Gentlemen Ransomware Escalates Attacks with Sophisticated EDR Killers
The **Gentlemen** ransomware-as-a-service (RaaS) is actively enhancing its evasion tactics, deploying a custom suite of endpoint detection and response (EDR) killer tools. This sophisticated arsenal, spearheaded by the **GentleKiller** utility, aims to disable security defenses early in an attack, ensuring unhindered data theft and encryption.
The **Gentlemen** RaaS operation is increasingly developing and maintaining a robust set of EDR killers to help its affiliates bypass detection during ransomware attacks.
### GentleKiller: A Multi-Variant EDR Evasion Tool
The gang's primary EDR-killing tool, dubbed **GentleKiller** by researchers, has at least eight distinct variants. These variants are designed to impersonate legitimate security products such as **Kaspersky**, **Valorant**, **Javelin**, and **WatchDog**, adding a layer of deception to their operations.
EDR killers are typically deployed in the initial stages of an attack. Their function is to neutralize security mechanisms, allowing ransomware and data exfiltration processes to execute without interference.
These tools primarily leverage the 'bring your own vulnerable driver' (BYOVD) technique. This method allows them to elevate privileges to the kernel level, effectively disabling security engines.
According to **ESET** researchers, each **GentleKiller** variant utilizes different vulnerable drivers to achieve kernel-level privileges. Despite these differences, they share common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope. This consistency suggests a well-engineered framework designed for modularity and easy adaptation to new vulnerabilities.

**ESET**'s analysis reveals that **GentleKiller** targets over 400 processes associated with approximately 48 security vendors and products. This extensive list includes industry leaders such as **Microsoft**, **CrowdStrike**, **SentinelOne**, **Palo Alto**, **Sophos**, **Trend Micro**, **ESET**, **Bitdefender**, **McAfee/Trellix**, and **Kaspersky**.

The binaries for **GentleKiller** are protected by commercial packing and code-protection tools like **Enigma** and **Themida**. Furthermore, **ESET** notes that the threat actors employ stolen, albeit invalid, digital signatures from legitimate software, further complicating analysis and detection.
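As an added defender-side example (not from ESET's report or any tool described on this page), the following Python heuristic flags the behaviour described above: a single process terminating processes belonging to several distinct security vendors within a short window. The log format, the process-name-to-vendor map and the event lines are constructed for illustration and should be replaced with the actual binaries of the products deployed in your environment.

```python
from datetime import datetime, timedelta

# Map of security product process names to vendors (constructed for illustration;
# substitute the real agent binaries present on your endpoints).
SECURITY_PROCESSES = {
    "MsMpEng.exe": "Microsoft Defender",
    "CSFalconService.exe": "CrowdStrike",
    "SentinelAgent.exe": "SentinelOne",
    "cyserver.exe": "Palo Alto Cortex",
    "SophosHealth.exe": "Sophos",
    "ekrn.exe": "ESET",
    "avp.exe": "Kaspersky",
}

# Constructed termination events: "<timestamp> <event> <actor pid> <actor image> <target image>".
EVENT_LOG = r"""
2024-05-01T10:00:01 ProcessTerminate 4412 C:\Temp\update.exe MsMpEng.exe
2024-05-01T10:00:02 ProcessTerminate 4412 C:\Temp\update.exe CSFalconService.exe
2024-05-01T10:00:02 ProcessTerminate 4412 C:\Temp\update.exe SentinelAgent.exe
2024-05-01T10:00:03 ProcessTerminate 4412 C:\Temp\update.exe ekrn.exe
2024-05-01T10:05:00 ProcessTerminate 800 C:\Windows\explorer.exe notepad.exe
2024-05-01T11:00:00 ProcessTerminate 912 C:\Windows\System32\svchost.exe avp.exe
"""


def parse_events(log_text):
    """Parse the constructed line format into (timestamp, pid, image, target) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "ProcessTerminate":
            continue  # ignore blank lines and unrelated event types
        ts, _, pid, image, target = parts
        events.append((datetime.fromisoformat(ts), int(pid), image, target))
    return events


def find_edr_kill_bursts(log_text, window_seconds=60, min_vendors=3):
    """Return actors that killed processes of >= min_vendors distinct vendors in one window.
    Counting distinct vendors rather than raw kills keeps a single product's crash loop
    from alerting, while a cross-vendor sweep (the EDR-killer pattern) still does."""
    by_actor = {}
    for ts, pid, image, target in parse_events(log_text):
        vendor = SECURITY_PROCESSES.get(target)
        if vendor:
            by_actor.setdefault((pid, image), []).append((ts, vendor))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (pid, image), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            vendors = {v for ts, v in hits[i:] if ts - start <= window}
            if len(vendors) >= min_vendors:
                alerts.append({"pid": pid, "image": image, "vendors": sorted(vendors)})
                break  # one alert per actor is enough
    return alerts
```

Running it over the constructed log reports only pid 4412, which hit four vendors within two seconds; the single Kaspersky termination by svchost.exe stays below the threshold.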
### A Diverse Arsenal of EDR Killers
Beyond **GentleKiller**, the **Gentlemen** RaaS incorporates at least three other external EDR killer tools:
* **HexKiller**: Previously associated with the **Warlock** gang.
* **ThrottleBlood**: Linked to **MesudaLocker** and **DragonForce** attacks.
* **HavocKiller**: Also observed in various ransomware operations.
The inclusion of these external tools could serve several purposes: redundancy, added attribution complexity, or use in specific scenarios where **GentleKiller**'s effectiveness might be limited.
**ESET** also documented the use of **OxideHarvest**, a Rust-based credential-stealing tool. The choice of programming language suggests this tool was likely developed externally.
### Targeting and Past Operations
Researchers indicate that **Gentlemen** ransomware selects its targets based on the configuration of their **FortiGate** endpoints. This is particularly noteworthy given the recent discovery of "**FortiBleed**," a leak exposing nearly 74,000 **FortiGate** VPN credentials.
Previous operations attributed to the **Gentlemen** RaaS include the compromise of the **Romanian energy provider Oltenia**. The group has also been linked to a **SystemBC** proxy malware botnet comprising over 1,570 hosts, believed to be corporate victims.