SOC Incident Toolkit
The Gentlemen Ransomware (Storm-2697): GentleKiller EDR-Killer Framework


Tags: RaaS, EDR Killer, BYOVD, GentleKiller, HexKiller, ThrottleBlood, HavocKiller, OxideHarvest, The Gentlemen, Storm-2697, Double Extortion, Defense Impairment, Credential Theft

The Gentlemen is a ransomware-as-a-service operation (tracked by Microsoft as Storm-2697) that centrally develops and maintains an EDR-killer suite for its affiliates. The suite is built around an in-house framework named GentleKiller, with at least eight BYOVD variants, plus the integrated third-party killers HexKiller, ThrottleBlood and HavocKiller. The group practices double extortion, selects victims primarily by FortiGate (mis)configuration, and recently claimed the attack on Australia's Mackay Sugar.

Indicators of Compromise

Hashes (27)


Notes

CONCLUSION

The Gentlemen lowers the operational barrier for its affiliates by shipping a ready-to-use, standardized EDR-killer suite, and demonstrates the ability to weaponize newly disclosed BYOVD proofs-of-concept within days. Defenders should prioritize vulnerable-driver blocklisting, protect service-creation and driver-load paths, monitor for the GentlemenCollection staging directory, and treat any EDR/AV process termination or sensor tampering as a high-severity precursor to encryption.

SOCRadar customers can track this threat across the SOCRadar platform (https://platform.socradar.com) using the IOC Radar (hash hunting), Cyber Threat Intelligence (campaign and actor tracking), Attack Surface Management (exposed FortiGate instances) and Dark Web Monitoring (leak-site activity) modules.

Mitigation

MITRE ATT&CK mitigations (each ID links to https://attack.mitre.org/mitigations/<ID>):

ID      Mitigation
M1017   User Training
M1018   User Account Management
M1022   Restrict File and Directory Permissions
M1024   Restrict Registry Permissions
M1028   Operating System Configuration
M1038   Execution Prevention
M1040   Behavior Prevention on Endpoint
M1042   Disable or Remove Feature or Program
M1045   Code Signing
M1047   Audit
M1049   Antivirus/Antimalware
M1054   Software Configuration