The Gentlemen Ransomware With Custom EDR/AV Killers Scaling Faster to Attack Industries Worldwide

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

The Gentlemen is one of the most rapidly escalating ransomware threats observed in 2026. Emerging in mid-2025 from a payment dispute within the Qilin RaaS program, the group has evolved into a full-spectrum, human-operated Ransomware-as-a-Service (RaaS) operation that Microsoft tracks as Storm-2697.

Within its first year of independent operation, The Gentlemen has claimed over 500 victims across 70+ countries, accounting for approximately 10% of all global ransomware activity in April 2026.

What sets this group apart is not scale alone it is their operator-maintained EDR/AV killer infrastructure, marketed directly to affiliates under the in-house framework named GentleKiller, comprising at least eight distinct BYOVD (Bring Your Own Vulnerable Driver) variants capable of terminating over 400 security processes across 48 vendors.

The gang also integrates third-party EDR killers HexKiller, ThrottleBlood, and HavocKiller into a standardized, modular evasion suite. Coupled with a Go-based, self-propagating worm encryptor using hybrid Curve25519/XChaCha20 cryptography, The Gentlemen represents a Tier-1 threat to manufacturing, healthcare, financial services, and critical operational technology environments worldwide.

A significant intelligence windfall arrived in May 2026, when an internal backend database (“Rocket”) used by the group was leaked, exposing 3,366 internal chat messages, operator identities, victim lists (1,570+ confirmed), ransom negotiation transcripts, and the full toolchain.

At Cybersecuritynews, we synthesize published intelligence from the leak, ESET Research, Microsoft Threat Intelligence, Check Point Research, Trend Micro, and Huntress to deliver a comprehensive, defender-grade briefing.

Gentlemen at a glance (Image source: cybersecuritynews.com)

Threat Actor Profile

Identity and Origin

The Gentlemen was founded by an operator using the alias hastalamuerte (also known as zeta88 and tracked by PRODAFT as LARVA-368). This individual was previously an affiliate crew leader within the Qilin RaaS program before launching The Gentlemen as an independent operation following a payment dispute in July 2025. The operator is described as Russian-speaking and maintains hands-on involvement in attacks in addition to managing the RaaS platform.

The group operates under a strict CIS exclusion policy targeting organizations globally but programmatically excluding victims in CIS (Commonwealth of Independent States) countries, consistent with Russian-nexus threat actor norms.

Organizational Structure

Analysis of the leaked Rocket.Chat database reveals a tightly organized core of approximately 9 named operators and at least 8 distinct affiliate TOX IDs. The organizational structure is as follows:

Alias Role
zeta88 / hastalamuerte Administrator builds locker, runs RaaS panel, distributes targets, manages payouts
qbit Hands-on operator Fortinet scanning, NTLM relay, AD recon, EDR killer deployment
quant Log-based access, credential harvesting, OxideHarvest/buildx641 tool maintainer
Wick, mAst3r, Protagor Red-teamers, advertising partners, case-specific collaborators
Bl0ck, JeLLy, Kunder, Mamba Access brokers, support roles

The administrator actively uses AI-assisted development, referencing DeepSeek, Qwen, and Kimi for coding assistance and panel development. The Gentlemen GLOCKER admin panel was reportedly built in three days using AI-assisted coding.

  • Affiliate revenue split: 90% to affiliates, 10% to operators among the most generous in the ransomware ecosystem
  • Affiliate recruitment: Active on RAMP and BreachForums underground forums; invites penetration testers and initial access brokers
  • Partnership: Established an official BreachForums partnership in 2025 to expand the affiliate pool
  • Extortion model: Double extortion encryption plus data exfiltration
  • Ransom range: ~$250,000 initial demands; $190,000 settlements observed in leaked transcripts
  • Leak site: Tor-based dedicated leak site (DLS) with branded X/Twitter account for additional public pressure

Attack Chain: Step-by-Step Lifecycle

Gentlemen Ransomware Attack Kill Chain (Image source: cybersecuritynews.com)

Phase 1: Initial Access

The Gentlemen does not rely on phishing for initial access. Instead, affiliates systematically target internet-facing edge infrastructure, primarily FortiGate VPN appliances, Cisco ASA devices, and SonicWall appliances. The group maintained an active inventory of approximately 14,700 compromised FortiGate devices and 900+ validated brute-forced FortiGate VPN credentials ready for affiliate use.

Branding credentials observed in leaked data include: gentlemen25, Gentlemen25, gentle26.

Secondary access vectors include:

  • Infostealer-sourced credentials from underground marketplaces
  • Exploitation of exposed OWA/O365 portals using log-based credential tools (quant‘s log parser)
  • Access brokers supplying pre-compromised enterprise footholds (“поставщик ботов”)

Phase 2: Reconnaissance and Privilege Escalation

After achieving initial foothold, operators perform extensive internal reconnaissance using a custom offensive toolkit:

  • NetExec (NXC): Multi-purpose AD, SMB, WinRM offensive framework
  • RelayKing-Depth: NTLM relay scanning and exploitation
  • TaskHound: Task and privilege abuse
  • PrivHound: Local privilege escalation path discovery
  • CertiHound: Active Directory Certificate Services (ADCS) misconfiguration enumeration (ESC1–ESC17)
  • gogo.exe: Port scanner for exposed services
  • Advanced IP Scanner / Nmap: Network mapping (observed in Mackay Sugar incident)
  • KslDump / KslKatz: Kerberos/LSASS credential dumping

The group specifically targets domain administrator credentials and abuses Group Policy Objects (GPOs) for domain-wide compromise.

Phase 3: Defense Evasion (EDR/AV Killing)

This is the defining characteristic of The Gentlemen. Operators deploy their centralized GentleKiller suite before encryption begins. Tools are staged in a directory named GentlemenCollection on the target system.

custom EDR / AV Killer suite (Image source: cybersecuritynews.com)

The BYOVD technique works as follows:

  1. Drop a signed-but-vulnerable kernel driver to disk
  2. Load the driver as a Windows service via sc create / sc start
  3. Send IOCTLs to the driver from user space, reaching Ring-0 (kernel) privilege
  4. Enumerate and kill all target security processes overcoming user-mode tamper protection
GentleKiller EDR / AV Killer Framework Architecture (Image source: cybersecuritynews.com)

GentleKiller variants (8 known, each impersonating a different product):

Variant Name Fake Filename Abused Driver ESET Detection
Kaspersky Kasp<suffix>.exe eb.sys (custom rootkit PoC) Win64/KillAV.EA
FACEIT Anti-Cheat FaceIT<suffix>.exe nseckrnl.sys (NSecsoft NSecKrnl) Win64/KillAV.EA
Valorant Valorant<suffix>.exe GameDriverX64.sys / vgk.sys (Tower of Fantasy anti-cheat) Win64/KillAV.EA
Javelin EAAntiCheat<suffix>.exe, EASolo<suffix>.exe stpm_old.sys, stpm_new.sys (Safetica Process Monitor) Win64/KillAV.EA
WatchDog BitD<suffix>.exe dmx.sys (Zemana WatchDog Antimalware) Win64/KillAV.EA
Network Blocker MB<suffix>.exe 360netmon_wfp.sys (Qihoo 360) Win64/KillAV.EA
Cleaner Deletor.exe IMFForceDelete (IObit IMF ForceDelete) Win64/KillAV.EA
G11 G11<suffix>.exe, Symantec<suffix>.exe G11.sys / PoisonX (rootkit PoC) Win64/KillAV.EA

Third-party EDR killers integrated into the suite:

ESET Name Fake Filename Abused Driver Notes
HexKiller Avast<suffix>.exe googleApiUtil64.sys (Baidu Antivirus BdApi) Previously attributed to Warlock gang
ThrottleBlood Sent<suffix>.exe ThrottleBlood.sys (TechPowerUp LLC ThrottleStop) Also seen in MedusaLocker, DragonForce
HavocKiller HwAudKiller.exe, Sophos<suffix>.exe havoc.sys (Huawei Audio Driver) Active since Jan 2026, disclosed by Huntress Mar 2026

Additional evasion tools from leaked toolchain:

  • EDRStartupHinder blocks/delays EDR processes at startup
  • gfreeze EDR process freezing
  • glinker EDR evasion companion to gfreeze
  • DumpBrowserSecrets browser cookie/session harvesting
  • ETW (Event Tracing for Windows) patching and zerosalarium techniques
  • Titanis Windows ETW/logging manipulation framework

Binary protection and impersonation strategy applied uniformly to all EDR killers:

Filename Suffix Protection Fake Signature Fake Version Info
1 Enigma Yes Yes
2 Themida Yes Yes
Light None Yes Yes
Clear None No No

Phase 4: Lateral Movement and Persistence

The Gentlemen ransomware’s self-propagation (--spread) module attempts 21 independent remote execution techniques per target host, making it worm-like in behavior:

  • 5.1 Remote file copy over C$ administrative share
  • 5.2 PsExec-based remote execution (embedded PsExec binary or downloaded from Sysinternals Live)
  • 5.3 WMIC process creation (wmic /node:<target> process call create)
  • 5.4 Scheduled tasks (user context) DefU, UpdateGU, UpdateGU2
  • 5.5 Scheduled tasks (SYSTEM context) same tasks elevated
  • 5.6 Windows Services DefSvc, UpdateSvc, UpdateSvc2
  • 5.7 PowerShell Remoting via Invoke-Command (WinRM)
  • 5.8 PowerShell WMI (Invoke-WmiMethod) as alternative to wmic.exe

For persistence, the encryptor establishes two layers:

  • Scheduled tasks: UpdateSystem (SYSTEM context) and UpdateUser (current user context)
  • Registry Run keys: GupdateS under HKLM...Run and GupdateU under HKCU...Run

Additional persistence observed: AnyDesk remote access software, Cloudflare Zero Trust tunnels, SystemBC SOCKS5 proxy.

C2 Framework: Velociraptor (used as covert C2), ZeroPulse, Cloudflare tunnels

Lateral movement tools: PsExec, PuTTY (observed in Mackay Sugar incident), WinSCP (for data exfiltration via encrypted channels)

Phase 5: Data Exfiltration (Pre-Encryption)

Exfiltration volumes of hundreds of gigabytes to multiple terabytes per victim are typical. The group uses WinSCP for encrypted file transfer and quant‘s custom credential/data collector (buildx641/OxideHarvest) which leverages:

  • vssadmin shadow copies
  • ntds.dit extraction
  • SYSTEM hive copies
  • MANSPIDER for sensitive file share hunting

Data from prior compromises is actively reused to facilitate new attacks a UK consultancy breach was leveraged to gain access to a Turkish company, with stolen internal documents used for cross-target enrichment.

Phase 6: Encryption and Impact

Encryption Technology

The encryptor is written in Go and obfuscated with Garble, targeting Windows, Linux, NAS, BSD, and ESXi platforms:

  • Cryptographic scheme: Hybrid Curve25519 + XChaCha20
  • Key design: Per-file ephemeral Curve25519 key pair; ECDH shared secret used as XChaCha20 key
  • Nonce: First 24 bytes of the ephemeral public key; XOR-mutated per chunk for large files
  • Encrypted file extension: .umc16h (also .7mtzhh observed in some samples)
  • Execution requires a build-specific --password argument as an anti-analysis measure

Encryption Speed Modes

CLI Argument Per-Chunk % Total Encrypted (Large Files)
(default) 9% ~27%
--fast 3% ~9%
--superfast 1% ~3%
--ultrafast 0.3% ~0.9%

Small files (≤1 MB) are fully encrypted regardless of speed mode.

Post-Encryption Actions

The malware creates a scheduled task (gentlemen_system) to relaunch itself as SYSTEM for encrypting local drives.

  • Ransom note: README-GENTLEMEN.txt dropped in every traversed directory
  • Desktop wallpaper: %TEMP%gentlemen.bmp set as wallpaper
  • Shadow copy deletion: vssadmin delete shadows /all /quiet and wmic shadowcopy delete
  • Event log clearing: wevtutil cl System, wevtutil cl Application, wevtutil cl Security
  • Prefetch deletion, Defender log wipe, RDP log wipe, PowerShell history removal
  • Free space wiping (--wipe): Overwrites all unallocated disk space with random data
  • Self-delete (unless --keep flag): Removes encryptor binary post-execution

When run with --shares, the encryptor enables Windows network discovery services (fdrespub, fdPHost, SSDPSRV, upnphost) and removes firewall restrictions to maximize reachable encryption targets.

Known Infection Vectors

Vector Mechanism CVE/Tool Confidence
FortiGate VPN exploitation Authentication bypass in FortiOS/FortiProxy management interface CVE-2024-55591 High 81 mentions in leaked chat logs; 14,700+ compromised devices tracked
Erlang SSH / Cisco RCE Remote code execution on Cisco and Erlang-based SSH services CVE-2025-32433 High PoC shared and evaluated in internal Rocket.Chat logs
NTLM Relay Internal credential relay for privilege escalation post-initial access CVE-2025-33073 High RelayKing integrated into standard recon workflow
FortiGate VPN brute-force Credential stuffing/brute-force of VPN web panels ~900+ validated credentials in active use High
Infostealer credentials Purchased from underground markets; OWA/O365 portal abuse N/A High
Access brokers Pre-compromised Fortinet VPN access purchased from “Mamba” and other brokers N/A High
SonicWall VPN, Cisco ASA, Oracle EBS Active reconnaissance and exploit development noted Under research by group Medium
BYOVD kernel driver exploit CVE-2025-7771 ThrottleStop.sys driver for kernel code execution CVE-2025-7771 Medium

Common Vulnerabilities Exploited

CVE Product Vulnerability Type CVSS Status
CVE-2024-55591 Fortinet FortiOS / FortiProxy Authentication bypass in management interface enables unauthenticated super-admin access Critical Patch available widely unpatched
CVE-2025-32433 Erlang/OTP SSH (Cisco context) Pre-authentication remote code execution Critical PoC actively evaluated by operators
CVE-2025-33073 Windows NTLM NTLM reflection/relay privilege escalation High Actively scanned using RelayKing
CVE-2025-7771 TechPowerUp ThrottleStop.sys Kernel code execution via vulnerable driver (BYOVD) High Integrated as ThrottleBlood.sys
CVE-2023-27532 Veeam Backup & Replication Missing authentication targeted for backup destruction Critical Patching recommended
CVE-2024-37085 VMware ESXi Authentication bypass ESXi locker deployment vector High Patching recommended
Multiple ADCS flaws Microsoft Active Directory Certificate Services ESC1–ESC17 misconfigurations (CertiHound) Variable Enumerated post-compromise
Category Tool Purpose
EDR Killing (In-House) GentleKiller (8 variants) BYOVD kernel-level security process termination (400+ processes, 48 vendors)
EDR Killing (Third-Party) HexKiller BYOVD EDR killer (Baidu BdApi driver)
EDR Killing (Third-Party) ThrottleBlood BYOVD EDR killer (ThrottleStop.sys driver)
EDR Killing (Third-Party) HavocKiller BYOVD EDR killer (Huawei Audio driver)
EDR Evasion EDRStartupHinder Blocks/delays EDR processes at startup
EDR Evasion gfreeze EDR process freezing utility
EDR Evasion glinker EDR evasion companion tool
Credential Theft OxideHarvest (buildx641.exe) Rust-based credential stealer; harvests browsers, LSASS, NTDS
Credential Theft DumpBrowserSecrets Browser cookie and session token harvester
Credential Theft KslDump / KslKatz Kerberos / LSASS credential dumping
Credential Theft Mimikatz Credential extraction (operator referenced in multiple incidents)
AD Recon NetExec (NXC) SMB, AD, WinRM, LDAP offensive framework
AD Recon RelayKing-Depth NTLM relay path discovery and exploitation
AD Recon CertiHound ADCS misconfiguration enumeration (ESC1–ESC17)
Privilege Escalation PrivHound Local privilege escalation path finder
Privilege Escalation TaskHound Task and privilege abuse
Privilege Escalation RegPwn Registry-based service privilege escalation
Lateral Movement PsExec Remote execution; embedded in ransomware binary
Lateral Movement WinSCP Encrypted data exfiltration
Lateral Movement MANSPIDER Sensitive file share hunting
C2 / Remote Access Velociraptor Covert C2 with LSASS/memory collection
C2 / Remote Access ZeroPulse Remote access framework
C2 / Remote Access AnyDesk Persistent remote access
C2 / Remote Access SystemBC SOCKS5 proxy for covert C2 tunneling
C2 / Remote Access Cloudflare Zero Trust / Tunnels Covert HTTPS tunneling into victim networks
C2 / Remote Access Cobalt Strike Beacon-based C2 framework
Infrastructure gogo.exe Port scanner for initial surface discovery
ETW Evasion Titanis Windows ETW/logging manipulation
ETW Evasion zerosalarium ETW and log-based EDR kill research/techniques
OSINT Sputnik (browser extension) OSINT aggregation for target enrichment
Password Cracking chamd5.org / hashcracking_bot Online hash cracking services
VPN Infrastructure WireGuard, OpenVPN, Double-VPN Operator-side VPN for operational security
GPO Deployment Group Policy Management / Editor Domain-wide ransomware deployment via NETLOGON

Targeted Industries and Victimology

Targeted Industries and Geography (Image source: cybersecuritynews.com)

Industries by Victim Count (Top 5)

Rank Industry Victim Count
1 Manufacturing 101
2 Business Services 66
3 Technology 65
4 Healthcare 50
5 Consumer Services 44

Additional targeted sectors include: Construction, Education, Transportation, Financial Services, Insurance, Agri-Industrial (food production/sugar processing), Pharmaceuticals, and Critical Infrastructure (OT/ICS environments).

Geographic Focus (Top 5 Countries)

Rank Country Victim Count
1 United States 87
2 Thailand 37
3 France 28
4 Germany 24
5 Australia ~20 (estimated 4th most targeted per CheckPoint)

The Gentlemen is notable for its non-US-centric victimology; unlike most top-tier ransomware gangs, it maintains heavy focus on Southeast Asia, South America, and Western Europe. Targeting decisions are made primarily based on FortiGate device misconfiguration rather than geographic location.

Notable Attack: Mackay Sugar (June 2026)

In June 2026, The Gentlemen claimed responsibility for a ransomware attack on Mackay Sugar, Australia’s second-largest raw sugar producer. The attack shut down operations at the Farleigh and Racecourse mills for over a week, disrupting cane haulage and affecting 1,300+ family-owned farms.

The attack was executed via the NETLOGON share for payload deployment, with double-extortion threatening to release stolen data within 10 days.

Indicators of Compromise (IoCs)

File Hashes

Ransomware Encryptors

SHA-256 / SHA-1 Hash Filename Platform Description Source
22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67 ransomware binary Windows Windows encryptor (primary analyzed sample) Microsoft
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b psexec.exe Windows PsExec binary embedded in encryptor Microsoft
fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68 gentlemen.bmp Windows Post-encryption desktop wallpaper bitmap Microsoft
f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8 G_hlm7jj_windows_amd64.exe Windows Encryptor (second Huntress-observed incident) Huntress
1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c Linux locker Linux Linux/NAS encryptor variant Decryption Digest
c12c4d58541cc4f75ae19b65295a52c559570054 Ransom.Win64.GENTLEMAN Windows Trend Micro signature Mackay Sugar incident Rescana/Trend

GentleKiller EDR Killer Suite (SHA-1 Hashes)

SHA-1 Filename ESET Detection Description
8AE6BD18B129061F63642531F1B684CF0383C75D Kasps.exe Win64/KillAV.EA GentleKiller Kaspersky variant
BA914FE77B177B45799403B16DD14765C510A074 eb.sys Win64/Agent.ITG Custom rootkit Kaspersky variant driver
D605994FC72A2BB59B5CFB1624A1B9170ECA73A2 FaceIT1.exe Win64/KillAV.EA GentleKiller FACEIT variant (Enigma-protected)
B0B912A3FD1C05D72080848EC4C92880004021A1 nseckrnl.sys Win64/VulnDriver.NSecsoft.A NSecKrnl driver FACEIT variant
5AA3124E5C4921E5EDFC60133B5D71DA21B07DA3 Valorant2.exe Win64/KillAV.EA GentleKiller Valorant variant (Themida-protected)
7556AE58C215B8245A43F764F0676C7A8F0FDD1A vgk.sys Win64/VulnDriver.PerfectWorld.A Anti-cheat driver Valorant variant
331879F5EEC8892BBD896F90BDBB1BAD0BF63BD6 EASolo2Light.exe Win64/KillAV.EA GentleKiller Javelin variant (newer Safetica driver)
F11AEBCCB9A86A7E2E653F90BAEC697F233C255F EASOLO1clear.exe Win64/KillAV.EA GentleKiller Javelin variant (older Safetica driver)
EF9CD06683159397F099CAA244E94E6EAAD96EBA EAAntiCheatLight.exe Win64/KillAV.EA GentleKiller Javelin variant (both Safetica drivers)
711EF221526997039E804A18DB9647C91680BBE2 stpm_old.sys Win64/VulnDriver.Safetica.A Safetica Process Monitor Driver (older)
68FEC379F2AE76C3D2CE913F7BE650CEA1D06990 stpm_new.sys Win64/VulnDriver.Safetica.H Safetica Process Monitor Driver (newer)
A11EE9CDC59E5CAA59AEFD27B30D104F3AD68E62 BitD1.exe Win64/KillAV.EA GentleKiller WatchDog variant (Themida-protected)
96F0DBF52AED0AFD43E44500116B04B674F7358E dmx.sys Win64/VulnDriver.WatchDogDev.C Zemana WatchDog Antimalware Driver
2F86898528C6CAB3540C486A9BFAA0C029B73950 MB2.exe Win64/KillAV.EA GentleKiller Network Blocker variant (Themida-protected)
9AD51AD97C01E97AB59214116740785E0F6320A8 360netmon_wfp.sys Win64/VulnDriver.Qihoo360.A Qihoo 360 driver Network Blocker variant
A19117175DBC9BA4D23B5DCE8415E299A2E32192 Deletor.exe Win64/KillAV.EA GentleKiller Cleaner variant
12500F6C87CE62712A0ED6652C57468D15C14223 IMFForceDelete Win64/VulnDriver.IObit.D.gen IObit IMF ForceDelete driver Cleaner variant
D29670E684E40DDC89B47010C37CBC96737035B6 Symantec.exe Win64/KillAV.EA GentleKiller G11 variant
56BEE9DF5833A637F5C54D5911DF98B0812FE643 G11.sys Win64/Agent.IYQ PoisonX rootkit G11 variant

Third-Party EDR Killers (SHA-1 Hashes)

SHA-1 Filename ESET Detection Description
CF4D74DF17A91B4A36A2911B22AFEC5D8FA93A01 Avast.exe Win32/KillAV.NVL HexKiller (Gentlemen evasion layer applied)
EC296F9501AD71E430810CB5CDC38D954D4BA536 googleApiUtil64.sys Win64/VulnDriver.Baidu.B Baidu Antivirus BdApi driver HexKiller
7131B377E96016DC1911020C9F95B1B4D042D7B4 Sent.exe Win64/KillAV.AT ThrottleBlood (Gentlemen evasion layer applied)
82ED942A52CDCF120A8919730E00BA37619661A3 ThrottleBlood.sys Win64/VulnDriver.GPUZ.B ThrottleStop.sys vulnerable driver ThrottleBlood
F0537CBB773AE12100B36731E7C39F5A9D852B14 Sophos.exe Win64/KillAV.DE HavocKiller (Gentlemen evasion layer applied)
1FA071303FB846308571E64727501FB98B1C2BE6 havoc.sys Win64/VulnDriver.Huawei.D Huawei Audio vulnerable driver HavocKiller

Credential Stealer (OxideHarvest)

SHA-1 Filename ESET Detection Description
A5CF917EC4A7DFBDFA43621398604805D860C718 buildx641.exe Win64/Spy.Agent.AGC OxideHarvest credential stealer (quant’s tool)
D4B19141102015D436321E6F26976E98183CFD27 buildx64.exe Win64/Spy.Agent.AGC OxideHarvest credential stealer (alternate build)

Additional Hashes (Trend Micro / Mackay Sugar Incident)

SHA-1 Detection Name Description
c12c4d58541cc4f75ae19b65295a52c559570054 Ransom.Win64.GENTLEMAN.THHAIBE Gentlemen Windows encryptor
c0979ec20b87084317d1bfa50405f7149c3b5c5f Trojan.Win64.KILLAV.THHBHBE EDR killer tool
df249727c12741ca176d5f1ccba3ce188a546d28 Trojan.Win64.KILLAV.THHBHBE EDR killer tool
e00293ce0eb534874efd615ae590cf6aa3858ba4 HackTool.Win32.PowerRun.THHBHBE Privilege escalation tool (PowerRun.exe)

Network Indicators

Indicator Type Description Source
193.233.202[.]17 C2 IP SOCKS proxy C2 svchost32.exe beacon on port 44729 Huntress
77.110.122[.]137 C2 IP Alternative SOCKS proxy C2 port 37182 Huntress
45[.]86[.]230[.]112 C2 IP Pre-ransomware staging host Gentlemen affiliate infrastructure HivePro
Cloudflare WARP tunnels Tunnel indicator Outbound Cloudflare WARP tunnel from non-IT endpoints (pre-encryption staging) Decryption Digest

File System and Host-Based Indicators

Indicator Type Description
.umc16h File extension Primary encrypted file extension
.7mtzhh File extension Alternate encrypted file extension observed in some campaigns
.fjn1jw File extension Alternate extension (observed in Huntress shipping/transport incident)
README-GENTLEMEN.txt Ransom note filename Dropped in every traversed directory
gentlemen.bmp Wallpaper artifact Desktop wallpaper deployed post-encryption (%TEMP%gentlemen.bmp)
gentlemen_system Scheduled task name SYSTEM-privilege scheduled task for local encryption
UpdateSystem Scheduled task name Persistence scheduled task (SYSTEM context)
UpdateUser Scheduled task name Persistence scheduled task (user context)
WindowsConnSvc Scheduled task name SOCKS proxy persistence task (svchost32.exe C2 beacon)
GupdateS Registry Run key value HKLM...RunGupdateS system-wide persistence
GupdateU Registry Run key value HKCU...RunGupdateU user-scope persistence
LOCKER_BACKGROUND=1 Environment variable Set when ransomware runs as background encryption worker
C:Temppsexec.exe Drop path PsExec dropped for lateral movement
C:Tempshare$ Hidden SMB share Created for remote payload distribution
C:Tempwipefile.tmp Wipe artifact Temporary file used for free-space wiping
<malware_path>.bat Self-delete script Batch script for post-encryption self-deletion
GentlemenCollection Staging directory Directory where EDR killer suite is staged
svchost32.exe Malicious process SOCKS proxy beacon disguised as Windows system process
WIN-8OA3CCQAE4D Workstation name Observed malicious workstation (Huntress May 2026 incident)

YARA Detection Rule

The following YARA rule from Check Point Research detects the The Gentlemen locker binary:

textrule thegentlemen_ransomware {
  meta:
    author = "@Tera0017/Check Point Research"
    description = "The Gentlemen Ransomware written in GO."
  strings:
    $string1 = "Silent mode (don't rename files)" ascii
    $string2 = "Encrypt only mapped and UNC network shares" ascii
    $string3 = "README-GENTLEMEN.txt" ascii
    $string4 = "gentlemen.bmp" ascii
    $string5 = "gentlemen_system" ascii
    $string6 = "[+] Encryption started. Going background..." ascii
    $string7 = "[+] FULL Encryption started" ascii
  condition:
    uint16(0) == 0x5A4D and 4 of them
}

Defender Detection Names

Platform Detection Name
Microsoft Defender AV Ransom:Win64/Gentlemen.SH!MTB
Microsoft Defender AV Ransom:Win64/BlackByte.SZ!MTB (for win.exe)
Microsoft Defender AV Trojan:Win32/MpTamperBulkExcl.H (PowerShell AV tampering)
ESET Win64/KillAV.EA (all GentleKiller variants)
ESET Win64/Agent.ITG (eb.sys rootkit driver)
ESET Win64/VulnDriver.* (all abused vulnerable drivers)
Trend Micro Ransom.Win64.GENTLEMAN.THHAIBE
Trend Micro Trojan.Win64.KILLAV.THHBHBE

Operator TOX IDs (From Leaked Data)

The following TOX IDs were extracted from ransomware samples, linking campaigns to affiliates:

TOX ID Role / Notes
F8E24C7F5B12CD69C44C73F438F65E9BF560ADF35EBBDF92CF9A9B84079F8F04060FF98D098E Administrator (zeta88 / hastalamuerte) confirmed in 4 infections
98C132E2B20B531BE6604397D97040C1E9EB42FCE12EDF119BCE8B4031CA5C70DAF5E65FA3C3 Most prolific affiliate 11+ campaign samples
D2CBA43A1AF6D965432AE11487726DB84D2945CF2CD975D7774B76B54AF052418AC2E59ADA69 Active affiliate 6 campaign samples
D527959A7BC728CB272A0DB683B547F079C98012201A48DD2792B84604E8BC29F6E6BDB8003F Active affiliate 3 campaign samples
F96C481CBB0D6E7BDA49C6D68CFDB1D284354961534EDEEDA854C672B48A8D6B7146F90BDACB Active affiliate
2F1A9C8B8AA163BBB84FF799A0954B232C279C5E9EE42505955288EAAD28685A2BC0713C7745 Active affiliate 2 campaign samples
15CE8D5DB0BAC3BCBB1FA69F2E672CC54EFBEC7684DA792F3CBF8B007A9FEA1D16374560DFA5 Active affiliate
88984846080D639C9A4EC394E53BA616D550B2B3AD691942EA2CCD33AA5B9340FD1A8FF40E9A Active affiliate

MITRE ATT&CK Mapping

Tactic Technique ID Technique Name Implementation
Initial Access T1190 Exploit Public-Facing Application CVE-2024-55591 FortiOS, CVE-2025-32433 Erlang SSH
Initial Access T1078 Valid Accounts Brute-forced / infostealer-sourced VPN credentials
Execution T1059.001 PowerShell Defender disabling, Defender exclusion abuse, lateral movement blobs
Execution T1059.003 Windows Command Shell GentleKiller console execution
Execution T1047 WMIC WMIC-based remote process creation for lateral movement
Execution T1053.005 Scheduled Tasks gentlemen_system, UpdateSystem, UpdateUser, WindowsConnSvc
Execution T1106 Native API DeviceIoControl calls to BYOVD kernel drivers
Persistence T1136 Create Account New domain/local accounts created by operators
Persistence T1543.003 Windows Service Driver installation as Windows service; DefSvc, UpdateSvc
Persistence T1547.001 Registry Run Keys GupdateS, GupdateU Run key persistence
Persistence T1574 Hijack Execution Flow BYOVD driver hijacking execution flow to kernel
Privilege Escalation T1068 Exploitation for Privilege Escalation CVE-2025-7771 via ThrottleBlood.sys
Defense Evasion T1562.001 Disable or Modify Tools GentleKiller, HexKiller, ThrottleBlood, HavocKiller, EDRStartupHinder
Defense Evasion T1562.009 Safe Mode Boot ETW patching, NTDLL unhooking (noted in post-leak locker upgrade)
Defense Evasion T1070.001 Clear Windows Event Logs System, Application, Security logs cleared via wevtutil
Defense Evasion T1070.004 File Deletion Prefetch, Defender logs, PowerShell history removed
Defense Evasion T1036 Masquerading EDR killers impersonate Kaspersky, Valorant, FACEIT, Symantec, etc.
Defense Evasion T1036.001 Invalid Code Signature Copied invalid signatures from legitimate executables
Defense Evasion T1027 Obfuscated Files Enigma/Themida packers; Garble Go obfuscation for locker
Defense Evasion T1112 Modify Registry Tampers with registry for anonymous SMB access and AV disabling
Credential Access T1003.001 LSASS Memory KslDump, KslKatz, Velociraptor LSASS collection
Credential Access T1003.003 NTDS ntds.dit extraction via buildx641/OxideHarvest
Credential Access T1557.001 NTLM Relay RelayKing with CVE-2025-33073
Discovery T1082 System Information Discovery OS/environment enumeration pre-encryption
Discovery T1135 Network Share Discovery Drive letters A–Z probed; WMI volume queries
Discovery T1069 Permission Groups Discovery AD group enumeration via NetExec/BloodHound integration
Lateral Movement T1021 Remote Services RDP, WinRM, SMB, PsExec lateral movement
Lateral Movement T1570 Lateral Tool Transfer Binary staging via C$ share and hidden share$
Lateral Movement T1484.001 GPO Modification Domain-wide ransomware deployment via GPO/NETLOGON
Collection T1560 Archive Collected Data Large-volume data exfiltration (hundreds of GB to TBs)
Exfiltration T1048 Exfiltration Over Alternative Protocol WinSCP encrypted data transfer
Exfiltration T1567 Exfiltration to Cloud Cloudflare tunnels used for covert exfiltration
Impact T1486 Data Encrypted for Impact Curve25519 + XChaCha20 per-file encryption
Impact T1490 Inhibit System Recovery VSS deletion via vssadmin and wmic
Impact T1561 Disk Wipe Free space wiping with random data (--wipe flag)
Impact T1491 Defacement Desktop wallpaper changed to gentlemen.bmp

Defensive Recommendations

  1. Patch CVE-2024-55591 urgently FortiOS authentication bypass is The Gentlemen’s primary initial access vector. Audit all internet-facing FortiGate, FortiProxy, and FortiSwitch devices and apply Fortinet’s patches immediately. Force credential resets on all VPN accounts.
  2. Block all 8 GentleKiller drivers and 3 third-party EDR killer drivers Use Microsoft’s Vulnerable Driver Blocklist and Windows Defender Application Control (WDAC). Audit against the complete driver list: eb.sys, nseckrnl.sys, vgk.sys, stpm_old.sys, stpm_new.sys, dmx.sys, 360netmon_wfp.sys, IMFForceDelete, G11.sys, googleApiUtil64.sys, ThrottleBlood.sys, havoc.sys.
  3. Enable HVCI (Memory Integrity / Hypervisor-Protected Code Integrity) HVCI prevents unsigned and vulnerable kernel drivers from loading, blocking the BYOVD attack vector at the hardware level.
  4. Alert on Sysmon Event ID 6 (Driver Loaded) Log all driver loads with hash and SignatureStatus. Cross-reference against the LOLDrivers list and the Gentlemen-specific driver hashes above.
  5. Mandate phishing-resistant MFA on all VPN/RDP/OWA endpoints The group actively brute-forces and credential-stuffs these services. Eliminate single-factor authentication on all external-facing infrastructure.

Detection Rules (SIEM/EDR Alerts)

Alert Priority Detection Rationale
Critical Scheduled task gentlemen_system created Confirmed precursor to SYSTEM-privileged encryption
Critical vssadmin.exe delete shadows or wmic shadowcopy delete Shadow copy deletion immediate ransomware indicator
Critical Security, System, Application event logs cleared Observed in 100% of documented incidents
Critical Loading of driver from GentlemenCollection directory Direct staging indicator
High Multiple Sysmon EID 6 (driver loads) with non-Microsoft certificates BYOVD attack in progress
High Set-MpPreference -DisableRealtimeMonitoring $true via PowerShell Defender disabling observed in every incident
High Add-MpPreference -ExclusionPath C: Exclusion of entire C: drive from AV scanning
High svchost32.exe connecting outbound over SOCKS (ports 44729, 37182) Known C2 beacon masquerading as system process
High GPO creation with unknown executable as startup script Domain-wide ransomware deployment precursor
High Outbound Cloudflare WARP tunnel from non-IT endpoints Pre-encryption staging behavior
Medium Bulk NTLM relay scanning from internal hosts (RelayKing signatures) Pre-encryption network reconnaissance
Medium EDRStartupHinder or gfreeze process names detected Startup EDR evasion tools
Medium New shares created: share$ on C:Temp Lateral movement staging share

Architecture and Hardening

  • Implement strict IT/OT network segmentation The Gentlemen’s worm propagation exploits flat networks; segmentation is the single most effective containment control
  • Protect backups with immutability The group actively targets Veeam, backup services, and NAS devices. Offline, immutable, air-gapped backups are mandatory
  • Enable EDR Tamper Protection Use vendor-specific tamper protection with Anti-exploit Protection to prevent process termination by EDR killers
  • Restrict domain controller NETLOGON share access Alert on unauthorized NETLOGON/SYSVOL modifications, as GPO-based deployment uses this vector
  • Deploy deception technologies Honeyfiles and honeytokens on critical file shares detect reconnaissance activities early
  • Monitor LSASS access Alert on Velociraptor, KslDump, or any unexpected process accessing LSASS memory
  • Restrict anonymous SMB access Harden LSA registry settings (RestrictAnonymous, RestrictAnonymousSAM) that the encryptor attempts to disable
  • Block tool binaries Consider blocking NetExec, RelayKing, PrivHound, TaskHound, CertiHound at perimeter and endpoint levels

On May 4, 2026, the Gentlemen RaaS administrator publicly acknowledged an internal breach of their “Rocket” backend database. The leak, sold by actor n7778 for $10,000 in Bitcoin, contained approximately 16.22 GB of operational data, with 44.4 MB publicly released as proof. The exposed data included:

  • 3,366 Rocket.Chat internal messages across channels: general, INFO, TOOLS, PODBOR
  • 9 named operator accounts and their roles
  • 1,570+ victims on one affiliate’s C2 botnet
  • Bitcoin laundering chains and payout records
  • Live FortiGate tracking dashboard showing active targets
  • Full toolchain including EDRStartupHinder, gfreeze, and EDR killer collections
  • Ransom negotiation transcripts ($250k initial → $190k settled)
  • Shadow file with password hashes for all internal server accounts

Despite the breach, the group maintained operational continuity, dismissed the leak, and announced technical upgrades to their locker (NTDLL unhooking, hardware breakpoint removal, ETW patching).