Gentlemen Ransomware Gang Ships Its Own EDR Killers to Affiliates
A ready-to-use toolkit for neutralizing EDR on targeted machines is the extra perk the Gentlemen ransomware gang provides to its affiliates. This unusual feature sets this Ransomware-as-a-Service (RaaS) operation apart, as revealed by a months-long investigation by ESET researchers. Here’s what you need to know.
Gentlemen, an operator that arms its affiliates
First spotted in late 2025, Gentlemen rose in just a few months to become one of the most active ransomware gangs of Q1 2026. The group operates under a ransomware-as-a-service (RaaS) model and uses double extortion. As a reminder, this tactic involves threatening to leak the victim’s data if the ransom is not paid, in addition to encrypting the data, of course.

In the case of the Gentlemen ransomware, the operators offer different encryption modules, including a Go-based variant targeting Windows, Linux and other platforms, as well as a C-based variant designed for ESXi.
What makes Gentlemen a threat apart, however, is another feature. In most ransomware intrusions, each affiliate has to find their own tool capable of disabling the target’s EDR. Gentlemen does things differently: its operators handle the development and maintenance of a set of EDR killers that are directly offered to affiliates. In the past, RansomHub developed an in-house tool, EDRKillShifter, designed to kill EDR on targeted machines. But Gentlemen goes further by offering an entire catalog.
GentleKiller: a homegrown tool backed by existing utilities
In their report, ESET researchers mention GentleKiller, a tool developed in-house by the operators behind the Gentlemen RaaS. ESET had already put forward this hypothesis in February. "The leak of internal data suffered by Gentlemen in May 2026 allowed us to better understand the group’s internal workings," they write.
Indeed, in the leaked communications, zeta88 (an alias used by the gang leader, hastalamuerte) discusses the maintenance and supply of these EDR killer packages. Although GentleKiller is a central component of the Gentlemen ecosystem, it is not the only one.
"This leak also allowed us to confirm our February 2026 hypothesis that the Gentlemen operators actively develop and maintain a portfolio of tools designed to bypass EDR, which they offer to their affiliates, mainly relying on their internal infrastructure that we named ‘GentleKiller’," the researchers note.
For its part, ESET identified at least eight distinct GentleKiller variants, each impersonating a different legitimate application and abusing a specific vulnerable or malicious driver. GentleKiller also targets more than 400 process names, which the researchers link to 48 security products: from Acronis to Zscaler, including CrowdStrike, ESET, Microsoft Defender, SentinelOne and Sophos.
The GentleKiller variants observed and documented by the researchers come in several forms:
- Kaspersky, which abuses a rootkit named eb.sys;
- FACEIT Anti-Cheat, Valorant and Javelin, which hijack anti-cheat or process-monitoring drivers;
- WatchDog, which relies on Zemana’s antimalware driver;
- Network Blocker, Cleaner and G11, which exploit a Qihoo 360 driver, an IObit driver and the PoisonX rootkit, respectively.
Added to this homegrown foundation developed by the Gentlemen gang’s hackers are three existing EDR killers they integrated into their "catalog." These include HexKiller (previously associated with the Warlock gang), ThrottleBlood (seen among affiliates of MedusaLocker and DragonForce) and HavocKiller. In addition, the OxideHarvest malware, an infostealer that targets web browsers, was also found on several Gentlemen ransomware victims.
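The pattern ESET describes, a user-mode component loading a vulnerable or malicious driver and then terminating hundreds of security-product processes, is one a defender can look for in endpoint telemetry. The following is an added Python example written for this article, not ESET's code nor anything from the Gentlemen toolkit: it correlates a watchlisted driver load with subsequent kills of protected processes by the same acting process. It assumes a constructed pipe-delimited log format; "eb.sys" comes from the article, the other watchlisted driver names are placeholders, and the protected-process names, time window and kill threshold are sample choices.

```python
"""Flag BYOVD-style EDR-killer activity in a constructed endpoint event log."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# "eb.sys" is named in the article; the other two entries are PLACEHOLDERS for the
# vulnerable-driver filenames a deployment would take from its own driver blocklist.
DRIVER_WATCHLIST = {"eb.sys", "placeholder-zemana.sys", "placeholder-qihoo360.sys"}
# Sample security-product process names (constructed list). A real killer such as
# GentleKiller carries 400+ names, so a deployment would use its own inventory.
PROTECTED_PROCESSES = {"msmpeng.exe", "ekrn.exe", "sentinelagent.exe", "csfalconservice.exe"}
WINDOW = timedelta(seconds=120)  # kills must follow the driver load within this window
MIN_KILLS = 2                    # one crash is noise; several in a row is a killer

# Constructed log: "timestamp|kind|pid=<acting process>|image=<driver or victim path>".
SAMPLE_LOG = """\
2026-05-01T10:00:00|driver_load|pid=4120|image=C:\\Windows\\Temp\\eb.sys
2026-05-01T10:00:05|process_terminate|pid=4120|image=C:\\Program Files\\ESET\\ekrn.exe
2026-05-01T10:00:06|process_terminate|pid=4120|image=C:\\ProgramData\\Microsoft\\MsMpEng.exe
2026-05-01T10:00:07|process_terminate|pid=4120|image=C:\\Windows\\notepad.exe
2026-05-01T10:30:00|driver_load|pid=5300|image=C:\\Windows\\System32\\drivers\\ndis.sys
2026-05-01T10:30:01|process_terminate|pid=5300|image=C:\\Program Files\\ESET\\ekrn.exe
"""

def parse_event(line):
    """Parse one constructed log line into a dict with a normalised file name."""
    ts, kind, pid, image = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "pid": int(pid.split("=", 1)[1]),
            "image": PureWindowsPath(image.split("=", 1)[1]).name.lower()}

def detect_edr_killer(lines):
    """Return alerts where a watchlisted driver load is followed, by the same acting
    pid and within WINDOW, by at least MIN_KILLS distinct protected-process kills."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    kills_by_pid = defaultdict(list)
    for e in events:
        if e["kind"] == "process_terminate" and e["image"] in PROTECTED_PROCESSES:
            kills_by_pid[e["pid"]].append(e)
    alerts = []
    for e in events:
        if e["kind"] != "driver_load" or e["image"] not in DRIVER_WATCHLIST:
            continue  # ordinary drivers (e.g. ndis.sys above) never trigger an alert
        killed = sorted({k["image"] for k in kills_by_pid[e["pid"]]
                         if e["ts"] <= k["ts"] <= e["ts"] + WINDOW})
        if len(killed) >= MIN_KILLS:
            alerts.append({"pid": e["pid"], "driver": e["image"], "killed": killed})
    return alerts

if __name__ == "__main__":
    print(detect_edr_killer(SAMPLE_LOG.splitlines()))
```

On the sample log only pid 4120 is flagged: it loads eb.sys and then kills two protected processes, while pid 5300 loads a non-watchlisted driver and is ignored.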
France in the crosshairs of the Gentlemen RaaS
According to the ESET report, Gentlemen affiliates are hitting a broad and diverse geographic range, with a significant share of victims in Southeast Asia, South America and Western Europe. Other countries are also being targeted, and this is worth noting: among them, France, Brazil and Thailand.
"Recently leaked data show that, when choosing its victims, Gentlemen uses a centralized approach that involves sorting potential candidates before distributing them among its affiliates. Victims are selected primarily based on their FortiGate (mis)configuration rather than their geographic location," the researchers explain.
The victim list published by the Gentlemen gang also references several French victims: Amigest (a Lyon-based IT integrator), Cofaq (a cooperative in Poitiers), Constructions Piraino, ITD System, Cleor, and the municipality of Le Perreux-sur-Marne.