The Gentlemen ransomware-as-a-service operation is actively maintaining a set of EDR killers, led by the GentleKiller tool, to help affiliates evade security defenses during attacks. ESET says the group also uses external tools like HexKiller, ThrottleBlood, and HavocKiller, and has tied the activity to FortiGate-based targeting, the Romanian energy provider Oltenia, and a SystemBC proxy botnet. #Gentlemen #GentleKiller #HexKiller #ThrottleBlood #HavocKiller #FortiGate #Oltenia #SystemBC
Key points
- Gentlemen RaaS uses EDR killers to bypass defenses early in attacks.
- GentleKiller has at least eight variants and impersonates legitimate security products.
- The tool uses BYOVD to gain kernel-level privileges and disable security engines.
- GentleKiller targets more than 400 processes across about 48 security vendors.
- The group also uses external tools like HexKiller, ThrottleBlood, HavocKiller, and OxideHarvest.
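The key points above describe the BYOVD step from the attacker's side; the defender's handle on it is driver-load telemetry. As an added example, not code from ESET or from any of the tooling named above, the following Python detector scans Sysmon-style driver-load events (Event ID 6) for the traits a BYOVD attempt typically leaves behind: a driver whose hash is on a vulnerable-driver deny-list, a driver loaded from outside the usual driver directories, or a driver whose signature is missing or invalid. The event lines, field layout and hash values are constructed for illustration; a real deployment would populate the deny-list from the Microsoft vulnerable driver blocklist or a similar feed and read events from the actual log source.

```python
"""
Added example (not from the ESET report or the Gentlemen tooling):
a small BYOVD detector over Sysmon-style DriverLoad (Event ID 6) records.
All hashes, paths and log lines below are constructed placeholders.
"""
import re
from typing import Dict, List

# Constructed placeholder hash standing in for a known-vulnerable driver.
# In practice, populate this set from the Microsoft vulnerable driver
# blocklist (or an equivalent feed) rather than hard-coding values.
PLACEHOLDER_BAD_HASH = "0" * 63 + "1"
DENYLIST_SHA256 = {PLACEHOLDER_BAD_HASH}

# Directories from which legitimate drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample events in a key=value rendering of Sysmon Event ID 6.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\ndis.sys" '
    f'Hashes=SHA256={"a" * 64} Signed=true SignatureStatus=Valid '
    'Signature="Microsoft Windows"',
    'EventID=6 ImageLoaded="C:\\Users\\Public\\tmp\\drv_update.sys" '
    f'Hashes=SHA256={PLACEHOLDER_BAD_HASH} Signed=true SignatureStatus=Valid '
    'Signature="Example Vendor"',
    'EventID=6 ImageLoaded="C:\\Windows\\Temp\\helper.sys" '
    f'Hashes=SHA256={"b" * 64} Signed=false SignatureStatus=Unavailable '
    'Signature=-',
]

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def sha256_of(evt: Dict[str, str]) -> str:
    """Extract the SHA256 entry from a Sysmon-style 'Hashes' field."""
    for part in evt.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return ""


def assess_driver_load(evt: Dict[str, str]) -> List[str]:
    """Return the list of reasons this driver load looks like BYOVD."""
    reasons: List[str] = []
    if evt.get("EventID") != "6":
        return reasons  # only DriverLoad events are relevant here
    if sha256_of(evt) in DENYLIST_SHA256:
        reasons.append("hash on vulnerable-driver deny-list")
    image = evt.get("ImageLoaded", "").lower()
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded outside trusted driver directories")
    if evt.get("Signed", "").lower() != "true" or evt.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the checks over every line and collect alerts with their reasons."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        evt = parse_event(line)
        reasons = assess_driver_load(evt)
        if reasons:
            alerts.append({"image": evt.get("ImageLoaded", ""), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['image']}: {', '.join(alert['reasons'])}")
```

The three checks are deliberately independent so that a driver loaded from a trusted path but matching the deny-list (a legitimately signed, known-vulnerable driver dropped into the normal directory) still fires on the hash rule alone, while an unsigned driver in a temp folder fires on two rules at once, which makes triage priority easy to derive from the reason count.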