EXECUTIVE SUMMARY
The campaign is being run by the ransomware‑as‑a‑service group known as Gentlemen. It combines classic ransomware with a suite of utilities designed to disable endpoint detection and response products. Recent activity shows the gang targeting organisations in Southeast Asia, South America and Western Europe across sectors such as finance, manufacturing and logistics. Their primary objective is double extortion: encrypting critical data while threatening public disclosure of stolen information unless a ransom is paid. Affiliates receive the full toolset, allowing rapid deployment against chosen victims.
Initial infection is typically achieved through phishing emails that carry malicious attachments or by exploiting vulnerable drivers exposed on the target network. Once the payload lands, an early stage component disables or evades security agents, clearing event logs and terminating protective processes. The ransomware then encrypts files on reachable drives and simultaneously copies sensitive documents to a hidden staging area for exfiltration. Communication with the operators is maintained via encrypted channels, enabling remote commands to adjust encryption keys or trigger data release. Persistence is achieved through scheduled tasks that survive reboots.
The presence of built‑in EDR‑disabling capabilities makes the threat especially hard for security teams to spot, as traditional alerts are suppressed before the ransomware begins encrypting data. Recovery is further complicated by the rapid data exfiltration that follows encryption, leaving organisations exposed even if the ransom is paid. Mitigation should start with rigorous patch management for drivers and operating systems, combined with network segmentation to limit lateral movement. Continuous monitoring for abnormal process termination, regular offline backups and a robust incident‑response plan are essential to reduce impact and restore operations quickly.
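The monitoring suggested above can be expressed as a simple host correlation rule. The following is an added example, not code from the advisory or from any vendor: it assumes Windows and Sysmon events have already been normalised to dicts (host, ts, event_id plus detail fields), uses the standard event IDs for log clearing (1102/104), service stop (7036), scheduled task creation (4698) and Sysmon process termination (5), and runs over a constructed sample rather than real telemetry. The protective process and service names are a constructed inventory.

```python
from collections import defaultdict

# Windows / Sysmon event IDs used as signals. Assumption: events have been normalised
# to dicts with keys host, ts (epoch seconds), event_id and optional detail fields.
LOG_CLEARED = {1102, 104}      # Security log cleared / System log cleared
SERVICE_STOPPED = 7036         # System: "service entered the stopped state"
TASK_CREATED = 4698            # Security: scheduled task created
PROCESS_TERMINATED = 5         # Sysmon: process terminated
# Constructed sample inventories; a real rule would load the site's own EDR/AV names.
PROTECTIVE_PROCESSES = {"msmpeng.exe", "senseir.exe"}
PROTECTIVE_SERVICES = {"windefend", "sense"}

def classify(event):
    """Map one event to a signal name, or None when it is not relevant."""
    eid = event["event_id"]
    if eid in LOG_CLEARED:
        return "log_cleared"
    if eid == SERVICE_STOPPED and event.get("service", "").lower() in PROTECTIVE_SERVICES:
        return "protective_service_stopped"
    image = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if eid == PROCESS_TERMINATED and image in PROTECTIVE_PROCESSES:
        return "protective_process_terminated"
    if eid == TASK_CREATED:
        return "scheduled_task_created"
    return None

def correlate(events, window=900):
    """Per host, collect signals within `window` seconds of that host's first signal and
    alert when defences were disabled, a log was cleared and a scheduled task was created."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((ev["ts"], sig))
    alerts = {}
    for host, sigs in by_host.items():
        start = sigs[0][0]
        seen = {s for t, s in sigs if t - start <= window}
        disabled = {"protective_service_stopped", "protective_process_terminated"} & seen
        if disabled and "log_cleared" in seen and "scheduled_task_created" in seen:
            alerts[host] = sorted(seen)
    return alerts

SAMPLE_EVENTS = [  # constructed, not from any real incident
    {"host": "ws01", "ts": 100, "event_id": 5, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"host": "ws01", "ts": 130, "event_id": 7036, "service": "WinDefend"},
    {"host": "ws01", "ts": 200, "event_id": 1102},
    {"host": "ws01", "ts": 260, "event_id": 4698, "task": r"\Updater"},
    {"host": "ws02", "ts": 300, "event_id": 4698, "task": r"\Backup"},  # a lone task: no alert
]
```

Only ws01 is flagged: a scheduled task on its own is routine, but combined with a stopped protective service, a killed protective process and a cleared log within the window it matches the chain the advisory describes.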
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.003 | Acquire Infrastructure | Virtual Private Server |
| Initial Access | T1078 | Valid Accounts | — |
| Initial Access | T1133 | External Remote Services | — |
| Credential Access | T1539 | Steal Web Session Cookie | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Discovery | T1018 | Remote System Discovery | — |
| Discovery | T1087 | Account Discovery | — |
| Discovery | T1482 | Domain Trust Discovery | — |
| Lateral Movement | T1021 | Remote Services | — |
| Impact | T1486 | Data Encrypted for Impact | — |
| Impact | T1489 | Service Stop | — |
| Impact | T1490 | Inhibit System Recovery | — |
REFERENCES:
The following reports contain further technical details:
https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/
https://thecybersecguru.com/news/gentlekiller-gentlemen-ransomware-edr-killer-byovd/