The Gentlemen Ransomware Group: A Closer Look at Their EDR-Killing Techniques

The Gentlemen ransomware-as-a-service (RaaS) group has been actively enhancing its arsenal by developing and distributing a range of endpoint detection and response (EDR) killers to its affiliates. These tools are designed to disable system defenses before launching their encryptor.

At the core of their EDR-terminating tools is a framework known as GentleKiller, which serves as a foundation for their sophisticated cyberattacks.

ESET security researcher Jakub Souček highlighted that The Gentlemen incorporate various third-party or leaked tools like HexKiller, ThrottleBlood, and HavocKiller into their operations. These tools are unified through a common defense-evasion layer, disguising themselves as reputable security vendors with fake version information, copied certificates, and icons.

Known for their agility, The Gentlemen have quickly adapted newly disclosed proof-of-concept (PoC) exploits, particularly the bring your own vulnerable driver (BYOVD) technique, sometimes within days of their public disclosure.

Since their emergence in March 2025, The Gentlemen have become one of the most active ransomware groups, with 504 confirmed victims, primarily in Southeast Asia, South America, and Western Europe.

Recent investigations have identified Alexander Andreevich Yapaev, a 36-year-old Russian national also known as hastalamuerte, as the mastermind behind The Gentlemen. Yapaev previously participated in other ransomware schemes, including Qilin.

Described by ESET as a technically agile group, The Gentlemen utilize various techniques to ensure their EDR killer samples evade detection. This includes employing binary protection using Enigma or Themida and using filenames that closely resemble those of well-known cybersecurity products, complete with version information, digital signatures, and icons.

The flagship EDR killer tool used by The Gentlemen, GentleKiller, exists in eight different variants, each masquerading as a different legitimate product and exploiting a distinct vulnerable or malicious driver in BYOVD attacks. GentleKiller specifically targets 400 processes associated with 48 security programs from multiple vendors.

Notably, one of the drivers exploited by The Gentlemen, “PoisonX.sys,” has been linked to recent BYOVD attacks, including one that disabled CrowdStrike Falcon EDR. Another attack involved leveraging BeyondTrust Remote Support to deploy ransomware after disabling security tools using “PoisonX.sys” and “hrwfpdrv.sys,” as reported by Huntress.

According to Souček, the underlying code of The Gentlemen’s tools reveals a shared development template that prioritizes ease of deployment and operational flexibility for affiliates, while reducing the development workload for the operators. This streamlined approach enables The Gentlemen to integrate abused drivers into their toolkit swiftly following the disclosure of an EDR killer PoC.

Additionally, The Gentlemen utilize third-party BYOVD-based EDR killers such as HexKiller (“googleApiUtil64.sys”), ThrottleBlood (“ThrottleBlood.sys”), and HavocKiller or HwAudKiller (“havoc.sys”).
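As an added example (not code from ESET or from any tool the article describes), the Python below flags Sysmon Event ID 6 (DriverLoad) records whose driver name matches one named in this article, or whose driver loads from outside the usual driver directories, which is the "bring your own" half of BYOVD. The event lines are constructed, and the directory heuristic is an assumption a defender would tune to their environment.

```python
import re
from pathlib import PureWindowsPath

# Driver names the article reports as abused by GentleKiller and the bundled
# third-party killers. A name match alone is weak (the file can be renamed),
# so pair it with hash and certificate checks in production.
WATCHLIST = {"poisonx.sys", "hrwfpdrv.sys", "googleapiutil64.sys",
             "throttleblood.sys", "havoc.sys"}

# Where legitimate drivers normally load from (heuristic, not a hard rule).
# A driver loaded from Temp, ProgramData or a user profile merits a look
# even when its name is unknown.
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

LINE_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Parse a key="value" rendering of a Sysmon Event ID 6 (DriverLoad) record."""
    return dict(LINE_RE.findall(line))

def assess(event):
    """Return the reasons a driver load looks like a BYOVD EDR killer; [] if clean."""
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    name, parent = path.name.lower(), str(path.parent).lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"known abused driver name: {name}")
    if not parent.startswith(EXPECTED_DIRS):
        reasons.append(f"driver loaded from unusual directory: {parent}")
    # Vulnerable drivers are usually validly signed, so a good signature never
    # clears a load; a bad one only adds a reason.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons

def scan(lines):
    """Map each flagged ImageLoaded path to its reasons; clean loads are omitted."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    'EventID="6" ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" SignatureStatus="Valid"',
    'EventID="6" ImageLoaded="C:\\ProgramData\\Update\\PoisonX.sys" SignatureStatus="Valid"',
    'EventID="6" ImageLoaded="C:\\Users\\Public\\ThrottleBlood.sys" SignatureStatus="Expired"',
]
```

Running `scan(SAMPLE_EVENTS)` flags the PoisonX.sys and ThrottleBlood.sys loads and leaves tcpip.sys unflagged.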

ESET also uncovered a Rust-based credential stealer named OxideHarvest (aka buildx641) capable of extracting data from various web browsers.

Unlike many ransomware groups that delegate EDR-killing tasks to affiliates, The Gentlemen centralize this function by offering a standardized EDR-killer suite, making it easier for affiliates to carry out attacks.

The recent advisory from the CERT Coordination Center (CERT/CC) highlighted vulnerabilities in multiple vendor-signed UEFI applications that could be exploited through a BYOVD attack to bypass Secure Boot. System administrators are advised to update the UEFI Forbidden Signature Database (DBX) to mitigate this risk.
