
Ransomware affiliates have long relied on commodity EDR-killing tools, but Gentlemen ransomware takes a different approach. The gang fields a curated, modular suite of endpoint detection and response killers drawn from at least three rival criminal gangs, engineered so affiliates can swap drivers between attacks without rewriting code. BleepingComputer reported on analysis by ESET, the Slovakia-based cybersecurity firm. ESET traced the framework through the gang’s compromise of Romanian energy provider Oltenia and a SystemBC proxy malware botnet of over 1,570 hosts believed to be corporate victims.
GentleKiller’s Eight Driver Variants Target 400 Processes Across 48 Vendors
The centerpiece of Gentlemen ransomware’s defense-evasion arsenal is GentleKiller, a purpose-built EDR killer with at least eight variants. Each uses a different vulnerable driver to reach kernel-level privileges through the bring your own vulnerable driver (BYOVD) technique. All eight variants share the same code obfuscation, the same process-killing logic, and the same target list. That design is deliberate: the framework lets operators swap a patched or blocklisted driver for a newly disclosed vulnerable one without touching the core tool.
The scope of what GentleKiller hunts is notable. ESET counted more than 400 processes associated with approximately 48 security vendors and products, including Microsoft, CrowdStrike, SentinelOne, Palo Alto Networks, Sophos, Trend Micro, ESET itself, Bitdefender, McAfee/Trellix, and Kaspersky. GentleKiller impersonates legitimate security products during execution, including Kaspersky, Valorant, Javelin, and WatchDog, and its binaries are protected by the commercial Enigma and Themida packing tools. The gang also uses stolen digital signatures from legitimate software, though ESET notes they are invalid.
The BYOVD supply chain here is harder to defend against than a single-tool adversary because of driver interchangeability. A static driver blocklist catches one GentleKiller variant and leaves the other seven operational. Each new kernel-level vulnerability disclosure becomes a candidate for the next swap. The gang had already claimed 478 victims before ESET documented this multi-variant architecture, and the modular design explains the operational persistence: tools that are easy to update stay in circulation.
HexKiller, ThrottleBlood, and HavocKiller: The Borrowed EDR Killer Toolkit
Beyond GentleKiller, ESET found Gentlemen ransomware incorporating three additional EDR killers sourced directly from the broader criminal ecosystem. HexKiller was previously deployed by the Warlock gang. ThrottleBlood has been linked to MesudaLocker and DragonForce ransomware operations. HavocKiller has been seen across multiple ransomware campaigns. None of these are built by the Gentlemen RaaS team; they are borrowed.
ESET identifies three reasons for the borrowing: redundancy if GentleKiller fails against a target, attribution complexity when defenders see multiple gang signatures in a single incident, and tactical flexibility for affiliates who prefer specific tools. The analysis also uncovered OxideHarvest, a Rust-based credential stealer ESET believes was developed externally, based on the programming language choice.
This cross-gang tool-sharing is where the risk concentrates. The criminal tool market has matured to the point where EDR killer components circulate between gangs the way legitimate security modules are licensed between vendors. A defender who sees ThrottleBlood signatures in an incident log may attribute the attack to DragonForce; the actual operator is Gentlemen RaaS. Incident attribution becomes a first-responder problem at the moment response speed matters most.
Gentlemen Ransomware FortiGate Targeting and Three Defensive Steps
ESET’s targeting analysis reveals one more operational detail: the gang selects victims based on FortiGate endpoint configuration. Combined with the 1,570-host SystemBC botnet, this gives operators persistent access to a large pool of pre-compromised corporate environments for EDR-killer-assisted attacks.
The Oltenia energy provider compromise is the best-documented Gentlemen RaaS intrusion to date. Energy-sector defenders should treat any SystemBC detection as a potential indicator of this gang, since the botnet overlap ties the two operationally. Teams investigating ransomware incidents involving ThrottleBlood or HexKiller signatures should cross-check for GentleKiller variants before ruling out a common operator.
Three actions address what ESET documented, ordered by the attack sequence:
Audit your driver blocklist against all eight GentleKiller variants – ESET’s research identified variant-specific vulnerable drivers. A blocklist built from one known variant leaves the remaining seven undetected. Map your Microsoft Vulnerable Driver Blocklist against the full variant set ESET published, and set a review cadence tied to new BYOVD disclosures so each newly weaponized driver is blocked before entering the swap rotation.
Flag multi-gang EDR killer signatures in the same incident as a Gentlemen ransomware indicator – Seeing ThrottleBlood and GentleKiller together is not evidence of multiple gangs. It is the operational fingerprint of a single affiliate using the borrowed toolkit. Tune SIEM correlation rules to surface this combination and treat it as an escalation trigger, not an attribution ambiguity to resolve later.
Harden FortiGate configurations to reduce targeting exposure – The gang selects targets based on FortiGate endpoint configuration, so misconfigured devices are chosen deliberately rather than hit at random. Audit external-facing FortiGate configurations against hardening guides from Fortinet and CISA. Gentlemen ransomware pre-positions through SystemBC before deploying GentleKiller, and the Oltenia compromise shows critical infrastructure operators cannot treat this group as a commodity threat.
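The first two actions above, the driver blocklist audit and the multi-family correlation rule, are the kind of check a security team can script. The following is an added example written for this page; it is not code from the article, from ESET, or from any product. It assumes a WDAC-style deny policy (the element shapes Microsoft's driver block rules use), a simple one-line-per-alert SIEM export, and alert names of the form Tool.<Family>; every hash, hostname, timestamp and alert name in it is a constructed placeholder, not a real indicator from ESET's research.

```python
"""Added example: two defender checks on constructed sample data.

1. blocklist_gaps(): parse a WDAC-style driver deny policy and report which
   driver hashes from your own inventory of known-vulnerable drivers are
   NOT denied (the "one variant blocked, seven still usable" gap).
2. correlate_killer_families(): scan alert lines per host and flag hosts
   where two or more distinct EDR-killer families fire within a short
   window, the co-occurrence the article treats as a single-operator
   escalation trigger rather than evidence of several gangs.

All hashes, hostnames, timestamps and alert names are placeholders.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Driver blocklist coverage -------------------------------------------

# Constructed policy fragment in the SiPolicy/FileRules/Deny shape that
# Microsoft's recommended driver block rules use. Hashes are placeholders.
SAMPLE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_1" FriendlyName="variant-1 driver" Hash="AAAA1111"/>
    <Deny ID="ID_DENY_2" FriendlyName="variant-2 driver" Hash="BBBB2222"/>
  </FileRules>
</SiPolicy>"""

# Constructed inventory: one hash per GentleKiller variant driver your team
# tracks (placeholders; real values come from vendor reporting).
KNOWN_VULNERABLE_DRIVERS = {
    "variant-1": "aaaa1111",
    "variant-2": "bbbb2222",
    "variant-3": "cccc3333",
}

SIPOLICY_NS = {"p": "urn:schemas-microsoft-com:sipolicy"}


def denied_hashes(policy_xml: str) -> set[str]:
    """Return the lower-cased hashes the policy explicitly denies."""
    root = ET.fromstring(policy_xml)
    return {
        deny.get("Hash").lower()
        for deny in root.findall(".//p:FileRules/p:Deny", SIPOLICY_NS)
        if deny.get("Hash")
    }


def blocklist_gaps(policy_xml: str, inventory: dict[str, str]) -> list[str]:
    """Inventory entries whose driver hash the policy does not deny."""
    denied = denied_hashes(policy_xml)
    return sorted(name for name, h in inventory.items() if h.lower() not in denied)


# --- 2. Multi-family EDR-killer correlation ----------------------------------

# Map alert names (as your EDR or SIEM emits them) to the killer family they
# indicate. These names are constructed; adapt them to your product.
FAMILY_OF_ALERT = {
    "Tool.GentleKiller": "GentleKiller",
    "Tool.ThrottleBlood": "ThrottleBlood",
    "Tool.HexKiller": "HexKiller",
    "Tool.HavocKiller": "HavocKiller",
}

# Constructed SIEM export: "<ISO timestamp> host=<name> alert=<detection>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 host=srv-01 alert=Tool.ThrottleBlood
2024-01-01T10:04:00 host=srv-01 alert=Tool.GentleKiller
2024-01-01T10:06:00 host=srv-02 alert=Tool.HexKiller
2024-01-01T11:30:00 host=srv-02 alert=Tool.GentleKiller
2024-01-01T10:07:00 host=srv-03 alert=Tool.ThrottleBlood
2024-01-01T10:08:00 host=srv-03 alert=Tool.ThrottleBlood
2024-01-01T10:09:00 host=srv-03 alert=Generic.Suspicious
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) alert=(\S+)$")


def parse_alerts(log: str):
    """Yield (timestamp, host, family) for lines naming a known killer family."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than fail
        ts, host, alert = m.groups()
        family = FAMILY_OF_ALERT.get(alert)
        if family:  # alerts outside the killer map do not count toward the rule
            yield datetime.fromisoformat(ts), host, family


def correlate_killer_families(
    log: str, window: timedelta = timedelta(minutes=30)
) -> dict[str, set[str]]:
    """Hosts where >= 2 distinct EDR-killer families fired within `window`.

    Returns {host: families seen in the first offending window}. Repeated
    hits of one family on a host (srv-03 above) do not trigger the rule.
    """
    by_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, host, family in parse_alerts(log):
        by_host[host].append((ts, family))
    hits: dict[str, set[str]] = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            families = {fam for ts, fam in events[i:] if ts - start <= window}
            if len(families) >= 2:
                hits[host] = families
                break
    return hits


if __name__ == "__main__":
    print("not denied:", blocklist_gaps(SAMPLE_POLICY, KNOWN_VULNERABLE_DRIVERS))
    print("multi-family hosts:", correlate_killer_families(SAMPLE_LOG))
```

On the sample data the blocklist check reports variant-3 as uncovered, and the correlation flags only srv-01 with the default 30-minute window; srv-02 shows two families 84 minutes apart, so it is flagged only when the window is widened, which is the tuning decision the correlation rule hinges on.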