Gentlemen ransomware gang supplies EDR killers to affiliates
Tue, 23rd Jun 2026
ESET has identified the Gentlemen ransomware gang as the developer and maintainer of a set of tools designed to disable endpoint security software, which it supplies directly to affiliates.
The findings point to a more organised model within the ransomware-as-a-service market, in which operators provide not only encryption malware but also software intended to weaken a victim's defences before an attack begins.
According to ESET, Gentlemen emerged in late 2025 and became one of the more active ransomware groups in the first quarter of 2026. The group uses a double-extortion model, encrypting data and threatening to publish stolen material if victims do not pay.
Researchers said Gentlemen differs from many rival groups by not leaving affiliates to find their own tools for defeating security products. Instead, its operators build and update a portfolio of so-called EDR killers used to disrupt endpoint detection and response software on compromised systems.
Tool framework
At the core of that portfolio is an in-house framework ESET calls GentleKiller. Researchers have identified at least eight variants, each designed to imitate a different legitimate security product while using a different vulnerable or malicious driver.
Despite surface differences, the variants share internal characteristics. Researchers said they use a common defence-evasion approach that includes fake version information, along with copied certificates and icons from legitimate security vendors.
The aim is to make the malicious tools appear trustworthy to both security systems and users. ESET said the evasion techniques are applied to compiled samples rather than source code, allowing the group to protect the tools even when it does not hold the original code.
Gentlemen also integrates third-party or leaked tools into its operations, including HexKiller, ThrottleBlood and HavocKiller. Those tools are folded into the same broader evasion approach used across the group's own software.
Some GentleKiller variants appeared only hours after proof-of-concept techniques involving vulnerable drivers became public. Researchers said that shows the group can move quickly when new methods for bypassing security products are disclosed.
Global spread
ESET said Gentlemen's victim base is geographically broad and differs from the pattern usually seen among major ransomware gangs. Many large operations are heavily focused on the United States, but Gentlemen does not appear to follow that trend.
Instead, a significant share of observed victims were in Southeast Asia, South America and Western Europe. ESET highlighted Thailand, Brazil and France among the affected countries.
That pattern may reflect affiliate choices as much as direction from the group's operators. Even so, ESET said the lack of a strong US focus makes Gentlemen stand out among the most active ransomware operations.
The research also drew on an internal data leak the group suffered in May. That material helped confirm ESET's earlier assessment that Gentlemen's operators were directly involved in developing and maintaining EDR-killing tools for affiliates.
"While there have been multiple reports covering Gentlemen in recent months, they have not focused on a detailed analysis of the group's EDR killers. Thanks to ESET's continued incident-level visibility, we can provide a uniquely deep view into Gentlemen's EDR-killer development practices. The internal data leak that Gentlemen suffered in May 2026 gave us more insight into the inner workings of the group," said Jakub Souček, ESET researcher.
"The leak also allowed us to confirm the hypothesis we formed in February 2026: that Gentlemen operators actively develop and maintain a portfolio of EDR killers that they offer to affiliates, centered around their in-house framework, which we have named GentleKiller," Souček said.
Affiliate model
ESET said Gentlemen offers affiliates a 90% share of ransom proceeds, a structure that may help explain its rapid growth. In the ransomware-as-a-service model, operators maintain core infrastructure and malware, while affiliates carry out intrusions and deploy attacks.
The addition of operator-maintained security-disabling tools suggests a broader support package for affiliates than is commonly discussed in reporting on ransomware groups. It also points to a market in which operators seek to reduce friction for partners by supplying more of the software needed to complete an attack.
Aside from the EDR killers, ESET also identified a credential stealer called OxideHarvest, which it attributed to one of Gentlemen's affiliates. The presence of a separate tool for harvesting credentials suggests affiliates may combine operator-supplied software with their own utilities during intrusions.
For defenders, the significance lies less in any single variant than in the repeatable framework behind them. ESET said the shared features across GentleKiller samples could help security teams identify and respond to future versions that have not yet been seen.
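One way to put those shared traits to work on the defender's side, as an added example that is not ESET's code or anything recovered from the group: a Python triage of Sysmon driver-load events (Event ID 6) that flags the characteristics the article attributes to GentleKiller-style tooling, namely a driver loaded from outside the normal driver directories, a signature that is absent or does not verify, a signer that borrows a security vendor's name when no such product is deployed on the host, and a hash that matches a vulnerable-driver blocklist (the vulnerable-driver angle from the "Tool framework" section). The log records, hashes, the "DemoGuard" vendor and the host's product inventory are all constructed for the example; the blocklist set is a placeholder to be replaced with a real one.

```python
"""Triage Sysmon Event ID 6 (driver loaded) records for traits associated with
EDR-killer tooling: non-standard load path, missing/invalid signature, a signer
impersonating a security vendor that is not installed, and a blocklisted hash.
All sample events, hashes and vendor inventories below are constructed."""

from dataclasses import dataclass, field

# Vendor names a spoofed signer might borrow. "demoguard" is a constructed stand-in.
SECURITY_VENDORS = {"eset", "crowdstrike", "sentinelone", "sophos", "demoguard"}

# Placeholder hashes; replace with a real vulnerable-driver blocklist in production.
PLACEHOLDER_VULN_HASH = "SHA256=" + "11" * 32      # constructed, not a real driver hash
PLACEHOLDER_BENIGN_HASH = "SHA256=" + "22" * 32    # constructed
PLACEHOLDER_SPOOF_HASH = "SHA256=" + "33" * 32     # constructed
VULNERABLE_DRIVER_HASHES = {PLACEHOLDER_VULN_HASH}

# Directories from which legitimately installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")

# Constructed Sysmon Event ID 6 message bodies, one record per blank-line-separated block.
SAMPLE_LOG = rf"""
Driver loaded:
RuleName: -
UtcTime: 2026-06-22 10:15:03.123
ImageLoaded: C:\Windows\System32\drivers\WdFilter.sys
Hashes: {PLACEHOLDER_BENIGN_HASH}
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2026-06-22 10:17:41.908
ImageLoaded: C:\ProgramData\DemoGuard\dgscan.sys
Hashes: {PLACEHOLDER_SPOOF_HASH}
Signed: true
Signature: DemoGuard Endpoint Security
SignatureStatus: Unavailable

Driver loaded:
RuleName: -
UtcTime: 2026-06-22 10:18:02.004
ImageLoaded: C:\Users\Public\legacydiag.sys
Hashes: {PLACEHOLDER_VULN_HASH}
Signed: false
Signature: -
SignatureStatus: Unavailable
"""


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    hashes: str
    signed: bool
    signature: str
    status: str
    findings: list = field(default_factory=list)


def parse_sysmon_events(text: str) -> list[DriverLoad]:
    """Parse 'Key: Value' lines of Sysmon driver-load records into DriverLoad objects."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue  # skip malformed lines
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        if "ImageLoaded" not in fields:
            continue  # not a driver-load record
        events.append(DriverLoad(
            utc_time=fields.get("UtcTime", ""),
            image=fields["ImageLoaded"],
            hashes=fields.get("Hashes", ""),
            signed=fields.get("Signed", "false").lower() == "true",
            signature=fields.get("Signature", "-"),
            status=fields.get("SignatureStatus", "-"),
        ))
    return events


def triage(event: DriverLoad, installed_vendors: set[str]) -> list[str]:
    """Return the suspicious traits of one driver load; an empty list means nothing flagged."""
    findings = []
    if not event.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(f"driver loaded from non-standard path: {event.image}")
    if not event.signed or event.status.lower() != "valid":
        findings.append(f"signature absent or not valid (status={event.status})")
    claimed = {v for v in SECURITY_VENDORS if v in event.signature.lower()}
    if claimed and not (claimed & installed_vendors):
        findings.append(f"signer claims security vendor {sorted(claimed)} not deployed on this host")
    if any(h.strip() in VULNERABLE_DRIVER_HASHES for h in event.hashes.split(",")):
        findings.append("hash matches vulnerable-driver blocklist (BYOVD candidate)")
    event.findings = findings
    return findings


def triage_log(text: str, installed_vendors: set[str]) -> dict[str, list[str]]:
    """Map each loaded driver path to its findings for a host with the given security vendors."""
    return {ev.image: triage(ev, installed_vendors) for ev in parse_sysmon_events(text)}


if __name__ == "__main__":
    # The constructed host runs ESET only, so a DemoGuard-signed driver is out of place.
    for image, findings in triage_log(SAMPLE_LOG, {"eset"}).items():
        print(("FLAG " if findings else "ok   ") + image)
        for f in findings:
            print("       - " + f)
```

The vendor check is deliberately tied to the host's own inventory: a driver signed with a security vendor's name is unremarkable where that product is installed and suspicious where it is not, which is exactly the mismatch that copied certificates and icons are meant to hide. The path and signature-status checks catch the case where the borrowed certificate does not actually verify.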
"From a defense perspective, understanding how GentleKiller works allows defenders to better design their defensive strategies and defend even against yet-to-be-developed additions to Gentlemen's EDR-killing arsenal," said Souček.