TL;DR
- The Gentlemen (operators tracked by Microsoft as Storm-2697) is a Russian-speaking, financially motivated ransomware-as-a-service operation that emerged mid-2025 from a Qilin affiliate split; its distinguishing feature is that operators centrally build, maintain, and distribute a full EDR-killer suite anchored by the in-house GentleKiller framework (8+ BYOVD variants) directly to affiliates, lowering the bar for affiliate-led intrusions.
- GentleKiller and its companion third-party killers (HexKiller, ThrottleBlood, HavocKiller) all work via Bring Your Own Vulnerable Driver (BYOVD): drop a signed-but-vulnerable kernel driver, load it as a service, then send IOCTLs to terminate 400+ security processes mapped to 48 vendors, defeating user-mode tamper protection from Ring 0. The single best detection surface is kernel driver-load telemetry (Sysmon Event ID 6 / Event ID 7045 service install) plus the GentlemenCollection staging directory.
- FortiGate edge compromise (CVE-2024-55591) is the group's primary initial-access vector, but the June 2026 "FortiBleed" leak is NOT confirmed to be a Gentlemen operation -- it is attributed to a separate Russian-speaking initial-access broker. Treat the relationship as a supply-chain/thematic overlap only.
Key Findings
Attribution and lineage. The Gentlemen is run by a Russian-speaking actor using the aliases hastalamuerte and zeta88, identified by Brian Krebs (June 10, 2026) as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia. Before launching The Gentlemen, hastalamuerte ran a high-volume Qilin affiliate crew known as ArmCorp. A July 2025 RAMP-forum payment dispute (~$48,000 in unpaid commission) formalized the split; a Gentlemen sample with an embedded leak-site URL was uploaded to VirusTotal on July 17, 2025, five days before the public dispute, showing the brand was already in development. PRODAFT reported (Oct 17, 2025) that the operators were previously affiliated with Qilin, Embargo, LockBit, Medusa, and BlackLock. Microsoft tracks the operators as Storm-2697.
Business model. Classic RaaS with an unusually generous 90% affiliate / 10% operator split. This is a deliberate recruiting weapon: per Halcyon, the 90% share is "among the highest in the current underground market," noting that "most RaaS programs offer affiliates between 70% and 80% of ransom proceeds, with only RansomHub previously matching The Gentlemen's 90/10 split." Double extortion (encrypt + leak via Tor DLS and a branded social-media account). The group explicitly prohibits targeting Russia/CIS, consistent with Russian-speaking eCrime norms.
Scale and velocity. One of the fastest-scaling RaaS operations on record. Halcyon's Ransomware Research Center assessed the group "has claimed nearly 300 victims across 66 countries since mid-2025, scaling faster than any group on record." Trajectory: ~48 victims by October 2025, ~130 by early February 2026, 320+ by April 2026, and 478 claimed by mid-June 2026. Per Check Point, the 320+ claim by April made it "the #2 most active ransomware group by victim count so far this year." NCC Group's April 2026 data (via Computer Weekly) corroborates: Gentlemen ranked 2nd with 73 attacks (10%) versus Qilin's 107 (14%); NCC separately counted 48 Gentlemen attacks in January, with other reporting showing the count rising month-over-month. NTT, reported by IT Pro, assessed that The Gentlemen "has become one of the most active ransomware operators, accounting for 10% of all attacks and second only to the notorious Qilin."
Victimology. Notably not US-centric. Per ESET (via TechTimes, June 19, 2026): "Unlike most large ransomware operations -- which draw roughly half their victims from the United States -- Gentlemen's US concentration sits at approximately 13 percent." Heavy targeting across Southeast Asia, South America, and Western Europe; SOCRadar notes "significant victim concentrations in Thailand, the United Kingdom, Brazil, Germany, and India." ESET found victims are selected primarily based on FortiGate (mis)configuration rather than geography. Sectors hit include manufacturing, technology, healthcare, financial services, construction, insurance, energy, government, and education, with no restraint toward hospitals/critical infrastructure. Notable victims: Romania's Oltenia Energy Complex (Complexul Energetic Oltenia, Dec 26, 2025), Mackay Sugar (June 2026, forced physical mill shutdown), and the Adaptavist Group.
The EDR-killer suite. This is the group's signature differentiator. ESET (June 18, 2026 report, authored by Jakub Souček) confirmed, via a May 2026 internal data leak in which zeta88 openly discusses maintaining EDR-killer packages, that Gentlemen operators develop/maintain the suite and offer it to vetted affiliates. This is a rare operator-managed model (RansomHub's EDRKillShifter is the main precedent, but Gentlemen maintains a diverse portfolio rather than one tool).
Details
1. Threat Actor Profile
- Type: Cybercriminal RaaS operation (not nation-state), approximately 20 members per Group-IB. Centrally operated locker, panel, negotiation platform, and tooling; affiliates conduct intrusions and exfiltration.
- Encryptors: Go-based cross-platform locker (Windows, Linux, NAS, BSD) obfuscated with Garble, plus a dedicated C-based ESXi locker. Per-file hybrid crypto: X25519/Curve25519 key exchange + XChaCha20 stream cipher, per-file ephemeral keys. Hardcoded extension .axfsmg; ransom note README-GENTLEMEN.txt; group marker string GENTLEMEN. Operator password gate (e.g., G7Vz9eyG) required to run -- it is an execution gate, NOT the encryption key. Speed modes encrypt 0.3 to 3% of large files; --wipe overwrites free space; --spread turns the encryptor into a self-propagating worm that enumerates AD computers and attempts ~21 lateral-execution techniques per host.
- AI assistance: Krebs and Check Point report that the panel and tooling were built with AI coding assistants.
- Internal leak (May 2026): On May 4, 2026 the admin acknowledged a backend database compromise; data was briefly sold for $10,000 BTC then dumped publicly, exposing 9 internal accounts (zeta88, qbit, quant, Kunder, JeLLy, Protagor, Bl0ck, Wick, donpakto, mAst3r) and the group's FortiGate access dashboard, TTPs, and EDR-killer discussions.
2. EDR-Killer Framework -- Technical Deep Dive
Architecture: A suite, not a single tool. The centerpiece is GentleKiller (ESET's name), an in-house framework with at least 8 variants. All variants share a common code template: consistent strings, identical code obfuscation, a process-termination loop (scanning/killing every ~2 seconds), and a shared target list of 400+ processes mapped to 48 security products (Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto/Cortex, Trend Micro, ESET, Bitdefender, McAfee/Trellix, Kaspersky, Sangfor, Cybereason, Carbon Black, Elastic, Huntress, ThreatLocker, Sysmon, etc.). The framework is designed for rapid driver swaps: per ESET, "the UnknownKiller and PoisonKiller proof-of-concepts were both adopted within days of their public release," distinguishing Gentlemen from RaaS operators who "typically wait weeks or months."
GentleKiller variants and abused drivers:
| Variant | Filename(s) | Abused Driver | Notes |
|---|---|---|---|
| Kaspersky | Kasp<suffix>.exe | eb.sys | Custom rootkit (UnknownKiller PoC) |
| FACEIT Anti-Cheat | FaceIT<suffix>.exe | nseckrnl.sys | NSecsoft NSecKrnl |
| Valorant | Valorant<suffix>.exe | GameDriverX64.sys / vgk.sys | Anti-cheat driver (PerfectWorld/Tower of Fantasy in IOCs) |
| Javelin | EAAntiCheat<suffix>.exe, EASolo<suffix>.exe | stpm_old.sys / stpm_new.sys | Safetica Process Monitor driver |
| WatchDog | BitD<suffix>.exe | dmx.sys | Zemana WatchDog Antimalware driver (CVE-2022-42045) |
| Network Blocker | MB<suffix>.exe | 360netmon_wfp.sys | Qihoo 360 driver |
| Cleaner | Deletor.exe | IMFForceDelete | IObit IMF ForceDelete filter driver (CVE-2025-26125) |
| G11 | G11<suffix>.exe, Symantec<suffix>.exe | PoisonX (G11.sys) | Rootkit; also seen paired with hrwfpdrv.sys in non-Gentlemen intrusions |
Third-party EDR killers integrated into the suite:
- HexKiller (Avast<suffix>.exe) -- abuses googleApiUtil64.sys (Baidu Antivirus BdApi driver); previously assessed exclusive to the Warlock gang.
- ThrottleBlood (Sent<suffix>.exe) -- abuses ThrottleBlood.sys / ThrottleStop.sys (TechPowerUp); seen in MedusaLocker and DragonForce intrusions; linked to Gentlemen by Trend Micro (Sept 2025).
- HavocKiller (HwAudKiller.exe, Sophos<suffix>.exe) -- abuses havoc.sys (Huawei audio driver HWAudioOs2Ec.sys, signed by Huawei Device Co.); publicly disclosed by Huntress March 19, 2026 but in real-world use since at least Jan 23, 2026.
Mechanics (how it disables EDR): All are BYOVD. The flow: gain local admin, drop a signed-but-vulnerable .sys to disk (often %TEMP%), register/load as a kernel service via sc create … type=kernel / sc start or NtLoadDriver, open a handle to the driver's device (e.g., \\.\HWAudioX64), then send a crafted IOCTL with the target PID. The vulnerable driver invokes ZwOpenProcess (PROCESS_ALL_ACCESS) + ZwTerminateProcess from kernel mode with no validation, terminating even PPL/tamper-protected security processes that resist user-mode kills. HavocKiller's IOCTL is 0x2248DC with a 4-byte PID buffer. Because the driver carries a valid signature, Driver Signature Enforcement loads it without complaint. (Related public BYOVD tooling such as RealBlindingEDR additionally strips kernel callbacks -- ObRegisterCallbacks, PsSetCreateProcessNotifyRoutine, minifilter callbacks -- to blind rather than kill; GentleKiller's documented behavior is loop-based process termination rather than callback stripping.)
Anti-analysis / evasion layer (standardized across the whole suite): Applied at the compiled-binary level (so it can be bolted onto tools they don't have source for): commercial packers Enigma or Themida; filenames impersonating security vendors; fabricated version info, copied (invalid) digital signatures from legitimate executables, and matching icons. ESET's suffix scheme: 1 = Enigma + fake sig + fake version; 2 = Themida + fake sig + fake version; Light = no packer but fake sig/version; Clear = none. Staging directory: GentlemenCollection.
Companion credential stealer: OxideHarvest (Rust; ESET name), maintained by affiliate quant as buildx641/buildx64. Command-line stealer (-i hosts, -u user, -p pass, -t threads, -o output) targeting Chromium and Gecko browser credential stores; multithreaded remote login + credential exfiltration.
3. Kill Chain and Attack Flow
- Initial access: FortiGate edge exploitation via CVE-2024-55591 (FortiOS/FortiProxy auth bypass, CWE-288, CVSS 9.6 to 9.8; Node.js WebSocket getAdminSession() fails to validate local_access_token on /ws/cli/, granting unauth super-admin) -- referenced 81 times in leaked chats as their primary way in. Also: brute-forced/stolen VPN creds, infostealer logs (sourced via Snusbase), internet-facing RDP, SSL VPN, and remote-management tools. The group actively tracks CVE-2025-32433 (Erlang/OTP SSH, Cisco context) and CVE-2025-33073 (NTLM relay, operationalized via RelayKing/ntlmrelayx). Also patches noted for Veeam (CVE-2023-27532) and VMware ESXi (CVE-2024-37085).
- Recon/validation: From a foothold (often the firewall is AD-integrated), reach a Domain Controller with Domain Admin; systematic credential validation, AD enumeration (Advanced IP Scanner, Nmap), targeting Domain/Enterprise Admins.
- Privilege escalation: PowerRun.exe (UAC bypass / SYSTEM), plus the BYOVD drivers for kernel-level operations (T1068).
- Defense evasion (where the EDR killer lands, pre-encryption): GentleKiller/suite deployed from GentlemenCollection. PowerShell to disable Defender real-time monitoring (Set-MpPreference -DisableRealtimeMonitoring $true), add process/path exclusions (Add-MpPreference -ExclusionProcess, -ExclusionPath C:\), disable firewall, enable SMB1, loosen LSA anonymous-access (RestrictSendingNTLMTraffic=0, DisableRestrictedAdmin=0), lower RDP SecurityLayer. Delete shadow copies (vssadmin/wmic), clear System/Application/Security logs (wevtutil cl), delete Prefetch, Defender support logs, RDP logs, and PowerShell history.
- C2 and lateral movement: SystemBC (SOCKS5, custom RC4-encrypted protocol) + Cobalt Strike; Mimikatz/comsvcs.dll for credential theft; PsExec, WMI, WinRM, scheduled tasks, services, PuTTY/SSH; AnyDesk + RDP for persistence. A newer custom C2 named G-BOT is reportedly replacing Cobalt Strike (moderate confidence). Huntress observed SystemBC beaconing to 193.233.202[.]17:44729.
- Impact: GPO weaponization -- copy locker to NETLOGON share, create malicious GPO with immediate scheduled task, force policy refresh, then near-simultaneous domain-wide encryption within minutes. Or the --spread worm mode. Exfiltration (hundreds of GB to multiple TB) via WinSCP before encryption; double extortion.
4. FortiBleed Connection -- Clarified
FortiBleed is NOT a confirmed Gentlemen operation. Disclosed June 17-18, 2026 by Bob Diachenko (SecurityDiscovery) and Hudson Rock, FortiBleed is a dataset of credentials for 73,932 FortiGate firewall/SSL-VPN URLs across 194 countries (~21,632 unique domains), with broader figures climbing to ~86,000 devices. Kevin Beaumont independently confirmed the data is genuine and recent; the affected IPs differ from the January 2025 Belsen Group leak (~15,000 devices).
- It is not a single CVE/zero-day. Fortinet PSIRT (Carl Windsor, June 19, 2026) states it is credential reuse + brute force: "This is not a new Fortinet vulnerability, and this activity is not related to any recent incident or advisory." The underlying config theft is tied to older flaws including CVE-2022-40684, CVE-2023-27997 (XORtigate), CVE-2024-55591, and the FortiCloud SSO trio CVE-2026-24858 / CVE-2025-59718 / CVE-2025-59719, compounded by a FortiOS weakness where upgrading does not re-hash legacy SHA-256 admin passwords (PBKDF2 introduced in 7.2.11/7.4.8/7.6.1) until an admin re-authenticates, leaving crackable hashes.
- Attribution: A separate, unnamed Russian-speaking multi-operator initial-access broker (forum alias "SantaAd" per SpyCloud; Arctic Wolf assesses Russian-speaking with only low confidence and explicitly declines to name an actor). Attackers ran ~1.16B credential attempts vs. 320,777 FortiGate targets and 2.1B vs. 163,650 MSSQL systems, cracking SSL-VPN hashes on a 45-GPU Hashtopolis cluster. Recorded Future/Insikt linked IP 85.11.187.8 to FortiBleed infrastructure. No ransomware group has claimed FortiBleed.
- Relationship to Gentlemen: Circumstantial/supply-chain only. Both are Russian-speaking and FortiGate-centric, and FortiBleed-type access is exactly what RaaS affiliates buy, but no source documents a transaction, shared operator, or shared infrastructure. Critically, The Gentlemen maintains its own separate FortiGate stockpile. Per ESET, "the operators maintain a curated database of approximately 14,700 already-compromised FortiGate devices, allowing affiliates to skip reconnaissance and gain immediate network access," plus ~969 validated brute-forced VPN credentials (operator qbit's dashboard, surfaced in the May 2026 internal leak), which is distinct from the FortiBleed dataset. The ESET finding that Gentlemen selects victims by FortiGate configuration is what makes FortiBleed operationally relevant to defenders, not evidence of common identity. The "SantaAd"/"SantaMuerte" alias resemblance is unverified and likely coincidental.
5. Indicators of Compromise (selected, from ESET/Check Point/Huntress)
EDR-killer and driver files (SHA-1, ESET):
- Kasps.exe 8AE6BD18B129061F63642531F1B684CF0383C75D (GentleKiller Kaspersky)
- eb.sys BA914FE77B177B45799403B16DD14765C510A074 (rootkit)
- FaceIT1.exe D605994FC72A2BB59B5CFB1624A1B9170ECA73A2
- nseckrnl.sys B0B912A3FD1C05D72080848EC4C92880004021A1
- Valorant2.exe 5AA3124E5C4921E5EDFC60133B5D71DA21B07DA3
- vgk.sys 7556AE58C215B8245A43F764F0676C7A8F0FDD1A
- stpm_old.sys 711EF221526997039E804A18DB9647C91680BBE2
- stpm_new.sys 68FEC379F2AE76C3D2CE913F7BE650CEA1D06990
- BitD1.exe A11EE9CDC59E5CAA59AEFD27B30D104F3AD68E62
- dmx.sys 96F0DBF52AED0AFD43E44500116B04B674F7358E (Zemana WatchDog)
- MB2.exe 2F86898528C6CAB3540C486A9BFAA0C029B73950
- 360netmon_wfp.sys 9AD51AD97C01E97AB59214116740785E0F6320A8
- Deletor.exe A19117175DBC9BA4D23B5DCE8415E299A2E32192
- IMFForceDelete 12500F6C87CE62712A0ED6652C57468D15C14223
- Symantec.exe D29670E684E40DDC89B47010C37CBC96737035B6 (G11)
- G11.sys 56BEE9DF5833A637F5C54D5911DF98B0812FE643 (PoisonX)
- Avast.exe CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01 (HexKiller)
- googleApiUtil64.sys EC296F9501AD71E430810CB5CDC38D954D4BA536 (Baidu)
- Sent.exe 7131B377E96016DC1911020C9F95B1B4D042D7B4 (ThrottleBlood)
- ThrottleBlood.sys 82ED942A52CDCF120A8919730E00BA37619661A3
- Sophos.exe F0537CBB773AE12100B36731E7C39F5A9D852B14 (HavocKiller)
- havoc.sys 1FA071303FB846308571E64727501FB98B1C2BE6 (Huawei)
- buildx641.exe A5CF917EC4A7DFBDFA43621398604805D860C718 (OxideHarvest)
- buildx64.exe D4B19141102015D436321E6F26976E98183CFD27 (OxideHarvest)
Encryptor (SHA-256): earliest sample 51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2 (July 17, 2025); Check Point IOCs 025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a, 3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235.
Network: SystemBC SOCKS5 C2 193.233.202[.]17:44729, prior 77.110.122[.]137:37182; Check Point DFIR 45.86.230[.]112, 91.107.247[.]163. FortiBleed (separate): 85.11.187.8.
Host artifacts: staging dir GentlemenCollection; SystemBC binary svchost32.exe in C:\Windows\Temp; scheduled tasks WindowsConnSvc (2-min interval, SYSTEM); kernel services named Havoc; ransom note README-GENTLEMEN.txt; extension .axfsmg; downloaded nmap-7.97-setup.exe under a fortigate user profile.
6. MITRE ATT&CK Mapping (v19)
- Initial Access: T1190 Exploit Public-Facing Application (CVE-2024-55591, CVE-2025-32433); T1133 External Remote Services (SSL VPN/RDP); T1078 Valid Accounts (brute-forced/stealer creds).
- Execution: T1059.001 PowerShell; T1059.003 Windows Command Shell; T1106 Native API (DeviceIoControl/IOCTL); T1047 WMI; T1053.005 Scheduled Task.
- Persistence: T1543.003 Create/Modify System Service (vulnerable driver loaded as service; AnyDesk service); T1547 Boot/Logon Autostart.
- Privilege Escalation: T1068 Exploitation for Priv Esc (BYOVD kernel access); T1548 Abuse Elevation (PowerRun UAC bypass).
- Defense Evasion: T1562.001 Impair Defenses: Disable/Modify Tools (EDR killers, Defender disable) and T1685 Disable or Modify Tools (ESET's mapping); T1014 Rootkit; T1574 Hijack Execution Flow; T1036 / T1036.001 Masquerading + Invalid Code Signature; T1027 Obfuscated Files (Enigma/Themida); T1070.001 Clear Windows Event Logs; T1070.003 Clear Command History; T1112 Modify Registry; T1484.001 GPO Modification; T1564 Hide Artifacts.
- Credential Access: T1003.001 LSASS Memory (Mimikatz/comsvcs.dll); T1557.001 LLMNR/NBT-NS/NTLM relay; T1555.003 Credentials from Web Browsers (OxideHarvest).
- Discovery: T1046 Network Service Discovery; T1018 Remote System Discovery; T1087 Account Discovery.
- Lateral Movement: T1021.001 RDP; T1021.002 SMB/Admin Shares (PsExec); T1021.004 SSH; T1570 Lateral Tool Transfer.
- C2: T1090 Proxy (SystemBC SOCKS5); T1071 App-Layer Protocol; T1219 Remote Access Software (AnyDesk).
- Exfiltration: T1048 Exfil over Alternative Protocol (WinSCP).
- Impact: T1486 Data Encrypted for Impact; T1490 Inhibit System Recovery (shadow-copy deletion); T1489 Service Stop; T1561 Disk Wipe (--wipe).
7. Detection Opportunities
Highest-value telemetry -- kernel/driver layer (detect the load, not just the kill):
- Sysmon Event ID 6 (Driver Loaded) is the single most important BYOVD signal. Log all driver loads with hash + SignatureStatus, cross-reference against the LOLDrivers list and the specific Gentlemen-abused drivers (eb.sys, nseckrnl.sys, GameDriverX64/vgk.sys, stpm_old/new.sys, dmx.sys, 360netmon_wfp.sys, IMFForceDelete, PoisonX/G11.sys, googleApiUtil64.sys, ThrottleBlood.sys, havoc.sys). Critically filter on both Signature AND SignatureStatus to catch stolen/revoked certs. Alert on drivers loaded from non-standard paths (e.g., %TEMP%, C:\Users\Public).
- Windows System Event ID 7045 (Service Installed) for kernel-type service creation; Sysmon Event ID 1 for sc.exe create … type=kernel command lines.
- Splunk ESCU analytics "Windows Vulnerable Driver Loaded" and "Suspicious Driver Loaded Path" are directly applicable; SOC Prime publishes Sigma rules for The Gentlemen; Microsoft published Defender detections/hunting guidance with its Storm-2697 analysis.
Behavioral correlation (the kill-chain signature): download, then sc create, then service start, then security process unexpectedly dies. Alert on unexpected termination of AV/EDR processes and on loss of EDR telemetry from a host (treat as compromise). Monitor for the periodic (~2s) process-termination loop targeting security binaries.
PowerShell/Defender tampering: alert on Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath 'C:' / -ExclusionProcess, firewall disable, SMB1 enable, LSA registry changes; restrict who can run Set-MpPreference and enforce Tamper Protection.
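The detection logic in this section, as an added worked example that is not part of the original report or any vendor's rule set: it scores Sysmon Event ID 6 driver loads against the driver names listed above (name, Signed/SignatureStatus, user-writable path), flags Event ID 7045 kernel-service installs and sc create type=kernel command lines, flags Set-MpPreference/Add-MpPreference tampering, and correlates a suspicious driver load with a security process terminating (Sysmon Event ID 5) on the same host within two minutes. The event dicts, the four-name SECURITY_PROCESSES list, the 120-second window and the host names are all constructed for the example; a real deployment would feed parsed Sysmon/System-log events and the full 400+ process list.

```python
import re
from datetime import datetime, timedelta

# Driver file names this report lists as abused by GentleKiller and its companion killers.
GENTLEMEN_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "vgk.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys", "imfforcedelete", "g11.sys",
    "googleapiutil64.sys", "throttleblood.sys", "throttlestop.sys", "havoc.sys",
}
# Constructed short list of security-product images; a real deployment would carry
# the full process-to-vendor list rather than these four names.
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe", "sysmon64.exe"}
USER_WRITABLE = re.compile(r"\\(temp|users\\public|programdata)\\", re.IGNORECASE)
KERNEL_SVC = re.compile(r"\bsc(\.exe)?\s+create\b.*\btype=\s*kernel\b", re.IGNORECASE)
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true"
    r"|add-mppreference\b.*-exclusion(path|process)\b", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(seconds=120)  # assumed driver-load -> EDR-death window


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def driver_load_reasons(ev):
    """Reasons a Sysmon Event ID 6 (Driver Loaded) record is suspicious; [] if clean."""
    reasons = []
    if _basename(ev["ImageLoaded"]) in GENTLEMEN_DRIVERS:
        reasons.append("known Gentlemen-abused driver")
    # Check Signed and SignatureStatus together: a stolen or revoked certificate
    # still yields Signed=true but SignatureStatus != Valid.
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("signature missing or not Valid")
    if USER_WRITABLE.search(ev["ImageLoaded"]):
        reasons.append("loaded from user-writable path")
    return reasons


def analyze(events):
    """Run the rules over a list of event dicts and return alerts in time order."""
    alerts = []
    events = sorted(events, key=_ts)
    for ev in events:
        host, eid = ev["host"], ev["eid"]
        if eid == 6:
            reasons = driver_load_reasons(ev)
            if not reasons:
                continue
            alerts.append({"host": host, "rule": "suspicious_driver_load",
                           "detail": f'{ev["ImageLoaded"]}: {", ".join(reasons)}'})
            # Behavioral correlation: a security process terminated (Sysmon EID 5)
            # on the same host shortly after the driver load.
            for later in events:
                if (later["host"] == host and later["eid"] == 5
                        and _ts(ev) < _ts(later) <= _ts(ev) + CORRELATION_WINDOW
                        and _basename(later["Image"]) in SECURITY_PROCESSES):
                    gap = (_ts(later) - _ts(ev)).seconds
                    alerts.append({"host": host, "rule": "edr_killed_after_driver_load",
                                   "detail": f'{_basename(later["Image"])} died {gap}s after '
                                             f'{_basename(ev["ImageLoaded"])} loaded'})
        elif eid == 7045 and ev.get("ServiceType", "").lower() == "kernel mode driver":
            alerts.append({"host": host, "rule": "kernel_service_installed",
                           "detail": f'{ev["ServiceName"]} -> {ev["ImagePath"]}'})
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if KERNEL_SVC.search(cmd):
                alerts.append({"host": host, "rule": "sc_create_kernel", "detail": cmd})
            if DEFENDER_TAMPER.search(cmd):
                alerts.append({"host": host, "rule": "defender_tampering", "detail": cmd})
    return alerts


# Constructed sample telemetry (not real logs): one BYOVD sequence on WS01 and a
# Defender-tampering command on SRV02; a benign Microsoft driver load on SRV02 is noise.
SAMPLE_EVENTS = [
    {"ts": "2026-06-20T09:59:58", "host": "WS01", "eid": 1,
     "CommandLine": r"sc.exe create Havoc type= kernel binPath= C:\Windows\Temp\havoc.sys"},
    {"ts": "2026-06-20T09:59:59", "host": "WS01", "eid": 7045, "ServiceName": "Havoc",
     "ImagePath": r"\??\C:\Windows\Temp\havoc.sys", "ServiceType": "kernel mode driver"},
    {"ts": "2026-06-20T10:00:00", "host": "WS01", "eid": 6,
     "ImageLoaded": r"C:\Windows\Temp\havoc.sys", "Signed": "true",
     "Signature": "Huawei Device Co., Ltd.", "SignatureStatus": "Valid"},
    {"ts": "2026-06-20T10:00:40", "host": "WS01", "eid": 5,
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ts": "2026-06-20T08:00:00", "host": "SRV02", "eid": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ts": "2026-06-20T10:05:00", "host": "SRV02", "eid": 1,
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f'[{a["host"]}] {a["rule"]}: {a["detail"]}')
```

On the sample, WS01 produces the full chain (sc create, 7045 install, suspicious load, then MsMpEng.exe dying 40 seconds later) and SRV02 produces only the Defender-tampering alert; the tcpip.sys load is Microsoft-signed, Valid, and in System32\drivers, so it scores zero. The havoc.sys load is caught on name and path even though its signature is Valid, which is the point of the Signed-plus-SignatureStatus check: a validly signed vulnerable driver is still a load you alert on.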
Detection gaps when EDR is dead: Once the killer reaches Ring 0, user-mode tamper protection is moot. Pivot to surfaces that survive EDR death:
- Identity/AD logs: anomalous DC logons, failed-then-successful logon bursts from a DC, GPO creation/modification (Event ID 5136/5137), unusual ADMIN$/NETLOGON writes, scheduled-task creation under SYSTEM.
- Network: SystemBC SOCKS5 beaconing (e.g., 193.233.202[.]17), Cobalt Strike, unexpected SOCKS5 from workstations, WinSCP exfil, edge-device auth anomalies.
- Cloud/edge: FortiGate admin-config changes, new rogue super-admin accounts, FortiCloud SSO anomalies; cross-check devices against the Hudson Rock FortiBleed lookup.
Recommendations
Immediate (0-7 days):
- Block the BYOVD core. Enable HVCI (Memory Integrity) and enforce Microsoft's Vulnerable Driver Blocklist; verify the specific Gentlemen-abused drivers (Safetica/Zemana/Qihoo360/IObit/Huawei/Baidu/TechPowerUp + the rootkits) are blocked. Where supported, deploy WDAC driver allow-listing.
- Patch and assume-breach FortiGate. Patch CVE-2024-55591 on all FortiOS/FortiProxy; treat any device exposed during the vulnerability window as potentially compromised given the group's ~14,700-device stockpile. Disable internet-facing management interfaces; restrict via local-in policies. Rotate ALL FortiGate admin + SSL-VPN credentials (force PBKDF2 re-hash by interactive admin login post-upgrade), terminate active VPN/admin sessions, enforce phishing-resistant MFA, and check devices against the FortiBleed dataset. Audit for rogue admin accounts (e.g., forticloud-sync, fortigate-tech-support-style names).
- Turn on/validate Sysmon Event ID 6 + 7045 ingestion and deploy LOLDrivers + Gentlemen-specific driver-hash detections (see https://github.com/fluffybunnies-h4x/FT-Sysmon-Config).
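The FortiGate audit steps above (rogue admin accounts, management exposed on internet-facing interfaces) as an added example, not code from the report or from Fortinet: it parses a FortiOS CLI config backup and flags admin accounts outside an approved list, super_admin accounts with no trusthost restriction, and WAN-role interfaces whose allowaccess includes a management protocol. The config/edit/set/next/end block layout and the `accprofile`, `trusthostN`, `allowaccess` and `role` keys are assumed from the FortiOS CLI; the sample config, the rogue account name (taken from the report's forticloud-sync example), and the approved-admin list are constructed.

```python
from collections import defaultdict

# 'allowaccess' values that expose a management plane on an interface.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios_config(text):
    """Parse FortiOS CLI config text into {section: {entry: {key: [values]}}}.

    Assumes the config/edit/set/next/end block layout of a FortiOS CLI backup;
    config blocks nested inside an entry are skipped rather than modelled."""
    sections = defaultdict(dict)
    stack = []      # currently open 'config ...' block names
    entry = None    # current top-level 'edit' name
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit ") and len(stack) == 1:
            entry = line[len("edit "):].strip().strip('"')
            sections[stack[0]][entry] = {}
        elif line.startswith("set ") and entry is not None and len(stack) == 1:
            key, _, value = line[len("set "):].partition(" ")
            sections[stack[0]][entry][key] = value.replace('"', "").split()
        elif line == "next" and len(stack) == 1:
            entry = None
        elif line == "end" and stack:
            stack.pop()
    return dict(sections)


def audit_fortigate(config, approved_admins):
    """Apply the admin-account and management-exposure checks; returns (severity, message) tuples."""
    findings = []
    for name, attrs in config.get("system admin", {}).items():
        if name not in approved_admins:
            findings.append(("high", f"unapproved admin account '{name}'"))
        if attrs.get("accprofile") == ["super_admin"] and not any(k.startswith("trusthost") for k in attrs):
            findings.append(("medium", f"super_admin '{name}' has no trusthost restriction"))
    for name, attrs in config.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(attrs.get("allowaccess", []))
        if attrs.get("role") == ["wan"] and exposed:
            findings.append(("high", f"interface '{name}' (role wan) exposes management: {' '.join(sorted(exposed))}"))
    return findings


# Constructed sample config (not a real device backup). 'forticloud-sync' mirrors the
# rogue-account naming pattern called out in the recommendations; password values are redacted.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC <redacted>
    next
    edit "forticloud-sync"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <redacted>
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set allowaccess ping https ssh
        set role lan
    next
end
"""

if __name__ == "__main__":
    for severity, message in audit_fortigate(parse_fortios_config(SAMPLE_CONFIG), {"admin"}):
        print(f"[{severity}] {message}")
```

Run against a config export, the approved-admin set is the only input a defender has to supply; anything outside it is a finding regardless of how plausible the account name looks, which is exactly the property the forticloud-sync style of rogue account is designed to defeat. The check does not verify whether legacy admin password hashes have been re-hashed; that still requires the interactive re-login the recommendation describes.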
Short-term (1-4 weeks):
- Harden Domain Controllers (the crown jewel of the kill chain): restrict interactive/network logons, monitor GPO changes, ADMIN$/NETLOGON writes, and RPC-launched binaries. Lock down GPO creation.
- Enforce EDR Tamper Protection, password-protect agent uninstall, enable a secondary/independent telemetry source that survives primary-EDR death, and alert on EDR process death / telemetry loss.
- Eliminate internet-facing RDP; inventory and restrict AnyDesk/ScreenConnect/remote-management tools; segment IT-management from production.
- Maintain immutable, offline, tested backups isolated from domain-joined systems (the group specifically targets NAS/Exchange/backups pre-encryption).
Thresholds that change posture: Any Sysmon EVID 6 load of a known-vulnerable driver from %TEMP%/user-writable paths, any unexpected AV/EDR process termination, any Set-MpPreference -DisableRealtimeMonitoring, or any new immediate-trigger GPO on a DC should be treated as active intrusion and trigger IR. Detection of SystemBC, ThrottleBlood, or HexKiller signatures should trigger a hunt for co-located GentleKiller variants and a DC compromise assessment.
Caveats
- Dates/figures reflect a fast-moving 2026 campaign and vary by source: victim counts (~300/320->478), FortiBleed device counts (73,932->86,000+), and SystemBC botnet size (1,570+) are point-in-time and partly self-reported (leak-site claims may be inflated/recycled).
- The FortiBleed/Gentlemen link is unconfirmed -- explicitly circumstantial. No source documents shared operators/infrastructure or a transaction; the "SantaAd"/"SantaMuerte" alias resemblance is unverified and likely coincidental. Do not report them as the same actor.
- Process-to-vendor mapping for GentleKiller's 400+ targets was AI-assisted by ESET and may contain minor inconsistencies.
- Attribution of hastalamuerte to Alexander Yapaev is journalist/researcher name-and-shame (Krebs, PRODAFT); there is no public indictment, sanction, or takedown as of late June 2026.
- Some technical details (G-BOT replacing Cobalt Strike; CWE-244 partial-key-recovery from memory) are lower-confidence/newer and should be validated against current builds.
- BYOVD requires local admin first -- it is an escalation/evasion technique, not initial access; reducing admin counts is a high-impact control.
References
Primary Research and Analysis
- Souček, Jakub. "Killing Me Gently: Inside Gentlemen's EDR Killer Framework." ESET WeLiveSecurity, June 18, 2026. https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
- "Gentlemen Ransomware Uses Multiple EDR Killers to Disable Defenses." Bleeping Computer, June 2026. https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
- "DFIR Report: The Gentlemen and SystemBC -- A Sneak Peek Behind the Proxy." Check Point Research, 2026. https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
- "Thus Spoke...The Gentlemen." Check Point Research, 2026. https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
- "How Hastalamuerte Operates: Group-IB's Analysis of The Gentlemen's Attack Methods." Group-IB, 2026. https://www.group-ib.com/blog/hastalamuerte-gentlemen-raas-ttps/
- "Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed." Trend Micro, September 2025. https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
Threat Actor Profiling and RaaS Analysis
- "The Gentlemen Ransomware Group Is Scaling Faster Than Any Other Group on Record." Halcyon Ransomware Research Center, 2026. https://www.halcyon.ai/ransomware-research-reports/threat-assessment-the-gentlemen-ransomware-group
- "The Gentlemen: RaaS Ecosystem Analysis." Falconfeeds, 2026. https://falconfeeds.io/blogs/the-gentlemen-russia-raas-operation-rocket-leak-analysis/
- "Inside The Gentlemen Ransomware Leak: When the Hunter Becomes the Hunted." SOCRadar, 2026. https://socradar.io/blog/gentlemen-ransomware-leak/
- "The Gentlemen Ransomware: What the Internal Leak Reveals About Their Playbook." SOS Ransomware, 2026. https://sosransomware.com/en/ransomware-groups/the-gentlemen-ransomware-what-the-internal-leak-reveals-about-their-playbook/
- "Modus Operandi: The Gentlemen (Storm-2697)." CyberWarrior76 via Substack, 2026. https://cyberwarrior76.substack.com/p/modus-operandi-the-gentlemen-storm
- "The Gentlemen Ransomware: A Rapidly Scaling RaaS Threat." Hive Pro, 2026. https://www.hivepro.com/threat-advisory/the-gentlemen-ransomware-a-rapidly-scaling-raas-threat
- "The Gentlemen Ransomware -- Threat Actor." FortiGuard Labs, 2026. https://fortiguard.fortinet.com/threat-actor/6387/the-gentlemen-ransomware
- "The Gentlemen Ransomware Group Deploys Dual-Extortion Tactics, Encrypting and Exfiltrating Data." GBHackers, 2026. https://gbhackers.com/gentlemen-ransomware-2/
FortiBleed Coverage
- "FortiBleed Leak Exposes Fortinet VPN Credentials for 73,000 Devices." Bleeping Computer, June 2026. https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
- "Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices." Bitdefender Business Insights, 2026. https://www.bitdefender.com/en-gb/blog/businessinsights/technical-advisory-fortibleed-credential-exposure-campaign-targeting-internet-facing-fortinet-devices
CVE and Vulnerability References
- "CVE-2024-55591 -- FortiOS/FortiProxy Authentication Bypass." NVD / Fortinet PSIRT. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
- "CVE-2022-42045 -- Zemana WatchDog Antimalware Driver Privilege Escalation." NVD. https://nvd.nist.gov/vuln/detail/CVE-2022-42045
- "CVE-2025-26125 -- IObit IMF ForceDelete Driver Vulnerability." NVD. https://nvd.nist.gov/vuln/detail/CVE-2025-26125
Additional Supporting Sources
- "GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes." Cryptika Cybersecurity, 2026. https://www.cryptika.com/gentlekiller-ransomware-abuses-vulnerable-drivers-to-disable-400-edr-security-processes/
- "Gentlemen Ransomware Builds Modular EDR Killer Suite From Rival Gang Tools." Cybersecurity Insiders, 2026. https://www.cybersecurity-insiders.com/gentlemen-ransomware-edr-killer-suite/
- LOLDrivers Project -- Vulnerable Driver Reference. https://www.loldrivers.io/
