GoKawiilThe Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.
The gang is using a suite of EDR killers, the most frequently used being a custom tool that researchers named GentleKiller, which has at least eight variants impersonating various legitimate products.
An EDR killer is typically used to disable defenses in the early phases of an attack, and in ransomware incidents, they ensure that data theft or encryption processes run unencumbered.
These tools work by leveraging the 'bring your own vulnerable driver' (BYOVD) technique to elevate privileges and disable security engines.
According to ESET researchers, each GentleKiller variant uses different vulnerable drivers to achieve kernel-level privileges. However, they all share common strings, identical code obfuscation techniques, and similar process-killing logic and targeting scope.
The analysis of the variants indicates that the framework is designed to allow easy driver swaps or weaponization of newly disclosed flaws without requiring major code changes.
Variant names and drivers used
Source: ESET
ESET states that GentleKiller targets more than 400 processes associated with approximately 48 security vendors/products, such as Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, ESET, Bitdefender, McAfee/Trellix, and Kaspersky.
... continue reading