impersonation layer and scrutinizing specific drivers used, the underlying code exhibits numerous structural and behavioral similarities, suggesting the use of a shared development template. This design enhances deployment efficiency and operational flexibility for affiliates, allowing for swift integration of new driver abuses shortly after EDR killer PoCs are disclosed.

The group has also incorporated third-party EDR killing tools, such as:

ESET’s research also uncovered a Rust-based credential stealer, codenamed OxideHarvest, which specializes in gathering sensitive data from an array of popular web browsers, further expanding the malicious capabilities of The Gentlemen.

While many ransomware gangs depend on affiliates for EDR-killing tasks, The Gentlemen has streamlined this function by offering a unified, ready-to-use suite of EDR-killers. This decision reduces barriers for affiliate operatives, simplifying the execution of attacks.

This trend coincides with the CERT Coordination Center (CERT/CC) issuing an advisory concerning multiple vendor-signed UEFI applications susceptible to Secure Boot bypass via BYOVD attacks. Prominent vendors including Acer, AMD, and ASUS, among others, have been identified as affected. CERT/CC emphasized that if a target system trusts the vendor’s certificate, attackers with administrative privileges or physical access could abuse these applications to execute arbitrary code before the operating system initializes.

To mitigate such risks, system administrators are urged to update UEFI Forbidden Signature Database (DBX) entries to revoke trust in vulnerable vendor-signed binaries, ultimately blocking execution during the boot process.

The evolution of The Gentlemen ransomware group serves as a stark reminder of the ever-increasing sophistication of cyber threats, raising significant concerns for security professionals tasked with defending digital environments against such relentless operations. As the landscape evolves, so too must the strategies employed to defend against these sophisticated RaaS operations.
