A sophisticated EDR-killer framework known as GentleKiller has been identified, enabling the Gentlemen ransomware-as-a-service (RaaS) group to systematically terminate over 400 endpoint detection and response (EDR) processes before deploying its ransomware payloads.
GentleKiller employs the Bring Your Own Vulnerable Driver (BYOVD) technique: the attacker loads a legitimately signed but exploitable driver and uses it to terminate security processes from kernel mode, sidestepping the anti-tamper and protected-process safeguards that stop even an administrator from killing those processes from user mode. With the defenses gone, the ransomware payload that follows runs without being detected or blocked.
The framework comprises at least eight distinct variants, each masquerading as a legitimate security product and abusing a different vulnerable or malicious kernel-level driver. The drivers come from Kaspersky, FACEIT Anti-Cheat, Valorant, Javelin/Safetica, Zemana WatchDog, Qihoo 360 and IObit, plus the PoisonX rootkit.
GentleKiller targets a wide array of security products, including Microsoft Defender, CrowdStrike, SentinelOne, Sophos, Palo Alto Networks, ESET, Bitdefender, Kaspersky, and McAfee/Trellix. The framework runs in a loop, scanning for and terminating the targeted processes every two seconds, so that any agent or service that restarts is killed again within seconds and the defenses stay disabled throughout the attack. That fixed cadence is also a useful detection signal: a burst of security-process terminations shortly after a kernel driver load, with the same process re-killed at regular intervals, looks nothing like a benign service stop.
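As an added example (not code from the report, from the Gentlemen tooling, or from any vendor), the Python routine below runs over constructed Sysmon-style events and correlates the two signals described above: a kernel driver load (Sysmon event 6) whose hash is on a vulnerable-driver blocklist, followed by a burst of terminations (Sysmon event 5) of distinct security-product processes and the periodic re-kill cadence of the two-second loop. The process names, the blocklist hash and the log lines are illustrative assumptions, not indicators from the report.

```python
"""Correlate a blocked driver load with mass security-process termination.

Added example; all sample data, hashes and process names are constructed.
Input lines are 'timestamp|event_id|image|extra' (event 6 = driver load,
event 5 = process terminate), a simplified stand-in for Sysmon fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Illustrative user-mode service images for the products named in the
# article; confirm the names against your own deployments before relying
# on them (assumption, not from the report).
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "csfalconservice.exe",  # CrowdStrike Falcon
    "sentinelagent.exe",    # SentinelOne
    "savservice.exe",       # Sophos
    "cyveraservice.exe",    # Palo Alto Cortex XDR
    "ekrn.exe",             # ESET
    "bdservicehost.exe",    # Bitdefender
    "avp.exe",              # Kaspersky
    "mcshield.exe",         # McAfee/Trellix
}

# Constructed placeholder hash standing in for a real vulnerable-driver
# blocklist entry (e.g. Microsoft's driver block rules or the LOLDrivers feed).
CONSTRUCTED_VULN_DRIVER_SHA256 = "A1B2C3" * 10 + "A1B2"
BLOCKED_DRIVER_SHA256 = {CONSTRUCTED_VULN_DRIVER_SHA256: "constructed-vulnerable-av-driver"}

# Constructed telemetry: driver load, then a kill burst with a 2 s re-kill loop.
SAMPLE_LOG = f"""\
2024-05-01T10:00:00Z|6|C:\\Windows\\Temp\\vuln_av.sys|SHA256={CONSTRUCTED_VULN_DRIVER_SHA256}
2024-05-01T10:00:03Z|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe|
2024-05-01T10:00:03Z|5|C:\\Program Files\\CrowdStrike\\CSFalconService.exe|
2024-05-01T10:00:04Z|5|C:\\Program Files\\SentinelOne\\SentinelAgent.exe|
2024-05-01T10:00:05Z|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe|
2024-05-01T10:00:07Z|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe|
2024-05-01T10:00:09Z|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe|
2024-05-01T10:05:00Z|5|C:\\Windows\\System32\\notepad.exe|
"""

# Constructed benign telemetry: unknown driver, one Defender restart, no burst.
BENIGN_LOG = """\
2024-05-01T11:00:00Z|6|C:\\Windows\\System32\\drivers\\benign.sys|SHA256=BBBB2222
2024-05-01T11:00:10Z|5|C:\\Program Files\\Windows Defender\\MsMpEng.exe|
2024-05-01T11:30:00Z|5|C:\\Windows\\System32\\notepad.exe|
"""


def parse_events(text):
    """Parse the constructed line format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, image, extra = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(eid),
            "image": image,
            "name": image.rsplit("\\", 1)[-1].lower(),
            "extra": extra,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window_seconds=30, min_victims=3, cadence_seconds=2.0, tolerance=0.5):
    """Return alerts for blocked driver loads, kill bursts and periodic re-kills."""
    alerts, driver_loads = [], []
    for e in events:
        if e["event_id"] == 6:
            sha = e["extra"].partition("=")[2].upper()
            if sha in BLOCKED_DRIVER_SHA256:
                driver_loads.append(e["ts"])
                alerts.append({"rule": "blocked_driver_load", "image": e["image"],
                               "ts": e["ts"], "sha256": sha})

    kills = [e for e in events if e["event_id"] == 5 and e["name"] in SECURITY_PROCESSES]
    window = timedelta(seconds=window_seconds)

    # Sliding window: several distinct security processes killed close together,
    # flagged as BYOVD-correlated when a blocked driver loaded just before.
    for i, first in enumerate(kills):
        victims = {k["name"] for k in kills[i:] if k["ts"] - first["ts"] <= window}
        if len(victims) >= min_victims:
            correlated = any(timedelta(0) <= first["ts"] - t <= window for t in driver_loads)
            alerts.append({"rule": "mass_security_process_termination", "ts": first["ts"],
                           "victims": sorted(victims), "after_blocked_driver": correlated})
            break  # one alert per burst is enough here

    # Cadence: the same image re-killed at a fixed interval is the kill loop.
    by_name = defaultdict(list)
    for k in kills:
        by_name[k["name"]].append(k["ts"])
    for name, times in by_name.items():
        if len(times) < 3:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - cadence_seconds) <= tolerance for g in gaps):
            alerts.append({"rule": "periodic_kill_loop", "image": name,
                           "interval_seconds": round(mean(gaps), 2), "count": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

In production the same logic would read Sysmon events 6 and 5 (or the equivalent EDR telemetry) rather than the constructed lines, and the blocklist would be populated from a maintained feed; the window and cadence thresholds are starting points to tune against your own restart behaviour.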
Notably, the Gentlemen group demonstrates a rapid adoption of newly published BYOVD proof-of-concept exploits, integrating tools like UnknownKiller and PoisonKiller into GentleKiller’s arsenal within days of their public release. This swift incorporation indicates a well-resourced and agile development pipeline, setting Gentlemen apart from other RaaS operators who typically take longer to adapt publicly released exploits into their tooling.
In addition to GentleKiller, the Gentlemen group integrates three externally sourced EDR killers into its suite:
- HexKiller: Abuses a Baidu Antivirus BdApi driver.
- ThrottleBlood: Utilizes a TechPowerUp LLC driver.
- HavocKiller: Exploits a Huawei Audio driver.
All three tools are standardized through a shared defense-evasion layer that applies binary protectors such as Enigma or Themida and impersonates security vendors using fabricated version information, copied digital signatures, and matching icons. This complicates attribution, because tools of different origins end up looking alike once the same evasion treatment has been applied. One practical caveat for responders: a signature copied from another binary does not validate against the file it is pasted onto, so checks that only read the signer name from the certificate are fooled, while a full Authenticode verification that recomputes the file hash is not.
The emergence of GentleKiller underscores the evolving sophistication of ransomware operations and the need for controls aimed at the BYOVD technique itself rather than at any one tool. Enforcing Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity (HVCI) so that known-exploitable drivers cannot load, enabling the tamper-protection features of the deployed security products, and alerting on kernel driver loads followed by bursts of security-process terminations are more effective against this class of threat than patching alone, since BYOVD does not rely on an unpatched flaw in the victim's software.