The Gentlemen Ransomware Gang Standardizes EDR Killing

Source: Data Breach Today · Archived Jun 18, 2026

Eset Links Group's Growth to Integrated Endpoint-Killing Tools

Eset researchers say the rapidly growing Gentlemen ransomware operation differentiates itself by supplying affiliates with a standardized EDR-killer suite that disables security tools, quickly incorporates newly disclosed vulnerable drivers and helps scale attacks across multiple regions worldwide.

Tiffany Wang • June 18, 2026

Prolific ransomware group The Gentlemen is anything but mild and calm with endpoint detection and response, say researchers who found that the extortionists have turned EDR killing into a tactical advantage.

The ransomware-as-a-service gang operates a suite that disrupts security software and targets victims across Southeast Asia, South America and Western Europe, Eset researchers found in research published Thursday. By blending in-house development with tools built externally, the group differentiates itself with a diverse portfolio and the lucrative offer of taking only a 10% share of ransom payments from affiliates, compared with the industry standard of 20%.

"While most ransomware gangs continue to delegate EDR killing to affiliates, Gentlemen has chosen to centralize this function by offering affiliates a ready-to-use, standardized EDR-killer suite. This decision makes Gentlemen an attractive operator for affiliates as it materially lowers the entry barrier for them, making their job consequently easier," Eset wrote.

Gentlemen has grown into one of the most active ransomware gangs this year. The group was reportedly formed by a disgruntled former Qilin affiliate, who assembled a team of former members of other ransomware groups including Qilin, Embargo, LockBit, Medusa and BlackLock. Independent cybersecurity journalist Brian Krebs reported June 10 that the group appears to be led by a 36-year-old Russian living in the Western Urals city of Izhevsk.

Eset research found that ransomware customers normally source their own EDR killer to use in intrusions, but Gentlemen sweetens the deal by offering them a complete package that includes both a self-developed tool and externally sourced artifacts. The most prevalent EDR killer in the group's ecosystem is GentleKiller, a self-developed tool with at least eight variants targeting more than 400 processes. Although each variant impersonates a different legitimate product and abuses a different vulnerable or malicious driver, they all share the same underlying characteristics, including terminating processes periodically and employing identical code obfuscation.

This design offers operational flexibility for customers deploying the ransomware while making development easy for the service provider, Eset wrote. It allows the operators to incorporate newly abused drivers into their toolset within days of a proof of concept being disclosed. The group also incorporates third-party or leaked tools named HexKiller, ThrottleBlood and HavocKiller.

"These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied through legitimate certificates and icons," Eset wrote.

The overarching defense-evasion strategy includes applying advanced protection to executable files, spoofing trusted vendors' identities and manipulating file attributes to make the EDR-killing tools harder to detect and analyze.

"While some components show signs of rushed implementation or inconsistent polish, the overall toolset demonstrates high operational effectiveness and tight integration into Gentlemen's ransomware workflow," Eset wrote.
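The periodic process termination Eset describes leaves a recognizable trace in endpoint telemetry. The detector below is an added example, not code from the article or from Eset's report: it assumes Sysmon Event ID 10 (ProcessAccess) records with UtcTime, SourceImage, TargetImage and GrantedAccess fields, and flags any source binary that opens the same protected process with the PROCESS_TERMINATE right at regular intervals. All file paths and events are constructed.

```python
"""Flag a process that repeatedly opens security processes with PROCESS_TERMINATE.
Added example, not code from the article or the Eset report. Assumes Sysmon Event
ID 10 (ProcessAccess) fields UtcTime, SourceImage, TargetImage, GrantedAccess."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PROCESS_TERMINATE = 0x0001  # Windows access right needed to call TerminateProcess


def _ev(t, src, dst, access):
    return {"UtcTime": t, "SourceImage": src, "TargetImage": dst, "GrantedAccess": access}


SENSOR = r"C:\Program Files\EDR\sensor.exe"    # constructed protected process
KILLER = r"C:\Users\Public\svchost.exe"        # constructed impostor binary
UPDATER = r"C:\Program Files\EDR\updater.exe"  # constructed legitimate tool
# Constructed events: the impostor opens the sensor every 30 s with terminate
# rights; the updater does so at irregular times; Explorer never has the bit.
SAMPLE_EVENTS = [
    _ev("2026-06-18 09:00:00.000", KILLER, SENSOR, "0x1401"),
    _ev("2026-06-18 09:00:30.010", KILLER, SENSOR, "0x1401"),
    _ev("2026-06-18 09:01:00.020", KILLER, SENSOR, "0x1401"),
    _ev("2026-06-18 09:01:30.000", KILLER, SENSOR, "0x1401"),
    _ev("2026-06-18 09:00:03.000", UPDATER, SENSOR, "0x1001"),
    _ev("2026-06-18 09:00:04.000", UPDATER, SENSOR, "0x1001"),
    _ev("2026-06-18 09:05:00.000", UPDATER, SENSOR, "0x1001"),
    _ev("2026-06-18 09:00:05.000", r"C:\Windows\explorer.exe", SENSOR, "0x1000"),
    _ev("2026-06-18 09:00:35.000", r"C:\Windows\explorer.exe", SENSOR, "0x1000"),
    _ev("2026-06-18 09:01:05.000", r"C:\Windows\explorer.exe", SENSOR, "0x1000"),
]


def find_periodic_killers(events, min_events=3, max_jitter=0.2):
    """Return (source, target, mean_gap_seconds) for each source that opens one
    target with PROCESS_TERMINATE at least min_events times at regular intervals."""
    by_pair = defaultdict(list)
    for ev in events:
        if int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
            by_pair[(ev["SourceImage"], ev["TargetImage"])].append(when)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Periodic killing shows as a low spread of gaps relative to their mean.
        if pstdev(gaps) <= max_jitter * mean(gaps):
            findings.append((src, dst, round(mean(gaps), 1)))
    return findings
```

On the constructed sample only the impostor binary is reported (a 30 s cadence against the sensor); the one-off updater accesses and the query-only Explorer handles are filtered out, which is what keeps this rule usable beside noisy legitimate tooling.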