Gentlemen Ransomware Builds EDR-Killer Toolkit to Disable Security Defenses


The Gentlemen ransomware operation is giving affiliates a growing set of tools designed to shut down endpoint security before data theft or encryption begins. The most important tool in the group’s arsenal is GentleKiller, an in-house endpoint detection and response killer that uses vulnerable drivers to gain high privileges and terminate security processes.

According to ESET Research, Gentlemen operators maintain a full EDR-killer suite for their ransomware-as-a-service affiliates. That makes the group more dangerous because affiliates do not need to find or build their own tools to blind security software.

BleepingComputer reported that the suite includes at least eight GentleKiller variants, along with externally sourced tools such as HexKiller, ThrottleBlood, and HavocKiller. These tools help attackers disable defenses early in an intrusion so they can steal data, move laterally, and deploy ransomware with less resistance.

What Makes GentleKiller Dangerous

GentleKiller uses a technique known as bring your own vulnerable driver, or BYOVD. In this method, attackers load a legitimate but vulnerable driver into Windows, then abuse that driver to run actions at the kernel level, where security tools have much less control.

Each GentleKiller variant uses a different driver and impersonates a different legitimate product. Some variants pretend to be linked to brands or products such as Kaspersky, Valorant, Javelin, WatchDog, Network Blocker, Cleaner, and others.

The malware also uses packing and code-protection tools to make analysis harder. ESET found shared strings, similar process-killing logic, identical obfuscation patterns, and broad targeting across variants, which suggests a reusable development framework rather than a one-off tool.

Tool         | Role In Attacks     | Key Detail
-------------|---------------------|----------------------------------------------------
GentleKiller | Primary EDR killer  | At least eight variants abuse different drivers
HexKiller    | External EDR killer | Previously linked to Warlock ransomware activity
ThrottleBlood| External EDR killer | Seen in MedusaLocker and DragonForce-linked attacks
HavocKiller  | External EDR killer | Integrated into Gentlemen intrusion tooling
OxideHarvest | Credential stealer  | Rust-based tool linked to a Gentlemen affiliate

The Toolkit Targets Hundreds Of Security Processes

The Gentlemen toolkit does not aim at a single antivirus product. ESET said GentleKiller targets more than 400 processes mapped to about 48 security products and vendors, including Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, Bitdefender, ESET, McAfee, Trellix, and Kaspersky.

The wide target list shows how ransomware groups now treat security disabling as a repeatable engineering problem. Instead of hoping one exploit works, they maintain several options and swap drivers as new vulnerabilities or proof-of-concept tools become available.

The group also disguises the EDR killers by using fake version information, copied certificates, product-like filenames, and icons that resemble legitimate software. That can delay detection if defenders rely only on surface-level file names or signatures.

  • GentleKiller variants abuse vulnerable or malicious drivers.
  • The tools target hundreds of security-related processes.
  • Some samples impersonate legitimate security or gaming products.
  • The group uses packing tools such as Enigma and Themida.
  • The design makes it easier to add new drivers when new BYOVD methods appear.

Why Gentlemen Stands Out From Other Ransomware Gangs

Many ransomware programs leave EDR-killing tools to individual affiliates. Gentlemen appears to centralize that work by maintaining a ready-made toolkit that affiliates can use during intrusions.

The ESET report said this lowers the entry barrier for affiliates because they receive a standardized defense-evasion package from the ransomware operators. That can make attacks more consistent and faster to execute.

Halcyon also described Gentlemen as a fast-scaling ransomware operation, noting that the group grew quickly after its emergence and used a generous affiliate revenue split to attract operators. That affiliate model helps explain why a mature toolset matters: better tools can make the program more attractive to criminals.

FortiGate Access Remains A Major Risk Factor

Gentlemen activity has also been linked to Fortinet edge devices. Halcyon said the group’s primary entry vector involved CVE-2024-55591, a FortiOS and FortiProxy authentication bypass flaw that can let attackers gain super-admin privileges on vulnerable systems.

The official Fortinet advisory says CVE-2024-55591 affects FortiOS and FortiProxy and may allow a remote attacker to gain super-admin privileges through crafted requests. Fortinet also noted that exploitation had been reported in the wild.

This edge-device angle matters because ransomware operators often want stable initial access before they deploy EDR killers. Once attackers enter through VPNs, firewalls, exposed RDP, or remote management tools, they can use EDR-killing utilities to weaken the endpoint layer before launching the next stage.

Attack Stage     | How Gentlemen Uses It
-----------------|-----------------------------------------------------------------------------
Initial access   | Abuse of exposed services, VPN credentials, FortiGate weaknesses, or remote tools
Defense evasion  | Use of GentleKiller and other EDR killers to stop security tools
Credential theft | Use of tools such as OxideHarvest to collect browser and login data
Lateral movement | Use of legitimate admin tools to move through business networks
Extortion        | Data theft, encryption, and public leak-site pressure

SystemBC Botnet Shows The Group’s Wider Infrastructure

Gentlemen affiliates have also been connected to SystemBC, a proxy malware family used to create encrypted tunnels into compromised environments. Check Point Research previously reported that a SystemBC command-and-control server linked to a Gentlemen ransomware case revealed more than 1,570 victims.

SystemBC gives attackers a way to maintain access and route malicious traffic through compromised systems. In ransomware cases, that kind of proxy access can support reconnaissance, credential theft, lateral movement, and later-stage deployment.

[Figure: GentleKiller process]

The BleepingComputer report also noted that Gentlemen has previously been linked to a SystemBC botnet and attacks against corporate environments. Combined with the EDR-killer suite, that points to a group investing across multiple parts of the intrusion chain.

FortiBleed Raises The Pressure On Edge Security

The timing is notable because defenders are also dealing with FortiBleed, a large credential-exposure incident involving Fortinet and FortiGate devices. Recorded Future reported that a dataset contained valid administrative and VPN credentials for tens of thousands of FortiGate systems.

There is no need to assume every FortiBleed-exposed organization was targeted by Gentlemen. Still, the overlap is worrying because ransomware groups actively look for remote access credentials and exposed edge devices.

Organizations using Fortinet devices should not treat patching as the only fix. The Fortinet PSIRT notice confirms the importance of updating affected versions, but companies should also rotate credentials, review admin accounts, check VPN logs, and hunt for signs of earlier compromise.

What Security Teams Should Do Now

Defenders should assume that ransomware affiliates will try to disable endpoint tools before encryption. That means monitoring for driver loading, unusual service creation, security process termination, tampering with EDR agents, and sudden loss of endpoint telemetry.

The Halcyon threat assessment recommends strong perimeter hardening, Active Directory controls, backup resilience, and credential hygiene. Those steps remain important because EDR killers usually appear after attackers already have some level of access.

Security teams should also investigate any unexpected driver activity. Many BYOVD attacks rely on legitimate signed drivers, so defenders need rules that look for risky driver behavior, not only known malicious hashes.

  • Patch Fortinet, VPN, firewall, and internet-facing systems quickly.
  • Rotate VPN, administrator, service account, and privileged credentials.
  • Enable phishing-resistant MFA for remote access and administrator accounts.
  • Monitor for unusual driver loading and service creation.
  • Alert when EDR or antivirus processes stop unexpectedly.
  • Review Active Directory Group Policy changes and new admin accounts.
  • Keep immutable backups offline and test recovery procedures.
  • Use the Check Point Research findings to hunt for SystemBC-style proxy behavior.
  • Review FortiBleed exposure using trusted security sources such as Recorded Future.
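One way to turn the monitoring guidance above (driver loading, security process termination, loss of endpoint telemetry, and driver rules that do not rely only on known hashes) into something a SOC can run is a small correlation script over endpoint telemetry. The following is an added example and is not code from ESET, Halcyon, or this article. It assumes a normalized JSON-lines feed with Sysmon-style field names (DriverLoad, ProcessTerminate, plus an agent heartbeat event); the host names, driver paths, hash values, and the process list are constructed placeholders to be replaced with the agents and allow-lists of your own environment.

```python
"""Correlate driver loads, security-process terminations and agent heartbeats
to flag EDR-killer style activity. Added example; all sample data is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Security processes whose unexpected termination deserves an alert (sample set;
# extend with the agents actually deployed in your environment).
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "ekrn.exe"}

# Directories a production driver is normally loaded from; anything else is suspicious.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Placeholder hash list (not real hashes). A match is strong evidence, but the
# path and correlation rules below work without it, which matters when a new
# vulnerable driver is swapped in before blocklists catch up.
KNOWN_VULNERABLE_DRIVER_HASHES = {"SHA256=PLACEHOLDER-KNOWN-VULNERABLE-DRIVER-HASH"}

CORRELATION_WINDOW = timedelta(minutes=5)   # driver load -> security process stop
HEARTBEAT_GAP = timedelta(minutes=15)       # silence longer than this = telemetry loss

# Constructed sample telemetry: WS01 shows the kill pattern, WS02 is benign.
SAMPLE_LOG = r"""
{"Computer": "WS01", "Type": "AgentHeartbeat", "UtcTime": "2026-01-01T10:00:00"}
{"Computer": "WS02", "Type": "AgentHeartbeat", "UtcTime": "2026-01-01T10:00:00"}
{"Computer": "WS01", "Type": "DriverLoad", "UtcTime": "2026-01-01T10:02:00", "ImageLoaded": "C:\\Users\\Public\\lookalike_av.sys", "Signed": "true", "Hashes": "SHA256=PLACEHOLDER-KNOWN-VULNERABLE-DRIVER-HASH"}
{"Computer": "WS01", "Type": "ProcessTerminate", "UtcTime": "2026-01-01T10:03:00", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\x.y\\MsMpEng.exe"}
{"Computer": "WS01", "Type": "AgentHeartbeat", "UtcTime": "2026-01-01T10:03:30"}
{"Computer": "WS02", "Type": "DriverLoad", "UtcTime": "2026-01-01T10:05:00", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Hashes": "SHA256=PLACEHOLDER-BENIGN-HASH"}
{"Computer": "WS02", "Type": "AgentHeartbeat", "UtcTime": "2026-01-01T10:28:00"}
"""
NOW = datetime(2026, 1, 1, 10, 30)  # evaluation time for the heartbeat check


def parse_events(lines):
    """Parse JSON lines and sort them by timestamp so correlation sees events in order."""
    events = [json.loads(line) for line in lines if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["UtcTime"])
    return sorted(events, key=lambda event: event["ts"])


def driver_is_risky(event):
    """Return the reasons a driver load looks risky (empty list = nothing unusual).
    A valid signature is deliberately not treated as exculpatory: BYOVD drivers are signed."""
    path = event["ImageLoaded"].lower()
    reasons = []
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual path {event['ImageLoaded']}")
    if event.get("Hashes") in KNOWN_VULNERABLE_DRIVER_HASHES:
        reasons.append("driver hash is on the known-vulnerable list")
    return reasons


def detect(log_text, now):
    """Return (host, alert_kind, detail) tuples for the supplied telemetry."""
    alerts = []
    risky_drivers = defaultdict(list)  # host -> [(timestamp, driver path)]
    last_heartbeat = {}
    for event in parse_events(log_text.splitlines()):
        host = event["Computer"]
        if event["Type"] == "AgentHeartbeat":
            last_heartbeat[host] = event["ts"]
        elif event["Type"] == "DriverLoad":
            reasons = driver_is_risky(event)
            if reasons:
                alerts.append((host, "risky_driver_load", "; ".join(reasons)))
                risky_drivers[host].append((event["ts"], event["ImageLoaded"]))
        elif event["Type"] == "ProcessTerminate":
            name = event["Image"].rsplit("\\", 1)[-1].lower()
            if name in SECURITY_PROCESSES:
                alerts.append((host, "security_process_terminated", event["Image"]))
                # A risky driver load shortly before a security process stops is the
                # BYOVD kill pattern; report it as its own higher-severity alert.
                for loaded_at, driver in risky_drivers[host]:
                    delta = event["ts"] - loaded_at
                    if timedelta(0) <= delta <= CORRELATION_WINDOW:
                        alerts.append((host, "edr_kill_pattern",
                                       f"{driver} loaded {int(delta.total_seconds())}s before {name} was terminated"))
    # Sudden silence from an agent is itself a signal that it may have been disabled.
    for host, seen in last_heartbeat.items():
        if now - seen > HEARTBEAT_GAP:
            alerts.append((host, "telemetry_loss", f"no agent heartbeat since {seen.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in detect(SAMPLE_LOG, NOW):
        print(f"{host:5} {kind:28} {detail}")
```

Run as-is it reports four alerts for WS01 (the unusual-path driver load, the Defender process termination, the correlated kill pattern, and the subsequent loss of heartbeats) and nothing for WS02, whose driver came from the normal drivers directory. The path rule is the one to keep even when no hash list matches: it catches a newly adopted driver dropped into a user-writable directory, which is the swap-in behaviour the article describes.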

Why This Threat Matters

Gentlemen’s EDR-killer strategy shows how ransomware groups are becoming more organized. The group is not only offering ransomware payloads. It is building and maintaining a toolkit that helps affiliates get past the very tools companies use to detect ransomware attacks.

That does not mean EDR is useless. It means companies need layered controls that continue working even if one endpoint agent gets disabled. Network monitoring, identity controls, log collection, application control, backup isolation, and rapid credential rotation all become more important.

For enterprises, the key lesson is simple: ransomware defense cannot stop at endpoint software. Gentlemen’s toolkit targets that layer directly, so organizations need visibility before, during, and after an endpoint agent is attacked.

FAQ

What is Gentlemen ransomware?

Gentlemen is a ransomware-as-a-service operation that gives affiliates tools to break into networks, disable defenses, steal data, and deploy ransomware. Researchers say it has become one of the more active ransomware groups in 2026.

What is GentleKiller?

GentleKiller is an EDR-killer framework used by the Gentlemen ransomware operation. It abuses vulnerable or malicious drivers to gain high privileges and terminate security-related processes on compromised systems.

What does an EDR killer do?

An EDR killer tries to disable endpoint detection and response software, antivirus tools, and other security processes. Ransomware groups use these tools to reduce detection before stealing data or encrypting systems.

What is BYOVD?

BYOVD means bring your own vulnerable driver. Attackers load a vulnerable signed driver and abuse it to perform privileged actions, such as shutting down security tools at the kernel level.

How can companies defend against Gentlemen ransomware?

Companies should patch exposed systems, rotate VPN and administrator credentials, enforce MFA, monitor for suspicious driver loading, alert on stopped EDR services, harden Active Directory, and keep tested offline or immutable backups.
