general · BleepingComputer
The Gentlemen ransomware-as-a-service (RaaS) group actively develops and deploys multiple endpoint detection and response (EDR) killers to help affiliates bypass security controls. The primary tool, dubbed GentleKiller by researchers, exists in at least eight variants that impersonate legitimate security products from vendors like Kaspersky, Valorant, Javelin, and WatchDog. According to ESET, GentleKiller uses the "bring your own vulnerable driver" (BYOVD) technique to achieve kernel-level privileges and targets over 400 processes associated with approximately 48 security vendors including Microsoft, CrowdStrike, SentinelOne, Palo Alto, Sophos, Trend Micro, and Bitdefender. The group supplements GentleKiller with at least three additional external EDR killers—HexKiller, ThrottleBlood, and HavocKiller—and uses stolen (though invalid) digital signatures to obfuscate the tools.
For Omniware's buyers, this activity underscores critical gaps in defense-in-depth strategies. Defense contractors managing controlled unclassified information (CUI) must validate that EDR implementations include driver-code verification and privileged access management controls aligned with NIST 800-171 requirements. Healthcare organizations subject to HIPAA and SaaS firms in SOC2 audits should review whether their endpoint protection strategies rely solely on a single detection vendor and confirm that vulnerability management processes cover driver-level flaws. All regulated firms should assess incident response playbooks for EDR evasion scenarios—an Omniware engagement can scope this in detail and identify gaps in your specific threat model.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/
Source: BleepingComputer
All briefings