
The Gentlemen Ransomware (Storm-2697): GentleKiller EDR-Killer Framework
Tags: RaaS, EDR Killer, BYOVD, GentleKiller, HexKiller, ThrottleBlood, HavocKiller, OxideHarvest, The Gentlemen, Storm-2697, Double Extortion, Defense Impairment, Credential Theft
The Gentlemen is a ransomware-as-a-service operation (tracked by Microsoft as Storm-2697) that centrally develops and maintains an EDR-killer suite for its affiliates, built around an in-house framework named GentleKiller with at least eight BYOVD variants plus the integrated third-party killers HexKiller, ThrottleBlood and HavocKiller. The group uses double extortion, selects victims primarily by FortiGate (mis)configuration, and recently claimed the attack on Australia's Mackay Sugar.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| ATT&CK Technique ID | Detection Strategy ID | Detection Strategy Name |
|---|---|---|
| T1059.003 | DET0202 | Behavioral Detection of Windows Command Shell Execution |
| T1106 | DET0529 | Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls |
| T1543.003 | DET0552 | Detection of Windows Service Creation or Modification |
| T1036 | DET0127 | Behavioral Detection of Masquerading via Metadata and Execution Discrepancy |
| T1036.001 | DET0031 | Invalid Code Signature Execution Detection via Metadata and Behavioral Context |
| T1027 | DET0378 | Behavioral Detection of Obfuscated Files or Information |
| T1685 | DET0497 | Detection of Defense Impairment through Disabled or Modified Tools |
Observed Countries (5)
AU (439)
BR (656)
FR (743)
RO (2)
TH (290)