The Gentlemen and the Fight Against EDR: New Ransomware Trends 2026

Overview
The rise of the Ransomware-as-a-Service (RaaS) group The Gentlemen since mid-2025 marks a dangerous step forward in cybercriminal tradecraft. Its most notable feature is the development and integration of GentleKiller, a purpose-built framework that hunts and disables more than 400 security (EDR/XDR) processes using the Bring Your Own Vulnerable Driver (BYOVD) technique. Combined with SystemBC as an anonymizing proxy, The Gentlemen has shown that it can get through even well-defended enterprise environments. To cope, organizations need to shift focus immediately from relying on EDR alone to strictly controlling which kernel drivers are allowed to load on their systems.
In addition, the TheGentlemen ransomware group recently posted information about Ty Thac Co., Ltd. on its leak site, claiming to have breached the company and stolen its data. Ty Thac, also known as Yih Shuo Footwear, is a large footwear manufacturer headquartered in Dong Thap province, Vietnam, that produces and exports footwear and related components to international markets.
Identity Information & Activity
Name: The Gentlemen (also written TheGentlemen); its EDR-killer framework is tracked as GentleKiller
Operating model: Ransomware-as-a-Service (RaaS)
Time of appearance: mid-2025 (according to Check Point Research)
Activity level: highly active, one of the most active groups in Q1 2026.
Attribution: suspected to be a Russian-speaking group (based on RaaS activity patterns), but there is no official conclusion yet.
History and Characteristics of the Gentlemen Gang
Activity history
According to investigative reports from ESET and Check Point Research, The Gentlemen is believed to have appeared in mid-2025. Some intelligence sources indicate that the group has ties to members who were active in the Qilin ransomware ecosystem before splitting off to build their own RaaS program. From the outset, The Gentlemen chose a professional operating model with an attractive profit-sharing scheme to attract experienced affiliates.
In just a few months of operation, The Gentlemen quickly expanded and has listed more than 400 victims globally. Unlike many ransomware gangs that focus mainly on businesses in North America, The Gentlemen operates across many regions, including Europe, South America and Southeast Asia. The group is not tied to a single target market but pursues opportunities on a global scale.
Goals & Motives
Motive: purely financial, through the double-extortion model: data encryption combined with the threat of leaking sensitive information.
Big Game Hunting:
Targeting "rich" victims: the group does not attack indiscriminately but focuses on medium and large (enterprise-level) businesses and organizations. In particular, it tends to pick organizations that have invested heavily in expensive endpoint security (EDR/XDR). Successfully disabling those products with GentleKiller not only demonstrates technical capability but also puts enormous psychological pressure on victims to pay large ransoms.
Industry: as with other RaaS operations, victims often belong to sectors with low downtime tolerance such as healthcare, manufacturing, finance and critical infrastructure.
Dependence on IABs: in many cases the specific target is determined by what Initial Access Brokers (IABs) have for sale. Gentlemen affiliates buy access (usually VPN/RDP credentials) from IABs to conduct intrusions, so any organization whose credentials have leaked can become a target.
Profit model: a profit-sharing RaaS model in which affiliates (the operators who carry out the attacks) keep a large share of the ransom (usually 70-80%) and the remainder goes to the Gentlemen core team and the developers of the GentleKiller framework.
The Gentlemen's difference
What makes The Gentlemen stand out is not the ransomware itself but a "defense evasion first" strategy: disabling defensive systems before any destructive action is taken.
While many other ransomware groups still rely on public tools or on affiliates' personal skills to evade EDR, The Gentlemen have built their own tooling ecosystem, most notably the GentleKiller framework. This is a toolkit designed specifically to kill security processes, abuse vulnerable drivers via the BYOVD (Bring Your Own Vulnerable Driver) technique and disable EDR self-protection mechanisms.
Technical Highlights: GentleKiller Framework & SystemBC
Centralized EDR-killer suite
Unlike most RaaS operations, whose affiliates buy bypass tools ad hoc, The Gentlemen maintains a centralized, continuously updated EDR-killer suite and provides it to affiliates.
Core BYOVD technique: legitimately signed but vulnerable third-party drivers are used to defeat EDR drivers. The malware drops the driver to disk, registers it as a Windows service (which usually leaves a trace as System log Event ID 7045, service installation), then repeatedly talks to it via DeviceIoControl to issue process-termination (kill) commands. A distinctive feature is that GentleKiller runs in a loop, rescanning and killing its target processes every 2 seconds so that the EDR cannot respawn.
Scale and variants: ESET has documented at least eight GentleKiller variants. The tool targets more than 400 processes belonging to 48 security vendors (Microsoft Defender, CrowdStrike, SentinelOne, Kaspersky and others). The variants abuse drivers such as eb.sys (Kaspersky), nseckrnl.sys (FACEIT Anti-Cheat), GameDriverX64.sys (Valorant) and dmx.sys (Zemana).
Weaponization speed: an alarming trait of The Gentlemen is how quickly proof-of-concept source code is turned into operational tooling. Open-source tools such as UnknownKiller and PoisonKiller were integrated into the Gentlemen framework within days of being published on GitHub.
Third-party integration: the framework also bundles "standardized" tools from other groups (such as HexKiller, which abuses the Baidu driver googleApiUtil64.sys, ThrottleBlood and HavocKiller). Everything is packed and obfuscated with tools like Enigma or Themida, with PE metadata and digital signatures spoofed to resemble legitimate security software, to make life as hard as possible for analysts.
SystemBC and OxideHarvest working together
While GentleKiller clears the way at the endpoint level, The Gentlemen deploys other tools to consolidate control:
SystemBC: acts as a quiet RAT and SOCKS5 proxy. It encrypts and routes C2 traffic and hides data exfiltration and lateral movement inside the internal network, helping attackers evade network monitoring solutions (NDR/NTA).
OxideHarvest: a credential stealer written in Rust that extracts saved credentials from Chromium- and Gecko-based browsers on the victim machine, setting the stage for privilege escalation.
Real-World Campaign Analysis (DFIR Case Study)
According to Check Point Research's DFIR analysis, a typical Gentlemen intrusion follows a highly systematic kill chain:
Phase 1 - Initial Access & Recon: the attacker obtains initial access (usually via a compromised VPN account or access bought from an IAB). Once inside, they use OxideHarvest to dump passwords saved in the victim's browsers in order to escalate to local admin or domain admin.
Phase 2 - Persistence & C2: SystemBC is dropped and executed. It quickly establishes an encrypted SOCKS5 tunnel to the attacker's infrastructure. This phase is usually a quiet dwell period in which the attacker maps the whole network and steals important data before encryption.
Phase 3 - Defense Evasion: right before zero hour, the GentleKiller toolkit is launched with admin rights. At this point the SIEM/log pipeline typically records the installation of an unusual kernel-mode service (System log Event ID 7045) under a name mimicking a security tool; that is the vulnerable driver being registered. GentleKiller's 2-second loop then starts issuing kill commands through the driver, and dozens of "Service Stopped" or "Agent Offline" alerts appear in the EDR console before the host drops off entirely.
Phase 4 - Impact: once the defenses are blind and paralyzed, the ransomware payload is dropped. It deletes Volume Shadow Copies with vssadmin, encrypts data at high speed and leaves a ransom note.
Expert Commentary & Impact on Vietnam
The Gentlemen's model shows a worrying shift in the criminal underground: bundling "heavy weapons" such as EDR killers into RaaS programs is becoming the new norm. This lowers the technical bar for affiliates, letting them carry out complex attacks that previously only APT-level groups could.
Impact and risk assessment for Vietnam:
Dependence on vulnerable drivers: the Vietnamese market runs a lot of software from diverse vendors (including outdated software, game anti-cheat and system management tools that are not updated regularly). Drivers from Kaspersky, Qihoo 360 and game anti-cheat products are scattered across many servers and workstations in Vietnam. This is a gold mine for BYOVD abuse by groups like The Gentlemen.
"Blind" faith in EDR: in practice, many organizations, banks and corporations in Vietnam are overconfident in their investment in "top-tier" EDR. But EDR runs partly in user mode (ring 3) and partly in kernel mode (ring 0). Once an attacker holds local admin and loads a validly signed but vulnerable driver, they operate with the same kernel privilege as the EDR and are on equal footing with it. A multi-million-dollar EDR deployment can be blindfolded by a .sys file of a few dozen KB.
Risk of leaked VPN/RDP accounts (the IAB supply): recent incidents in Vietnam show that lax password practices, missing MFA and the use of cracked software have put large numbers of access credentials on black markets. This is the perfect input for groups like The Gentlemen to buy from IABs and turn into extortion.
In short, for Vietnamese businesses the defensive game is no longer about "whose EDR is better" but about who controls OS hardening better (especially preventing unauthorized driver loading) and manages user privileges more strictly.
MITRE ATT&CK techniques
| Tactic | Technique ID | Technique Name | Description in the Campaign |
|---|---|---|---|
| Initial Access | T1133, T1190 | External Remote Services; Exploit Public-Facing Application | Access acquired through compromised RDP/VPN credentials bought from Initial Access Brokers (IABs) or by exploiting vulnerabilities in public-facing systems. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell used to download payloads and automate execution. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | OxideHarvest dumps saved credentials from Chromium- and Gecko-based browsers. |
| Persistence / Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service | New Windows services created as SYSTEM to load the vulnerable kernel driver. |
| Defense Evasion | T1562.001, T1068 | Impair Defenses: Disable or Modify Tools; Exploitation for Privilege Escalation | Core capability of GentleKiller: BYOVD used to obtain ring 0 access and terminate or disable more than 400 AV/EDR processes. |
| Command and Control | T1090.003, T1573.001 | Proxy: Multi-hop Proxy; Encrypted Channel: Symmetric Cryptography | SystemBC deployed as a SOCKS5 proxy to encrypt and conceal traffic between infected hosts and the C2 infrastructure. |
| Impact | T1486, T1490 | Data Encrypted for Impact; Inhibit System Recovery | The ransomware payload encrypts data at scale and deletes Volume Shadow Copies (vssadmin) to prevent recovery. |
IOC
Malicious IP
91.107.247[.]163
45.86.230[.]112
SHA-256
YARA Rule
```yara
rule thegentlemen_ransomware
{
    meta:
        author = "@Tera0017/Check Point Research"
        description = "The Gentlemen Ransomware written in GO."
    strings:
        // Command-line option help text embedded in the Go binary
        $string1 = "Silent mode (don't rename files)" ascii
        $string2 = "Encrypt only mapped and UNC network shares" ascii
        // Ransom note, wallpaper and other embedded identifiers
        $string3 = "README-GENTLEMEN.txt" ascii
        $string4 = "gentlemen.bmp" ascii
        $string5 = "gentlemen_system" ascii
        // Console status messages printed during encryption
        $string6 = "[+] Encryption started. Going background..." ascii
        $string7 = "[+] FULL Encryption started" ascii
    condition:
        // PE (MZ) header and at least four of the strings above
        uint16(0) == 0x5A4D and 4 of them
}
```
Recommendations
Control and monitor kernel drivers
Enable the Microsoft Vulnerable Driver Blocklist across the entire Windows estate.
Use Windows Defender Application Control (WDAC) to control which drivers are allowed to load.
Monitor events related to:
Driver installation.
Driver loading.
Service creation.
Kernel module registration.
Build an allowlist of the drivers expected on your systems.
Block publicly known vulnerable drivers.
Monitor behavior, not just malware
Detect:
Mass process termination.
Abnormal operations on kernel objects.
Security services being stopped.
Deletion of EDR-related registry keys.
Unauthorized driver loading.
Unusual access to LSASS or security processes.
Implement:
Behavioral detection.
UEBA (User and Entity Behavior Analytics).
Periodic threat hunting.
Strengthen tamper protection
Enable Tamper Protection on the EDR.
Require a separate uninstall password for agent removal.
Apply MFA to EDR admin accounts.
Limit access to the admin console.
Protect privileged accounts
Deploy Privileged Access Management (PAM).
Enforce MFA.
Remove shared admin accounts.
Use separate accounts for administration and daily work.
Monitor logins from unusual devices or locations.
Enhance BYOVD detection
Key indicators:
Driver load events.
Sysmon Event ID 6 (DriverLoad).
Service creation: System log Event ID 7045.
Processes running as SYSTEM that are not part of the baseline.
Rare drivers appearing on endpoints.
Threat hunting
Hunt for:
A new driver loaded shortly before the EDR stops working.
The event sequence Driver Load → Process Kill → Ransomware Execution.
Signs of exploitation of drivers with known CVEs.
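The hunt this list calls for, and the Phase 3 to Phase 4 sequence in the DFIR case study above, as one added Python example. It is not code from ESET, Check Point Research or the Gentlemen tooling. It assumes log records have been flattened to (timestamp, channel, event ID, fields) tuples as a SIEM would present them; the service name WinDefendAssist, the driver path, the signer name and the timestamps in the sample are constructed, the security process names are real product processes but only a tiny subset of GentleKiller's list, and the recovery-inhibition patterns beyond vssadmin are an assumption drawn from general ransomware tradecraft rather than from this page.

```python
"""Hunt for the Driver Load -> EDR process kill -> recovery-inhibition chain
in flattened Windows/Sysmon events.  Added example for this page, not code
from ESET, Check Point Research or the Gentlemen tooling; the service name,
driver path, signer and timestamps in SAMPLE_EVENTS are constructed."""
import re
from collections import namedtuple
from datetime import datetime, timedelta
from statistics import median

Event = namedtuple("Event", "ts channel event_id data")  # one flattened record
# Real process names of a few EDR/AV products; the page says GentleKiller's
# list covers 400+ processes across 48 vendors, so extend from your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe",
                      "csfalconservice.exe", "avp.exe"}
# Constructed baseline of drivers expected on the host (normalized paths).
BASELINE_DRIVERS = {r"c:\windows\system32\drivers\wdfilter.sys",
                    r"c:\windows\system32\drivers\sentinelmonitor.sys"}
# vssadmin is the command the page names; the rest are assumed companions.
RECOVERY_INHIBITION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?.*recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE)

def normalize_path(path):
    """Map the path forms seen in 7045 and Sysmon 6 to one lower-case form."""
    p = path.strip().lower().replace("%systemroot%", r"c:\windows")
    if p.startswith("\\??\\"):      # NT object-manager prefix used in ImagePath
        p = p[4:]
    if p.startswith("system32\\"):  # 7045 often logs relative to %SystemRoot%
        p = "c:\\windows\\" + p
    return p

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, load_window=timedelta(seconds=30),
         kill_window=timedelta(minutes=10), min_kills=3):
    """One finding per non-baseline kernel-mode service install (Event 7045)
    followed by >= min_kills security-process terminations (Sysmon 5)."""
    events = sorted(events, key=lambda e: e.ts)
    sysmon = lambda e, eid: e.channel == "Sysmon" and e.event_id == eid
    findings = []
    for ev in events:
        if not (ev.channel == "System" and ev.event_id == 7045
                and "kernel" in ev.data.get("ServiceType", "").lower()):
            continue
        driver = normalize_path(ev.data["ImagePath"])
        if driver in BASELINE_DRIVERS:
            continue
        loads = [e for e in events if sysmon(e, 6)      # DriverLoad of same image
                 and ev.ts <= e.ts <= ev.ts + load_window
                 and normalize_path(e.data["ImageLoaded"]) == driver]
        kills = [e for e in events if sysmon(e, 5)      # ProcessTerminate
                 and ev.ts < e.ts <= ev.ts + kill_window
                 and basename(e.data["Image"]) in SECURITY_PROCESSES]
        if len(kills) < min_kills:
            continue
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(kills, kills[1:])]
        recovery = [e.data["CommandLine"] for e in events if sysmon(e, 1)
                    and e.ts > kills[-1].ts
                    and RECOVERY_INHIBITION.search(e.data.get("CommandLine", ""))]
        findings.append({
            "service_name": ev.data.get("ServiceName"), "driver": driver,
            "signature": loads[0].data.get("Signature") if loads else None,
            "security_kills": len(kills),
            "kill_cadence_s": median(gaps),   # ~2.0 for GentleKiller's loop
            "recovery_inhibition": recovery,
            "severity": "critical" if recovery else "high"})
    return findings

_t = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed
    # Benign: Defender's minifilter registered from the driver directory.
    Event(_t("2026-02-10T09:58:00"), "System", 7045,
          {"ServiceName": "WdFilter", "ServiceType": "kernel mode driver",
           "ImagePath": r"system32\DRIVERS\WdFilter.sys"}),
    # Kernel-mode service from a user-writable path, named like a security tool.
    Event(_t("2026-02-10T10:05:00"), "System", 7045,
          {"ServiceName": "WinDefendAssist", "ServiceType": "kernel mode driver",
           "ImagePath": "\\??\\C:\\ProgramData\\upd\\vuln.sys"}),
    # The driver loads; it is signed, so the signature alone proves nothing.
    Event(_t("2026-02-10T10:05:01"), "Sysmon", 6,
          {"ImageLoaded": r"C:\ProgramData\upd\vuln.sys", "Signed": "true",
           "Signature": "Example Vendor Ltd"}),
    # Security processes dying every 2 seconds; a respawned one is killed again.
    Event(_t("2026-02-10T10:05:02"), "Sysmon", 5, {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"}),
    Event(_t("2026-02-10T10:05:03"), "Sysmon", 5, {"Image": r"C:\Windows\System32\notepad.exe"}),  # noise
    Event(_t("2026-02-10T10:05:04"), "Sysmon", 5, {"Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"}),
    Event(_t("2026-02-10T10:05:06"), "Sysmon", 5, {"Image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"}),
    Event(_t("2026-02-10T10:05:08"), "Sysmon", 5, {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"}),
    # Impact stage: shadow copies deleted.
    Event(_t("2026-02-10T10:07:00"), "Sysmon", 1,
          {"Image": r"C:\Windows\System32\vssadmin.exe",
           "CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The logic keys on the three things the advisory calls out: a kernel-mode service (Event ID 7045) whose image is outside the driver baseline, corroborated by a Sysmon 6 load of the same file; a burst of security-process terminations (Sysmon 5) with a measurable cadence, where GentleKiller's 2-second loop shows up as a median gap of about 2 s and a re-killed process after respawn; and a recovery-inhibition command afterwards, which raises the severity. In production, run it over the window around each EDR "agent offline" alert rather than over the whole log stream, and grow the process list and baseline from your own inventory.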
Back up according to the 3-2-1 rule
No defensive measure guarantees absolute safety.
Therefore:
3 copies of the data.
2 different types of storage media.
1 offline or immutable copy.
Test periodically:
Data recovery capability.
Recovery time objective (RTO).
Acceptable data loss (RPO).
References
Killing me gently: Inside Gentlemen’s EDR killer framework
Gentlemen ransomware uses multiple EDR killers to disable defenses