The Gentlemen Ransomware (Storm-2697): GentleKiller EDR-Killer Framework

Tags: RaaS, EDR Killer, BYOVD, GentleKiller, HexKiller, ThrottleBlood, HavocKiller, OxideHarvest, The Gentlemen, Storm-2697, Double Extortion, Defense Impairment, Credential Theft
The Gentlemen is a ransomware-as-a-service operation (tracked by Microsoft as Storm-2697) that centrally develops and maintains an EDR-killer suite for its affiliates, built around an in-house framework named GentleKiller with at least eight BYOVD variants plus the integrated third-party killers HexKiller, ThrottleBlood and HavocKiller. The group uses double extortion, selects victims primarily by FortiGate (mis)configuration, and recently claimed the attack on Australia's Mackay Sugar.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Technique   Detection   Detection Strategy
T1059.003   DET0202     Behavioral Detection of Windows Command Shell Execution
T1106       DET0529     Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls
T1543.003   DET0552     Detection of Windows Service Creation or Modification
T1036       DET0127     Behavioral Detection of Masquerading via Metadata and Execution Discrepancy
T1036.001   DET0031     Invalid Code Signature Execution Detection via Metadata and Behavioral Context
T1027       DET0378     Behavioral Detection of Obfuscated Files or Information
T1685       DET0497     Detection of Defense Impairment through Disabled or Modified Tools

Observed Countries (5)

AU (439)
BR (656)
FR (743)
RO (2)
TH (290)