Full Report
The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor. This mature portfolio of EDR-terminating tools is centered on a framework known as GentleKiller. "They also incorporate third-party or
Analysis Summary
# Tool/Technique: GentleKiller (EDR Killer Framework)
## Overview
GentleKiller is a sophisticated EDR (Endpoint Detection and Response) termination framework developed and maintained by **The Gentlemen** Ransomware-as-a-Service (RaaS) operation. It is designed to impair system defenses by terminating security processes using "Bring Your Own Vulnerable Driver" (BYOVD) attacks before the final ransomware payload is deployed.
## Technical Details
- **Type**: Malware Framework / EDR Killer
- **Platform**: Windows
- **Capabilities**: Defense Evasion, Process Termination (400+ processes), BYOVD Exploitation, Binary Packing.
- **First Seen**: March 2025
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1562.001 - Impair Defenses: Disable or Modify Tools** (Terminating EDR/AV processes)
- **T1036 - Masquerading** (Impersonating legitimate security vendors)
- **T1064 - Scripting** (Operationalizing PoC exploits)
- **T1543.003 - Create or Modify System Process: Windows Service** (Loading vulnerable drivers)
- **TA0002 - Execution**
- **T1059 - Command and Scripting Interpreter**
## Functionality
### Core Capabilities
- **Mass Process Termination**: Targets approximately 400 processes associated with 48 distinct security products.
- **BYOVD (Bring Your Own Vulnerable Driver)**: Leverages legitimate but vulnerable third-party drivers to gain kernel-level privileges to kill protected security agents.
- **Rapid Operationalization**: Capable of integrating new PoC exploits into the framework within days of public disclosure.
### Advanced Features
- **Sophisticated Masquerading**: Employs fake version information, legitimate software icons, and copied digital certificates to appear as trusted security software.
- **Binary Obfuscation**: The framework utilizes **Enigma** or **Themida** packers to shield binaries from static analysis and signature-based detection.
- **Standardized Defense Layer**: Incorporates and standardizes third-party or leaked tools (HexKiller, ThrottleBlood, HavocKiller) into a unified evasion layer.
## Indicators of Compromise
### File Names (Drivers used in BYOVD)
- `eb.sys` (Kaspersky)
- `nseckrnl.sys` (FACEIT Anti-Cheat)
- `GameDriverX64.sys` (Valorant)
- `stpm_old.sys` / `stpm_new.sys` (Javelin)
- `dmx.sys` (WatchDog)
- `360netmon_wfp.sys` (Network Blocker)
- `IMFForceDelete.sys` (Cleaner)
- `PoisonX.sys` (G11)
### Behavioral Indicators
- Attempted loading of known vulnerable drivers not associated with the local environment.
- Rapid termination of multiple security-related process trees.
- Presence of binaries packed with Enigma or Themida in unconventional directories.
## Associated Threat Actors
- **The Gentlemen (RaaS)**: Credited with creating and distributing the tool to affiliates.
- **Alexander Andreevich Yapaev (aka "hastalamuerte")**: Identified as the alleged leader of the operation.
## Detection Methods
- **Signature-based detection**: Scanning for known vulnerable driver hashes (e.g., PoisonX, IMFForceDelete).
- **Behavioral detection**: Monitoring for unauthorized driver installation and calls to `TerminateProcess` targeting security software.
- **Driver Blocklisting**: Utilizing Microsoft’s vulnerable driver blocklist or WDAC to prevent the loading of the drivers listed under Indicators of Compromise above.
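A small detection hunt over Sysmon-style events, added here as an illustration and not taken from the report or from the Gentlemen tooling: it flags loads of the driver file names in the IoC list above and a burst of security-agent terminations, the two behavioral indicators the report describes. The event records and the set of security-process image names are constructed/assumed and should be tuned to the environment.

```python
"""Hunt Sysmon-style events for GentleKiller behavioural indicators:
vulnerable-driver load (EID 6) and a burst of security-process
terminations (EID 5). Sample events below are constructed, not real."""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names from the report's IoC list (matched on lower-cased basename).
BYOVD_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys", "stpm_new.sys",
    "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys", "poisonx.sys",
}
# Assumed watchlist of security-agent image names; adjust to the deployed products.
SECURITY_PROCESSES = {"msmpeng.exe", "sensecncproxy.exe", "cbdefense.exe", "xagt.exe"}

def find_driver_loads(events):
    """Return ImageLoaded paths of Sysmon EID 6 events whose basename is on the watchlist."""
    hits = []
    for ev in events:
        if ev["EventID"] == 6:
            name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
            if name in BYOVD_DRIVERS:
                hits.append(ev["ImageLoaded"])
    return hits

def find_termination_bursts(events, threshold=3, window_s=10):
    """Return the UtcTime at which >= threshold distinct security processes
    have been terminated (EID 5) within a sliding window, else None."""
    recent = deque()
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] != 5:
            continue
        image = PureWindowsPath(ev["Image"]).name.lower()
        if image not in SECURITY_PROCESSES:
            continue
        ts = datetime.fromisoformat(ev["UtcTime"])
        recent.append((ts, image))
        while ts - recent[0][0] > timedelta(seconds=window_s):
            recent.popleft()
        if len({img for _, img in recent}) >= threshold:
            return ev["UtcTime"]
    return None

# Constructed sample events (not from the report): one driver load, then three
# security agents killed within seconds, then an unrelated termination later.
SAMPLE = [
    {"EventID": 6, "UtcTime": "2025-03-01T10:00:00", "ImageLoaded": r"C:\Windows\Temp\PoisonX.sys"},
    {"EventID": 5, "UtcTime": "2025-03-01T10:00:02", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-03-01T10:00:03", "Image": r"C:\Program Files\Confer\CbDefense.exe"},
    {"EventID": 5, "UtcTime": "2025-03-01T10:00:04", "Image": r"C:\Program Files\xagt\xagt.exe"},
    {"EventID": 5, "UtcTime": "2025-03-01T10:30:00", "Image": r"C:\Windows\notepad.exe"},
]
```

In practice the two signals are worth correlating: a watchlisted driver load followed within minutes by a termination burst on the same host is a much stronger alert than either alone.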
## Mitigation Strategies
- **Enforce Driver Signing**: Enable strict Windows Driver Signature Enforcement (DSE).
- **Endpoint Hardening**: Implement **Microsoft Vulnerable Driver Blocklist** to prevent BYOVD attacks.
- **Identity & Access Management**: Restrict administrative privileges to prevent the loading of kernel drivers.
- **Tamper Protection**: Enable native "Tamper Protection" features in EDR solutions to prevent unauthorized service/process termination.
## Related Tools/Techniques
- **HexKiller**
- **ThrottleBlood**
- **HavocKiller**
- **BYOVD (Technique)**: Broadly used by other ransomware groups like Qilin and DragonForce.