Gentlemen ransomware uses multiple EDR killers to disable defenses

The Gentlemen ransomware-as-a-service (RaaS) operation develops and maintains endpoint detection and response (EDR) killers to help its affiliates avoid detection during attacks.
The group uses a suite of EDR-killing tools, the most widely used of which is a custom tool researchers have named GentleKiller. The tool has at least eight variants, which masquerade as various legitimate products, including Kaspersky, Valorant, Javelin, and WatchDog.

An EDR killer is typically deployed in the early stages of an attack to disable defenses; in ransomware cases it ensures that data theft and encryption proceed unimpeded.
These tools work by using a ‘bring your own vulnerable driver’ (BYOVD) method to elevate privileges and disable security engines.
According to ESET researchers, each variant of GentleKiller uses a different vulnerable driver to gain kernel-level privileges. However, they all share the same strings, the same code obfuscation methods, and the same process execution and targeting scope.
Analysis of the variants shows that the framework is designed so that drivers can be swapped easily, or newly disclosed bugs weaponized, without major code changes.

Source: ESET
ESET says GentleKiller targets more than 400 processes associated with nearly 48 security vendors/products, such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.

Source: ESET
The EDR killer binaries are protected with the commercial Enigma and Themida packers and code-protection tools. ESET notes that the threat actor also signs them with certificates stolen from legitimate software, although the resulting signatures are invalid.
While GentleKiller is the standard tool used in Gentlemen ransomware attacks, ESET reports that the threat group’s EDR killer collection includes at least three third-party tools:
- HexKiller, formerly used by the Warlock gang
- ThrottleBlood, linked to MesudaLocker and DragonForce attacks
- HavocKiller, also seen in other ransomware activity
Gentlemen RaaS likely keeps these for redundancy, for complex environments, or for situations in which GentleKiller’s effectiveness may be limited.
Additionally, ESET documented the use of OxideHarvest, a Rust-based credential-stealing tool that the researchers believe, based on the choice of programming language, was developed externally.
The researchers’ analysis shows that Gentlemen ransomware selects targets based on the configuration of their FortiGate endpoints. This is especially interesting given the recent discovery of “FortiBleed,” a collection of nearly 74,000 FortiGate VPN credentials.
Gentlemen RaaS has previously compromised Romanian energy provider Oltenia and is linked to the SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate targets.
