Killing me gently: Inside Gentlemen’s EDR killer framework

What Happened

The Gentlemen ransomware gang has developed a specialized toolkit called GentleKiller that they share with their partners to disable security software on victim computers. Organizations worldwide, particularly those with misconfigured FortiGate firewalls, are targeted, with the gang notably avoiding a US-centric focus. This toolkit allows attackers to easily bypass over 400 different antivirus and security products by exploiting vulnerable system files, clearing the way for ransomware deployment and password theft. Defenders should ensure firewalls are properly configured, monitor for unusual attempts to disable security software, and block known vulnerable drivers from loading on their systems.

Key Takeaways

• Gentlemen ransomware operators provide a centralized, in-house EDR killer suite called GentleKiller directly to their affiliates.
• GentleKiller leverages Bring Your Own Vulnerable Driver (BYOVD) techniques, rapidly weaponizing newly disclosed vulnerable drivers within days.
• The gang standardizes evasion across their tools using fake vendor names, invalid signatures, and packers like Enigma or Themida.
• Gentlemen targets a globally distributed set of victims, notably avoiding a US-centric focus, often exploiting FortiGate misconfigurations for initial access.
• Affiliates also utilize a Rust-based credential stealer named OxideHarvest (buildx641) to extract browser data.

Affected Systems

• Windows endpoints with EDR/AV solutions installed (over 48 products targeted)
• FortiGate appliances (targeted for initial access due to misconfigurations)

Attack Chain

The attack begins with initial access, often exploiting misconfigured FortiGate appliances. Once inside, affiliates deploy the GentleKiller framework (or third-party tools like HexKiller) from a staging directory named 'GentlemenCollection'. These tools use BYOVD techniques to load vulnerable drivers, which then terminate over 400 security-related processes to impair defenses. Following EDR evasion, affiliates use the OxideHarvest credential stealer to extract browser credentials before finally deploying the Gentlemen ransomware payload for double extortion.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but offers extensive behavioral indicators, targeted process lists, and file hashes for custom rule creation.

Detection Engineering Assessment

EDR Visibility: Medium — EDR solutions may detect the initial dropping of the vulnerable driver or the service creation, but if the BYOVD attack is successful, the EDR agent will be forcefully terminated, blinding further telemetry. Network Visibility: Low — The EDR killer and credential stealer operate primarily locally on the endpoint. Network visibility is only relevant for the initial FortiGate exploitation or subsequent C2/exfiltration, which are not detailed in this report. Detection Difficulty: Moderate — Detecting the staging directory or known vulnerable driver hashes is straightforward, but the rapid rotation of BYOVD payloads requires behavioral heuristics (e.g., unexpected service creation followed by security process termination) rather than relying solely on static signatures.

Required Log Sources

• Event ID 7045 (Service Creation)
• Event ID 4688 (Process Creation)
• Sysmon Event 11 (File Create)
• Sysmon Event 6 (Driver Loaded)

Hunting Hypotheses

Control Gaps

• Lack of strict Driver Signature Enforcement or blocklisting of known vulnerable drivers (WDAC/HVCI)
• Inadequate protection against unauthorized service creation by local administrators

Key Behavioral Indicators

• Executables with fake vendor names (e.g., Kasps.exe, FaceIT1.exe) dropping .sys files
• Invalid digital signatures on files masquerading as security products
• Staging directory named 'GentlemenCollection'

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider adding the provided SHA-1 hashes and driver filenames to your EDR and AV blocklists.
• Evaluate whether your FortiGate appliances are fully patched and securely configured, as they are a primary initial access vector for this group.

Infrastructure Hardening

• If supported by your environment, consider implementing Microsoft's Vulnerable Driver Blocklist or using Windows Defender Application Control (WDAC) to block known vulnerable drivers.
• Evaluate restricting the 'Load and unload device drivers' user right (SeLoadDriverPrivilege) to only strictly necessary administrative accounts.

User Protection

• Consider enforcing Tamper Protection features within your EDR/AV solutions to prevent unauthorized termination of security processes.

Security Awareness

• Consider educating administrative staff on the risks of BYOVD attacks and the importance of monitoring for unexpected driver loads.

MITRE ATT&CK Mapping

• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1106 - Native API
• T1543.003 - Create or Modify System Process: Windows Service
• T1036 - Masquerading
• T1036.001 - Masquerading: Invalid Code Signature
• T1027 - Obfuscated Files or Information
• T1685 - Disable or Modify Tools

Additional IOCs

• File Hashes:
  • BA914FE77B177B45799403B16DD14765C510A074 (SHA1) - eb.sys (Custom rootkit)
  • D605994FC72A2BB59B5CFB1624A1B9170ECA73A2 (SHA1) - FaceIT1.exe (GentleKiller FACEIT variant)
  • B0B912A3FD1C05D72080848EC4C92880004021A1 (SHA1) - nseckrnl.sys (NSecsoft driver)
  • 5AA3124E5C4921E5EDFC60133B5D71DA21B07DA3 (SHA1) - Valorant2.exe (GentleKiller Valorant variant)
  • 7556AE58C215B8245A43F764F0676C7A8F0FDD1A (SHA1) - vgk.sys (Tower of Fantasy AntiCheat driver)
  • 331879F5EEC8892BBD896F90BDBB1BAD0BF63BD6 (SHA1) - EASolo2Light.exe (GentleKiller Javelin variant)
  • F11AEBCCB9A86A7E2E653F90BAEC697F233C255F (SHA1) - EASOLO1clear.exe (GentleKiller Javelin variant)
  • EF9CD06683159397F099CAA244E94E6EAAD96EBA (SHA1) - EAAntiCheatLight.exe (GentleKiller Javelin variant)
  • 711EF221526997039E804A18DB9647C91680BBE2 (SHA1) - stpm_old.sys (Safetica driver)
  • 68FEC379F2AE76C3D2CE913F7BE650CEA1D06990 (SHA1) - stpm_new.sys (Safetica driver)
  • A11EE9CDC59E5CAA59AEFD27B30D104F3AD68E62 (SHA1) - BitD1.exe (GentleKiller WatchDog variant)
  • 96F0DBF52AED0AFD43E44500116B04B674F7358E (SHA1) - dmx.sys (Zemana WatchDog driver)
  • 2F86898528C6CAB3540C486A9BFAA0C029B73950 (SHA1) - MB2.exe (GentleKiller Network Blocker variant)
  • 9AD51AD97C01E97AB59214116740785E0F6320A8 (SHA1) - 360netmon_wfp.sys (360netmon driver)
  • A19117175DBC9BA4D23B5DCE8415E299A2E32192 (SHA1) - Deletor.exe (GentleKiller Cleaner variant)
  • 12500F6C87CE62712A0ED6652C57468D15C14223 (SHA1) - IMFForceDelete (IObit driver)
  • D29670E684E40DDC89B47010C37CBC96737035B6 (SHA1) - Symantec.exe (GentleKiller G11 variant)
  • 56BEE9DF5833A637F5C54D5911DF98B0812FE643 (SHA1) - G11.sys (PoisonX rootkit)
  • CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01 (SHA1) - Avast.exe (HexKiller)
  • EC296F9501AD71E430810CB5CDC38D954D4BA536 (SHA1) - googleApiUtil64.sys (Baidu driver)
  • 7131B377E96016DC1911020C9F95B1B4D042D7B4 (SHA1) - Sent.exe (ThrottleBlood)
  • 82ED942A52CDCF120A8919730E00BA37619661A3 (SHA1) - ThrottleBlood.sys (ThrottleStop driver)
  • F0537CBB773AE12100B36731E7C39F5A9D852B14 (SHA1) - Sophos.exe (HavocKiller)
  • 1FA071303FB846308571E64727501FB98B1C2BE6 (SHA1) - havoc.sys (Huawei driver)
  • D4B19141102015D436321E6F26976E98183CFD27 (SHA1) - buildx64.exe (OxideHarvest stealer)
• Command Lines:
  • Purpose: Execution of the OxideHarvest credential stealer with arguments for target IPs and output files. | Tools: OxideHarvest, buildx641.exe | Stage: Credential Access | build.exe --ip-list